Setup behind a firewall
Oneflow is hosted on Amazon Web Services in the eu-west-1 region (Ireland) on EC2 instances in multiple Availability Zones (AZs).
Inbound traffic to Oneflow
The API is load balanced behind a CDN, which means there are no static IPs to reach Oneflow. If your company requires a firewall whitelist to reach Oneflow, we recommend whitelisting on the FQDN instead of IP addresses.
Alternatively, you can set up an HTTP proxy inside your infrastructure and create special access rules based on FQDNs instead of IP addresses.
The Oneflow API is hosted at https://api.oneflow.com, and whitelisting this domain should be enough to communicate with the API.
Additionally, to access the Oneflow application, we recommend whitelisting https://oneflow.com (application) and https://dq0jg2l2e4b9m.cloudfront.net (CDN).
If your firewall supports only IP whitelisting, an alternative is to set up a machine placed outside of the firewall. This machine will act as a proxy for all traffic going to Oneflow. This solution gives you the same amount of control as proper FQDN whitelisting but might be easier to set up if you have strict firewall policies.
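A proxy that enforces the FQDN rules described above has to compare hostnames exactly, or look-alike names slip through. The following is an added example, not Oneflow's code: a Python decision function for HTTP CONNECT targets that uses the hostnames named on this page. The function names and the port-443-only rule are assumptions of this example.

```python
import ipaddress

# Hostnames named on this page; app.oneflow.com is the host used in its TLS check.
ALLOWED_HOSTS = frozenset({
    "api.oneflow.com",
    "oneflow.com",
    "app.oneflow.com",
    "dq0jg2l2e4b9m.cloudfront.net",
})
ALLOWED_PORT = 443  # assumption: every endpoint on the page is HTTPS


def parse_connect_target(target):
    """Split a CONNECT target ("host:port") into (host, port), or return None."""
    host, sep, port = target.strip().rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        return None
    host = host.lower()
    # Drop a single trailing root dot so "api.oneflow.com." compares equal.
    if host.endswith("."):
        host = host[:-1]
    return host, int(port)


def is_ip_literal(host):
    """True for IPv4 literals and for bracketed or bare IPv6 literals."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def allow_connect(target):
    """Decide whether the proxy should open a tunnel to `target`."""
    parsed = parse_connect_target(target)
    if parsed is None:
        return False
    host, port = parsed
    if is_ip_literal(host):
        return False  # no static IPs exist for Oneflow, so only names are allowed
    if port != ALLOWED_PORT:
        return False
    # Exact match only: a substring or suffix check would also accept
    # look-alike names such as "api.oneflow.com.example.net".
    return host in ALLOWED_HOSTS
```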
Outbound traffic from Oneflow
You can configure Oneflow to send webhooks to your systems. If you have a firewall on inbound traffic, you need to consider how to allow traffic from Oneflow. We recommend using a proxy outside your firewalls and filtering the traffic from Oneflow based on the optional webhook sign key in the request body of each webhook.
SSL & TLS considerations
For security reasons, Oneflow supports TLS 1.2 and higher. To verify that you can connect to Oneflow, you could use the following command:
openssl s_client -connect app.oneflow.com:443 -tls1_2 -servername app.oneflow.com
On success, this command shows the public certificate.