#Custom Hostname Error 522 - Cloudflare SSL for SaaS

Hi Cloudflare community,

I'm encountering an Error 522 (Connection timed out) when trying to access my custom hostname through Cloudflare SSL for SaaS. Here are the details:

1. Main domain (falback-origin): worker.domain.com (shows "Hello World" when accessed directly)
2. Custom Host name(custom domain): files.otherdomain.com
3. Setup:
   • Using Cloudflare SSL for SaaS
   • CNAME and TXT records added and showing as active
   • DNS checkers confirm correct pointing
4. Issue: When accessing files.otherdomain.com, I get Error 522

I've verified the following:

• DNS configuration appears correct
• SSL/TLS encryption mode is set appropriately
• No obvious firewall rules blocking the connection,
• the cname record is connected

What else should I check to resolve this timeout issue? Any guidance would be greatly appreciated.

Thank you!

Do you have a catch-all route? https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/worker-as-origin/

Workers Routes see the files.otherdomain.com when evaling, so need a wildcard route (or a route specifically for, but you'd run out of routes if you made one for each saas domain)

Yeah, and also the custom domain is connected to the worker.
I also set a route to get all route from that subdomain to the worker

the worker.domain.com is going well, but the custom hostname isn't.
All dns record are active, txt and cname

that's not enough, did you see my explanation? You need a truly wildcard route */*

Custom Domains won't do anything with SaaS, and Worker Routes see the incoming request as files.otherdomain.com and so worker.domain.com or *.worker.domain.com/* isn't going to match

So like this instead?

still not working

A Wildcard Route like that yea bound to your service

is your custom hostname showing as active in your saas zone?

Yeah it is.

you should be able to trace the URL then through your config, top level item Account -> Trace, and then https://files.otherdomain.com

Magic Link: https://dash.cloudflare.com/?to=/:account/trace/search

It should hit your worker.

errr it's worth mentioning too, which zone did you make that in? Would have to be in the SaaS target zone (the one with worker.domain.com)

Yeah that's it.

I have other subdomains mapping to other dns and main domain hosting a pages

the subdomain is the one used for the saas.

Your route needs to point to your worker, not disable workers on that route

That's the trace error probably doing a mistake somewhere, is that how the route shoudl be

Oh okay, it worked.

but new issue 🙂

all my domain are showing that worker content.

plus I have one subdomain files.domain.com connected to r2 and all stopped working.

is that how that works? or I need to changee something

or any other way to connect domains to mine and not have that issue.

I don't want to use worker to process all reqeusts 🙂

So as that guide mentions one option is to make another route to disable catching your own domains in that:

Route: `*.<zonename>.com/*` (only routes custom hostname traffic to the Worker)
Worker: None

honestly though it gets a bit messy and one suggestion that is often made is to have a zone/website in CF dedicated just to being your cf for saas setup

CF For SaaS runs through your own zone's configuration too, so if you configure firewall rules or waf rules, they inherit it. Same with config rules/all the other rules types if they're not properly scoped. This can be useful, to enable specific things for your cf for saas traffic, and can also be annoying to properly use/combine with an existing website

opps the wildcards got literalized in that example, you'd want *.<zonename>/* to avoid your subdomains being grabbed

hmm this sounds good, so if i have a website mainly for that then I can that as the saas,

and route all request from that to that domain right? without affecting my other website

.<zonename>com/

oh okay so like .domain.com/

That's what I did before and didn't work

You could have
*/* -> cf for saas worker
*.domain.com/* -> Service: None
domain.com/* -> Service: None (avoid grabbing main domain too)

oh this is risky because the platofrm is life, let me quickly try it

yeaa that's another reason why just using a diff domain for your cf for saas stuff is a good setup

Yeah I think i'll do that, I'll get a new domain now and use that mainly for the saas set up, too riskly tbh 😅
Thank you so much, I've tested the wildcard and it works, so I'll just replace everything with the new domain 🙏