Error 1001 from AWS CDN url

Hello all,

I have the following workflow:
We have a subdomain in our Cloudflare account, pointing to an IP address. If we try and access the subdomain directly, it works fine, proxied or not proxied.
Now, our CDN, which is AWS in this case, uses a subdomain of *.cloudfront.net.
And it points to the subdomain of our website.
For example, if our subdomain is “subdomain”. In Cloudflare it is configured as the following: “subdomain” → 1.2.3.4 (whatever IP we are using)
And in AWS the configuration is:
*.cloudfront.com → “subdomain”

Now, if you check connectivity of the AWS CDN when the proxy is off on the subdomain, it works fine.
But when we enable the proxy, we get error 1001.

From what I read here [1] the non-Cloudflare domain must be added to a Cloudflare account.
This is not possible, as I can’t, since this is related to AWS CDN. I cannot just move the CDN to be hosted on Cloudflare.

I have read that there is the option of SSL for SaaS [2], also a thread that suggested this as well [3].
But this is only available for enterprise plan, and we have business plan.

Is there any workaround for this issue?
Enterprise plan is not an option in our case, it costs too much, and the relevant features in business are quite acceptable at this stage.

Would love to get help on this issue

Thanks all


[1] https://support.cloudflare.com/hc/en-us/articles/360029779472-Troubleshooting-Cloudflare-1XXX-errors#error1001
[2] https://support.cloudflare.com/hc/en-us/articles/217371987-Managed-CNAME
[3] Error 1001: DNS resolution error

Based on your description, it sounds like this is something that would happen if Cloudflare receives an unexpected HTTP Host header value. This might only be an issue when you have proxy turned on for that subdomain on the Cloudflare side. With “proxy off”, CloudFront is talking directly to your server and exactly which Host header value it receives is not necessarily an issue depending on your server configuration. But with “proxy on”, the requests go through Cloudflare who has to recognize the domain.

My theory is that CloudFront is sending an HTTP Host header with a value other than subdomain.example.com when contacting the origin. I believe CloudFront will send the domain name of the origin by default, but it seems like there may be other settings that can change this behavior. I don’t have access to easily experiment with this at the moment, but check if the Host header is mentioned anywhere in the distribution configuration (like cache settings for example). You could also inspect the HTTP requests reaching the origin server (with “proxy off”).

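The check suggested in the reply above (inspect the requests reaching the origin with “proxy off”), as an added example that is not part of the original thread. It assumes an nginx access log written with the custom `log_format` shown in the comment; the hostnames, IPs and log lines are constructed placeholders.

```python
import re
from collections import Counter

# Assumed nginx log_format (an assumption, not from the thread):
#   '$remote_addr "$request" host="$http_host" ua="$http_user_agent"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<req>[^"]*)" host="(?P<host>[^"]*)" ua="(?P<ua>[^"]*)"$'
)

EXPECTED_HOST = "subdomain.example.com"  # hostname configured in Cloudflare DNS

def normalize_host(value):
    """Lower-case the Host value and drop an optional :port suffix."""
    host = value.strip().lower()
    if host.startswith("["):          # IPv6 literal, e.g. [::1]:443
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host

def cloudfront_hosts(lines, expected=EXPECTED_HOST):
    """Count Host values sent by CloudFront, split into matching and mismatching."""
    ok, mismatched = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or "Amazon CloudFront" not in m["ua"]:
            continue                  # unparseable line or not a CloudFront fetch
        host = normalize_host(m["host"])
        (ok if host == expected else mismatched)[host] += 1
    return ok, mismatched

# Constructed sample lines, as they might look with "proxy off".
SAMPLE_LOG = """\
203.0.113.10 "GET /app.js HTTP/1.1" host="d111111abcdef8.cloudfront.net" ua="Amazon CloudFront"
203.0.113.11 "GET /app.css HTTP/1.1" host="D111111abcdef8.cloudfront.net:443" ua="Amazon CloudFront"
203.0.113.12 "GET / HTTP/1.1" host="subdomain.example.com" ua="Amazon CloudFront"
198.51.100.7 "GET / HTTP/1.1" host="subdomain.example.com" ua="Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    ok, bad = cloudfront_hosts(SAMPLE_LOG)
    print("matching Host values:   ", dict(ok))
    print("mismatched Host values: ", dict(bad))
```

Any entry under mismatched Host values is a request that Cloudflare would receive, with “proxy on”, for a hostname other than the one configured in the zone.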

Thanks for the provided info and insight
I will be checking your input with my team members and hopefully we can get an insight regarding this matter
