How to Set-up HTTPS for Links for Click Tracking

Background

This tutorial will cover how to configure HSTS-compatible click tracking, meaning links.[YOUR_DOMAIN].com go through SSL/TLS. https://links.[YOUR_TOP_LEVEL_DOMAIN].com needs to reroute to https://links.iterable.com, where we set cookies on the URL for tracking purposes before redirecting back to your domain.

The reason for this setup is that links.iterable.com lives behind an AWS ELB. Currently the only way to support SSL on ELB is via a custom CloudFront Distribution, because it supports SNI and is able to proxy dynamic content to any origin server. Another option might be a server-less API Gateway + Lambda setup, but that won't be explored in this tutorial. 

Setup

Generate an SSL Certificate

1. Generate an SSL certificate for the domain which you want to CNAME to links.iterable.com. We recommend doing this through AWS Certificate Manager due to the convenience, but you can use another service as well. You can learn about how to do that here.
2. Continue to the next step once you've approved the certificate

Create a new CloudFront Distribution

1. Go to https://console.aws.amazon.com/cloudfront/ and click “Create Distribution”
2. Select “Web” as your delivery method
3. Origin Settings
1. Origin Domain Name: links.iterable.com
2. Origin Path: leave blank
3. Origin ID: Custom-links.iterable.com
4. Origin SSL Protocols: check all but SSLv3 (don't select this due to POODLE vulnerability) (default)
5. Origin Protocol Policy: HTTPS Only
6. HTTP Port: 80 (default)
7. HTTPS Port: 443(default)
4. Default Cache Behavior
   • If using Iterable's unsubscribe page, allow POST as well (otherwise resubscribe requests from the page will fail)
1. Viewer Protocol Policy: HTTP and HTTPS (default)
2. Allowed HTTP Methods: GET, HEAD (default)
3. Forward Headers: All
4. Object Caching: Use Origin Cache Headers
5. Minimum TTL: 0 (default)
6. Maximum TTL: 31536000 (default)
7. Default TTL: 86400
8. Forward Cookies: All
9. Query String Forwarding and Caching: Forward all, cache based on all
10. Smooth Streaming: No (default)
11. Restrict Viewer Access: No (default)
12. Lambda Function Associations: leave blank
5. Distribution Settings
   1. Choose the certificate that you created through ACM or through another service
1. Price Class: Use All Edge Locations (default)
2. AWS WAF Web ACL: None (default)
3. Alternate Domain Names (CNAMEs): links.[YOUR_DOMAIN].com (i.e. links.mysite.com)
4. SSL Certificate: Custom SSL Certificate
5. Supported HTTP Versions: HTTP/2, HTTP/1.1, HTTP/1.0 (default)
6. Default Root Object: leave blank
7. Logging: Off (default)
8. Bucket for Logs: leave blank
9. Log Prefix: leave blank
10. Cookie Logging: Off (default)
11. Enable IPv6: Enable
12. Distribution State: Enabled (default)
13. Click “Create Distribution” once everything looks good.
6. Wrap up
1. On the “CloudFront Distributions” page, you should see your distribution in an “In Progress” status with a spinning arrow.
2. Once that changes to “deployed”, copy the URL of your CloudFront distribution from “Domain Name” under the “General” tab of your distribution. You will need this for the “Deploy” step.
3. Go to https://app.iterable.com/settings/mailDomains and add links.YOUR_DOMAIN.com as a tracking domain.  Also be sure to toggle "Use HTTPS" on, and set that tracking domain as default.

Confirm correct configuration

1. Use the openssl command line tool to confirm correct configuration
2. openssl s_client -servername [CNAME] -connect [CLOUDFRONT_DISTRO_URL]:443
3. If you don't see an output that contains your certificate, double-check your CloudFront Distribution settings.

Deploy

1. Set a CNAME record in your DNS settings
1. links.[YOUR_DOMAIN].com CNAME [YOUR_CF_URL]
2. i.e.: links.mysite.com CNAME d49jhgak555.cloudfront.net
2. After about 1 hour, navigating to https://links.mysite.com should redirect to the Iterable app.