Big picture - the desire is to bypass Akamai entirely and connect to the origin server; once that’s working, carefully apply whatever Cloudflare protections we may come up with.
Cloudflare owns the DNS entries, the vast majority of which are set to unproxied for now (feeding Akamai) while I get this working on a couple of subdomains.
Currently the subdomain ‘test’ points to a place within edgekey[.]net (Akamai CDN) using a CNAME.
When I update that record to either the hostname (which frustratingly is a different domain we own) or IP of the origin server and enable proxying, that’s when the 522 throws.
If I try a 302 redirect in Redirect Rules, leaving proxying on, I get ERR_TOO_MANY_REDIRECTS.
If I try a Host Header Override to the target domain, I get a 522 again.
I’ve since heard that they’re not using anything found under techdocs[.]akamai[.]com/property-mgr/docs/content-tgting. I’ve vetted similar features with them earlier, and it appears the Cloudflare defaults should be fine - but there is a lot to consider!
I double-checked just now, and encryption for the domain is set to “Strict (SSL-Only Origin Pull)”. I thought there was a way to alter that at the subdomain level if needed, to keep the main domain (and our sweet sweet revenue) safe, but couldn’t find it.