Using a Reverse Proxy with HubSpot

A reverse proxy is a type of proxy server that takes resources from one or more servers and then returns them to the client with the appearance of it coming from the proxy server itself.

For example, you have an existing website such as www.website.com that is not hosted on the HubSpot CMS, while also hosting a HubSpot managed blog at www.website.com/blog. Using a reverse proxy, the blog would appear to be hosted from the same server as the website when it's actually coming from HubSpot's servers. 

Using your own CDN or reverse proxy may open up more configuration options, but it also requires significant operational knowledge and maintenance. Below is a list of some considerations before you choose this route.

Additionally, if you proxy a subpath of your site to HubSpot, your main sitemap.xml won't include HubSpot pages unless you manually add them.

Adding a custom reverse proxy means that users of your website will make a request to your service and then be proxied through to HubSpot’s CDN, introducing another network hop.

To start the proxy setup process, first configure the proxy in your external environment, such as a CDN like Amazon CloudFront or an nginx server.

You should always implement the proxy in a load balanced environment so that traffic from your proxy rotates requests to the HubSpot CNAME origin from multiple IP addresses.

The CNAME needed for the proxy will be in the following format: <HubID>.<suffix>, where suffix is determined by the last two digits of your HubID. Use the table below to match the last two digits of your HubID with a suffix.

For example, if your HubID is 123456, your correct origin CNAME would be 123456.sites-proxy.hscoscdn00.net.  

Below are general instructions for configuring a reverse proxy, as well as specific guidance for Amazon CloudFront and nginx.

In general, you can configure your proxy to forward requests using your origin CNAME and add the following configurations:

1. Set your proxy to perform no caching for paths originating from HubSpot. HubSpot automatically manages the content of our CDN’s cache so pages are updated automatically when content is published. Note that if the service caches responses, ​pages may not update for hours or days​.
2. Add or prepend to a ​X-Forwarded-For​ header with the client IP address of the original requestor. This is required to differentiate clients from each other. Many services such as CloudFront maintain these headers automatically.
3. To ensure personalized content based on location works, pass a static header of X-HubSpot-Trust-Forwarded-For: true​. This will trust the ​X-Forwarded-For​ header, which may not have been updated by all upstream proxies.
4. Pass a ​X-HS-Public-Host​ header with a value of your destination domain.
5. Allow all HTTP methods.
6. Ensure an SSL certificate is provisioned and installed for your proxy domain.
7. Forward all query strings.
8. Forward ​all​ other request and response headers as-is, including cookies.
9. Ideally, all paths under your domain should proxy to HubSpot. If that’s not the case, then the paths /_hcms/*, /hs/*, /hubfs/* and /hs-fs/*​ ​must​ proxy so assets load properly from your domain.

To set up a reverse proxy in Amazon CloudFront, you’ll need to create a new distribution with a new alternate domain name, create a new origin, then create cache behaviors for the page paths where your HubSpot content is hosted. You can learn more about working with distributions in the AWS documentation.

• Log in to your Amazon CloudFront account. 
• In the left sidebar, navigate to Distributions.
• If you’re starting from scratch, you’ll first need to create a new distribution by clicking Create Distribution. Alternatively, you can edit an existing distribution or skip to the origin and behaviors setup steps.
  • On the General tab, click Edit.
  • In the Alternate Domain Names (CNAMEs) field, add the domain, including the subdomain. This must match the domain you added to HubSpot.
  • Confirm your changes by clicking Yes, Edit. You’ll then be directed back to the General tab where your domain should now be listed next to Alternate Domain Names (CNAMEs).
  • You’ll also need to create a new CNAME record in your DNS provider using the value from the Domain Name field. This value should look something like <value>.cloudfront.net.
• In the distribution you just created, add the domain you’re setting up the reverse proxy for as an alternate domain name:
• Next, set up a new origin:
  • In the Origin domain field, enter the <HubID>.<suffix> CNAME value from the table above. This value should look something like 123.sites-proxy.hscoscdn20.net.
  • Under Add custom header, click Add header. Then, add the following header details:
  • To ensure personalized content based on location works, either pass a ​X-Client-IP​ header with a value of the end user’s IP (preferred) or pass a static header of X-HubSpot-Trust-Forwarded-For: true​. The latter will trust the ​X-Forwarded-For​ header, which may not have been updated by all upstream proxies.
  • Pass a ​X-HS-Public-Host​ header with a value of your destination domain.
• Click the Origins and Origin Groups tab.
• Click Create Origin, then set up your origin:
• Save your changes by clicking Create.
• Then, set up cache behaviors for the page paths you’ll be hosting HubSpot content on:
  • In the Path pattern field, enter the URL path of the page that your HubSpot content is hosted on. This can be a path to a specific page, or a flexible URL such as a wildcard. Learn more about path patterns.
  • Click the Origin and Origin Groups field, then select the origin you created earlier.
• Click the Behaviors tab.
• Click Create Behavior.
• Set up the cache behavior:
• Click Save changes.

With your distribution, origin, and behaviors configured, the reverse proxy will now be available for HubSpot pages that you create at the specified paths. Proceed to the steps for configuring your domain in HubSpot.

To configure a reverse proxy with nginx, you’ll need to create a location configuration file that includes SSL information and the location path information. 

When working with nginx, there are several headers and settings required to route traffic. Below are snippets of a sample nginx location configuration file to use as a starting point. 

In the above code, note that the proxy connection and content host domain are different: one is a HubSpot provided CNAME, and the other is the domain that the content should be served from, matching the domain you’ll add to HubSpot. This is due to the SNI (Server Name Indication) connection process that establishes a secure connection between your proxy and HubSpot’s servers.

To enable this in your nginx proxy, ensure that you include the settings below, which are also in the above code:

These settings instruct nginx to send the server domain name with the SNI SSL connection handshake since the origin domain is different from the Host.

With your proxy configured, you’ll then add your domain to HubSpot. It’s important to note that you will not be fully connecting the domain to HubSpot in the way that you would in the standard domain connection process. Rather, you’ll start the connection process to make the domain for publishing HubSpot content, but without creating CNAME records in your DNS provider. By the end of this process, your proxy will receive all requests to the domain and can choose to proxy certain paths to HubSpot and other paths to other content hosts.

For example, if you’re looking to set up a reverse proxy for paths on www.website.com, you’ll need to add www.website.com to your HubSpot domains. The proxy will receive all requests for www.website.com and can choose to proxy certain paths to HubSpot and other paths to other content hosts. This will allow you to publish content to paths on that domain through HubSpot, such as www.website.com/pricing. 

To add your domain to HubSpot:

• In your HubSpot account, navigate to your domain settings.
• Click Connect a domain.
• Select Primary or Secondary. Redirect and email sending domains are not supported for this feature.
• Click Connect.
• Select the content type you’ll be hosting on the domain, then click Next.
• Enter the brand domain. For example, for www.website.com, you would enter website.com.

• Enter the subdomain that you’ll be hosting content on. The subdomain needs to match the subdomain for the externally hosted domain. Then click Next.
• Review the domain you’ve entered, then click Next.
• If the domain is hosted with GoDaddy, click No, I’ll set it up manually when the GoDaddy connection modal appears.
• Next, verify your domain so that HubSpot can confirm your domain ownership and allow content publishing. 
  • If the domain is currently hosted externally with a valid SSL certificate: 
    • HubSpot will display an alert that says It looks like this domain already has an SSL certificate from another provider. 
    • In the alert, click Click here to get the CNAME and TXT values needed for hostname validation. 
    • In your DNS provider, create the records using the provided values.
    • In HubSpot, click Verify. It can take up to 4 hours for HubSpot to recognize changes made to your DNS provider and verify your hostname.
  • If the domain is not currently hosted externally with an SSL certificate, contact HubSpot support to get the values needed to create the CNAME and TXT records.
• After verifying your domain, exit the connection wizard by clicking Back to domains in the bottom left.
• In your list of domains, hover over the new domain, then click Edit and select Set as ready for publishing. In the domain manager, the domain’s status will then update from Not connected to Ready for publishing.

Your domain is now properly configured in HubSpot for proxying. After requests have been successfully made to the domain, the domain’s status will update from Ready for publishing to Connected via reverse proxy. This can take up to a few weeks.

To confirm your configuration, visit:
https://[yourFullDomain]/_hcms/diagnostics

and then verify the following:

• The current time value changes on every load. This confirms that the page is not cached.
• The User-Agent is consistent with your browser.
• The Accept-Language value is consistent with your browser.
• The Cookie value is not blank.
• The Protocol is “https”.
• The leftmost IP address in X-Forwarded-For matches your IP address as reported by a service like https://www.whatismyip.com. 
• The IP-Determined Location values are accurate to your location. These are based on the IP-related headers in X-Forwarded-For.

If you're seeing a 404 when going to the diagnostics URL that likely means you have an issue with your configuration. 

Visit https://[yourFullDomain]/_hcms/_worker/headers to view all the headers that HubSpot is receiving from a request through your reverse proxy.

The most important headers for proxies are:

• X-Forwarded-For
• X-HubSpot-Trust-Forwarded-For
• X-HS-Public-Host

Verify you are not sending additional/unnecessary headers, or duplicate values.

Publishing content with the HubSpot CMS should work just as if your domain was directly hosted by HubSpot. Features such as A/B tests and Content Membership that rely on cookies should work normally. When creating pages be sure to select your destination domain (if available) in the URL.