What is a reverse proxy?
A reverse proxy is a type of proxy server that retrieves resources from one or more servers and returns them to the client as if they came from the proxy server itself. In other words, the reverse proxy acts as the website’s “public face” while fetching content from different origins behind the scenes. For example, you might have an existing website at www.website.com that is not hosted on HubSpot, while also hosting a blog on HubSpot at www.website.com/blog. Using a reverse proxy, the blog would appear to be hosted from the same server as the website when it’s actually coming from HubSpot’s servers.
When to use a reverse proxy
There are several common scenarios where a reverse proxy makes sense:
- SEO consolidation: some organizations prefer to host all content under subdirectories (e.g., www.website.com/blog) rather than subdomains (e.g., blog.website.com). A reverse proxy allows HubSpot-hosted content to appear under the same domain structure as your main website.
- Multi-platform hosting: when your website spans multiple platforms (e.g., HubSpot for marketing content, Shopify for e-commerce, a custom application for your product), a reverse proxy unifies them under a single domain.
- Existing CDN infrastructure: if your organization already has a CDN with specific configurations, security rules, or compliance requirements, you may want to route traffic through your existing infrastructure rather than adopting HubSpot’s CDN.
- Complex routing requirements: if you have advanced routing logic that can’t be handled by HubSpot’s built-in CDN, a reverse proxy gives you full control over how requests are routed.
How it works with HubSpot
When you set up a reverse proxy with HubSpot, your CDN communicates with HubSpot’s CDN (powered by Cloudflare) to retrieve content. The general flow works as follows:
- A visitor requests a page from your domain (e.g., www.website.com/blog/article).
- Your reverse proxy recognizes the request is for HubSpot-hosted content.
- The proxy forwards the request to HubSpot’s origin servers, including specific headers that identify the request as coming from a reverse proxy.
- HubSpot returns the content (HTML, CSS, JavaScript, images) to your proxy.
- Your proxy serves the content to the visitor, who sees it as coming from your domain.
Why a CDN or distributed environment is required
HubSpot requires that reverse proxies be implemented through a CDN or distributed computing environment, not a single server. This is because of how web application firewalls (WAF) work. When requests come from a single server or small cluster of servers, thousands of requests from different end users appear to originate from just a few IP addresses. This traffic pattern closely resembles a distributed denial-of-service (DDoS) attack, which would trigger Cloudflare’s security rules and block the traffic. By using a CDN or distributed computing environment, requests are spread across many IP addresses, mimicking normal traffic patterns and avoiding rate limiting.
Considerations
Using your own CDN or reverse proxy opens up more configuration options, but it also requires significant operational knowledge and maintenance. Before proceeding with a reverse proxy setup, review the considerations below.
Feature comparison
| Feature | HubSpot’s CDN | Custom solution |
|---|---|---|
| Bandwidth | Included | Additional cost |
| SSL certificates | Included; automatic setup and renewal | Additional cost; manual setup and renewal |
| Global CDN | Included | Varies by provider |
| Cache management | Automatic; pages update when content is published | Manual; requires cache invalidation rules |
| Anti-abuse protection (WAF) | Included | Customer-owned |
| 24/7 monitoring | Included | Customer-owned |
| Support | Included | Customer-owned |
| IPv6 | Included | Varies by provider |
| HTTP/2 | Included | Varies by provider |
| Latency | Optimal (direct CDN) | Additional network hop required |
Additional considerations
- Sitemap management: if you proxy only a subpath of your site to HubSpot (e.g., /blog), your main sitemap.xml file won’t automatically include HubSpot pages. You’ll need to manually add them or configure your sitemap to pull from multiple sources.
- Cache invalidation: HubSpot automatically manages cache for content hosted on its CDN. When you publish changes, pages update immediately. With a custom proxy, you’re responsible for configuring cache rules and invalidation to ensure content updates are reflected.
- Load balancing: HubSpot’s built-in CDN and all other services have multiple instances with automatic failover and recovery. If you implement a reverse proxy, you should use multiple instances with load balancing. If all requests are routed through a single proxy node, requests may trip rate limiting protocols, resulting in 429 or 403 responses until an in-browser JavaScript challenge is completed.
Prerequisites
Before setting up a reverse proxy with HubSpot, ensure you have:
- A live domain with SSL: the domain you want to proxy must be live with publicly accessible content and a valid SSL certificate.
- A CDN or distributed computing environment: as explained above, you cannot proxy through a single server. You need a CDN (such as Amazon CloudFront or Cloudflare Enterprise) or a distributed computing environment.
- Technical resources: your IT team must be capable of implementing and maintaining the proxy configuration, including custom headers, SSL certificates, and cache rules. HubSpot’s support team does not assist with reverse proxy setup.
Frequently asked questions
Why can't I just point my domain to HubSpot?
If you only need to host content on HubSpot, you should connect your domain directly rather than using a reverse proxy. Direct connection is simpler, fully supported, and includes all of HubSpot’s CDN benefits.
A reverse proxy is only necessary when you need to host content from multiple origins (HubSpot and other platforms) under the same domain, or when you have specific infrastructure requirements that HubSpot’s built-in CDN cannot accommodate.
Why can't I proxy through a single server?
Proxying through a single server or small cluster concentrates all traffic through a few IP addresses. This traffic pattern resembles a DDoS attack and will trigger Cloudflare’s security rules, resulting in blocked requests or JavaScript challenges for your visitors.
Using a CDN or distributed computing environment spreads requests across many IP addresses, mimicking normal traffic patterns.
Which CNAME do I use for the reverse proxy?
When configuring your reverse proxy, use the origin CNAME provided in the setup guide. This will be in the format <HubID>.sites-proxy.hscoscdn[XX].net.
Don’t use the CNAME provided during the SSL pre-provisioning step (which looks like <HubID>.groupXX.sites.hubspot.net). That CNAME is only for domain verification.
What is a CNAME record?
A CNAME (Canonical Name) record is a type of DNS record that maps one domain name to another. For example, you might create a CNAME record that points www.example.com to example.com, so both addresses resolve to the same server.
In the context of reverse proxies, CNAME records are used during the SSL pre-provisioning step to verify domain ownership with Cloudflare.
What are the custom headers used for?
HubSpot requires specific headers (X-Forwarded-For, X-HubSpot-Trust-Forwarded-For, X-HS-Public-Host) to:
- Identify reverse proxy requests: these headers help HubSpot distinguish proxy traffic from direct traffic, allowing different handling if needed.
- Preserve visitor information: headers like X-Forwarded-For ensure HubSpot can see the original visitor’s IP address for personalization, analytics, and security.
- Enable proper content serving: the X-HS-Public-Host header tells HubSpot which domain the content should be served for.
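The routing and header steps from "How it works with HubSpot", together with the three headers listed above, sketched as edge-function logic. This is an added example, not HubSpot's or any CDN's own code: the function names are hypothetical, the value `true` for X-HubSpot-Trust-Forwarded-For is an assumption (use the value from the setup guide), and overwriting rather than appending X-Forwarded-For is a design choice for a first hop that faces the public internet, so that a visitor cannot preset the IP address HubSpot is told to trust.

```javascript
// Added example; all names here are hypothetical, not HubSpot or CDN APIs.
const HUBSPOT_PREFIXES = ["/blog"]; // subpath proxied to HubSpot, as in the page's example

// Headers the proxy must set itself; visitor-supplied copies are discarded.
const CONTROLLED = ["x-forwarded-for", "x-hubspot-trust-forwarded-for", "x-hs-public-host"];

// True for the prefix itself and anything below it ("/blog", "/blog/a"),
// false for look-alike paths such as "/blogger".
function isHubSpotPath(path) {
  return HUBSPOT_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

// Build the header set forwarded to the HubSpot origin.
//   clientHeaders: headers received from the visitor (any casing)
//   peerIp:        address of the connecting peer as seen by the edge node
//   publicHost:    visitor-facing domain, taken from proxy config, not the request
// Returns null when the path belongs to another origin.
function prepareOriginRequest(path, clientHeaders, peerIp, publicHost) {
  if (!isHubSpotPath(path)) return null;

  const out = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const lower = name.toLowerCase();
    if (CONTROLLED.includes(lower)) continue; // never pass these through
    out[lower] = value;
  }
  out["x-forwarded-for"] = peerIp;
  out["x-hubspot-trust-forwarded-for"] = "true"; // assumed value, see lead-in
  out["x-hs-public-host"] = publicHost;
  return out;
}

// Constructed sample request: the visitor has preset two of the controlled headers.
const sample = prepareOriginRequest(
  "/blog/article",
  { "User-Agent": "demo", "X-Forwarded-For": "10.0.0.1", "X-HS-Public-Host": "other.example" },
  "203.0.113.7",
  "www.website.com"
);
console.log(sample);
```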
Should I use absolute or relative URLs in my HubSpot content?
This depends on your setup:
- Recommended setup (domain in HubSpot matches the proxied domain): use absolute URLs. HubSpot automatically converts absolute URLs to relative URLs when the linked page is on the same domain.
- Alternate setup (domain in HubSpot differs from the proxied domain): use relative URLs. Check your templates to remove any absolute URL HubL tags.
Can I test a reverse proxy in a staging environment?
Yes, but keep these points in mind:
- Use a real domain: do not use HubSpot staging domains (e.g., <portalid>.hs-sites.com). The staging website must be a live domain with a valid SSL certificate.
- Disable VPN restrictions: if your staging environment typically requires a VPN, you’ll need to make the entire root domain publicly accessible for HubSpot to verify DNS records.
- Configure both HTTP and HTTPS: HubSpot checks both protocols during setup. Ensure HTTP redirects to HTTPS, or that content is available on both.