Propagating Set-Cookie header with Snowplow Collector Behind a CDN or Reverse Proxy

Edwin Mejias  

When you place a CDN or reverse proxy in front of your Snowplow collector, it is essential to ensure response headers—especially Set-Cookie—are forwarded from your origin to the browser. Here's how to configure major proxies:


✅ Option A: Cloudflare Workers

  1. Create a Worker with a route (e.g. /sp) pointing to your collector.
  2. Forward the client’s request to your Snowplow collector, including all headers.
  3. Capture the collector response and copy all headers (including Set-Cookie).
  4. Use response.headers.append('Set-Cookie', ...) to handle multiple cookies properly.

This ensures Set-Cookie isn’t removed or overwritten by Cloudflare caching.
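
The four steps above as a Worker, added here as an example (not Snowplow's or Cloudflare's own code). The collector host and path are the placeholder values from the Nginx block on this page, the /sp route is the one from step 1, and the injectable fetchImpl parameter is an assumption made so the handler can be exercised offline.

```javascript
// Added example. COLLECTOR_ORIGIN and COLLECTOR_PATH reuse the placeholder
// values from this page's Nginx block; replace them with your own collector.
const COLLECTOR_ORIGIN = 'https://collector.example.com';
const COLLECTOR_PATH = '/com.snowplowanalytics.snowplow/tp2';
const ROUTE_PREFIX = '/sp'; // Worker route from step 1

// Map the public /sp URL to the collector endpoint, keeping the query string.
function toCollectorUrl(requestUrl) {
  const incoming = new URL(requestUrl);
  if (incoming.pathname !== ROUTE_PREFIX) return null; // proxy only the route
  const target = new URL(COLLECTOR_PATH, COLLECTOR_ORIGIN);
  target.search = incoming.search;
  return target.toString();
}

// Rebuild the collector response for the browser (steps 3 and 4). Set-Cookie
// must not be folded into one comma-joined value: an Expires attribute already
// contains a comma, so each cookie is appended as its own header.
function copyResponseWithCookies(upstream) {
  const headers = new Headers();
  for (const [name, value] of upstream.headers) {
    if (name.toLowerCase() !== 'set-cookie') headers.set(name, value);
  }
  for (const cookie of upstream.headers.getSetCookie()) {
    headers.append('Set-Cookie', cookie);
  }
  return new Response(upstream.body, {
    status: upstream.status,
    statusText: upstream.statusText,
    headers,
  });
}

const worker = {
  // fetchImpl (hypothetical parameter) defaults to the runtime's fetch.
  async fetch(request, env, ctx, fetchImpl = fetch) {
    const target = toCollectorUrl(request.url);
    if (target === null) return new Response('Not found', { status: 404 });
    // Step 2: same method, headers (including Cookie) and body, new URL.
    const upstream = await fetchImpl(new Request(target, request));
    return copyResponseWithCookies(upstream);
  },
};
// In a Worker module, expose the handler with: export default worker;
```

To check a deployment, request the /sp route with `curl -i` and confirm that every Set-Cookie line the collector emits appears separately in the proxied response.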

⚙️ Option B: Page Rules + Cache Level

  • Configure a Page Rule or Cache Rule to set Cache Everything or “Eligible for cache.”
  • Ensure origin Cache-Control headers disable caching when cookies are involved.
  • Cloudflare will forward Set-Cookie on non-cached or bypassed responses.

CloudFront

  1. Forward Cookies in Cache Behavior
    Configure your distribution to “Forward all cookies” or explicitly whitelist tracking cookies like _sp_id and _sp_ses. This allows CloudFront to forward cookies and return Set-Cookie from the origin.
  2. Control Caching of Responses with Cookies
    CloudFront doesn’t cache Set-Cookie responses unless configured. Add a header like:
    Cache-Control: public, no-cache="Set-Cookie", max-age=86400
    Alternatively, use Lambda@Edge to modify response headers dynamically.
  3. Why forward cookies?
    Without forwarding, CloudFront strips cookies and blocks Set-Cookie, breaking client-side persistence.

Akamai

  1. Enable “Set Response Cookie” in Property Manager
    Define which cookies to set (value, domain, path, expiry, HttpOnly, Secure, SameSite).
  2. EdgeWorker Metadata
    Add <edgeservices:cookie.pass-set-cookie-policy> to preserve Set-Cookie headers in onClientResponse.
  3. Modify Outgoing Response Headers
    Ensure no rules strip Set-Cookie. Use the behavior to pass along, not remove, these headers.

You can use other reverse proxies like Nginx, Envoy, HAProxy, Apache, or Traefik similarly:

Nginx

location /sp {
  proxy_pass         https://collector.example.com/com.snowplowanalytics.snowplow/tp2;
  proxy_set_header   Host collector.example.com;
  proxy_set_header   X-Real-IP $remote_addr;
  proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
}

This forwards all headers (including Set-Cookie) from the collector.

Envoy / HAProxy / Apache / Traefik

  • Forward path and headers unchanged.
  • Do not buffer or modify Set-Cookie.
  • Allow multiple Set-Cookie headers in responses.


Why This Matters

Snowplow relies on client-side cookies (e.g. _sp_id, _sp_ses) for consistent user tracking. If your proxy strips or alters Set-Cookie, those cookies won't persist—leading to duplicate user IDs or flattened session data. Browsers like Safari may clear cookies after 7 days of inactivity, making proper cookie handling even more critical.


📘 Further Reading

  • First Party Tracking with Snowplow: support.snowplow.io
  • Safari ITP & Snowplow: Why reverse proxies are a workaround for persistent tracking: snowplow.io

📍 Summary

  • Use Cloudflare Workers, CloudFront cookie forwarding, or Akamai's cookie behaviors to preserve Set-Cookie headers.
  • Ensure caching mechanisms do not strip or store cookie headers.
  • Test thoroughly across user agents to guarantee reliable tracking.