[SSL] Remove word Step from headings and adjust anchors #17460

Merged
merged 7 commits into from
Oct 14, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ Before Cloudflare can proxy traffic through a custom hostname, we need to verify
:::note


If a custom hostname is already on Cloudflare, using the [pre-validation methods](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/pre-validation/) will not shift the traffic to the SaaS zone. That will only happen once the [DNS target](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#step-3--have-customer-create-cname-record) of the custom hostnames changes to point to the SaaS zone.
If a custom hostname is already on Cloudflare, using the [pre-validation methods](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/pre-validation/) will not shift the traffic to the SaaS zone. That will only happen once the [DNS target](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#3-have-customer-create-cname-record) of the custom hostnames changes to point to the SaaS zone.


:::
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ head:

import { Render } from "~/components"

When you use a real-time validation method, Cloudflare verifies your customer's hostname when your customers adds their [DNS routing record](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#step-3--have-customer-create-cname-record) to their authoritative DNS.
When you use a real-time validation method, Cloudflare verifies your customer's hostname when your customers adds their [DNS routing record](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#3-have-customer-create-cname-record) to their authoritative DNS.

## Use when
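
Review bot: The rewritten opening sentence still reads "when your customers adds their [DNS routing record]", where subject and verb disagree. Since the line is already being edited for the anchor, change it to "when your customer adds their", which is the wording the "How to" paragraph of this same file already uses.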

Expand All @@ -25,7 +25,7 @@ To avoid any chance of downtime, use a [pre-validation method](/cloudflare-for-p

## How to

Real-time validation occurs automatically when your customer adds their [DNS routing record](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#step-3--have-customer-create-cname-record).
Real-time validation occurs automatically when your customer adds their [DNS routing record](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#3-have-customer-create-cname-record).

The exact record depends on your Cloudflare for SaaS setup.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ As a SaaS provider, your customers may decide to no longer participate in your s

If your customer's domain is also using Cloudflare, they can stop routing their traffic through your custom hostname by updating their Cloudflare DNS.

If they update their [`CNAME` record](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#step-3--have-customer-create-cname-record) so that it no longer points to your `CNAME` target:
If they update their [`CNAME` record](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#3-have-customer-create-cname-record) so that it no longer points to your `CNAME` target:

- The domain's traffic will not route through your custom hostname.
- The custom hostname will enter into a **Moved** state.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ Cloudflare returns a 1016 error when the custom hostname cannot be routed or pro
There are three main causes of error 1016:

1. Custom Hostname ownership validation is not complete. To check validation status, run an API call to [search for a certificate by hostname](/cloudflare-for-platforms/cloudflare-for-saas/start/common-api-calls/) and check the verification error field: `"verification_errors": ["custom hostname does not CNAME to this zone."]`.
2. Fallback Origin is not [correctly set](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#step-1--create-fallback-origin). Confirm that you have created a DNS record for the fallback origin and also set the fallback origin.
2. Fallback Origin is not [correctly set](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#1-create-fallback-origin). Confirm that you have created a DNS record for the fallback origin and also set the fallback origin.
3. A Wildcard Custom Hostname has been created, but the requested hostname is associated with a domain that exists in Cloudflare as a standalone zone. In this case, the [hostname priority](/ssl/reference/certificate-and-hostname-priority/#hostname-priority-cloudflare-for-saas) for the standalone zone will take precedence over the wildcard custom hostname. This behavior applies even if there is no DNS record for this standalone zone hostname.

In this scenario each hostname that needs to be served by the Cloudflare for SaaS parent zone needs to be added as an individual Custom Hostname.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ Once the CSR has been generated, provide it to your customer. Your customer will

## Generate the private key and CSR

### Step 1 — Build the CSR payload
### 1. Build the CSR payload

All fields except for organizational\_unit and key\_type are required. If you do not specify a `key_type`, the default of `rsa2048` (RSA 2048 bit) will be used; the other option is `p256v1` (NIST P-256).

Expand All @@ -48,7 +48,7 @@ EOF
))
```

### Step 2 — Generate a CSR
### 2. Generate a CSR

Now, you want to generate a CSR that you can provide to your customer.

Expand Down Expand Up @@ -92,11 +92,11 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_csrs \
--data "$request_body" | jq .result.csr | perl -npe s'/\\n/\n/g; s/"//g' > csr.txt
```

### Step 3 — Customer obtains certificate
### 3. Customer obtains certificate

Your customer will take the provided CSR and work with their CA to obtain a signed, publicly trusted certificate.

### Step 4 — Upload the certificate
### 4. Upload the certificate

Upload the certificate and reference the ID that was provided when you generated the CSR.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ For use cases and limitations, refer to [custom certificates](/cloudflare-for-pl

:::caution

You can only use one of the different [supported types](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/#limitations). For example, you cannot upload an `SHA256WithRSA` + `ECDSAWithSHA256` certificate.
You can only use one of the different [supported types](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/#limitations). For example, you cannot upload an `SHA256WithRSA` + `ECDSAWithSHA256` certificate.
:::

## Upload certificates
Expand All @@ -32,7 +32,7 @@ The call below will upload a certificate for use with `app.example.com`.

Note that if you are using an ECC key generated by OpenSSL, you will need to first remove the `-----BEGIN EC PARAMETERS-----...-----END EC PARAMETERS-----` section of the file.

#### Step 1 — Update the file and build the payload
#### 1. Update the file and build the payload

<Render file="custom-cert-file-example" product="ssl" />

Expand All @@ -52,7 +52,7 @@ EOF
))
```

#### Step 2 — Upload your certificate and key
#### 2. Upload your certificate and key

Use a [POST request](/api/operations/custom-hostname-for-a-zone-create-custom-hostname) to upload your certificate and key.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ This means that - if you choose to use wildcard custom hostnames - you will need

---

### Step 1 - Get TXT tokens
### 1. Get TXT tokens

Once you [create a new hostname](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/issue-certificates/) and choose this validation method, your tokens will be ready after a few seconds.

Expand All @@ -48,21 +48,21 @@ Once you [create a new hostname](/cloudflare-for-platforms/cloudflare-for-saas/s

</TabItem> </Tabs>

### Step 2 - Share with your customer
### 2. Share with your customer

You will then need to share these TXT tokens with your customers.

### Step 3 - Add DNS records (customer)
### 3. Add DNS records (customer)

<Render file="txt-validation_post" />

<Render file="ssl-for-saas-validate-patch" />

### Step 4 (optional) - Fetch new tokens
### 4. (Optional) Fetch new tokens

Your DCV tokens expire after a [certain amount of time](/cloudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods/), depending on your certificate authority.

This means that, if your customers take too long to place their tokens at their authoritative DNS provider, you may need to [get new tokens](#step-1---get-txt-tokens) and re-share them with your customer.
This means that, if your customers take too long to place their tokens at their authoritative DNS provider, you may need to [get new tokens](#1-get-txt-tokens) and re-share them with your customer.

---

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_hostnames" \
--data '{"Hostname":"example.com"}, "Ssl":{wildcard:false}}'
```

## Step 1 - Associate custom metadata to a custom hostname
## 1. Associate custom metadata to a custom hostname

To apply WAF to your custom hostname, you need to create an association between your customer's domain and the WAF configuration that you would like to attach to it. Cloudflare's product, [custom metadata](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/) allows you to do this via the API.
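
Review bot: The `--data` payload in the curl example directly above the renamed heading is not valid JSON: the object closes right after `"example.com"`, a stray `}` is left at the end, and `wildcard` is an unquoted key. It is unchanged context in this hunk, but anyone copying the command sends a body that does not parse. Suggest fixing it in the same pass, for example `'{"Hostname":"example.com", "Ssl":{"wildcard":false}}'`, and confirming the key casing against the API reference while there.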

Expand Down Expand Up @@ -68,7 +68,7 @@ curl --request PATCH \

This assigns custom metadata to your custom hostname so that it has a security tag associated with its ID.

## Step 2 - Trigger security products based on tags
## 2. Trigger security products based on tags

1. Locate the custom metadata field in the Ruleset Engine where the WAF runs. This can be used to trigger different configurations of products such as [WAF custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), and [Transform Rules](/rules/transform/).

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,11 @@ Customers can automate the [custom metadata](/cloudflare-for-platforms/cloudflar

***

## Step 1 - Choose security tagging system
## 1. Choose security tagging system

1. Outline `security_tag` buckets. These are fully customizable with no strict limit on quantity. For example, you can set `security_tag` to `low`,`medium`, and `high` as a default, with one tag per custom hostname.

2. If you have not already done so, [associate your custom metadata to custom hostnames](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas#step-1---associate-custom-metadata-to-a-custom-hostname) by including the `security_tag`in the custom metadata associated with the custom hostname. The JSON blob associated with the custom hostname is fully customizable.
2. If you have not already done so, [associate your custom metadata to custom hostnames](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/#1-associate-custom-metadata-to-a-custom-hostname) by including the `security_tag`in the custom metadata associated with the custom hostname. The JSON blob associated with the custom hostname is fully customizable.

:::note
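
Review bot: The updated list item 2 keeps the missing space in "`security_tag`in the custom metadata"; add the space while the line is being edited for the link. Item 1 has the same slip in "`low`,`medium`, and `high`". The new link also gains a trailing slash before the fragment (`/waf-for-saas/#1-...` where the old one was `/waf-for-saas#step-1---...`); that looks intentional, but it is worth a word in the PR description since it is more than an anchor rename.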

Expand All @@ -41,7 +41,7 @@ After the association is complete, the JSON blob is added to the defined custom

***

## Step 2 - Deploy Rulesets
## 2. Deploy Rulesets

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and navigate to your account.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ To set up Cloudflare for SaaS for [apex proxying](/cloudflare-for-platforms/clou

<Render file="get-started-initial-setup-preamble" /> <br/>

### Step 1 - Get IP range
### 1. Get IP range

With apex proxying, you can either [bring your own IP range](/byoip/) or use a set of IP addresses provided by Cloudflare.

Expand All @@ -37,7 +37,7 @@ These IP addresses are different than those associated with your Cloudflare zone

:::

### Step 2 - Create fallback origin
### 2. Create fallback origin

<Render file="get-started-fallback-origin" />

Expand All @@ -47,7 +47,7 @@ These IP addresses are different than those associated with your Cloudflare zone

<Render file="get-started-per-hostname" />

### Step 3 - Have customer create DNS record
### 3. Have customer create DNS record

To finish the custom hostname setup, your customer can set up either an `A` or `CNAME` record at their authoritative DNS provider.

Expand All @@ -73,7 +73,7 @@ example.com. 60 IN A 192.0.2.1

#### `CNAME` record

If your customer uses a `CNAME` record at their authoritative DNS, they need to point their hostname to your [`CNAME` target](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#step-2-optional--create-cname-target) [^1].
If your customer uses a `CNAME` record at their authoritative DNS, they need to point their hostname to your [`CNAME` target](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#2-optional-create-cname-target) [^1].

<Render file="get-started-check-statuses" />

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ description: Learn how to use a Worker as the fallback origin for your SaaS zone

If you are building your application on [Cloudflare Workers](/workers/), you can use a Worker as the origin for your SaaS zone (also known as your fallback origin).

1. In your SaaS zone, [create and set a fallback origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#step-1--create-fallback-origin). Ensure the fallback origin only has an [originless DNS record](/dns/troubleshooting/faq/#what-ip-should-i-use-for-parked-domain--redirect-only--originless-setup):
1. In your SaaS zone, [create and set a fallback origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#1-create-fallback-origin). Ensure the fallback origin only has an [originless DNS record](/dns/troubleshooting/faq/#what-ip-should-i-use-for-parked-domain--redirect-only--originless-setup):

* **Example**: `service.example.com AAAA 100::`

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ As a SaaS provider, you may want to configure and manage Cloudflare for SaaS [vi

## Fallback origins

Our API includes the following endpoints related to the [fallback origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#step-1--create-fallback-origin) of a custom hostname:
Our API includes the following endpoints related to the [fallback origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#1-create-fallback-origin) of a custom hostname:

* [Get fallback origin](/api/operations/custom-hostname-fallback-origin-for-a-zone-get-fallback-origin-for-custom-hostnames)
* [Update fallback origin](/api/operations/custom-hostname-fallback-origin-for-a-zone-update-fallback-origin-for-custom-hostnames)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,13 @@ import { Example, Render } from "~/components"

<Render file="get-started-initial-setup-preamble" /> <br/>

### Step 1 — Create fallback origin
### 1. Create fallback origin

<Render file="get-started-fallback-origin" />

### Step 2 (optional) — Create CNAME target
### 2. (Optional) Create CNAME target

The `CNAME` target — optional, but highly encouraged — provides a friendly and more flexible place for customers to [route their traffic](#step-3--have-customer-create-cname-record). You may want to use a subdomain such as `customers.<SAAS_PROVIDER>.com`.
The `CNAME` target — optional, but highly encouraged — provides a friendly and more flexible place for customers to [route their traffic](#3-have-customer-create-cname-record). You may want to use a subdomain such as `customers.<SAAS_PROVIDER>.com`.

[Create](/dns/manage-dns-records/how-to/create-dns-records/#create-dns-records) a proxied `CNAME` that points your `CNAME` target to your fallback origin (can be a wildcard such as `*.customers.saasprovider.com`).
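
Review bot: Renaming these headings drops the `#step-1--create-fallback-origin` and `#step-2-optional--create-cname-target` fragments that other pages in this PR were linking to, and nothing in the hunk keeps the old fragments resolvable. The links updated here cover the files shown, but any reference that was missed will load the page without scrolling to the section and without an error. Search the repo for remaining `getting-started/#step-` fragments before merge, and if external inbound links matter, consider keeping explicit anchors for the old names on the new headings.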

Expand All @@ -44,9 +44,9 @@ The `CNAME` target — optional, but highly encouraged — provides a friendly a

<Render file="get-started-per-hostname" />

### Step 3 — Have customer create CNAME record
### 3. Have customer create CNAME record

To finish the custom hostname setup, your customer needs to set up a `CNAME` record at their authoritative DNS that points to your [`CNAME` target](#step-2-optional--create-cname-target) [^1].
To finish the custom hostname setup, your customer needs to set up a `CNAME` record at their authoritative DNS that points to your [`CNAME` target](#2-optional-create-cname-target) [^1].

<Render file="get-started-check-statuses" />

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ This approach introduces using Cloudflare's [Regional Services](/data-localizati
![Figure 2: Standard Fallback Origin Setup with Regional Services.](~/assets/images/reference-architecture/extending-cloudflares-benefits-to-saas-providers-end-customers/standard-fallback-origin-setup-regional-services.svg "Figure 2: Standard Fallback Origin Setup with Regional Services.")

1. The Custom Hostname (`custom.example.com`) is configured as a CNAME record that points to a regionalized SaaS hostname (`eu-customers.myappexample.com`). This configuration ensures that all processing, including TLS termination, occurs exclusively within the specified geographic region.
2. The regionalized SaaS hostname is set up as a CNAME record that directs traffic to the standard [Fallback Origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#step-1--create-fallback-origin) of the SaaS provider (`fallback.myappexample.com`).
2. The regionalized SaaS hostname is set up as a CNAME record that directs traffic to the standard [Fallback Origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#1-create-fallback-origin) of the SaaS provider (`fallback.myappexample.com`).
3. The Fallback Origin is set up as an A record that points to the public IP address of the origin server. Cloudflare will route traffic sent to the custom hostnames to this origin server by default.

### Cloudflare Tunnel as Fallback Origin Setup with Regional Services
Expand All @@ -102,7 +102,7 @@ For enhanced security, rather than exposing your application servers directly to
![Figure 3: Cloudflare Tunnel as Fallback Origin Setup with Regional Services.](~/assets/images/reference-architecture/extending-cloudflares-benefits-to-saas-providers-end-customers/cloudflare-tunnel-fallback-origin-setup-regional-services.svg "Figure 3: Cloudflare Tunnel as Fallback Origin Setup with Regional Services.")

1. The Custom Hostname (`custom.example.com`) is configured as a CNAME record that points to a regionalized SaaS hostname (`eu-customers.myappexample.com`). This configuration ensures that all processing, including TLS termination, occurs exclusively within the specified geographic region.
2. The regionalized SaaS hostname is set up as a CNAME record that directs traffic to the standard [Fallback Origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#step-1--create-fallback-origin) of the SaaS provider (`fallback.myappexample.com`).
2. The regionalized SaaS hostname is set up as a CNAME record that directs traffic to the standard [Fallback Origin](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/#1-create-fallback-origin) of the SaaS provider (`fallback.myappexample.com`).
3. The Fallback Origin is a CNAME DNS record that points to a [public hostname](/cloudflare-one/connections/connect-networks/routing-to-tunnel/) exposed by Cloudflare Tunnel. This public hostname should be configured to route traffic to your application (e.g., `localhost:8080`).

This setup is ideal for SaaS providers that do not need granular load balancing, such as [geo-based traffic steering](/load-balancing/understand-basics/traffic-steering/), across multiple origin servers. It's also well-suited for simple testing and development environments, where [protecting your origin server](/fundamentals/basic-tasks/protect-your-origin-server/) by only allowing requests through the Cloudflare Tunnel is sufficient. However, for distributed applications requiring load balancing at both global and local levels, we recommend using [Cloudflare's Load Balancer](/load-balancing/) with global and local traffic management capabilities.
Expand Down