Setup

To set up Cloudflare for SaaS for apex proxying - as opposed to the normal setup - perform the following steps.

---

Before you begin

Before you start creating custom hostnames:

1. Add your zone to Cloudflare (this should be within the account associated with your IP prefixes).
2. Enable Cloudflare for SaaS for your zone.
3. Review the Hostname prioritization guidelines. Wildcard custom hostnames behave differently than an exact hostname match.
4. (optional) Review the following documentation:

• API documentation (if you have not worked with the Cloudflare API before).
• Certificate validation.

---

Initial setup

When you first enable Cloudflare for SaaS, you need to perform a few steps prior to creating any custom hostnames.

1. Get IP range

With apex proxying, you can either bring your own IP range or use a set of IP addresses provided by Cloudflare.

For more details on this step, reach out to your account team.

Warning

These IP addresses are different than those associated with your Cloudflare zone.

2. Create fallback origin

The fallback origin is where Cloudflare will route traffic sent to your custom hostnames (must be proxied).

Note

If you are an Enterprise customer, you can route custom hostnames to distinct origins by using custom origin server.

To create your fallback origin:

1. Create a proxied A, AAAA, or CNAME record pointing to the IP address of your fallback origin (where Cloudflare will send custom hostname traffic).

Type	Name	IPv4 address	Proxy status
A	proxy-fallback	192.0.2.1	Proxied

2. Designate that record as your fallback origin.

Dashboard

1. Log into the Cloudflare dashboard ↗.
2. Select your account and zone.
3. Go to SSL/TLS > Custom Hostnames.
4. For Fallback Origin, enter the hostname for your fallback origin.
5. Select Add Fallback Origin.

API

Using the hostname of the record you just created, update the fallback origin value.

3. Once you have added the fallback origin, confirm that its status is Active.

Note

When Cloudflare marks your fallback origin as Active, that only reflects that we are ready to send traffic to that DNS record.

You need to make sure your DNS record is sending traffic to the correct origin location.

---

Per-hostname setup

You need to perform the following steps for each custom hostname.

Step 1 — Plan for validation

Before you create a hostname, you need to plan for:

1. Certificate validation: Upon successful validation, the certificates are deployed to Cloudflare’s global network.
2. Hostname validation: Upon successful validation, Cloudflare proxies traffic for this hostname.

You must complete both these steps for the hostname to work as expected.

Important

Depending on which method you select for each of these options, additional steps might be required for you and your customers.

Step 2 — Create custom hostname

After planning for certification and hostname validation, you can create the custom hostname.

To create a custom hostname:

Dashboard

1. Log in to the Cloudflare dashboard ↗ and select your account.
2. Select your Cloudflare for SaaS application.
3. Navigate to SSL/TLS > Custom Hostnames.
4. Click Add Custom Hostname.
5. Add your customer’s hostname app.customer.com and set the relevant options, including:
   • Choosing the Validation method.
   • Whether you want to Enable wildcard, which adds a *.<custom-hostname> SAN to the custom hostname certificate. For more details, refer to Hostname priority.
   • Choosing a value for Custom origin server.
6. Click Add Custom Hostname.

Default behavior

When you create a custom hostname:

• If you issue a custom hostname certificate with wildcards enabled, you cannot customize TLS settings for these wildcard hostnames.
• If you do not specify the Minimum TLS Version, it defaults to 1.0, not the zone’s Minimum TLS Version. You can still edit this setting after creation.

API

1. To create a custom hostname using the API, use the Create Custom Hostname endpoint.

   • You can leave the certificate_authority parameter empty to set it to “default CA”. With this option, Cloudflare checks the CAA records before requesting the certificates, which helps ensure the certificates can be issued from the CA.

2. For the newly created custom hostname, the POST response may not return the DCV validation token validation_records. It is recommended to make a second GET command (with a delay) to retrieve these details.

The response contains the complete definition of the new custom hostname.

Default behavior

When you create a custom hostname:

• If you issue a custom hostname certificate with wildcards enabled, you cannot customize TLS settings for these wildcard hostnames.
• If you do not specify the Minimum TLS Version, it defaults to 1.0, not the zone’s Minimum TLS Version. You can still edit this setting after creation.

Note

For each custom hostname, Cloudflare issues two certificates bundled in chains that maximize browser compatibility (unless you upload custom certificates).

The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.

3. Have customer create DNS record

To finish the custom hostname setup, your customer can set up either an A or CNAME record at their authoritative DNS provider.

Note

If you want your customers to be able to use CNAME records, you will need to complete the normal setup process as well.

A record

If your customer uses an A record at their authoritative DNS provider, they need to point their hostname to the IP prefixed allocated for your account.

Warning

Before your customer does this step, confirm that the hostname’s Certificate status and Hostname status are both Active.

If not, confirm that you are using a method of certificate or hostnames validation that occurs after your customer adds their DNS record.

Your customer’s A record might look like the following:

example.com.  60  IN  A   192.0.2.1

CNAME record

If your customer uses a CNAME record at their authoritative DNS, they need to point their hostname to your CNAME target ¹.

Warning

Before your customer does this step, confirm that the hostname’s Certificate status and Hostname status are both Active.

If not, confirm that you are using a method of certificate or hostnames validation that occurs after your customer adds their DNS record.

Your customer’s CNAME record might look like the following:

mystore.com CNAME customers.saasprovider.com

Service continuation

If your customer is also using Cloudflare for their domain, they should keep their DNS record pointing to your SaaS provider in place for as long as they want to use your service.

For more details, refer to Remove custom hostnames.

Footnotes

1. If you have regional services set up for your custom hostnames, Cloudflare always uses the processing region associated with your DNS target record (instead of the processing region of any custom origins).

   ↩