How to Self-Host a Domain
Introduction
This guide will explain how to set up a reverse proxy with Amazon Web Services (AWS), allowing you to source and self-host your own domains, for the purpose of generating opt-out links within your SUPPRESS account.
Self-hosting your own Opt-Out Domains is doable, but can be resource intensive in both fixed costs and maintenance requirements. OPTIZMO's Managed Domain services within SUPPRESS are inexpensive and provide:
- SSL signing of your Opt-Out pages
- High availability (99.999% uptime SLAs)
- Automatic scaling to meet traffic demands
- 24/7 monitoring, giving you peace of mind that you remain compliant
- DDoS protection should your opt-out domain be picked up by bad actors
- One Click provisioning
- ISP Abuse Report protection
Prerequisites
In order to begin provisioning your own self-hosted domains for use within SUPPRESS, you'll need:
- An AWS account with admin credentials
- A SUPPRESS account with a managed domain to proxy your Opt-Out requests to. Note this domain, as it will be required later in the guide
- The new domain you've purchased that you want to use for collecting Opt-Out traffic
Procedure
- Log in to AWS and navigate to EC2 -> Load Balancers -> Create Load Balancer
- Select Network Load Balancer -> Create
- Choose a suitable name
- For Scheme select Internet Facing
- Add TCP and TLS listeners (port 80 and 443 respectively)
- For VPC, select at least 1 AZ (3 are selected here). The more AZs, the greater the redundancy
- Click Next: Configure Security Settings
- Click Request a new certificate from ACM -> Request a certificate -> Request a public certificate
- Enter your BYO self-hosted domain
- Enter the www subdomain
- There are different ways to prove to AWS that you own the domain. In this example, we selected DNS validation
- Click Request
- Click on the certificate to see the CNAME name and CNAME value fields you need to enter into your self-hosted domain's DNS provider.
- Enter these like so (this example is showing Constellix as the DNS provider)
- After a while, you should see that the certificate is issued by AWS.
- Back in the configure Load Balancer menu
- Select the Certificate you have created for the load balancer
- Click Next: Configure Routing. Note the Network Load Balancer can take more than one certificate should you have many self-hosted domains.
- In Configure Routing
- Choose New Target Group
- Choose a suitable name
- Choose TCP Port 80
- Click Next: Register Targets
- Next, create the instance(s) you wish to add to your target group. You should consider multiple instances spread across multiple AZs for some redundancy; this guide only creates one.
- Choose Instances -> Launch Instance
- Type a suitable Name
- Choose an operating system image (AMI). We selected Ubuntu Server 22.04 LTS
- Choose a suitable Instance size - for our testing we selected a t2.micro
- At this point, we need to create an SSH key for administering our instances. Click Create new key pair
- In Create key pair
- Type a suitable Key pair name
- Choose the key pair type: RSA or ED25519
- Choose your key format. We are using Linux/Mac so we chose a .pem format
- Click Create key pair
- Download the key
- Back on the Launch an instance screen
- Choose the key pair you just created
- Choose to Create security group
- Check Allow SSH traffic from -> My IP
- Click Launch Instance
- Once the instance has finished booting up
- Click on it and in the description tab, locate the Public DNS value and copy it to your clipboard
- On your local machine (assuming Linux/macOS)
- Change the permissions for the downloaded key
- Check you can SSH into your host
- Now we have an Ubuntu instance created, we can finally finish that Target Group we started to create earlier.
- Under EC2 -> Target Groups
- Click your Target Group
- Click Actions -> Register and deregister instance / ip targets
- In the Register and deregister targets window
- Select your instance
- Click Add to registered
- Click Save
- Back in EC2 -> Instances
- Select our instance and once again view the description tab
- Click on the Security Group that was created. We need to open some ports
- Select the Security Group
- Click Actions -> Edit inbound rules
- Add HTTP from anywhere and click save
- At this point we have set up:
- An SSH key for authenticating with our EC2 instances
- A security group allowing SSH connections and port 80 traffic to our instances
- An Ubuntu VM
- An AWS SSL certificate for signing 443 requests
- A Network load balancer
- Listening on port 80 and forwarding to our target group on port 80
- Listening and Terminating any 443 requests with our SSL certificate and then forwarding to the target group on port 80
- Next, we need to configure our Ubuntu VM to proxy these port 80 requests to your managed domain. For this, we will use NGINX. This part of the guide was heavily influenced by this great guide: How To Install Nginx on Ubuntu 20.04 | DigitalOcean
- First SSH back into the Instance
- Run:
# Install nginx
sudo apt update
sudo apt install nginx -y
# enable Nginx to start on boot
sudo systemctl enable nginx
# create a folder for our configuration
sudo mkdir -p /var/www/reverse_proxy/html
# Set the correct permissions
sudo chown -R $USER:$USER /var/www/reverse_proxy/html
sudo chmod -R 755 /var/www/reverse_proxy
- Next, create and open the following file by typing:
sudo nano /etc/nginx/sites-available/reverse_proxy
- Paste the following into that file:
server {
    listen 80;
    # catch all
    location / {
        # Update the domain below with your complimentary managed domain in your account
        proxy_pass https://www.example.com;
        proxy_set_header Host www.example.com;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_server_name on;
    }
}
- Type the following to save and exit the nano editor:
ctrl+x Y Enter
- Create a symbolic link to this newly created nginx config file:
sudo ln -s /etc/nginx/sites-available/reverse_proxy /etc/nginx/sites-enabled/
- Remove the default server configuration symbolic link
sudo rm /etc/nginx/sites-enabled/default
- Restart NGINX to apply the changes
sudo systemctl restart nginx
- The final step is to add ANAME or A records from your DNS provider to point to the public IP address(es) of your Network LB
- If your DNS provider supports ANAME records you can simply create one that points to the public DNS of your LB
- First, find the public DNS of your LB by navigating to EC2 -> Load Balancers and finding the DNS name
- Next, create ANAME records for the root and www subdomain that point to that DNS name. Example shown is Constellix
- If you cannot create an ANAME record then you will have to create A records for the IP address your Network Load Balancer has.
- To find these IP addresses go to Network Interfaces
- Find those that have a description matching your Network Load Balancer and find their Public IPv4 Address
- If you have followed all the steps above correctly, you should be able to visit www.your-self-hosted-domain.com and it should proxy to your configured managed domain
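The NGINX server block in this guide proxies to an https:// upstream, and NGINX leaves proxy_ssl_verify off by default, so the managed domain's certificate is not checked by the proxy. The following POSIX shell script is an added example, not part of the original guide: it audits the guide's config and a constructed hardened variant. The function names and the CA bundle path /etc/ssl/certs/ca-certificates.crt (the Ubuntu default) are assumptions.

```sh
# Added example. page_conf: the guide's server block, reproduced as sample input.
page_conf() {
    cat <<'EOF'
server {
    listen 80;
    location / {
        proxy_pass https://www.example.com;
        proxy_set_header Host www.example.com;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_server_name on;
    }
}
EOF
}

# hardened_conf: constructed variant that also verifies the upstream certificate
# against the system CA bundle (path is the Ubuntu default, an assumption).
hardened_conf() {
    page_conf | sed 's|proxy_ssl_server_name on;|&\
        proxy_ssl_verify on;\
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;|'
}

# has_directive FILE NAME VALUE_REGEX: true if an uncommented "NAME VALUE;" exists.
has_directive() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*;" "$1"
}

# audit_proxy_conf FILE: print one line per finding; return 1 if any were found.
audit_proxy_conf() {
    conf=$1; rc=0
    has_directive "$conf" proxy_pass 'https://[^;[:space:]]+' || return 0
    has_directive "$conf" proxy_ssl_server_name on ||
        { echo "SNI not sent to upstream: set proxy_ssl_server_name on"; rc=1; }
    has_directive "$conf" proxy_ssl_verify on ||
        { echo "upstream certificate not verified: set proxy_ssl_verify on"; rc=1; }
    has_directive "$conf" proxy_ssl_trusted_certificate '[^;[:space:]]+' ||
        { echo "no CA bundle: set proxy_ssl_trusted_certificate"; rc=1; }
    return "$rc"
}

# Demo: write both variants to temporary files and audit them.
demo_dir=$(mktemp -d)
page_conf > "$demo_dir/page.conf"; hardened_conf > "$demo_dir/hardened.conf"
for name in page hardened; do
    echo "== $name"; audit_proxy_conf "$demo_dir/$name.conf" || true
done
rm -rf "$demo_dir"
```

After adding the two directives to /etc/nginx/sites-available/reverse_proxy, run sudo nginx -t before restarting so a syntax error does not take the proxy down.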
If you have any further questions, please contact: support@optizmo.com