Commanders Tag Gateway (closed beta)
This document is for users who want to deploy Google Tag Gateway (via Commanders Act) or its equivalent for other partners (Meta, Bing, Snapchat, Awin, etc.).
If your goal is to implement Google Tag Gateway, you are in the right place: Commanders Gateway follows the exact same setup principles as Google Tag Gateway, but extends them to all major advertising and analytics partners.
Why use Commanders Gateway?
1. Advantages of using a gateway
A gateway setup improves data collection quality and completeness across your marketing stack.
Vendor scripts are served from your own domain, which redauces the likelihood of being blocked by adblockers.
Browser restrictions (such as Safari’s ITP) often limit or block third-party cookies and some 1st party javascript cookies, but with a first-party server-side setup, measurement remains more reliable.
This ensures more accurate tracking, providing partners with higher-quality signals for measurement, attribution, and optimization.
2. Advantages of using Commanders Gateway
On top of the benefits of any gateway approach, Commanders Gateway adds unique advantages:
Not limited to Google Tag Gateway — the same durable setup applies to all your partners (Meta, Snapchat, Bing, Awin, etc.).
Unified setup: a single path (
/metrics) serves and proxies all vendor libraries.Obfuscated JavaScript filenames are automatically provided by Commanders Act, making detection by blocking lists far more difficult.
With the same simple path, you can also activate other first-party hosting and tracking features such as: hosting your tag management containers, server-side event tracking, or anonymous CMP statistics. A single setup powers your whole first‑party hosting and tracking system.
A centralized configuration simplifies deployment and maintenance while remaining future-proof against upcoming browser restrictions.
Overview
Commanders Gateway lets you deploy marketing and measurement tags using your own first-party infrastructure, hosted on your website’s domain. This infrastructure sits between your website and your partners’ services (Google, Meta, Bing, Snapchat, Awin, etc.).
With Commanders Gateway:
Google libraries (gtag.js / gtm.js) are loaded directly from your first-party domain.
Other vendor libraries are served from
/metrics/js/using obfuscated filenames.All measurement requests are proxied through your domain before being forwarded to the respective partner endpoints.
Architecture
With Commanders Gateway, you reserve a single path on your domain, for example:
https://example.com/metrics/Google scripts (gtag.js / gtm.js) are loaded directly from
/metrics/.Other vendor scripts (Meta, Snapchat, Bing, Awin, etc.) are served from
/metrics/js/with an obfuscated filename generated by Commanders Act.
Example:
https://example.com/metrics/js/f4558899203.jsThe mapping between each vendor and its obfuscated script filename is provided in the Commanders Act First-Party Hosting interface.
Diagram (conceptual):
Website → example.com/metrics/ (Google tags)
→ example.com/metrics/js/f4558899203.js (Meta, Snap, Bing…)
→ Commanders Gateway → Vendor endpointBefore you begin
This guide assumes your website is already configured with:
A tag management system (Commanders Act, Google Tag Manager, or equivalent).
A CDN or load balancer (Cloudflare, Akamai, Fastly, Nginx, etc.) that can forward requests to external endpoints.
Step 1: Choose the tag serving path
You must reserve one path on your website domain.
Example:
/metricsCaution: This setup reroutes all traffic with the chosen path. To avoid affecting your website, choose a path that's not already in use.
Step 2: Route traffic
To serve your tag in Commanders Gateway, you will create a CNAME entry for a new subdomain, create an Origin Rule to forward requests, and create a Transform Rule to include geolocation information. To complete this setup, you will need to have a Cloudflare Enterprise plan. If you don't have an Enterprise plan, consider using the Cloudflare automated setup instead.
Create CNAME entry
Note: Tags won't use this CNAME entry; Cloudflare uses it to route requests internally.
Choose a subdomain to reserve for the CNAME entry. This CNAME is never exposed outside your Cloudflare configuration, so the name is arbitrary.
CNAME subdomain: metrics
Target: s1234.commander4.comIn the DNS tab, open the Records section.
Add a new record with:
Type: CNAME
Name: metrics
Target: s1234.commander4.com => replace 1234 by your site (aka workspace) id
Save the CNAME record.
Create the Origin Rule
In the Rules tab, open Origin Rules and create a new rule.
Enter a rule name, such as Route measurement.
Match incoming requests based on a custom filter expression:
(http.host eq "example.com" and starts_with(http.request.uri.path, "/metrics"))Update the Host Header → Rewrite to:
s1234.commander4.com.Update the DNS Record → Override to:
metrics.example.com.Save the Origin Rule.
Include geolocation information (optional)
In the Rules tab, open Settings.
Enable the Add visitor location headers option.
Wait a few minutes for propagation.
You can verify by navigating to:
https://example.com/metrics/healthyIt should return ok.
When using Cloudflare Free, the setup relies on a simple Worker that proxies all traffic from your chosen path (e.g. /metrics) to Commanders Gateway infrastructure.
Step 1: Create the Worker
In the Cloudflare dashboard, go to Workers & Pages → Create application → Worker.
Copy/paste the following code:
const prefix = "/metrics"; // Example path, replace with the path you choose in the previous step
const sid = "12345"; // Example workspace ID (aka site ID), replace with your own ID
addEventListener("fetch", event => {
event.respondWith(handleRequest(event.request));
});
async function handleRequest(request) {
const url = new URL(request.url);
if (url.pathname.startsWith(prefix)) {
// Construct target URL (it replaces ${sid} with your workspace/site ID above)
const targetUrl = `https://s${sid}.commander4.com${url.pathname}${url.search}`;
// Clone request headers
const newHeaders = new Headers(request.headers);
newHeaders.set("X-Forwarded-Host", url.host);
const country = request.cf?.country || "";
const region = request.cf?.region || "";
if (country) newHeaders.set("X-Forwarded-Country", country);
if (region) newHeaders.set("X-Forwarded-Region", region);
if (country && region) {
newHeaders.set("X-Forwarded-CountryRegion", `${country}-${region}`);
}
// Remove Host header to avoid conflicts
newHeaders.delete("host");
// Proxy request to Commanders Gateway infra
const proxyRequest = new Request(targetUrl, {
method: request.method,
headers: newHeaders,
body: request.body,
redirect: "follow"
});
return fetch(proxyRequest);
}
return new Response("Not Found", { status: 404 }); // Return 404 if request path does not match prefix
}This Worker proxies requests while adding extra headers (X-Forwarded-Host, X-Forwarded-Country, X-Forwarded-Region).
Step 2: Bind the Worker to the path
In Cloudflare, open your domain settings.
Navigate to Workers Routes.
Add a new route with:
URL pattern:
www.example.com/metrics*Worker: select the Worker created in step 1.
Once saved, all requests to /metrics will be proxied to Commanders Gateway.
Commanders Gateway with Akamai is in beta. If you have a question or issue with your setup, reach out the support
Create the redirect rule
Create a new version of your delivery configuration in Property Manager.
Under the Property Configuration Settings section, add a new Rule:
Name it: Route measurement
Add a new Match:
Match type:
PathCondition: is one of
Value:
/metrics/*
Add a new Behavior:
Select Standard Property Behavior and choose Origin Server behavior.
Set Origin Server Hostname to
s1234.commander4.com.Set Forward Host Header to Origin Hostname.
Save the new rule and deploy your changes.
⚠️ Test the redirect rule in your staging environment before rolling out to production.
Ensure no other rules modify/remove outgoing response headers (e.g., Content-Type) as this may break scripts.
Include geolocation information
Navigate to the Property Variables section and add the following variables:
USER_REGION
Hidden
USER_COUNTRY
Hidden
Choose your Redirect rule (created above) under Property Configuration Settings.
Add two new Set Variable behaviors (one per variable):
PMUSER_USER_REGION
Extract
Edgescape Data
Region Code
None
PMUSER_USER_COUNTRY
Extract
Edgescape Data
Country Code
None
Add two new Modify Outgoing Request Header behaviors:
Add
Other...
X-Forwarded-Region
{{user.PMUSER_USER_REGION}}
Add
Other...
X-Forwarded-Country
{{user.PMUSER_USER_COUNTRY}}
Save the new rule and deploy your changes.
Verify the setup:
Navigate to:
https://example.com/metrics/healthy→ should displayok.Test geolocation headers:
https://example.com/metrics/?validate_geo=healthy→ should also displayok.
Soon
Step 3: Update the scripts in your tag management system or your website
Replace vendor script URLs with the new first-party paths.
Examples:
Google
<!-- Instead of -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-12345"></script>
<!-- Use -->
<script async src="/metrics/"></script>Meta (Facebook Pixel)
<!-- Instead of -->
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<!-- Use (obfuscated path provided in the Commanders Act interface) -->
<script src="/metrics/js/f4558899203.js"></script>Snapchat
<script src="/metrics/js/a82b99df732.js"></script>Bing (UET)
<script src="/metrics/js/c77ac91be11.js"></script>Each obfuscated filename is automatically generated and available in the Commanders Act First-Party Hosting interface.
Step 4: Verify setup
For the global path, check the health endpoint:
https://example.com/metrics/healthy→ should returnok
Use browser DevTools to verify that:
Google scripts are loaded from
/metrics/Other vendor scripts are loaded from
/metrics/js/{obfuscated}.jsRequests are made to your first-party domain.
Ensure events appear in the respective partner dashboards (Google Analytics, Facebook Events Manager, etc.).
Benefits
Durability: Tracking continues to work even with Safari ITP and third-party cookie restrictions.
Resilience: Serving scripts from your domain with obfuscated filenames makes it more difficult for blocking rules to interfere.
Centralized setup: A single path (
/metrics) manages all vendors.Future-proof: Adapts to privacy sandbox and upcoming browser restrictions.
Last updated
Was this helpful?