SSL for SaaS Setup Guide: Routing Customer Domains to R2

🧭 Overview

This guide explains how to configure Cloudflare for SaaS to allow external customer domains to serve static content stored in Cloudflare R2, using custom hostnames, and origin rules — without using Cloudflare Workers.

📦 System Components

🛠 Setup Steps

1. ✅ Prerequisites

• Your eyeball zone (r2.hong-lei.com) is active on Cloudflare.

• R2 bucket is deployed and accessible via r2.techandne.net.

• Cloudflare for SaaS (Custom Hostnames) is enabled.

• SSL fallback domain fallback.techandme.net is configured.

2. 🔧 Configure Origin Rules

Use Cloudflare’s Origin Rules feature to rewrite the Host header so traffic to your SaaS zone is properly routed to your R2 origin.

In the Cloudflare Dashboard:

1. Navigate to Rules → Origin Rules for the r2.hong-lei.com zone.

2. Create a new rule:

   If:

   Copy

   Hostname matches r2.hong-lei.com

   Then:

   • Overwrite Host Header → r2.techandne.net

   • (Optional) Set Origin Server → r2.techandne.net if DNS doesn’t resolve automatically

This tells Cloudflare to route all eyeball requests through to your R2-backed origin.

3. 🔑 Enable SSL for SaaS

In the techandme.net zone:

• Go to Custom Hostnames

• Set fallback origin to fallback.techandme.net

• Enable SSL with Domain Validation (DV) using TXT or HTTP verification

4. Add custom domain in R2:

5. 📡 Instruct the Customer to Update DNS (using CF as example)

Ask your customer to add a DNS record:

r2.hong-lei.com CNAME fallback.techandme.net

6. ✅ Testing & Validation

Once DNS and SSL validation are complete:

• Access: https://r2.hong-lei.com/Cloudflare_Logo.svg.png

• Cloudflare will route the request to r2.techandne.net using your Origin Rule

• Content should be served from the R2 bucket as expected