Cloudflare SaaS setup
Setting up a Cloudflare zone for SaaS
- Add your zone to Cloudflare on a Free plan.
- Enable Cloudflare for SaaS for your zone.
- Select your account and zone.
- Go to SSL/TLS > Custom Hostnames.
- Select Enable.
- Confirm Payment
- Review the Hostname prioritization guidelines. Wildcard custom hostnames behave differently than an exact hostname match.
- Create fallback origin
- Create a proxied A, AAAA, or CNAME record pointing to the IP address of your fallback origin (where Cloudflare will send custom hostname traffic).
A proxy-fallback <origin-ip> ProxiedAAAA proxy-fallback 100:: Proxied(for worker)- or
A proxy-fallback 192.0.2.0 Proxied(for worker)
- Designate that record as your fallback origin.
- Go to SSL/TLS > Custom Hostnames.
- For Fallback Origin, enter the hostname for your fallback origin.
- Select Add Fallback Origin.
- Once you have added the fallback origin, confirm that its status is Active.
- Workers as your fallback origin
- Ensure the fallback origin only has an originless DNS record (100:😃
- In that same zone, navigate to Workers Routes.
- Click Add route.
- Decide whether you want traffic bound for your SaaS zone (example.com) to go to that Worker
- https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/worker-as-origin/
- Worker routes have to be mapped to the custom hostname that are created later. For routing all to the same worker use
*/*route, not the fallback origin as it doesn't work.
- Create a proxied A, AAAA, or CNAME record pointing to the IP address of your fallback origin (where Cloudflare will send custom hostname traffic).
- (Optional) Create CNAME target
- Create a proxied CNAME that points your CNAME target to your fallback origin (can be a wildcard such as *.customers.saasprovider.com).
CNAME .customers proxy-fallback.saasprovider.com Proxied
Adding hostnames
- Docs are fine for this
- Open website in cloudflare dashboard, SSL/TLS > Custom Hostnames
- Click Add Custom Hostname
- Options - TLS 1.0 (default), HTTP Validation(might have downtime), cert by cloudflare
Apex domain proxy
- Customers can add CNAME record to point to our CNAME target, but many providers don't allow CNAME at apex domain.
- One solution is to either ask them to put nameservers for cloudflare and use it for DNS(since it does CNAME flatenning)
- Or get cloudflare enterprise plan to get IP ranges or use BYOIP which also requires enterprise.
- Or ask them to map www to our CNAME target and redirect apex to www.