Configure a CloudFront Proxy Distribution for Engagement Tracking

Here are the steps required to set up an AWS CloudFront distribution in front of our engagement tracking endpoints. This setup assumes you are also using AWS Route 53 for DNS zone hosting.

Before you can use any proxy in front of the tracking servers, you must open a support case to disable tracking domain validation. You are responsible for validating that your configuration works properly before sending any messages. Failure to do so could result in broken redirect links.

Configure CloudFront Distribution


1. Navigate to the CloudFront service and click the Create Distribution button.

2. Type a Distribution name (1) and enter the Domain name you will be using (2). 

Note that CloudFront automatically detected that we are using AWS Route 53 (3). If you don't see this, you may need to configure DNS records manually with your provider.


3. Specify Origin type: Other and enter the Custom origin: tracking.socketlabs.com


4. On Enable security select Do not enable security protections.

Configuring the Web Application Firewall (WAF) is outside the scope of this document. While enabling the WAF should work, we recommend starting off in Use monitor mode to make sure there is no impact on your engagement tracking before setting it to active.


5. If you don't have a matching certificate in AWS Certificate Manager (ACM), you can click the Create certificate button to have it set up automatically.


6. On the final page, Review and create, click Create distribution.

7. On the General page, click Route domains to CloudFront.

8. Click Set up routing automatically


9. Go to the Behaviors (1) tab, click the Origin (2), and select Edit (3) 


10. Under Cache key and origin requests > Cache policy (1) select UseOriginCacheControlHeaders-QueryStrings. 

To enable HTTP Strict Transport Security (HSTS), change the Response headers policy (2): select SecurityHeadersPolicy from the drop-down.

Save Changes.

11. After your changes are deployed to CloudFront, navigate to your domain name and verify you can see the default link error page: 

If you can see an error page like this, then you have configured your proxy correctly.
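
A header check to complement the browser check in step 11, added here as an example and not part of the original guide: it reads response headers on stdin and confirms that the response came through CloudFront and carries the HSTS header enabled in step 10. The function names, the placeholder domain track.example.com, and the sample headers are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: validate response headers from the proxied tracking domain.
# Live use (track.example.com is a placeholder for your tracking domain):
#   curl -sI https://track.example.com/ | check_proxy_headers

# Print the value of header $1 (case-insensitive) from the header block in $2.
header_value() {
  printf '%s\n' "$2" | tr -d '\r' | awk -v name="$1" '
    BEGIN { name = tolower(name) }
    {
      i = index($0, ":")
      if (i > 0 && tolower(substr($0, 1, i - 1)) == name) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
      }
    }'
}

# Read response headers on stdin; return 0 only when every check passes.
check_proxy_headers() {
  local headers via hsts max_age rc=0
  headers=$(cat)

  # CloudFront identifies itself in the Via response header.
  via=$(header_value via "$headers")
  case "$via" in
    *cloudfront*|*CloudFront*) echo "ok: served through CloudFront" ;;
    *) echo "FAIL: no CloudFront Via header (DNS may bypass the proxy)"; rc=1 ;;
  esac

  # HSTS from the response headers policy must carry a positive max-age.
  hsts=$(header_value strict-transport-security "$headers")
  max_age=$(printf '%s' "$hsts" | sed -n 's/.*[Mm]ax-[Aa]ge=\([0-9][0-9]*\).*/\1/p')
  if [ -n "$max_age" ] && [ "$max_age" -gt 0 ]; then
    echo "ok: HSTS max-age=$max_age"
  else
    echo "FAIL: Strict-Transport-Security missing or max-age=0"; rc=1
  fi
  return "$rc"
}

# Constructed sample headers (not captured from a real distribution; the
# status line is illustrative and is not checked).
SAMPLE_OK='HTTP/2 404
content-type: text/html
via: 1.1 0123456789abcdef.cloudfront.net (CloudFront)
strict-transport-security: max-age=31536000
x-cache: Error from cloudfront'

printf '%s\n' "$SAMPLE_OK" | check_proxy_headers
```

A failing Via check after deployment usually means the DNS record still points somewhere other than the distribution; a failing HSTS check means the response headers policy from step 10 was not saved or has not finished deploying.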

Configure your domain for engagement tracking

1. Log into the portal and navigate to Configuration > Advanced Authentication.

2. Scroll down and click +Add Tracking Domain.

3. Enter the domain you configured and click Add Domain.

4. Once your Encrypted domain is set up, you should see the status go from Pending to Active.


Your setup is now complete.