Since you mentioned SaaS, depending on how far along your business is, I would advise you contact Cloudflare for enterprise pricing. This would allow customers to CNAME your domain (this is called a managed CNAME), which would then get SSL issued for those domain names by the Cloudflare certificate authority service.
Without enterprise, you should have no problem reverse proxying your domain. You would need to set it up so that the HOST header is that of your actual domain and the 3rd party domain is in a separate header, like x-forwarded-host (or a custom header key), and your Heroku application would have to respect the x-forwarded-host header as the actual HOST.
1. Customer sets sub.customer1.com as a CNAME pointing to a reverse proxy subdomain.
2. Reverse proxy adds the following headers to the request to Cloudflare:
   - x-forwarded-host: the original hostname the CNAME is for, e.g. sub.customer1.com would be the value if the request came from that hostname.
   - x-forwarded-ip: the visitor’s real IP address. You can’t rely on Cf-Connecting-Ip since that will be your reverse proxy IP address.
3. Reverse proxy will proxy traffic to a different subdomain on your domain that is .
4. Your application behind Cloudflare must change its logic to obtain the visitor IP address from the x-forwarded-ip header and the original hostname (sub.customer1.com) from the x-forwarded-host header.
Also make sure your proxy’s IP is whitelisted in the Cloudflare firewall.
With this setup, you lose the Cloudflare Firewall/IP reputation, DDOS protection (someone could just DDOS your reverse proxy) and the performance of Cloudflare’s anycast network, but features like caching and WAF will still work.
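The application-side half of this setup, as an added example that is not code from the thread or from Cloudflare: the app behind Cloudflare resolves the tenant hostname and visitor IP from the forwarded headers, but only trusts x-forwarded-host / x-forwarded-ip when Cf-Connecting-Ip shows the request actually came through your own allowlisted proxy, so the same headers sent by any other client are ignored. The proxy address 198.51.100.10 and the origin hostname app.example.com are constructed placeholders.

```python
"""
Resolve the customer hostname and visitor IP for a multi-tenant app that sits
behind Cloudflare, with a self-hosted reverse proxy in front of Cloudflare.

Added illustration, not code from the thread. Assumptions (not from the thread):
- the proxy's public IP is 198.51.100.10 (a documentation-range placeholder)
- the proxy forwards to app.example.com with the extra headers the answer describes
"""
import ipaddress
from dataclasses import dataclass

# Constructed placeholder: the IP of our own reverse proxy, which is also the IP
# allowlisted in the Cloudflare firewall. In production load this from config.
TRUSTED_PROXY_IPS = {ipaddress.ip_address("198.51.100.10")}

# Constructed placeholder: the hostname the proxy uses when forwarding to
# Cloudflare (a subdomain in our own zone).
OUR_HOST = "app.example.com"


@dataclass(frozen=True)
class RequestOrigin:
    hostname: str      # the hostname the tenant's visitor actually requested
    client_ip: str     # the visitor's real IP, as far as we can trust it
    via_proxy: bool    # True if trusted x-forwarded-* headers were used


def _valid_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve_origin(headers: dict) -> RequestOrigin:
    """Derive tenant hostname and client IP from request headers.

    Header names are matched case-insensitively. Cloudflare sets
    Cf-Connecting-Ip to the address that connected to Cloudflare; when that
    is our own proxy, the proxy's x-forwarded-host / x-forwarded-ip describe
    the real visitor. From anyone else those headers are untrusted client
    input and are ignored, which stops a direct visitor from picking a
    tenant or faking an IP just by sending the headers themselves.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    host = h.get("host", "").split(":")[0].lower()
    cf_ip = h.get("cf-connecting-ip", "")

    if not _valid_ip(cf_ip):
        # Missing or garbage header: treat as an untrusted direct connection.
        return RequestOrigin(host, cf_ip or "unknown", False)

    connecting = ipaddress.ip_address(cf_ip)
    if connecting in TRUSTED_PROXY_IPS and host == OUR_HOST:
        fwd_host = h.get("x-forwarded-host", "").split(":")[0].lower()
        fwd_ip = h.get("x-forwarded-ip", "")
        if fwd_host and _valid_ip(fwd_ip):
            return RequestOrigin(fwd_host, fwd_ip, True)
        # Proxy sent an incomplete header set: fail closed to our own host
        # rather than guessing a tenant.
        return RequestOrigin(host, cf_ip, False)

    # Request reached Cloudflare directly (our own domain, or a tenant on a
    # managed CNAME): Host and Cf-Connecting-Ip are authoritative.
    return RequestOrigin(host, cf_ip, False)


if __name__ == "__main__":
    # Constructed sample: a visitor at 203.0.113.7 hitting sub.customer1.com
    # through the proxy, as seen by the app behind Cloudflare.
    sample = {
        "Host": "app.example.com",
        "Cf-Connecting-Ip": "198.51.100.10",
        "X-Forwarded-Host": "sub.customer1.com",
        "X-Forwarded-Ip": "203.0.113.7",
    }
    print(resolve_origin(sample))
```

The check on `host == OUR_HOST` matters as much as the IP match: the proxy only ever forwards to that one subdomain, so a request for any other hostname that claims to carry proxy headers is not something the proxy produced. Rate limiting and IP-based rules on the Cloudflare side still see only the proxy's address, as the reply below points out, so any per-visitor throttling has to be done in the app (or on the proxy) using the resolved `client_ip`.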
Good points, however I’d still question the point of the exercise.
It would only cache on the PoP close to the proxy though, he could achieve the same with a cache on his own proxy.
Which part of the WAF exactly would you refer to? Considering the entire traffic will originate from one IP address, and that IP address should be allowlisted, the entire firewall idea will go down the drain.
Primarily it complicates everything but leaves out most (all?) of Cloudflare’s benefits. Unless there is a convincing argument for it, I’d strongly suggest skipping one of the proxies, either your own or Cloudflare’s.