DOC-3506 - Add firewall whitelist instructions to AI and Doc Converters documentation#4141
DOC-3506 - Add firewall whitelist instructions to AI and Doc Converters documentation#4141kemister85 wants to merge 4 commits into
Conversation
| === Step 4: Forward proxy configuration | ||
|
|
||
| Ensure that the following URLs are accessible via this proxy if the network has a forward proxy that controls access to the internet. | ||
| If the network has a forward proxy that controls access to the internet, ensure that the following URLs are accessible: |
There was a problem hiding this comment.
forward proxy or firewall?? I'm not an expert though to be sure
There was a problem hiding this comment.
Good call — updated the section title to "Forward proxy and firewall configuration" and the body to mention both. See dea7fb0.
| [[firewall-and-proxy-allowlisting]] | ||
| == Firewall and proxy allowlisting | ||
|
|
||
| Organizations operating behind a firewall or forward proxy that restricts outbound internet access must allowlist {cloudname} domains for cloud-hosted {productname} features to function. |
There was a problem hiding this comment.
just outbound or outbound and inbound?
There was a problem hiding this comment.
Outbound only. The browser makes standard outbound HTTPS requests to *.tiny.cloud and responses return on the same connection. No inbound allowlisting is needed. Updated the text to make this explicit: "Cloud-hosted TinyMCE features require the browser to make outbound HTTPS requests to these domains; no inbound access from Tiny Cloud is required." See dea7fb0.
| * Link checking (`+hyperlinking.tiny.cloud+`) | ||
| * Spell checking (`+spelling.tiny.cloud+`) | ||
|
|
||
| NOTE: Self-hosted deployments that do not connect to any {cloudname} services do not require this allowlisting. For self-hosted services such as on-premises document converters or AI, allowlist the domain where the self-hosted service is running instead. |
There was a problem hiding this comment.
Checked the license key docs — self-hosted deployments validate the license key locally with no server contact (reference). Billing applies to cloud/hybrid setups. The NOTE already covers this: "Self-hosted deployments that do not connect to any Tiny Cloud services do not require this allowlisting." Hybrid setups (self-hosted editor + cloud AI/doc converters) still need *.tiny.cloud for those services, which is covered by the rest of the page.
2 participants
Ticket: DOC-3506
Site:
Changes:
tinymce-and-csp.adoc) as a single source of truth, documenting the*.tiny.cloudwildcard domain, individual service subdomains, and required HTTP headers (tiny-api-key,tinymce-api-key).admon-cloud-firewall.adoc) for cross-referencing the firewall guidance from plugin pages.tinymceai.adoc), Import from Word (importword.adoc), Export to Word (exportword.adoc), and Export to PDF (exportpdf.adoc) plugin pages, inside their cloud setup sections.editor-and-features.adocandfeatures-only.adocto use the*.tiny.cloudwildcard domain instead of listing only three specific service URLs, and added a cross-reference to the CSP page.Pre-checks:
Branch is correctly prefixed:
Hotfix:
hotfix/8/DOC-3506modules/ROOT/nav.adochas been updated (if applicable). N/A, no new pages added.Files have been included where required (if applicable).
Files removed have been deleted, not just excluded from the build (if applicable). N/A, no files removed.
Files added for New product features include a
release noteentry. N/A, documentation improvement only.Major or minor version changes have updated the
supported-versions.adoctable. N/A.Build passes without console errors, warnings, or issues.
Review: