Guides
  1. Universal Tag

Reverse Proxy

Set up a reverse proxy to route Universal Tag requests through your own domain so the browser treats tracking as first-party.

📋Before You Implement
  • Your site must be served over HTTPS. All proxy requests require a secure connection.
  • You need access to modify your web server configuration files (Apache or NGINX).
  • The default proxy path is /proxydirectory/ — contact your CIE if this conflicts with your existing URL structure.
  • Restart your web server after applying any configuration changes before testing.
  • Schedule a verification session with your CIE before deploying to production.

Why you should add a reverse proxy to your CJ Universal Tag

The reverse proxy intercepts tag requests from the browser and forwards them to CJ's tracking server — without the browser ever making a direct third-party request.

Bypass Third-Party Cookie Restrictions
Tracking requests come from your domain, so tags fire successfully in Safari, iOS, and other browsers that block third-party cookies.
Server-Side Request Forwarding
Your web server forwards tracking requests to CJ at mczbf.com with the headers needed to preserve full attribution.
First-Party Cookie Persistence
Cookies are set as first-party on your domain, so they persist far longer than the 24-hour cap on script-set cookies in Safari.
Recover Lost Conversions
Reclaim attributed conversions from Safari and iOS traffic that would otherwise drop out of the funnel, leading to more accurate publisher payouts.

Implementation

Reverse Proxy Setup
5 steps
01
Configure Proxy PathSet up your web server to forward requests on your domain to https://www.mczbf.com/.
Step 1
02
Add Required HTTP HeadersConfigure your proxy to pass the five required X-Forwarded headers so CJ can correctly identify the originating request.
Step 2
03
Enable SSL ProxyEnable SSL proxy support so your server can securely forward requests to CJ's HTTPS endpoint.
Step 3
04
Update Tag ImplementationEnsure CJ's Universal Tag points to your proxy path rather than directly to CJ servers.
Step 4
05
Verify ConfigurationUse browser Developer Tools to confirm tag requests route through your domain with the correct headers and the Universal Tag functions as expected

Proxy Path Setup

Configure your reverse proxy to intercept requests at your proxy directory and forward them to CJ's tracking server.

Click any row to see type, format, and value examples.
Parameter
Description
Required
Incoming Path
The path on your domain that receives CJ tag requests from the browser.
Required
Type: String
Examples
https://www.yourdomain.com/proxydirectory/
Note: The /proxydirectory/ path is the default. If it conflicts with your existing URL structure, contact your CIE for an alternative.
Forwarding Target
CJ's tracking server that receives the forwarded requests from your proxy.
Required
Type: String
Examples
https://www.mczbf.com/
Note: The trailing slash is required. Removing it will cause the proxy to forward the full path including /proxydirectory/ to CJ's server.

Required HTTP Headers

Your proxy must pass the following five headers with every forwarded request. Missing or malformed headers will cause tracking to fail or attribution to be incorrect.

Click any row to see type, format, and value examples.
Parameter
Description
Required
X-Forwarded-For
The customer's originating IP address. Must be IPv4 format only.
Required
Type: StringFormat: IPv4
Examples
192.168.1.100
Note: IPv6 addresses are not supported. Ensure your server extracts and forwards the IPv4 address only.
X-Forwarded-Host
Your website's domain, without the protocol prefix.
Required
Type: String
Examples
www.yourdomain.com
X-Forwarded-Server
The hostname of the server handling the proxy request.
Required
Type: String
Examples
web-server-01
X-Forwarded-Request-Host
Your website's domain. Must match the value of X-Forwarded-Host exactly.
Required
Type: String
Examples
www.yourdomain.com
Note: A mismatch between X-Forwarded-Request-Host and X-Forwarded-Host may cause CJ to reject the request.
X-Forwarded-Request-Path
The full path of the incoming tag request, including the proxy directory.
Required
Type: String
Examples
/proxydirectory/tags/TAG_ID/tag.js
Note: Pass the complete request path — not just the proxy directory root. Passing only /proxydirectory/ will cause CJ to misidentify the request.

Server Configuration

Apache

This configuration uses mod_proxy and mod_proxy_http. Confirm both modules are enabled on your server before applying.

Apache
# Required Modules
LoadModule ssl_module          modules/mod_ssl.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so

# SSL Proxy Support
SSLProxyEngine on

# Required Headers
RequestHeader add "X-Forwarded-Request-Path" "%{REQUEST_URI}s"
RequestHeader add "X-Forwarded-Request-Host" "%{HTTP_HOST}s"

# Proxy Forwarding
ProxyPass        "/proxydirectory/" "https://www.mczbf.com/"
ProxyPassReverse "/proxydirectory/" "https://www.mczbf.com/"
Parameter
Description
Required
SSLProxyEngine
Enables SSL support for outbound proxy connections to CJ's HTTPS server.
Required
ProxyPass
Forwards incoming requests from /proxydirectory/ to CJ's tracking server.
Required
ProxyPassReverse
Rewrites response headers from CJ's server so they correctly reference your domain on the way back to the browser.
Required

NGINX

This configuration uses NGINX's built-in proxy_pass directive. Replace YOUR_SERVER_HOST_NAME with your actual server hostname before deploying.

NGINX
server {
    server_name YOUR_SERVER_HOST_NAME;

    location /proxydirectory/ {
        proxy_ssl_server_name on;
        proxy_pass https://www.mczbf.com/;

        # Required Headers
        proxy_set_header X-Forwarded-For          $remote_addr;
        proxy_set_header X-Forwarded-Host         $host;
        proxy_set_header X-Forwarded-Server       $server_name;
        proxy_set_header X-Forwarded-Request-Host $host;
        proxy_set_header X-Forwarded-Request-Path $request_uri;
    }
}
Click any row to see type, format, and value examples.
Parameter
Description
Required
proxy_ssl_server_name
Enables SNI for outbound SSL connections so NGINX can correctly establish a secure connection to mczbf.com.
Required
proxy_pass
Forwards the request to CJ's tracking server. The trailing slash strips /proxydirectory/ from the forwarded path.
Required
Note: Do not remove the trailing slash from https://www.mczbf.com/ — without it, NGINX forwards the full /proxydirectory/ path to CJ's server, which will break tracking.

Need help?

Submit a support ticket for account-specific support.

How to submit a ticket →

Updated 11 days ago