Skip to content

RiskIdent/ri-forward-webhook

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
.github
.github
 
 
LICENSES
LICENSES
 
 
.dockerignore
.dockerignore
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
.goreleaser.yaml
.goreleaser.yaml
 
 
.markdownlint-cli2.yaml
.markdownlint-cli2.yaml
 
 
.markdownlint.yaml
.markdownlint.yaml
 
 
.yamllint
.yamllint
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
config.go
config.go
 
 
endpoint.go
endpoint.go
 
 
ginlogger.go
ginlogger.go
 
 
github.go
github.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
go.sum.license
go.sum.license
 
 
goreleaser.Dockerfile
goreleaser.Dockerfile
 
 
main.go
main.go
 
 
package.json
package.json
 
 
package.json.license
package.json.license
 
 
ri-forward-webhook.schema.json
ri-forward-webhook.schema.json
 
 
ri-forward-webhook.schema.json.license
ri-forward-webhook.schema.json.license
 
 
ri-forward-webhook.yaml
ri-forward-webhook.yaml
 
 
server.go
server.go
 
 

Repository files navigation

ri-forward-webhook

REUSE status

HTTP server that validates and forwards webhooks.

Implements GitHub webhook validation for SHA-256 based signatures (X-Hub-Signature-256 header).

Use case

Exposing Jira's webhook endpoint, but not exposing the entire Jira.

This application acts as a gateway from the public github.com over to our internal Jira. We expose ri-forward-webhook, and with the additional webhook signature validation we can feel safe on not letting bad actors sending arbitrary requests to our precious Jira.

In addition, in our infrastructure as code repo, we use Cloudflare Tunnels to expose ri-forward-webhook, so that nothing else in our Kubernetes cluster is accidentally exposed to the Internet.

Configuration

The service is configured using YAML.

Example:

endpoints:
  # Proxy all GET and POST requests to http://google.com
  /foo/bar:
    # Destination URI. Must be set.
    forwardTo: http://google.com
    # Which HTTP methods to forward. Default: [POST]
    methods: [GET, POST]
    # If set, then ri-forward-webhook does not follow any redirections.
    # By default, it will follow up to 10 redirects.
    noFollowRedirect: true
    # If set, then ignores all TLS certificate issues.
    insecureSkipVerifyTls: true

  # Proxy all POST requests to http://google.com,
  # but only if a valid X-Hub-Signature-256 header is supplied
  /foo/doo:
    forwardTo: http://google.com
    auth:
      githubWebhookSecret: mySecretKey

  # Proxy all POST requests to http://google.com,
  # but only if a valid X-Hub-Signature-256 header is supplied
  /foo/moo:
    forwardTo: http://google.com
    auth:
      # Reads secret from file
      githubWebhookSecretFile: /path/to/mysecretkey.txt

Development

Requires Go 1.21 (or later)

go run .

Building

podman build . -t ghcr.io/riskident/ri-forward-webhook

Releasing

  1. Create a new release on GitHub, with "v" prefix on version: https://github.com/RiskIdent/ri-forward-webhook/releases/new

  2. Write a small changelog, like so:

    ## Changes (since v0.3.0)

- Added some feature. (#123)

  3. Our GitHub Action with goreleaser will build and add artifacts to release

License

This repository complies with the REUSE recommendations.

Different licenses are used for different files. In general:

Please see each file's header or accompanied .license file for specifics.

About

Forwards and validates webhooks

Topics

go golang webhook

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases 7

v0.1.6 Latest
Jul 8, 2024
+ 6 releases

Packages

 
 
 

Contributors 3

  •  
  •  
  •  

Languages