Canvas Whitelisting

Document created by Erin Hallmark Administrator on Mar 27, 2020. Last modified by Erin Hallmark Administrator on Apr 23, 2020.

 

Many K12 schools and some higher ed institutions need to restrict the websites that students can visit while on campus and want to whitelist Canvas’s resources.

 

Future changes may require additional whitelisting. Institutions that use Canvas whitelists should thoroughly test their firewalls to avoid instability.

 

 

Canvas Core Whitelist

Whenever possible, Canvas uses a subdomain of <domain>.instructure.com to host additional resources. This behavior allows institutions to whitelist *.instructure.com and cover a range of services that Canvas provides.

 

Some of the built-in functionality of Canvas is accessed via separate URLs that will also need to be whitelisted:

 

Browser Security

  • *.canvas-user-content.com

Canvas Guides

  • *.canvaslms.com

Canvas Images/File Storage (except Media)

  • *.inscloudgate.net
  • instructure-uploads.s3.amazonaws.com
  • instructure-uploads-2.s3.amazonaws.com
  • instructure-uploads-eu.s3.amazonaws.com
  • instructure-uploads-apse1.s3.amazonaws.com
  • instructure-uploads-apse2.s3.amazonaws.com
  • instructure-uploads-fra.s3.amazonaws.com
  • instructure-uploads-pdx.s3.amazonaws.com
  • instructure-uploads-yul.s3.amazonaws.com

Canvas Media Storage

  • *.instructuremedia.com
  • notorious-prod.s3.amazonaws.com
  • notorious-prod-apse1.s3.amazonaws.com
  • notorious-prod-apse2.s3.amazonaws.com
  • notorious-prod-eu.s3.amazonaws.com
  • notorious-prod-fra.s3.amazonaws.com
  • notorious-prod-pdx.s3.amazonaws.com
  • notorious-prod-yul.s3.amazonaws.com

Conferences - BigBlueButton basic integration

  • *.blindsidenetworks.com
  • .bbb-iad-prod.instructure.com (Free for Teacher accounts only)

Course Content Images

  • unsplash.com

DocViewer

  • canvadocs.instructure.com

Gravatar Images (Profile Pictures)

  • *.gravatar.com

Google Analytics

  • ssl.google-analytics.com

Google Docs Integration

  • docs.google.com

Google Drive Integration

  • drive.google.com

Import Scripts and Canvas Resources

  • *.cloudfront.net

Rich Content Editor Math Equations

  • instructure.codecogs.com

Support Help

  • *.canvaslms.com

 

Quizzes and Outcomes Whitelist

Quizzes and Outcomes URLs follow a similar pattern to Canvas URLs with the addition of the Amazon Web Services (AWS) region (IAD, PDX, YUL, DUB, FRA, SYD, SIN). Also, Quizzes has two application URLs instead of just one.

 

For institutions unsure about which region to use for an account, please contact Canvas Support or a Customer Success Manager.

 

  • kinesis.*.amazonaws.com
  • *.cloudfront.net
  • *.learnosity.com
  • *.quiz-api-<region>-prod.instructure.com
  • *.quiz-lti-<region>-prod.instructure.com
  • *.quiz-api-<region>-beta.instructure.com
  • *.quiz-lti-<region>-beta.instructure.com
  • *.outcomes-<region>-prod.instructure.com
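
To test a filter against this list before deployment, the patterns can be expanded for one region and checked against hostnames. This is an added example, not Instructure code. The wildcard semantics (a `*` must match at least one character, and a switch controls whether it may span several labels) and the sample hostnames are assumptions; confirm how your own filtering product interprets `*`.

```python
import re

# Patterns copied from the Quizzes and Outcomes list on this page.
PATTERNS = [
    "kinesis.*.amazonaws.com",
    "*.cloudfront.net",
    "*.learnosity.com",
    "*.quiz-api-<region>-prod.instructure.com",
    "*.quiz-lti-<region>-prod.instructure.com",
    "*.quiz-api-<region>-beta.instructure.com",
    "*.quiz-lti-<region>-beta.instructure.com",
    "*.outcomes-<region>-prod.instructure.com",
]
REGIONS = ("iad", "pdx", "yul", "dub", "fra", "syd", "sin")  # codes from the page, lowercased


def expand(region):
    """Fill the <region> placeholder for one account region."""
    region = region.lower()
    if region not in REGIONS:
        raise ValueError(f"unknown region: {region}")
    return [p.replace("<region>", region) for p in PATTERNS]


def allowed(host, patterns, star_spans_labels=True):
    """Assumed semantics: '*' needs at least one character; whether it may
    cross a dot differs between filtering products, hence the switch."""
    star = r"[a-z0-9.-]+" if star_spans_labels else r"[a-z0-9-]+"
    host = host.lower().rstrip(".")
    for pattern in patterns:
        regex = star.join(re.escape(part) for part in pattern.lower().split("*"))
        if re.fullmatch(regex, host):
            return True
    return False


def audit(hosts, region, star_spans_labels=True):
    """Map each hostname to True (allowed) or False (blocked) for one region."""
    patterns = expand(region)
    return {h: allowed(h, patterns, star_spans_labels) for h in hosts}


# Constructed test hostnames, not taken from Canvas traffic.
SAMPLE_HOSTS = [
    "school.quiz-lti-iad-prod.instructure.com",   # subdomain in the account's region
    "school.quiz-lti-pdx-prod.instructure.com",   # same service, different region
    "quiz-api-iad-prod.instructure.com",          # bare name with no subdomain label
    "kinesis.us-east-1.amazonaws.com",            # wildcard in the middle of the name
    "quiz-api-iad-prod.instructure.com.lookalike.example",  # allowed name used as a prefix
]
```

Calling `audit(SAMPLE_HOSTS, "iad")` allows only the first and fourth names. Under these strict semantics the bare name is blocked, so check whether your filter treats `*.name` as also covering `name` itself.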

 

Email Notification IP Whitelist

SMTP allows any computer to send email claiming to be from any source address. Spammers and phishers often use this to forge sender addresses, which makes a message harder to trace back to its sender and lets them hide their identity to avoid responsibility; forged messages can even dupe users into disclosing private information.

 

Verification Systems

Canvas uses SPF, an email validation system designed to prevent spam and phishing by detecting and preventing email spoofing. SPF allows administrators to specify which hosts (IP addresses, computers) are allowed to send mail from a given domain by creating specific SPF records in the DNS. Mail exchangers then use the DNS to verify that mail from a given domain is being sent by a sanctioned host.

 

Canvas also uses DomainKeys Identified Mail (DKIM) to sign mail. DKIM associates our domain name with an email message, thereby allowing Canvas to claim responsibility for the message (sign the message). The digital signature is validated by the recipient. Responsibility is claimed by a signer (instructure.com), independently of the message's actual authors or recipients, by adding a DKIM-Signature: field to the message's header. The verifier recovers the signer's public key using the DNS, and then verifies that the signature matches the actual message's content.

 

If customers cannot receive email notifications from Canvas, emails are typically being sent to the Spam folder. To correct this behavior, update spam settings to allow emails from instructure.com.
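
Because the From address alone can be forged, an allow rule for instructure.com is safest when it keys on the SPF and DKIM results recorded by the receiving mail server. The following added example (not Instructure code) reads the Authentication-Results header of two constructed messages. The MTA name `mx.school.example`, the sample addresses and the "either check passes for instructure.com" policy are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SIGNER = "instructure.com"          # signing domain named on this page
TRUSTED_MTA = "mx.school.example"   # assumption: authserv-id of your own inbound MTA

# Constructed sample messages (not real Canvas mail).
GENUINE = ("Authentication-Results: mx.school.example; spf=pass "
           "smtp.mailfrom=bounces@instructure.com; dkim=pass header.d=instructure.com\n"
           "From: Canvas <notifications@instructure.com>\nSubject: Graded\n\nbody\n")
FORGED = ("Authentication-Results: mx.school.example; spf=fail "
          "smtp.mailfrom=x@lookalike.example; dkim=none\n"
          "Authentication-Results: mx.sender.example; dkim=pass header.d=instructure.com\n"
          "From: Canvas <notifications@instructure.com>\nSubject: Graded\n\nbody\n")


def in_domain(name):
    """True for instructure.com itself or any subdomain of it."""
    name = name.lower().rstrip(".")
    return name == SIGNER or name.endswith("." + SIGNER)


def parse_auth_results(value):
    """Split one header value into (authserv_id, [(method, result, props)])."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop parenthesised comments
    parts = [p.split() for p in value.split(";") if p.strip()]
    if not parts:
        return "", []
    results = []
    for tokens in parts[1:]:
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return parts[0][0].lower(), results


def canvas_mail_verdict(raw):
    msg = message_from_string(raw)
    if not in_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2]):
        return "not-canvas"
    for header in msg.get_all("Authentication-Results", []):
        authserv, results = parse_auth_results(header)
        if authserv != TRUSTED_MTA:
            continue  # any sender can add this header; trust only our own MTA's copy
        for method, result, props in results:
            key = {"dkim": "header.d", "spf": "smtp.mailfrom"}.get(method)
            ident = props.get(key, "").rpartition("@")[2]
            if key and result == "pass" and in_domain(ident):
                return "authenticated"
    return "spoof-suspect"
```

`GENUINE` is reported as authenticated. `FORGED` is reported as spoof-suspect even though it carries a passing DKIM result, because that header was not written by the trusted MTA.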

 

Email IP Addresses

If needed, institutions can whitelist all static Canvas IP addresses. Please see the list in Canvas Email IP addresses.

Note: The IP list may be updated at any time. Updates to the list will be posted in the Canvas Deploy Notes.

 

LDAP

Most LDAP servers are not publicly available and are protected by firewalls. Canvas admins can create a whitelist of firewall exceptions to connect to their LDAP server. Canvas designates a set of servers and their associated static IP addresses to simplify these firewall exception rules. Please see the list in Canvas LDAP addresses.

Note: The IP list may be updated at any time. Updates to the list will be posted in the Canvas Deploy Notes.
