Skip to content

RiskIdent/ri-forward-webhook

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits

.github

.github

 
 

LICENSES

LICENSES

 
 

.dockerignore

.dockerignore

 
 

.editorconfig

.editorconfig

 
 

.gitignore

.gitignore

 
 

.goreleaser.yaml

.goreleaser.yaml

 
 

.markdownlint-cli2.yaml

.markdownlint-cli2.yaml

 
 

.markdownlint.yaml

.markdownlint.yaml

 
 

.yamllint

.yamllint

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

config.go

config.go

 
 

endpoint.go

endpoint.go

 
 

ginlogger.go

ginlogger.go

 
 

github.go

github.go

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

go.sum.license

go.sum.license

 
 

goreleaser.Dockerfile

goreleaser.Dockerfile

 
 

main.go

main.go

 
 

package.json

package.json

 
 

package.json.license

package.json.license

 
 

ri-forward-webhook.schema.json

ri-forward-webhook.schema.json

 
 

ri-forward-webhook.schema.json.license

ri-forward-webhook.schema.json.license

 
 

ri-forward-webhook.yaml

ri-forward-webhook.yaml

 
 

server.go

server.go

 
 

Repository files navigation

ri-forward-webhook

REUSE status

HTTP server that validates and forwards webhooks.

Implements GitHub webhook validation for SHA-256 based signatures (X-Hub-Signature-256 header).

Use case

Exposing Jira's webhook endpoint, but not exposing the entire Jira.

This application acts as a gateway from the public github.com over to our internal Jira. We expose ri-forward-webhook, and with the additional webhook signature validation we can feel safe on not letting bad actors sending arbitrary requests to our precious Jira.

In addition, in our infrastructure as code repo, we use Cloudflare Tunnels to expose ri-forward-webhook, so that nothing else in our Kubernetes cluster is accidentally exposed to the Internet.

Configuration

The service is configured using YAML.

Example:

endpoints:
  # Proxy all GET and POST requests to http://google.com
  /foo/bar:
    # Destination URI. Must be set.
    forwardTo: http://google.com
    # Which HTTP methods to forward. Default: [POST]
    methods: [GET, POST]
    # If set, then ri-forward-webhook does not follow any redirections.
    # By default, it will follow up to 10 redirects.
    noFollowRedirect: true
    # If set, then ignores all TLS certificate issues.
    insecureSkipVerifyTls: true

  # Proxy all POST requests to http://google.com,
  # but only if a valid X-Hub-Signature-256 header is supplied
  /foo/doo:
    forwardTo: http://google.com
    auth:
      githubWebhookSecret: mySecretKey

  # Proxy all POST requests to http://google.com,
  # but only if a valid X-Hub-Signature-256 header is supplied
  /foo/moo:
    forwardTo: http://google.com
    auth:
      # Reads secret from file
      githubWebhookSecretFile: /path/to/mysecretkey.txt

Development

Requires Go 1.21 (or later)

go run .

Building

podman build . -t ghcr.io/riskident/ri-forward-webhook

Releasing

  1. Create a new release on GitHub, with "v" prefix on version: https://github.com/RiskIdent/ri-forward-webhook/releases/new

  2. Write a small changelog, like so:

    ## Changes (since v0.3.0)

- Added some feature. (#123)

  3. Our GitHub Action with goreleaser will build and add artifacts to release

License

This repository complies with the REUSE recommendations.

Different licenses are used for different files. In general:

Please see each file's header or accompanied .license file for specifics.

About

Forwards and validates webhooks

Topics

go golang webhook

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 5

v0.1.4 Latest
May 13, 2024
+ 4 releases

Packages 1

 

Contributors 3

  •  
  •  
  •  

Languages