{"section":"tutorials","requestedLocale":"en","requestedSlug":"insert-reverse-proxy-in-front-of-vtex-services","locale":"en","slug":"insert-reverse-proxy-in-front-of-vtex-services","path":"docs/en/tutorials/infrastructure/cdn-service/insert-reverse-proxy-in-front-of-vtex-services.md","branch":"main","content":"> ❗ This guide addresses a practice that is **not recommended** for most stores and should only be applied in extreme cases. Implementing a reverse proxy replaces all perimeter services (CDN) managed and optimized by VTEX. This means that the store will be responsible for effective site provisioning, including configuring, monitoring, and managing aspects such as header passing, cookies, and caching. VTEX doesn't provide support or documentation for this specific configuration and is not responsible for any issues that may arise. VTEX is not responsible for problems with this system, whether related to our CDN, WAF service, or any other resource in front of our servers. We will not have visibility into the operation, and therefore, the solution is **not** covered under our SLA agreements.\n\nTo point your own CDN to the VTEX CDN, you need to insert a reverse proxy in front of VTEX services. The traffic flow follows this path:\n\n1. Store: Point of origin of traffic.\n2. Reverse proxy: Intermediary set up by you.\n3. CDN used by VTEX: Default CDN used by VTEX.\n4. VTEX: End servers used by VTEX.\n\nFollow the guidelines below to implement the reverse proxy:\n\n- [TXT record](#txt-record)\n- [Traffic routing](#traffic-routing)\n- [SSL certificate responsibilities](#ssl-certificate-responsibilities)\n\n## TXT record\n\nTo correctly direct your domain to the VTEX CDN, create a TXT record in `_{hostname}` format using the `{hostname}.cdn.vtex.com` value in the DNS zone of your domain.\n\nReplace `{hostname}` with the [subdomain, domain, and top-level domain](/docs/tutorials/configuring-the-store-domain) of your store. Example: `www.mystore.com`. 
Make sure to include the underscore `_` before the hostname.\n\nFormat:\n\n```\nName: _{hostname}\nType: TXT\nValue: {hostname}.cdn.vtex.com\n```\n\nExample:\n\n```\nName: _www.mystore.com\nType: TXT\nValue: www.mystore.com.cdn.vtex.com\n```\n\n## Traffic routing\n\nIn the reverse proxy configuration file, configure traffic routing to VTEX. Make sure that the `Host` header contains the original domain. Use the format below for HTTP requests from the reverse proxy to VTEX:\n\n```bash\ncurl http://{hostname}.cdn.vtex.com/ -H 'Host: {hostname}'\n```\n\nExample:\n\n```bash\ncurl http://www.mystore.com.cdn.vtex.com/ -H 'Host: www.mystore.com'\n```\n\nThe traffic routing configuration and the HTTP request format may vary depending on the reverse proxy software solution you use.\n\n## SSL certificate responsibilities\n\nResponsibilities for SSL certificates are organized as follows when a reverse proxy is used:\n\n- The external CDN (reverse proxy) manages the SSL certificate for communication between the client and the reverse proxy.\n- VTEX manages the SSL certificate for communication between the reverse proxy (external CDN) and VTEX servers.\n\nTo use the automatic SSL certificate (Let's Encrypt) provided by VTEX, you must make sure that the proxy doesn't block ACME validation and that the DNS is configured correctly. 
Make sure that all HTTP traffic to `/.well-known/acme-challenge/*` reaches VTEX without changes, meaning without internal redirects (HTTP → HTTPS), traffic blocks, or modifications.\n\nSome reverse proxies may intercept this route, preventing VTEX from issuing or renewing the SSL certificate.\n\n### Certificate validation requirements\n\n- Route `/.well-known/acme-challenge/*` directly to the VTEX origin `{hostname}.cdn.vtex.com` (example: `www.mystore.com.cdn.vtex.com`), preserving the original `Host` header (example: `Host: www.mystore.com`).\n- Do not apply barriers (CAPTCHA, login redirects, error pages, or custom HTML) to this route.\n- Do not cache this route.\n\n### Certificate options\n\nDepending on whether you want to rely on the automatic validation of Let's Encrypt, there are two options:\n\n#### Continue using the automatic certificate (Let's Encrypt) provided by VTEX\n\n- Requires a stable proxy configuration as described above.\n- Advantage: Issuing and renewing are completely automatic as long as the DNS and ACME routes are correct.\n\n#### Migrate to a custom certificate (VTEX Shield)\n\n- The merchant issues the certificate with their preferred CA (example: DigiCert, GlobalSign) and uploads it using the [Custom SSL certificates](https://help.vtex.com/docs/tutorials/custom-ssl-certificates) feature available in [VTEX Shield](https://help.vtex.com/docs/tutorials/vtex-shield).\n- In this model, there is no ACME/Let's Encrypt flow on VTEX, so the proxy doesn't interfere with generating the certificate. You only need to ensure timely renewal and a new upload.\n\n> ⚠️ VTEX only provides navigation if: <ul><li>There is a TXT record configured correctly.</li><li>SSL certificates can be issued and renewed for the host.</li></ul>If either of these conditions is not met, navigation will fail, and the site will be down."}