Menu
 

Setting Up HTTPS Link Tracking

By default, tracked links that use your custom subdomain as specified with the CNAME record will be generated as non-secure HTTP links. We support using secure HTTPS tracking links within Customer.io once you’ve configured your link tracking subdomain with a valid SSL certificate. We have more detailed guides to setting up secure link tracking in our Universal Links documentation. However, if you don’t need to configure iOS or Android app links and only want to enable HTTPS on regular links, here are two simpler configurations using either Amazon CloudFront or NGINX.

  1. Navigate to Amazon CloudFront. Once you have created an account or are logged into your existing account, navigate to the AWS Certificate Manager

  2. Request a new certificate for the domain your link whitelabel is configured for (e.g. links.example.com)

  3. AWS will send an email to the appropriate domain owners, requesting them to approve the certificate

HTTPS Links - AWS Certificate Manager

  1. Ensure that the certificate is approved and issued

  2. Navigate to AWS CloudFront

  3. Create a new Distribution that is a Web delivery method

  4. Under the Origin Settings section, set the fields as follows:

HTTPS Links - Cloudfront Origin Settings

  • Origin Domain Name: track.customer.io
  • Origin ID: track.customer.io
  • Origin SSL Protocols: only TLSv1.2
  • Origin Protocol Policy: HTTPS Only
  1. Under the Default Cache Behavior Settings section, set the fields as follows:

HTTPS Links - Cloudfront Cache Behavior Settings

  • Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
  • Cache Based on Selected Request Headers: All
  • Forward Query Strings: Forward all, cache based on all
  1. Under the Distribution Settings section, set the fields as follows:

HTTPS Links - Cloudfront Distribution Settings

  • Alternate Domain Names: links.example.com (replace with whatever your link tracking domain is)
  • SSL Certificate: Custom SSL Certificate, pointing to the appropriate ACM certificate
  1. Click Create Distribution

  2. Wait for the distribution to deploy

  3. Verify that the distribution serves the Customer.io API via HTTPS. Do this using the Cloudfront Domain Name and without changing the real DNS to avoid causing any issues with existing links.

HTTPS Links - Cloudfront Distribution Overview

HTTPS Links - Cloudfront Verification

  1. Once you’ve verified your Cloudfront distribution is serving the Customer.io API via HTTPS update your DNS record to change the CNAME record for links.example.com to send traffic to your Cloudfront Domain Name which is shown on the General overview tab of your Cloudfront distribution.
  • CNAME record name: links.example.com
  • CNAME record value: CHANGEME.cloudfront.net
  1. Finally, back in Customer.io on your deliverability settings page, enter the domain you configured for HTTPS (e.g. links.example.com) in the CNAME field and click the Check now button to re-validate the domain. You should now pass the HTTPS check and tracking links will use HTTPS by default.

Email - Verification Status

Alternatively you can use your own server to serve HTTPS tracked links from. The following instructions will guide you through setting up NGINX, however it’s possible to use other server software to accomplish this.

  1. Request a new SSL certificate for the domain your link whitelabel is configured for (e.g. links.example.com)

  2. Place the certificate chain into the file named /etc/pki/tls/certs/links.example.com.crt

  3. Place the private key into the file named /etc/pki/tls/private/links.example.com.key

  4. Create the file /etc/nginx/conf.d/links.example.com.conf, with the following content:

server {
  listen 80;
  listen 443 ssl;
  server_name 'links.example.com';
  ssl_certificate '/etc/pki/tls/certs/links.example.com.crt';
  ssl_certificate_key '/etc/pki/tls/private/links.example.com.key';
  location / {
    proxy_pass 'https://track.customer.io';
    proxy_set_header 'Host' 'links.example.com';
  }
}
  1. Update your DNS record to change the CNAME record for links.example.com to send traffic to your NGINX server. If you’re specifying the IP address of your server this will need to be an A record instead of a CNAME record.
  • A record name: links.example.com
  • A record value: IP Address of your NGINX server
  1. Finally, back in Customer.io on your deliverability settings page, enter the domain you configured for HTTPS (e.g. links.example.com) into the CNAME field and click the Check now button to re-validate the domain. You should now pass the HTTPS check and tracking links will use HTTPS by default.

Email - Verification Status