HTTPS requests to a Custom Hostname (a.example.com) are not being routed to its specifically assigned custom origin (a.origin.com). Instead, these HTTPS requests are incorrectly routed to the default fallback origin (fallback.origin.com). HTTP requests to the same Custom Hostname (http://a.example.com) work correctly and route to the intended custom origin (a.origin.com).
What is the current SSL/TLS setting?
Full
What are the steps to reproduce the issue?
Configured a Default Fallback Origin for Custom Hostnames in Cloudflare dashboard to fallback.origin.com.
Created a Cloudflare Tunnel (“Fallback”) with fallback.origin.com as a public hostname. This tunnel has a catch-all rule returning http_status:406 for diagnostic purposes.
Configured a Custom Hostnamea.example.com to target its own custom origin a.origin.com.
Created a Cloudflare Tunnel (“A”) with public hostnames a.example.com and a.origin.com. This tunnel serves the actual content for a.origin.com.
Verified that http://a.example.com routes correctly to Tunnel “A”.
Observed that https://a.example.com routes incorrectly to Tunnel “Fallback”.
Any ideas what I might have misconfigured for HTTPS to behave this way?
curl -sI http://saas-test.laudian.de
HTTP/1.1 404 Not Found
Date: Tue, 10 Jun 2025 08:46:52 GMT
Connection: keep-alive
Cf-Ray: 94d799c8ec038dc2-HEL
Cf-Cache-Status: DYNAMIC
Server: cloudflare
alt-svc: h3=":443"; ma=86400
Can you go into a bit more detail about your setup?
Things such as locally or remotely managed tunnel, are both domains you tested with in the same CF account.
Can you also use the Trace function to see if you have anything interfering with the request? Do your public hostnames point to http or https services?
Same here, it’s very random every 2/4 requests go to the fallback. To follow your example, it means a request to a.example.com goes to fallback.origin.com half the time which is crazy, and this is without Tunnels, just plain public requesting going through EWR PoP. Custom Hostname is all green(Active SSL and Active ownership).
I tested the the custom origin is correctly setup as orange record and works 10/10 requests, no problems.
Also using SSL/TLS in Full mode, no strict.
I wonder what’s going on, I see your post is from 6 days ago, did you see any resolution?
The problem persists on my end as well. I contacted support, they asked for clarification two days ago, still waiting for a resolution. I hope they’re investigating, it’s weird that this isn’t a popular bug, makes me wonder how many cloudflare customers are actively using this feature.