Custom Hostname Error 522 - Cloudflare SSL for SaaS
Hi Cloudflare community,
I'm encountering an Error 522 (Connection timed out) when trying to access my custom hostname through Cloudflare SSL for SaaS. Here are the details:
1. Main domain (fallback-origin): worker.domain.com (shows "Hello World" when accessed directly)
2. Custom hostname (custom domain): files.otherdomain.com
3. Setup:
- Using Cloudflare SSL for SaaS
- CNAME and TXT records added and showing as active
- DNS checkers confirm correct pointing
4. Issue: When accessing files.otherdomain.com, I get Error 522
I've verified the following:
- DNS configuration appears correct
- SSL/TLS encryption mode is set appropriately
- No obvious firewall rules blocking the connection
- The CNAME record is connected
What else should I check to resolve this timeout issue? Any guidance would be greatly appreciated.
Thank you!
18 Replies
Do you have a catch-all route? https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/worker-as-origin/
Workers Routes see the files.otherdomain.com when evaling, so need a wildcard route (or a route specifically for, but you'd run out of routes if you made one for each saas domain)
Yeah, and also the custom domain is connected to the worker.
I also set a route to get all route from that subdomain to the worker
the worker.domain.com is going well, but the custom hostname isn't.
All DNS records are active, TXT and CNAME
that's not enough, did you see my explanation? You need a truly wildcard route */*
Custom Domains won't do anything with SaaS, and Worker Routes see the incoming request as files.otherdomain.com and so worker.domain.com or *.worker.domain.com/* isn't going to match
So like this instead?
still not working
A Wildcard Route like that yea bound to your service
is your custom hostname showing as active in your saas zone?
Yeah it is.
you should be able to trace the URL then through your config, top level item Account -> Trace, and then https://files.otherdomain.com
Magic Link: https://dash.cloudflare.com/?to=/:account/trace/search
It should hit your worker.
errr it's worth mentioning too, which zone did you make that in? Would have to be in the SaaS target zone (the one with worker.domain.com)
Yeah that's it.
I have other subdomains mapping to other dns and main domain hosting a pages
the subdomain is the one used for the saas.
Your route needs to point to your worker, not disable workers on that route
That's the trace error probably doing a mistake somewhere, is that how the route should be
Oh okay, it worked.
but new issue 🙂
all my domains are showing that worker content.
plus I have one subdomain files.domain.com connected to R2 and all stopped working.
is that how that works? or I need to change something
or any other way to connect domains to mine and not have that issue.
I don't want to use worker to process all requests 🙂
So as that guide mentions one option is to make another route to disable catching your own domains in that:
Route: *.<zonename>.com/*
(only routes custom hostname traffic to the Worker)
Worker: None
honestly though it gets a bit messy and one suggestion that is often made is to have a zone/website in CF dedicated just to being your cf for saas setup
CF For SaaS runs through your own zone's configuration too, so if you configure firewall rules or waf rules, they inherit it. Same with config rules/all the other rules types if they're not properly scoped. This can be useful, to enable specific things for your cf for saas traffic, and can also be annoying to properly use/combine with an existing website
oops the wildcards got literalized in that example, you'd want *.<zonename>/* to avoid your subdomains being grabbed
hmm this sounds good, so if I have a website mainly for that then I can use that as the saas,
and route all requests from that to that domain right? without affecting my other website
.<zonename>com/
oh okay so like .domain.com/
That's what I did before and didn't work
You could have
*/* -> cf for saas worker
*.domain.com/* -> Service: None
domain.com/* -> Service: None (avoid grabbing main domain too)
oh this is risky because the platform is live, let me quickly try it
yeaa that's another reason why just using a diff domain for your cf for saas stuff is a good setup
Yeah I think I'll do that, I'll get a new domain now and use that mainly for the saas set up, too risky tbh 😅
Thank you so much, I've tested the wildcard and it works, so I'll just replace everything with the new domain 🙏
I tested this and it worked 🙂
I'll still get the domain, thank you so much