Using a Reverse Proxy with HubSpot

A reverse proxy is a type of proxy server that takes resources from one or more servers and then returns them to the client with the appearance of it coming from the proxy server itself. For example, you could have an existing website such as www.example.com that is not hosted on the HubSpot CMS, while also hosting a HubSpot managed blog at www.example.com/blog. Using a reverse proxy, the blog would appear to be hosted from the same server as the website when it's actually coming from HubSpot's servers. 

Using your own CDN or reverse proxy may open up more configuration options, but it also requires significant operational know-how and maintenance. Below is a list of some considerations before you choose this route.

Additionally, if you proxy a subpath of your site to HubSpot, your main sitemap.xml won't include HubSpot pages unless you manually add them.

Adding a custom reverse proxy means that users of your website will make a request to your service and then be proxied through to HubSpot’s CDN, introducing another network hop.

To set up a reverse proxy, you'll first add your domain to HubSpot:

1. Go to your domain settings for your portal.
2. Click Connect a domain.
3. Select Primary or Secondary. Redirect and email sending domains are not supported for this feature.
4. Click Connect.
5. Choose the type of content this domain will be used for.
6. Click Next.
7. Select your brand domain if one has already been added in your account, then enter your domain. This will become the destination domain for your proxy.
8. Click Next.
9. Review the domain you've entered, then click Next.
10. If this domain is hosted with GoDaddy, click No, I'll set it up manually when the GoDaddy connect modal appears.
11. If this subdomain is currently hosted externally with a valid SSL certificate in place:
    • HubSpot will display the message It looks like this domain already has an SSL certificate from another provider. Click Click here to view the CNAME and a TXT values required for hostname validation. Hostname validation will allow HubSpot's CDN to serve content to incoming requests for a domain.
    • Once you've created the records in your DNS provider, click Verify. It may take up to 4 hours for HubSpot to recognize the changes made to your DNS provider and verify your hostname. 
12. If the subdomain is not currently hosted externally with an SSL certification, contact HubSpot support to get the values needed to create the CNAME and TXT records.
13. After verifying your domain, click Back to domains in the bottom left.
    
14. Hover over the new domain in your list of domains, then click Edit.
15. Select the Set as ready for publishing checkbox and click Save.
16. Your domain is now ready for proxying. 

Using your HubID from the steps above, your origin CNAME will be in the following form: <HubId>.<Suffix>. Your suffix is determined by the last two digits of your HubID.

For example, if your HubID is 123, your correct origin CNAME would be 123.sites-proxy.hscoscdn20.net.  

Now configure your proxy to forward requests using your origin CNAME and add the following configurations:

1. Set your proxy to perform no caching for paths originating from HubSpot. HubSpot automatically manages the content of our CDN’s cache so pages are updated automatically when content is published. Note: If the service caches responses, ​pages may not update for hours or days​.
2. Add or prepend to a ​X-Forwarded-For​ header with the client IP address of the original requestor. This is required to differentiate clients from each other. Many services such as CloudFront maintain these headers automatically.
3. To ensure personalized content based on location works, either pass a ​X-Client-IP​ header with a value of the end user’s IP (preferred) or pass a static header of X-HubSpot-Trust-Forwarded-For: true​. The latter will trust the ​X-Forwarded-For​ header, which may not have been updated by all upstream proxies.
4. Pass a ​X-HS-Public-Host​ header with a value of your destination domain.
5. Allow all HTTP methods.
6. Ensure an SSL certificate is provisioned and installed for your proxy domain.
7. Forward all query strings.
8. Forward ​all​ other request and response headers as-is, including cookies.
9. Ideally, all paths under your domain should proxy to HubSpot. If that’s not the case, then the paths /_hcms/*, /hs/*, /hubfs/* and /hs-fs/*​ ​must​ proxy so assets load properly from your domain.

To confirm your configuration, visit:
https://[yourFullDomain]/_hcms/diagnostics

and then verify the following:

• The current time value changes on every load. This confirms that the page is not cached.
• The User-Agent is consistent with your browser.
• The Accept-Language value is consistent with your browser.
• The Cookie value is not blank.
• The Protocol is “https”.
• The leftmost IP address in X-Forwarded-For matches your IP address as reported by a service like https://www.whatismyip.com. 
• The IP-Determined Location values are accurate to your location. These are based on the IP-related headers, starting with X-Client-IP and ending in X-Forwarded-For in descending order of precedence. If X-HubSpot-Trust-Forwarded-For is passed, True-Client-Ip and X-Real-Ip are ignored.

If you're seeing a 404 when going to the diagnostics URL that likely means you have an issue with your configuration. 

Visit https://[yourFullDomain]/_hcms/_worker/headers to view all the headers that HubSpot is receiving from a request through your reverse proxy.

The most important headers for proxies are:

• X-Forwarded-For
• X-Client-IP
• X-HubSpot-Trust-Forwarded-For
• X-HS-Public-Host

Verify you are not sending additional/unnecessary headers, or duplicate values.

Publishing content with the HubSpot CMS should work just as if your domain was directly hosted by HubSpot. Features such as A/B tests and Content Membership that rely on cookies should work normally. When creating pages be sure to select your destination domain (if available) in the URL.