SSL for SaaS not working / incompatible with Cloudflare Tunnels

I’d like to use Cloudflare Tunnels for a new service we’ll be launching shortly; when a tunnel is configured, direct requests (via the cfargotunnel.com CNAME) work.

However when I try setting up an “example client domain” (a domain / sub-domain external to Cloudflare / or using a different Cloudflare account with records not proxied) with SSL for SaaS, I see an error:

“Error 1014: CNAME Cross-User Banned”

“You’ve requested a page on a website that is part of the Cloudflare network. The host is configured as a CNAME across accounts on Cloudflare, which is not allowed by Cloudflare’s security policy.”

I have reviewed documentation for both SSL for SaaS and Tunnels; I didn’t find anything specifically stating the two are incompatible, but neither did I find any examples / tutorials of anyone achieving the setup I’m looking for here.

I suspect that SSL for SaaS and Tunnels are not compatible - but is this a limitation of the free plan or applicable to all? Alternatively, if there are some instructions for setting this up I’d be very grateful if you could share these.

Does the custom hostname work fine if the fallback origin is not a tunnel?

Are the host and client domains in the same or different accounts?

Could you share a screenshot of the custom hostname tab in the dashboard?

Thanks for the reply!

“Does the custom hostname work fine if the fallback origin is not a tunnel?”
Yes

“Are the host and client domains in the same or different accounts?”
Same - but records for the custom domain are “grey clouded” - bypassing Cloudflare.

“Could you share a screenshot of the custom hostname tab in the dashboard?”

I set up a direct (via IP) service; this works correctly:

  • saas-test-direct.morrison.uk (A [orange] record to IP)
  • saas-test-direct.jamesmorrison.uk (CNAME [grey] to saas-test-direct.morrison.uk)

Both load, both have the correct hostname presented.

The tunnel test doesn’t work:

  • saas-test-tunnel.morrison.uk (CNAME [orange] to XX.cfargotunnel.com)
  • saas-test-tunnel.jamesmorrison.uk (CNAME [grey] to saas-test-direct.morrison.uk)

I appreciate any help here - the fallback will be to use IPs, but a tunnel connection is more secure and preferred.

Thanks.

Interesting development - I noticed the 404 page was one I’d added to the server; I think the issue is that the CNAME (for saas-test-tunnel.jamesmorrison.uk) was being ignored; the “fallback origin” is being used - it’s unclear why.

This is progress, I can set up a single tunnel to catch all traffic and act as an internal proxy - but I think there’s a bug with SSL for SaaS & Tunnels; I did not have this fallback origin used on requests to saas-test-direct.jamesmorrison.uk.

This is the intended behavior. As long as the custom hostname has a CNAME record pointing to the zone, requests to the custom hostname are sent to the zone’s fallback origin. Per-hostname origin servers are only available to Enterprise customers with the custom origin server addon.

Thanks for confirming Albert.

The confusion here was due to use of the word “fallback” (rather than for example “only”) - which implied that custom records could be set and the fallback would only take effect where a record is missing (like using wildcard for a fallback vs specific hostname records - the wildcard is only used if a specific hostname was not set).
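As an added illustration (not code from this thread or from Cloudflare), here is a small Python model of the rule Albert described: it walks a constructed record set shaped like the test hostnames above, reports the zone's fallback origin as the destination for any grey-cloud custom hostname whose CNAME chain reaches a proxied record in the same account, and flags a cross-account hop (the pattern named in the Error 1014 message) for checking. The IP, tunnel id, account labels and fallback origin are placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    rtype: str      # "A" or "CNAME"
    target: str     # IP for A, hostname for CNAME
    proxied: bool   # True = orange cloud, False = grey cloud
    account: str    # Cloudflare account owning the zone (placeholder labels)

# Constructed records modelled on the thread's test hostnames; IP, tunnel id and
# account labels are placeholders, not real values.
RECORDS = {
    "saas-test-direct.morrison.uk": Record("A", "192.0.2.10", True, "acct-1"),
    "saas-test-direct.jamesmorrison.uk": Record("CNAME", "saas-test-direct.morrison.uk", False, "acct-1"),
    "saas-test-tunnel.morrison.uk": Record("CNAME", "TUNNEL-ID.cfargotunnel.com", True, "acct-1"),
    "saas-test-tunnel.jamesmorrison.uk": Record("CNAME", "saas-test-direct.morrison.uk", False, "acct-1"),
    # Same shape, but the custom hostname lives in a different Cloudflare account.
    "app.other-account.example": Record("CNAME", "saas-test-direct.morrison.uk", False, "acct-2"),
}

def cname_chain(name, records, max_hops=8):
    """Follow CNAMEs from `name`; stop at an A record, an unknown name, or a loop."""
    chain, seen = [name], {name}
    while (rec := records.get(chain[-1])) is not None and rec.rtype == "CNAME":
        if rec.target in seen or len(chain) > max_hops:
            raise ValueError(f"CNAME loop or overlong chain at {rec.target}")
        seen.add(rec.target)
        chain.append(rec.target)
    return chain

def route_custom_hostname(custom, records, fallback_origin):
    """Report where traffic for a grey-cloud custom hostname ends up.
    Rule taken from the thread: once the chain reaches a proxied (orange) record in
    the SaaS zone, the request goes to that zone's fallback origin, not to the host
    the CNAME names. A hop into another account is reported for checking, not routed.
    """
    src = records[custom]
    if src.proxied:
        return "not a custom hostname: record is proxied (orange cloud)"
    for hop in cname_chain(custom, records)[1:]:
        rec = records.get(hop)
        if rec is None:
            return f"leaves Cloudflare at {hop}"
        if rec.proxied:
            if rec.account != src.account:
                return f"cross-account CNAME to {hop}: verify it is a registered custom hostname"
            return f"fallback origin {fallback_origin}"
    return "never reaches a proxied record"
```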

