Use AWS as a Reverse Proxy for gating the QR Code Platform

This article will guide you on how to use Amazon Web Services (AWS) as a Reverse Proxy to manage the access of users to your instance of our QR Code platform. You stay in full control and can configure everything (firewall, SSL certificates, etc.). This feature is only available for enterprise customers.

This post contains technical details for IT Admins or your IT department managing the infrastructure. Please get in touch with an IT expert on your end to help you setting this up.

When a visitor scans your QR Code or opens your custom domain, the incoming request is first routed to your reverse proxy running in your AWS infrastructure. This gives you a customer-controlled layer in front of the QR Code Application Platform.

At this layer, you can apply your own security and routing configuration, including Firewall/WAF rules, IP blocking, TLS certificates, logging, and request routing. After your controls have been applied, approved traffic is forwarded to our QR Code Platform Infrastructure, where the QR Code Application Platform handles the request.

In order to use this Integration Setup the following AWS Services need to be available on your end:

• AWS Cloudfront Business Plan for the required features ($200/month)
  
• AWS Route 53 for the domain
• AWS Certificate Manager for handling the HTTPS certificate
• AWS Cloudfront as the Reverse Proxy

That means that the QR Codes will use it and the QR Code platform will be reachable via that domain.

For that domain you will also set up your AWS Reverse Proxy via the AWS CloudFront service.

Please log into your administrator account on our QR Platform.

Once logged in copy the domain in the address bar of your browser.

It is usually something like yourcompany.qrplanet.com. This is the username that you have chosen when creating your account with us.

We will need this later. We will refer to it as the alternative domain.

 As a next step we need to take care of the SLL/TLS certificate.

Therefore log into your AWS Console via https://console.aws.amazon.com

After the login open the service Certificate Manager.

Click on the button Request a certificate.

Click on Request a public certificate and the button Next.

In the field Fully qualified domain name enter the domain you want to use (in our example we use yukode.com). Leave the other values as they are. Click on the button Request.

Click on the button Create records in Route 53.

Select the domain in the list and click on the button Create records.

Now the success message should appear that the DNS record has been created.

Open the service CloudFront.

We will now go through the steps together.

For the necessary configurations you need the Business plan. Choose the Business plan and click on Next.

Next fill out the fields Distribution name and Domain with the domain you have chosen, choose Single website or app.

Then click on Check Domain. You should get a green confirmation message that the domain works.

Then click on Next.

On the next screen (Specify origin) select the Origin type Other and as the Custom origin enter the alternative domain you copied before - in our example yourcompany.qrplanet.com.

Scroll down to Settings.

For the Origin settings choose Customize origin settings.

Click on the button Add header to add a header.

Enter X-forwarded-for as the Header name and for the Value enter the alternative domain you copied before - in our example yourcompany.qrplanet.com

Scroll down to Cache settings and choose Customize cache settings.

For the Cache Policy choose CachingDisabled and for the Origin request policy click on Create origin request policy, name it eg MyOriginRequestPolicyWithoutHost and after creating it choose it.

Create a Origin request policy, named eg MyOriginRequestPolicyWithoutHost, with the following settings:

• Headers - All viewer headers except: Host
• Cookies - All
• Query strings - All
• Distributions: None​

Next select the security settings that you want. This is purely based on your organizations needs to log, filter and protect the traffic.

On the next screen Get TLS certificate choose the certificate you created before. You maybe need to click on Refresh certificates to load the latest changes.

Once you have chosen the certificate click on Next.

After you click on the button Next you reach the Review and create screen.

There you see a summary of the configuration we just put together. Double check if everything looks good.

Then click on Create distribution.

Be aware that this may lead to additional costs in your AWS account.

The last step on the AWS side is to assign the Route 53 domain to the just created CloudFront distribution.

If it does not already exist create a public hosted zone.

Next create a new record in the hosted zone.

As the Record type choose A - Routes traffic to an IPv4 address and some AWS ressources.

Then enable Alias.

For Route traffic to pick Alias to CloudFront distribution.

In the field below pick the CloudFront distribution you just created.

Finally click on the button Create records.

After we set everything up in AWS its time to finish our setup on the QR White Label Platform.

Please be aware that you cannot finish the whole setup on your own. Because this is an enterprise feature we also need to make some configuration on our end.

So, when you reached this point in this guide please contact our support so we can set up the last mile for you.

Once you got our feedback that its being set up please do the following.

Please log into your administrator account on our QR Platform.

If not please let us know so we can double-check.

In any case DO NOT click on the Set ShourtURL Domain button as this does not work for this reverse Proxy scenario because the domain is not pointing to our servers but to your AWS machines.

Thats it! Your QR Codes should now be reachable via the Short-URL Domain you just specified.