Guarantees about host header toward origin

I have a zone like example1.com and a zone like example2.com. Cloudflare is the authoritative nameserver for both example1.com and example2.com and they are in the same account. I have a subdomain under example2.com like subsubdomain.azure.example2.com, and I have delegated the subdomain azure.example2.com to a DNS server provided by Azure. Thus, the authoritative nameserver for subsubdomain.azure.example2.com (i.e., the output of nslookup -type=soa subsubdomain.azure.example2.com) is Azure, not Cloudflare. We are using page rules to forward some paths under example1.com to subsubdomain.azure.example2.com.

Does Cloudflare guarantee that no other Cloudflare account is able to perform a request originating from a Cloudflare IP and having a host header of subsubdomain.azure.example2.com, whether it is via Cloudflare workers, or via page rule host override? Because that would allow them to bypass the WAF and possibly set CF-Connecting-IP to a wrong value.

The statement at https://community.cloudflare.com/t/overriding-cf-connecting-ip-in-subrequests-destined-for-a-non-cloudflare-customer-zone/352850/2 does not make it fully clear for the case of a delegated subdomain.

Lastly, I would like to make a suggestion: Cloudflare should provide a header like X-Forwarded-Host (maybe call it cf-forwarded-host to not break existing users who set x-forwarded-host themselves) and Cloudflare would then guarantee that no request originating from Cloudflare (no matter if workers or page rules) can override this header. This would decouple the two parts "Cloudflare guarantees that this request passed the security settings in the zone of the domain owner" and "Cloudflare should use this host header toward the origin".
The way it is now, I cannot see how, in the case of an origin that cannot be on a Cloudflare-controlled zone (maybe it is some AWS Lambda function URL or whatever), one would be able to validate that the request passed the security checks configured in one's own Cloudflare account, without resorting to uploading custom client certificates to Cloudflare or using Cloudflare Tunnel.

It seems others are having this problem as well: https://community.cloudflare.com/t/cloudflare-proxy-and-x-forwarded-host-header/6123/5.
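To make the trust boundary in the question concrete, here is an added example of origin-side logic (not code from the post, from Cloudflare, or from any linked thread). It decides what an origin may believe about a request: CF-Connecting-IP is honoured only when the TCP peer is actually in the proxy's address ranges, and the Host header is treated as routing information rather than proof that the request passed a particular zone's WAF. The proxy ranges are constructed placeholders, and the `client_cert_ok` parameter is a hypothetical flag assumed to come from the TLS terminator when a per-zone client certificate (the custom-certificate option mentioned above) was verified.

```python
import ipaddress

# Constructed placeholder ranges standing in for the proxy's published IP list.
# They are NOT Cloudflare's real ranges; a deployment fetches the real list and
# refreshes it regularly.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]


def from_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer address lies inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def assess_request(peer_ip: str, headers: dict, client_cert_ok: bool = False) -> dict:
    """Decide what an origin may believe about one incoming request.

    peer_ip        - source address of the TCP connection (never a header value)
    headers        - request headers in any letter case
    client_cert_ok - hypothetical flag: whether the TLS layer verified a client
                     certificate that only our own zone is configured to present
    """
    h = {k.lower(): v for k, v in headers.items()}
    via_proxy = from_trusted_proxy(peer_ip)

    # CF-Connecting-IP carries meaning only when the peer really is the proxy.
    # From any other peer it is an arbitrary client-supplied header and is
    # discarded in favour of the connection's own source address.
    if via_proxy and "cf-connecting-ip" in h:
        client_ip = h["cf-connecting-ip"]
    else:
        client_ip = peer_ip

    # Host records which name the sender chose. Because any customer of the
    # proxy can issue a subrequest from proxy address space with a Host of its
    # choosing, Host by itself does not show that our zone's security settings
    # were applied. Only a proof bound to our zone (here, the per-zone client
    # certificate) supports that conclusion.
    zone_verified = via_proxy and client_cert_ok

    return {
        "host": h.get("host"),
        "client_ip": client_ip,
        "via_trusted_proxy": via_proxy,
        "zone_verified": zone_verified,
    }


if __name__ == "__main__":
    # Constructed sample requests.
    spoof = {"Host": "subsubdomain.azure.example2.com", "CF-Connecting-IP": "10.0.0.1"}
    print(assess_request("203.0.113.7", spoof))                       # direct hit, header ignored
    print(assess_request("198.51.100.9", spoof))                      # via proxy, zone unproven
    print(assess_request("198.51.100.9", spoof, client_cert_ok=True)) # via proxy, zone proven
```

The useful outcome of running this over the three constructed requests is that the spoofed CF-Connecting-IP only survives when the peer is in the proxy ranges, and that `zone_verified` stays false for a proxy-originated request until something other than the Host header ties it to the owner's zone.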
