Issue with using Reverse Proxy with Hubspot

AAlsalkhadi · ‎Jun 12, 2023

Hallo ,

I am currently in the process of reverse proxying a subdomain (client-domain-portal.rexx-systems.com) to another domain (client-domain.com) and have encountered some difficulties that I hope you can assist me with.

For clarity:
- I have used "client-domain-portal" as a placeholder for the actual subdomain name in this context.

- rexx-systems.com is a job portal and is an third party service provider. client-domain.com uses its services.

Our primary domain, client-domain.com, is hosted on HubSpot. The challenge arises when I attempt to reverse proxy from "client-domain-portal.rexx-systems.com" to the HubSpot-hosted domain, as these two domains are distinct. My initial assumption was that it might not be feasible to reverse proxy "client-domain-portal.rexx-systems.com" to a subdomain of "client-domain.com" (like jobs.client-domain.com).

To troubleshoot, I tried to add the equivalent subdomain (client-domain-portal.client-domain.com) to the HubSpot Domain Manager without directly connecting it. Unfortunately, this attempt wasn't successful. I also attempted to add "client-domain-portal.rexx-systems.com" as suggested on Hubspot offical documentation for reverse proxy support. In this documentation: I read that the "added to HubSpot but not directly connected" domain must match the domain being requested through the reverse proxy, but this too was met with the same hurdle.

Considering the above, I would greatly appreciate if you could provide guidance on how to structure the Nginx configuration file in this particular scenario and clarify which domains are permissible to add.

For your reference, the HubSpot CNAME is something like XXXXXX67.sites-proxy.hscoscdn10.net.

The following is a summary of how I understand it, please correct me, if I am wrong:

Domain ownership verification via pre-provisioning an SSL certificate is a crucial step: no direct domain connection ==> only the "pre-provisioning DNS records" have to be added to the DNS provider.
the origin connection (proxy connection) is a HubSpot CNAME.

Host = X-HS-Public-Host = the content host domain "added to HubSpot Domain Manager but not directly connected" = HubSpot domain where content will be served from. ==> HubSpot systems are ‘aware’ of the domain.

Based on that

server {
    location /karrieres {
        proxy_set_header Host $http_host;

        proxy_pass_request_headers on;
        proxy_pass https://XXXXXX67.sites-proxy.hscoscdn10.net;


        proxy_set_header Accept-Encoding "";
        ssi on;

        proxy_set_header X-HS-Public-Host https://client-domain-portal.rexx-systems.com;


        proxy_ssl_server_name on;
        proxy_ssl_name https://client-domain-portal.rexx-systems.com;



       proxy_set_header X-HubSpot-Trust-Forwarded-For true;
       proxy_set_header X-Real-IP $proxy_protocol_addr;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-HubSpot-Client-IP $proxy_protocol_addr;
    }
}

Should I change $http_host to the content host domain?

Is it right to have X-HS-Public-Host and proxy_ssl_name set to the same domain?

For testing purposes, I am using an Nginx Docker image for reverse proxying. I am wondering if this could be the source of the current issues? It is worth noting that the reverse proxy operates as expected when I direct client-domain-portal.rexx-systems.com to localhost.

My initial plan was to deploy the Docker image on Google Cloud Run. However, based on some recent findings, I am now considering Amazon CloudFront or AWS EC2/ELB as possible alternatives. Google Cloud CDN or Google Cloud Load Balancing are also on the table, but cost considerations will be a deciding factor.

If anything is unclear, please do not hesitate to ask me.

Thank you in advance for your time and assistance. I look forward to your expert guidance on this matter.

Best regards,

Abdalrohman Alsalkhadi

@robertainslie

CarsenRojas · ‎Dec 17, 2023

Sounds like a reverse proxy puzzle you've got. Considering your setup, have you explored Proxy solutions? They're pretty handy for handling distinct domain challenges like yours. In situations similar to yours, their configurations often streamline the process, making reverse proxy connections smoother.

robertainslie · ‎Jun 30, 2023

Hi @AAlsalkhadi - based on my understanding of what you're trying to accomplish, this is not feasible and/or doesn't require HubSpot be part of the equation OR that you'll have to significantly alter how you're thinking about this.

When setting up a reverse proxy, think of your HubSpot hosted content as one of the destinations of traffic and origins of content.

In this circumstance, there are 2 content origins: the job portal and the HubSpot CMS hosted pages.

You both describe a subdomain scenario and a 'main domain' scenario, but I'm going to assume your desired behavior is:

A visitor requests a page of client-domain.com
The page could originate from client-subdomain.rexx-systems.com OR from HubSpot CMS
The visitor sees client-domain.com/some-HS-page in their browser OR the client sees client-domain.com/some-job-post-page

Assuming this is the desired behavior, you will need to set up a proxy so that all traffic to client-domain.com first hits a CDN or nginx server. Nginx then determines if the traffic should be routed to the HubSpot CMS or to the job portal.

Traffic does not hit HubSpot's servers and then get proxied, rather, traffic hits your nginx server and that proxies to HubSpot OR to your secondary content origin.

To set this up, you would have to disconnect your DNS from HubSpot's provided CNAME and instead point it at your proxy server.

As such, if you attempt to do this, I would HIGHLY recommend contacting your HubSpot Customer Success Manger to discuss purchasing a Professional Services Techincal Consulting package to help with the specific details in planning this.

Feel free to drop me a DM if you need assistance with finding who your Customer Success Manager is.

Let me know if I've understood your desired behavior properly.

AAlsalkhadi · ‎Jul 3, 2023

Hello @robertainslie,

thank you for the detailed reply.

Based on the information you provided, it would be fine, if we use a subdomain instead of the domain already connected to Hubspot. I am trying to make it work for jobs.client-domain.com.

I was able to connect this domain and verify the Domain ownership via pre-provisioning.
Now I am wondering, How nginx.conf would look like, considering, that I am not sure yet, whether I should use Nginx in a Docker Container deployed on Google Cloud Run. I am also trying to configure it using Amazon CloudFront.

Can you please provide more information about that.
I am not sure yet, how to reverse proxy client-domain-portal.rexx-systems.com to the "added to HubSpot but not directly connected" domain.

You mentioned in one of your replies:

"In HubSpot, I have the domain tc.robertpainslie.com added to my Domain Manager - this is the exact domain I want to proxy! DO NOT create a new subdomain that is added to HubSpot - you want the initiating domain to be the exact same that you add to HubSpot. When connecting, the domain should already be live and hosting content over a secure connection. When this happens, HubSpot will detect the existing secure connection and ask you to pre-provision SSL - take the CNAME and TXT record and verify in your DNS."

And you also mentioned, that the "added to HubSpot but not directly connected" domain is also the domain, which will be displayed on hubspot.

What am I doing wrong?

CMS Development