This tutorial covers how to configure HSTS-compatible click tracking, so that
requests to links.[YOUR_DOMAIN].com go through SSL/TLS.
https://links.[YOUR_TOP_LEVEL_DOMAIN].com needs to reroute to
https://links.iterable.com, where we set cookies on the URL for tracking
purposes before redirecting back to your domain.
The reason for this setup is that
links.iterable.com lives behind an
AWS ELB. Currently the only way to support SSL on ELB is via a custom
CloudFront Distribution, because it supports SNI
and is able to proxy dynamic content to any origin server. Another option
might be a serverless API Gateway + Lambda setup, but that won't be explored
in this tutorial.
1. Generate an SSL certificate
Generate an SSL certificate for the domain (i.e.
links.[YOUR_DOMAIN].com) which you want to CNAME to
links.iterable.com. We recommend doing this through AWS Certificate Manager for convenience, but you can use another service as well. You can learn how to do that in Amazon's documentation.
Continue to the next step once you've approved the certificate.
2. Create a new CloudFront distribution
Go to https://console.aws.amazon.com/cloudfront/ and click Create Distribution.
Select Web as your delivery method.
- Origin Domain Name:
- Origin Path: leave blank
- Origin ID:
- Origin SSL Protocols: check only TLS1.2
- Origin Protocol Policy: HTTPS Only
- HTTP Port:
- HTTPS Port:
Default Cache Behavior
If using Iterable's unsubscribe page, allow POST as well (otherwise resubscribe requests from the page will fail)
- Viewer Protocol Policy: HTTP and HTTPS (default)
- Allowed HTTP Methods:
- Cache Based on Selected Request Headers: All
- Minimum TTL:
- Maximum TTL:
- Default TTL:
- Forward Cookies: All
- Query String Forwarding and Caching: Forward all, cache based on all
- Smooth Streaming: No (default)
- Restrict Viewer Access: No (default)
- Lambda Function Associations: leave blank
- Choose the certificate that you created through ACM or through another service
- Price Class: Use All Edge Locations (default)
- AWS WAF Web ACL: None (default)
- Alternate Domain Names (CNAMEs):
links.[YOUR_DOMAIN].com. For example,
- SSL Certificate: Custom SSL Certificate
- Custom SSL Client Support: Only Clients that Support Server Name Indication (SNI)
- Security Policy: TLSv1.2
- Supported HTTP Versions: HTTP/2, HTTP/1.1, HTTP/1.0 (default)
- Default Root Object: leave blank
- Logging: Off (default)
- Bucket for Logs: leave blank
- Log Prefix: leave blank
- Cookie Logging: Off (default)
- Enable IPv6: Enable
- Distribution State: Enabled (default)
- Click Create Distribution once everything looks good.
3. Wait for your CloudFront distribution to deploy
On the CloudFront Distributions page, your distribution should have an In Progress status, with a spinning arrow.
Once that changes to Deployed, copy the URL of your CloudFront distribution from Domain Name under the General tab of your distribution. You will need this when updating your DNS.
4. Confirm the configuration of your CloudFront distribution
Use the openssl command line tool to confirm correct configuration:
openssl s_client -servername [CNAME] -connect [CLOUDFRONT_DISTRO_URL]:443
If you don't see an output that contains your certificate, double-check your CloudFront distribution settings.
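The openssl check only covers the certificate. As an added example (not part of Iterable's or AWS's documentation), the script below audits the settings from step 2 against the `DistributionConfig` object returned by `aws cloudfront get-distribution-config`. It assumes the legacy `ForwardedValues` layout; the function name, the origin ID and the sample config are constructed for illustration.

```python
def audit_distribution(cfg, tracking_domain):
    """Return a list of findings; an empty list means the config matches step 2."""
    findings = []
    viewer = cfg.get("ViewerCertificate", {})
    forwarded = cfg.get("DefaultCacheBehavior", {}).get("ForwardedValues", {})

    if tracking_domain not in cfg.get("Aliases", {}).get("Items", []):
        findings.append(f"{tracking_domain} missing from Alternate Domain Names")
    if viewer.get("SSLSupportMethod") != "sni-only":
        findings.append("Custom SSL Client Support is not SNI-only")
    if not viewer.get("MinimumProtocolVersion", "").startswith("TLSv1.2"):
        findings.append("viewer Security Policy is not TLSv1.2")

    for origin in cfg.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig", {})
        oid = origin.get("Id")
        if custom.get("OriginProtocolPolicy") != "https-only":
            findings.append(f"origin {oid}: protocol policy is not HTTPS Only")
        if custom.get("OriginSslProtocols", {}).get("Items") != ["TLSv1.2"]:
            findings.append(f"origin {oid}: SSL protocols are not TLS1.2 only")

    # Tracking cookies and per-link query strings must reach the origin.
    if forwarded.get("Cookies", {}).get("Forward") != "all":
        findings.append("cookies are not all forwarded")
    if forwarded.get("QueryString") is not True:
        findings.append("query strings are not forwarded")
    # "Cache Based on Selected Request Headers: All" is stored as ["*"].
    if forwarded.get("Headers", {}).get("Items") != ["*"]:
        findings.append("request headers are not all forwarded")
    return findings

# Constructed sample, trimmed to the fields the audit reads.
SAMPLE_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["links.example.com"]},
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "tracking-origin",  # hypothetical origin ID
        "CustomOriginConfig": {
            "OriginProtocolPolicy": "https-only",
            "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}}]},
    "DefaultCacheBehavior": {"ForwardedValues": {
        "QueryString": True,
        "Cookies": {"Forward": "all"},
        "Headers": {"Quantity": 1, "Items": ["*"]}}},
    "ViewerCertificate": {"SSLSupportMethod": "sni-only",
                          "MinimumProtocolVersion": "TLSv1.2_2018"},
}

if __name__ == "__main__":
    for line in audit_distribution(SAMPLE_CONFIG, "links.example.com") or ["config matches"]:
        print(line)
```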
5. Update your DNS
Set a CNAME record in your DNS settings, using this pattern:
links.[YOUR_DOMAIN].com CNAME [YOUR_CF_URL].
For example:
links.mysite.com CNAME d49jhgak555.cloudfront.net.
- If you are using Amazon Route 53, it is possible to use an alias record (A record) instead of a CNAME record as noted in this documentation. If you plan to use an alias record (A record) instead of a CNAME record, you will need to ensure that you are passing through the User-Agent header. This will allow you to track and record device information.
- You will need to set up a custom CloudFront distribution for each tracking domain in your project.
6. Set up a tracking domain in Iterable
Navigate to Settings > Mail Domains and add
links.[YOUR_DOMAIN].com as a tracking domain.
Set that tracking domain as the default.
Edit the new tracking domain and toggle on Enable HTTPS.
For more information, read Sending Domains, Tracking Domains and Deep Links.