Can I set up a reverse proxy on HubSpot?

Last updated: October 14, 2016

No. Setting up the HubSpot COS with a SSL reverse proxy is absolutely not supported and it is not recommended to be attempted.

A SSL reverse proxy on the HubSpot COS compromises our delivery system and it will not work when/if traffic volume grows. We will only support SSL with COS when it is provisioned via one of the HubSpot SSL Offerings.

The HubSpot Content Optimization System (COS) is fully integrated with Akamai’s content delivery network, global web acceleration and firewall technologies.  SSL is an integrated, though optional component to that system.  When certificates are added to the system, they are distributed globally across hundreds of servers and IP addresses in order to ensure we continue to deliver at Internet scale, performance and security.

If it worked, a proxy would introduce a single point of failure or attack vector that is rooted in a single geographic location.  In addition to being incompatible, a proxy will fundamentally compromise the COS systems architecture. 

Why a SSL reverse proxy should not be setup:

  • It will break authoritative DNS checks. The likely result will be an unauthorized response.
  • It will compromise Performance.  With a proxy, performance is directly dependent on the proxy itself as well as how physically distant the end user is from the location of the proxy.  Even on a good day, the farther away the user is from the proxy, the lesser their performance will be.
  • It will compromise Service Level.  If there is an issue with a proxy, then the site will be impacted or will be down.
  • It will compromise Security.  By its nature a proxy exposes the site to direct IP DoS with few mitigation options.  It will also invalidate much of the functionality in our integrated Web Application Firewall which allows us to automatically and easily defend our customer sites.
  • It will significantly limit Scalability.  All traffic would be funneled through a proxy thereby negating our distributed design and massive scale.  With a proxy we could not deliver a highly performing COS site through significant traffic spikes (legitimate or due to DoS).
  • Traffic via reverse proxy will be subject to rate limits and will be automatically blocked when rate is exceeded.

In short, don't do it.