Configuring Cloudflare for SaaS

---

Before you begin

Before you start creating custom hostnames:

1. Add your zone to Cloudflare on a Free plan.
2. Enable Cloudflare for SaaS for your zone.
3. Review the Hostname prioritization guidelines. Wildcard custom hostnames behave differently than an exact hostname match.
4. (optional) Review the following documentation:

• API documentation (if you have not worked with the Cloudflare API before).
• Certificate validation.

---

Initial setup

When you first enable Cloudflare for SaaS, you need to perform a few steps prior to creating any custom hostnames.

1. Create fallback origin

The fallback origin is where Cloudflare will route traffic sent to your custom hostnames (must be proxied).

Note

To route custom hostnames to distinct origins, refer to custom origin server.

To create your fallback origin:

1. Create a proxied A, AAAA, or CNAME record pointing to the IP address of your fallback origin (where Cloudflare will send custom hostname traffic).

Type	Name	IPv4 address	Proxy status
A	proxy-fallback	192.0.2.1	Proxied

2. Designate that record as your fallback origin.

Dashboard

1. Log into the Cloudflare dashboard ↗.
2. Select your account and zone.
3. Go to SSL/TLS > Custom Hostnames.
4. For Fallback Origin, enter the hostname for your fallback origin.
5. Select Add Fallback Origin.

API

Using the hostname of the record you just created, update the fallback origin value.

3. Once you have added the fallback origin, confirm that its status is Active.

Note

When Cloudflare marks your fallback origin as Active, that only reflects that we are ready to send traffic to that DNS record.

You need to make sure your DNS record is sending traffic to the correct origin location.

2. (Optional) Create CNAME target

The CNAME target — optional, but highly encouraged — provides a friendly and more flexible place for customers to route their traffic. You may want to use a subdomain such as customers.<SAAS_PROVIDER>.com.

Create a proxied CNAME that points your CNAME target to your fallback origin (can be a wildcard such as *.customers.saasprovider.com).

Type	Name	Target	Proxy status
CNAME	.customers	proxy-fallback.saasprovider.com	Proxied

---

Per-hostname setup

You need to perform the following steps for each custom hostname.

1. Plan for validation

Before you create a hostname, you need to plan for:

1. Certificate validation: Upon successful validation, the certificates are deployed to Cloudflare’s global network.
2. Hostname validation: Upon successful validation, Cloudflare proxies traffic for this hostname.

You must complete both these steps for the hostname to work as expected.

Important

Depending on which method you select for each of these options, additional steps might be required for you and your customers.

2. Create custom hostname

After planning for certification and hostname validation, you can create the custom hostname.

To create a custom hostname:

Dashboard

1. Log in to the Cloudflare dashboard ↗ and select your account.
2. Select your Cloudflare for SaaS application.
3. Navigate to SSL/TLS > Custom Hostnames.
4. Click Add Custom Hostname.
5. Add your customer's hostname app.customer.com and set the relevant options, including:
   • The minimum TLS version.
   • Defining whether you want to use a certificate provided by Cloudflare or upload a custom certificate.
   • Selecting the certificate authority (CA) that will issue the certificate.
   • Choosing the validation method.
   • Whether you want to Enable wildcard, which adds a *.<custom-hostname> SAN to the custom hostname certificate. For more details, refer to