Adding a proxy to your Salesforce Communities
Running a community site might come with a number of interesting requirements:
- Scan uploaded files for malware or copyright violations
- Filter language for profanities
- Comply with local data retention rules (e.g. local before cloud)
For most of these tasks, AppExchange will be the go-to place to find a solution. However, sometimes you want to process data before it hits the platform. This is the moment where you need a proxy.
To be ready to proxy, there are a few steps involved. I went through a few loops to come to this working sequence:
- Register a domain. You will use it to run your community. Using a custom domain is essential to avoid HTTPS headaches later on
- Obtain an SSL certificate for the custom domain. The easiest way, if you have access to a public host, is to use Let's Encrypt to obtain the cert and then convert it to JKS. The certs are only valid for 90 days, but we only need it for a short while in JKS. On e.g. Nginx, one can auto-renew the certs
- Upload the cert into Salesforce in Security - Certificate and Key Management - Import from Keystore
- Follow Steps 1 and 4 (you did 3 already). You need access to your DNS for that. The domain needs to be fully qualified; you can't use your root (a DNS limitation). Let's say your base is acme.com, you want your partner community to be reachable at partners.acme.com, and your Salesforce Org ID is 1234567890abcdefgh; then you need a CNAME entry that says partners.acme.com.1234567890abcdefgh.live.siteforce.com. Important: The entry needs to end with a DOT (.), otherwise CNAME tries to link it back to your domain
- Test the whole setup. Make sure you can use all community functions using the URL
- Now back to the DNS. Point the CNAME entry to your host (e.g. Heroku), or delete it and create an A record pointing to e.g. DigitalOcean
- Make sure the HOST header the proxy sends has the value of your custom domain, not the force.com one. Your proxy serves as your own CDN
Little bummer: You can't do this in a sandbox or a developer org; it needs to be production or trial.
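The CNAME step is the one most easily broken by a missing trailing dot, so here is an added example (not from the original post) that audits a zone-file line for that mistake and for the root-domain limitation. It assumes simple one-line BIND-style records; the function names are invented for this illustration, and the sample zone is constructed from the post's example values.

```python
SUFFIX = "live.siteforce.com."

def absolute(name, origin):
    """Expand a zone-file name as a DNS server would (RFC 1035, section 5.1)."""
    origin = origin.rstrip(".").lower() + "."
    name = name.lower()
    if name == "@":
        return origin
    # No trailing dot means "relative": the zone origin is appended.
    return name if name.endswith(".") else f"{name}.{origin}"

def expected_target(custom_domain, org_id):
    """Target in the form the post gives: <domain>.<org id>.live.siteforce.com."""
    return f"{custom_domain.rstrip('.').lower()}.{org_id.lower()}.{SUFFIX}"

def audit(zone_text, origin, custom_domain, org_id):
    """Return findings (empty list = OK) for the CNAME serving custom_domain."""
    owner_fqdn = custom_domain.rstrip(".").lower() + "."
    target = expected_target(custom_domain, org_id)
    if owner_fqdn == absolute("@", origin):
        return ["custom domain is the zone root; a CNAME cannot live there"]
    findings, seen = [], False
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop comments
        types = [f.upper() for f in fields]
        if "CNAME" not in types[1:-1]:              # need owner before, target after
            continue
        owner, raw = fields[0], fields[types.index("CNAME", 1) + 1]
        if absolute(owner, origin) != owner_fqdn:
            continue
        seen = True
        resolved = absolute(raw, origin)
        if resolved == target:
            continue
        if absolute(raw + ".", origin) == target:
            findings.append(f"missing trailing dot: resolves to {resolved}")
        else:
            findings.append(f"unexpected target: {resolved}")
    if not seen:
        findings.append(f"no CNAME found for {owner_fqdn}")
    return findings

# Constructed sample zone for acme.com (values from the post's example).
ZONE_BAD = "partners 3600 IN CNAME partners.acme.com.1234567890abcdefgh.live.siteforce.com\n"
ZONE_OK = ZONE_BAD.rstrip("\n") + ".\n"

if __name__ == "__main__":
    print(audit(ZONE_BAD, "acme.com", "partners.acme.com", "1234567890abcdefgh"))
    print(audit(ZONE_OK, "acme.com", "partners.acme.com", "1234567890abcdefgh"))
```

Run it against the zone before switching the record over to the proxy host, so that the test in the following step exercises the record you intended.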
Next stop: discuss what proxy to use and options to consider. As usual YMMV.