Setup behind a firewall

Oneflow is hosted on Amazon Web Services in the eu-west-1 region (Ireland) on EC2 instances in multiple Availability Zones (AZs).

Inbound traffic to Oneflow

The API is load balanced behind a CDN, which means there are no static IPs to reach Oneflow. If your company requires a firewall whitelist to reach Oneflow, we recommend whitelisting on the FQDN instead of IP addresses.

Alternatively, you can set up an HTTP proxy inside your infrastructure and create special access rules based on FQDNs instead of IP addresses.

FQDN whitelisting

The Oneflow API is hosted at https://api.oneflow.com, and whitelisting this domain should be enough to communicate with the API.

Additionally, to access the Oneflow application, we recommend whitelisting https://oneflow.com (application) and https://dq0jg2l2e4b9m.cloudfront.net (CDN).

HTTP proxy

If your firewall supports only IP whitelisting, an alternative is to set up a machine placed outside of the firewall. This machine will act as a proxy for all traffic going to Oneflow. This solution gives you the same amount of control as proper FQDN whitelisting but might be easier to set up if you have strict firewall policies.
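The access rule such a proxy has to enforce can be sketched as follows. This is an added example, not Oneflow code: the function names and the restriction to port 443 are assumptions, and the hostnames are the ones listed on this page. It checks the host:port target of an HTTPS CONNECT request by exact match, so look-alike names that merely contain an allowed domain are refused.

```python
# Added example: allowlist decision for an HTTPS forward proxy (CONNECT requests).

# Hostnames taken from this page.
ALLOWED_HOSTS = frozenset({
    "api.oneflow.com",               # API
    "oneflow.com",                   # application
    "app.oneflow.com",               # host used in this page's TLS check
    "dq0jg2l2e4b9m.cloudfront.net",  # CDN
})
ALLOWED_PORTS = frozenset({443})     # assumption: HTTPS only


def parse_connect_target(target):
    """Split the 'host:port' target of a CONNECT request.

    Returns (host, port) with the host lowercased and one trailing dot
    removed, or None if the target is malformed.
    """
    host, sep, port = target.strip().rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        return None
    port_num = int(port)
    if not 0 < port_num < 65536:
        return None
    host = host.lower()
    if host.endswith("."):           # "api.oneflow.com." is the same name
        host = host[:-1]
    return host, port_num


def decide(target):
    """Return 'allow' or a 'deny:<reason>' string suitable for the proxy log."""
    parsed = parse_connect_target(target)
    if parsed is None:
        return "deny:malformed"
    host, port = parsed
    # Exact match only. Suffix or substring matching would also accept
    # names such as "api.oneflow.com.evil.example" or "evil-oneflow.com".
    if host not in ALLOWED_HOSTS:
        return "deny:host"
    if port not in ALLOWED_PORTS:
        return "deny:port"
    return "allow"
```

Because IP literals never appear in the allowlist, a request that names an address instead of a hostname is denied as well.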

Outbound traffic from Oneflow

You can configure Oneflow to send webhooks to your systems. If you have a firewall on inbound traffic, you need to consider how to allow traffic from Oneflow. We recommend using a proxy outside your firewalls and filtering the traffic from Oneflow based on the optional webhook sign key in the request body of each webhook.

SSL & TLS considerations

For security reasons, Oneflow supports TLS 1.2 and higher. To verify that you can connect to Oneflow, you can use the following command:

openssl s_client -connect app.oneflow.com:443 -tls1_2 -servername app.oneflow.com

On success, this command shows the public certificate.