Deploy a reverse proxy

A reverse proxy helps you capture more complete usage data. Ad blockers maintain lists of known analytics domains and block requests to them. A reverse proxy bypasses this by routing events through your own domain, which ad blockers haven't cataloged. This typically increases event capture by 10-30% depending on your user base.

A reverse proxy sends events to PostHog through your own subdomain (like e.yourdomain.com) instead of directly to PostHog's domain.

You don't need a reverse proxy to start using PostHog. We recommend setting one up before going to production for more reliable data capture.

Set up managed reverse proxy

PostHog's managed reverse proxy routes traffic through our infrastructure. We handle SSL certificates, routing, and maintenance automatically.

This option requires our platforms add-ons and access to your domain's DNS settings.

  1. Create your proxy

    1. Go to organization proxy settings
    2. Click new managed proxy
    3. Enter a subdomain you control. For example, if your app runs on myapp.com, use ph.myapp.com

    Choose a neutral subdomain that doesn't include words like analytics, tracking, or posthog. Ad blockers target obvious terms.

  2. Create a DNS record

    Go to your DNS provider and create a new CNAME record:

    1. Set the Name to your chosen subdomain (just the subdomain part, like ph)
    2. Set the Target to the proxy domain PostHog generated in the previous step. You'll see it in your proxy settings, it looks like 4854cf84789d8596ad01.proxy-us.posthog.com
    3. Save the record

    Note: If you're using Cloudflare, disable proxying on this CNAME record by clicking the cloud icon and set it to DNS only. Cloudflare's proxy interferes with PostHog's SSL certificate provisioning.

  3. Wait for provisioning

    Your proxy status will change from waitingissuinglive. This typically takes 2-5 minutes but can take up to 30 minutes if DNS propagation is slow.

    PostHog will automatically detect your DNS record and provision an SSL certificate. No further action needed.

    Note: If your proxy stays in issuing for more than 30 minutes, see troubleshooting.

  4. Update your PostHog SDK

    Update your PostHog initialization to use your new subdomain:

    posthog.init('<ph_project_api_key>', {
      api_host: 'https://ph.myapp.com',
      ui_host: 'https://us.posthog.com'
    })

    Replace ph.myapp.com with your actual subdomain, and provide your project API key.

    Always set both api_host (your proxy) and ui_host (PostHog's actual domain) so features like the toolbar work correctly.

  5. Verify your setup

    Checkpoint

    Confirm events are flowing through your proxy:

    1. Open your browser's developer tools and go to the Network tab
    2. Trigger an event in your app, like a page view
    3. Look for a request to your proxy subdomain (e.g., ph.myapp.com)
    4. Verify the response is 200 OK
    5. Check the PostHog app to confirm events appear

    If you see errors or events aren't appearing, see troubleshooting.

Deploy your own proxy

If the managed proxy doesn't work for your use case, you can deploy your own reverse proxy.

Self-hosted proxies

If you use a self-hosted proxy, PostHog can't help troubleshoot configuration issues.

Choose your platform and follow the setup guide:

Need help choosing?

Do you want a managed solution?

PostHog offers a managed reverse proxy as a product add-on with zero maintenance.

For technical requirements, routing configuration, and best practices when running your own proxy, see the self-hosted proxy reference.

FAQ

Why doesn't PostHog use its own proxy?

We do use our own infrastructure. But ad blockers specifically target well-known analytics domains. When they visit posthog.com, they catalog our tracking scripts and add them to block lists.

Your proxy works because ad blockers haven't visited your domain to catalog your setup. They don't know what to block.

Does PostHog provide static IP addresses?

No. Our domains use AWS infrastructure with load balancing, which rotates IPs for performance and reliability.

If your firewall requires IP allowlisting, you have two options:

Option 1: Use domain-based filtering

Allow outbound HTTPS traffic on port 443 to *.posthog.com, or allow specific domains: us.i.posthog.com and us-assets.i.posthog.com. Replace us with eu for EU region.

Option 2: Deploy a reverse proxy with a static IP

This is the recommended approach for enterprise environments with strict firewall policies.

  1. Deploy a reverse proxy in your infrastructure
  2. Assign your proxy a static IP address
  3. Allowlist only your proxy's IP in your firewall

This gives you full control over network routing without depending on PostHog's infrastructure.

Community questions

Was this page useful?

Questions about this page? or post a community question.