TR-4678 Update guides on setting up HTTPS ET (#752)

content/docs/tech-resources/deep-links-self-serve.md

@@ -1,5 +1,5 @@
 ---
-lastUpdated: "02/24/2021"
+lastUpdated: "09/30/2023"
 title: "Using Mobile Universal and App Links with SparkPost"
 description: "A guide to including iOS universal links and Android App Links in your SparkPost-delivered email"
 ---
@@ -444,19 +444,20 @@ To get Android to [auto-verify](#auto-verify) your app's domains (skipping the u
 #
 <VirtualHost _default_:80>
   ServerName yourtrackingdomain.example.com
-  ProxyPass "/f/" "http://spgo.io/f/"
+  # The backend IPs can change, so disablereuse=On is required
+  ProxyPass "/f/" "http://spgo.io/f/" disablereuse=On
   ProxyPassReverse "/f/" "http://spgo.io/f/"
-  ProxyPass "/q/" "http://spgo.io/q/"
+  ProxyPass "/q/" "http://spgo.io/q/" disablereuse=On
   ProxyPassReverse "/q/" "http://spgo.io/q/"
 
   Alias "/.well-known" "/var/www/html/securetrack/.well-known"
 </VirtualHost>
 
 <VirtualHost _default_:443>
   ServerName yourtrackingdomain.example.com
-  ProxyPass "/f/" "http://spgo.io/f/"
+  ProxyPass "/f/" "http://spgo.io/f/" disablereuse=On
   ProxyPassReverse "/f/" "http://spgo.io/f/"
-  ProxyPass "/q/" "http://spgo.io/q/"
+  ProxyPass "/q/" "http://spgo.io/q/" disablereuse=On
   ProxyPassReverse "/q/" "http://spgo.io/q/"
 
   Alias "/.well-known" "/var/www/html/securetrack/.well-known"
@@ -488,6 +489,8 @@ To check your files are served correctly and Android auto-verify is working - se
 1. Add `location` blocks to your config to declare the spec files on your tracking domain, which will allow Android to [auto-verify](#android-testing-auto-verify). Here is a complete example, including the engagement-tracking `proxy-pass` block done in step 1.
 
     ```
+    resolver 10.0.0.2 valid=10s;
+
     server {
         listen 80;
         listen 443 ssl http2;
@@ -513,7 +516,9 @@ To check your files are served correctly and Android auto-verify is working - se
 
         # pass all other requests through to SparkPost engagement tracking
         location / {
-            proxy_pass      https://spgo.io;
+            set $backend "spgo.io";
+            proxy_pass      https://$backend;
+            proxy_set_header Host $host;
             proxy_set_header X-Forwarded-For $remote_addr; # pass the client IP to the open & click tracker
             server_tokens off; # suppress NGINX giving version/OS information on error pages
         }

content/docs/tech-resources/enabling-https-engagement-tracking-on-sparkpost.md

@@ -1,5 +1,5 @@
 ---
-lastUpdated: "07/10/2023"
+lastUpdated: "09/27/2023"
 title: "Enabling HTTPS Engagement Tracking on SparkPost"
 description: "SparkPost supports HTTPS engagement tracking for customers via self-service for all SparkPost customers. To enable SSL engagement tracking for a domain, additional configuration for SSL keys is required."
 ---
@@ -37,7 +37,7 @@ This document includes step by step guides for the following CDNs.
         * (Cloudflare certificates are auto-issued)
 * AWS CloudFront:
     * [Create a Domain](#step-by-step-guide-with-aws-cloudfront)
-    * [Issue a Certificate](#using-aws-certificate-manager-acm-to-issue-a-certificate-for-your-domains)
+    * [Issue a Certificate](#using-aws-certificate-manager-acm-to-issue-a-certificate-for-your-domain)
 * Fastly:
     * [Create a Domain](#step-by-step-guide-with-fastly)
     * [Issue a Certificate](#issue-a-certificate-with-fastly)
@@ -181,6 +181,8 @@ For up to date information on creating a distribution via CloudFront, please ref
 
    * Optionally, change the name (you can leave this at default).
 
+   * Under "Add custom header", click "Add header". Enter `X-Forwarded-Host` as the header name and your custom tracking domain as the header value.
+
    * Leave "Enable Origin Shield" disabled.
 
    * Skip the "Additional settings".
@@ -246,14 +248,14 @@ For up to date information on creating a distribution via CloudFront, please ref
     * Enable forwarding of the `User-Agent` header. Type in `User-Agent` and click "Add". This allows `User-Agent` data to be present in your engagement events received from SparkPost.
 
       ![](media/enabling-https-engagement-tracking-on-sparkpost/cloudfront_cache5.png)
-
-    * Enable forwarding of the `Host` header. Type in `Host` and click "Add". This allows `Host` data to be present in your engagement events received from SparkPost.
 
-      ![](media/enabling-https-engagement-tracking-on-sparkpost/cloudfront_cache6.png)
+    * Under "Query strings", select "Include the following query strings".
 
-    * Leave Query string and Cookies set to defaults (None). Your origin request settings should now look like this.
+    * Under "Add query string", enter `target`.
 
-      ![](media/enabling-https-engagement-tracking-on-sparkpost/cloudfront_cache7.png)
+    * Leave Cookies set to default (None). Your origin request settings should now look like this.
+
+      ![](media/enabling-https-engagement-tracking-on-sparkpost/cloudfront_cache6.png)
 
     * Click "Create" (on first time) / "Save Changes" (if modifying).
 
@@ -277,15 +279,15 @@ For up to date information on creating a distribution via CloudFront, please ref
 
     * Under "Custom SSL Certificate", select **Custom SSL Certificate** - Upload certificates as needed.
 
-        > If you want to have AWS create a new certificate within AWS instead of importing an existing one, click "Request certificate" and follow the steps [here](#using-aws-certificate-manager-acm-to-issue-a-certificate-for-your-domains) before continuing.
+        > If you want to have AWS create a new certificate within AWS instead of importing an existing one, click "Request certificate" and follow the steps [here](#using-aws-certificate-manager-acm-to-issue-a-certificate-for-your-domain) before continuing.
 
     * Leave the other settings at default / recommended values.
 
     * At the bottom of the page, press **Create Distribution**. This returns you to the main CloudFront Distributions list.
 
         ![](media/enabling-https-engagement-tracking-on-sparkpost/cloudfront_created_new_dist.png)
 
-1. Create, or update, a CNAME record with your DNS service to route queries for tracking domain(s) with your CloudFront distribution ID. This will be specific to your DNS service.
+1. Create, or update, a CNAME record with your DNS service so that requests to your tracking domain are routed to your CloudFront distribution. This will be specific to your DNS service.
 
    * Get the "Domain Name" for your distribution from the Distributions page. You can use the square "copy" button.
 
@@ -309,21 +311,21 @@ For up to date information on creating a distribution via CloudFront, please ref
 1. Follow [these steps](#switch-tracking-domain-to-secure-and-validate) to update and verify your tracking domain.
 
 ---
-### Using AWS Certificate Manager (ACM) to issue a certificate for your domain(s)
+### Using AWS Certificate Manager (ACM) to issue a certificate for your domain
 
-Once your CNAME is set up with your DNS provider, instead of providing an existing certificate, you can have AWS issue a certificate for your custom tracking domain(s).
+Once your CNAME is set up with your DNS provider, instead of providing an existing certificate, you can have AWS issue a certificate for your custom tracking domain.
 
 1. Navigate to the AWS Certificate Manager (ACM). Choose Request a Certificate, then select Request a public certificate.
 
-    Add your domain name(s), select Next.
+    Add your domain name, select Next.
 
     ![](media/enabling-https-engagement-tracking-on-sparkpost/cloudfront_request_cert.png)
 
 1. Choose DNS validation. Add tags if you wish. Select Review, then Confirm and Request.
 
     ![](media/enabling-https-engagement-tracking-on-sparkpost/cloudfront_request_cert2.png)
 
-1. On your DNS provider, create the CNAME records that are used to by AWS to validate that these domain(s) are yours.
+1. On your DNS provider, create the CNAME records that are used by AWS to validate that the domain is yours.
 
     ![](media/enabling-https-engagement-tracking-on-sparkpost/cloudfront_validate_cert.png)
 
@@ -337,7 +339,7 @@ Once your CNAME is set up with your DNS provider, instead of providing an existi
 
     ![](media/enabling-https-engagement-tracking-on-sparkpost/cloudfront_edit.png)
 
-1. Enter your domain names, select "Custom SSL certificate", and select from the drop-down list.
+1. Enter your domain name, select "Custom SSL certificate", and select from the drop-down list.
 
     ![](media/enabling-https-engagement-tracking-on-sparkpost/cloudfront_select_cert.png)
 

content/docs/tech-resources/using-proxy-https-tracking-domain.md

@@ -1,5 +1,5 @@
 ---
-lastUpdated: "05/03/2023"
+lastUpdated: "09/29/2023"
 title: "Using a Reverse Proxy for HTTPS Tracking Domain"
 description: "SparkPost supports HTTPS engagement tracking for customers via self-service for all SparkPost customers. To enable SSL engagement tracking for a domain, additional configuration for SSL keys is required.  This resource outlines the use of a reverse proxy to host SSL certificates"
 ---
@@ -56,18 +56,20 @@ On a Debian distribution, this command will install nginx with a sample configur
 
 Note: you must store `spgo.io` in a variable so that nginx re-resolves the domain when its TTL expires. You also have to include the `resolver` directive to explicitly specify a DNS server to resolve the hostname. By including the `valid` parameter to the directive, you can tell nginx to ignore the TTL and to re‑resolve names at a specified frequency. In the sample below, nginx re‑resolves names every 10 seconds.
 
+Note: as shown in the sample configuration file below, you should forward the `Host` header so that SparkPost can determine the tracking domain used in a request.
+
 ```apacheconf
 resolver 10.0.0.2 valid=10s;
 
 server { # simple reverse-proxy
    listen       80;
-   listen       443 ssl;
    server_name  click.nddurant.com;
 
    # pass requests for dynamic content to rails/turbogears/zope, et al
    location / {
      set $backend "spgo.io";
      proxy_pass https://$backend;
+     proxy_set_header Host $host;
    }
 }
 ```
@@ -234,6 +236,7 @@ server { # simple reverse-proxy
     location / {
         set $backend "spgo.io";
         proxy_pass https://$backend;
+        proxy_set_header Host $host;
         proxy_set_header X-Forwarded-For $remote_addr; # pass the client IP to the open & click tracker
         server_tokens off; # suppress NGINX giving version/OS information on error pages
     }
@@ -270,7 +273,8 @@ Add the following configuration (putting your own tracking domain into the `Serv
 <VirtualHost _default_:80>
   ServerName yourtrackingdomain.example.com
   ServerPath "/"
-  ProxyPass "/" "http://spgo.io/"
+  # The backend IPs can change, so disablereuse=On is required
+  ProxyPass "/" "http://spgo.io/" disablereuse=On
   ProxyPassReverse "/" "http://spgo.io/"
 </VirtualHost>
 ```
@@ -291,7 +295,7 @@ Create an additional port 443 proxy configuration as follows. Set the  certifica
   SSLCertificateFile "/opt/apache2/conf/server.crt"
   SSLCertificateKeyFile "/opt/apache2/conf/server.key"
   ServerPath "/"
-  ProxyPass "/" "https://spgo.io/"
+  ProxyPass "/" "https://spgo.io/" disablereuse=On
   ProxyPassReverse "/" "https://spgo.io/"
   SSLProxyEngine on
 </VirtualHost>