SAAS Custom Hostname HTTPS Hits Fallback, Bypassing Custom Origin

What is the name of the domain?

example.com

What is the issue you’re encountering

HTTPS requests to a Custom Hostname (a.example.com) are not being routed to its specifically assigned custom origin (a.origin.com). Instead, these HTTPS requests are incorrectly routed to the default fallback origin (fallback.origin.com). HTTP requests to the same Custom Hostname (http://a.example.com) work correctly and route to the intended custom origin (a.origin.com).

What is the current SSL/TLS setting?

Full

What are the steps to reproduce the issue?

  1. Configured a Default Fallback Origin for Custom Hostnames in Cloudflare dashboard to fallback.origin.com.
  2. Created a Cloudflare Tunnel (“Fallback”) with fallback.origin.com as a public hostname. This tunnel has a catch-all rule returning http_status:406 for diagnostic purposes.
  3. Configured a Custom Hostname a.example.com to target its own custom origin a.origin.com.
  4. Created a Cloudflare Tunnel (“A”) with public hostnames a.example.com and a.origin.com. This tunnel serves the actual content for a.origin.com.
  5. Verified that http://a.example.com routes correctly to Tunnel “A”.
  6. Observed that https://a.example.com routes incorrectly to Tunnel “Fallback”.

Any ideas what I might have misconfigured for HTTPS to behave this way?

Thanks in advance!

I’ve tried the setup that you described, and all requests arrived at the correct tunnel.

My default fallback returns 406 as catch-all, the custom origin 404 (opposite to your setup), and I received 404 both via http and https.

curl -sI https://saas-test.laudian.de
HTTP/2 404
date: Tue, 10 Jun 2025 08:46:46 GMT
cf-ray: 94d799a67ead4e13-HEL
cf-cache-status: DYNAMIC
server: cloudflare
alt-svc: h3=":443"; ma=86400
curl -sI http://saas-test.laudian.de
HTTP/1.1 404 Not Found
Date: Tue, 10 Jun 2025 08:46:52 GMT
Connection: keep-alive
Cf-Ray: 94d799c8ec038dc2-HEL
Cf-Cache-Status: DYNAMIC
Server: cloudflare
alt-svc: h3=":443"; ma=86400

Can you go into a bit more detail about your setup?
Things such as locally or remotely managed tunnel, are both domains you tested with in the same CF account.

Can you also use the Trace function to see if you have anything interfering with the request? Do your public hostnames point to http or https services?

Same here, it’s very random every 2/4 requests go to the fallback. To follow your example, it means a request to a.example.com goes to fallback.origin.com half the time which is crazy, and this is without Tunnels, just plain public requesting going through EWR PoP. Custom Hostname is all green(Active SSL and Active ownership).

I tested the the custom origin is correctly setup as orange record and works 10/10 requests, no problems.

Also using SSL/TLS in Full mode, no strict.

I wonder what’s going on, I see your post is from 6 days ago, did you see any resolution?

Unfortunately, no, I still haven’t found a solution and the problem persists.

The problem persists on my end as well. I contacted support, they asked for clarification two days ago, still waiting for a resolution. I hope they’re investigating, it’s weird that this isn’t a popular bug, makes me wonder how many cloudflare customers are actively using this feature.

Thanks for the suggestion. The trace came back clean.

To answer your questions: both tunnels are remotely managed, and the SaaS domains use an external DNS provider.

Unfortunately, the original issue still persists.

@Clarenna it’s fixed now!!!

Yeah it worked! GREAT!!