Network Firewall Configuration

PixieBrix initiates outgoing HTTPS network connections. PixieBrix does not use/require incoming requests.

Outgoing Network Traffic Allowlist

For PixieBrix to function properly, outgoing traffic to the following origins must be allowlisted:

• https://*.pixiebrix.com, or the specific origins:

  • https://app.pixiebrix.com: required for all users

  • https://docs.pixiebrix.com: documentation portal, recommended for mod developers and admins

  • https://www.pixiebrix.com: website and templates, recommended for mod developers

• https://*.browser-intake-datadoghq.com: error telemetry endpoint required for all

If you are automatically installing via a Browser Extension Installation Policy, you must allowlist access to the Chrome extension update site:

• https://clients2.google.com/service/update2/crx

If your users are performing a manual browser extension install from the Chrome Web Store, you must also allow traffic to the following Chrome Web Store listing URLs and the Chrome extension update site:

• https://chrome.google.com/webstore/detail/pixiebrix-webapp-integrat/mpjjildhmpddojocokjkgmlkkkfjnepo

• https://chromewebstore.google.com/detail/pixiebrix/mpjjildhmpddojocokjkgmlkkkfjnepo

• https://clients2.google.com/service/update2/crx

Email Firewall

Email is required for admins/managers to receive system alerts. Additionally, PixieBrix sends emails to team members when using Login with Email (aka "Magic Links")

Incoming Email Domain Allowlist

The following domains must be allowlisted:

• pixiebrix.com

Incoming System Email IP Address Allowlist

System emails are sent from the following IP addresses (updated July 1, 2023):

• 149.72.154.34

Frequently Asked Questions (FAQs)

Is PixieBrix compatible with ZScaler?

PixieBrix is compatible with ZScaler. However, you must allowlist the outgoing traffic domains listed above under Outgoing Network Traffic. ZScaler’s authentication header/URL re-writing is known to intermittently break request authentication.