How to allow only webhooks from Github to my internal server?

I created a Cloudflare Tunnel to my application hosted internally but I only want the endpoints /api/webook to be reachable by Github’s webhook IPs. I do not want to expose my entire application to the internet through Cloudflare. In additional to the Cloudflare Tunnel, I also tried adding an Access Application and created policies to Block all except for my IP and Github’s webook IPs but it asks for authentication via One One-time PIN. When deleting the login method, I get a page that ask me to create an Identity Provider. How do I not require authenticate for the /api/webhook endpoints for specific IPs?

You could just make a firewall rule to only allow those IPs. I’m not sure what IP ranges Github uses for webhooks though.

1 Like

According to GitHub Docs, you can obtain all GitHub IP ranges from this API endpoint. The hooks key specifies outgoing IP addresses for webhook invocations.

Note that however, limiting by IP addresses might not be the best idea as it could change from time to time. Even GitHub recommends:

however if you use these IP ranges we strongly encourage regular monitoring of our API.

The best solution is to identify GitHub webhook invocations by X-Hub-Signature or X-Hub-Signature-256 returned by GitHub. Depending on your repository layout this may or may not be a big job to configure.

Thanks, I created a rule and it seems to be working but instead of an And operator I had to use Or which seems confusing.

That seems it’d break the rest of your site, if there’s anything else there other than the /api/ path.

Yes that’s the intent since it’s a build server not intended to be reachable from the internet except from Github. I reach the app from my internal network.

edit: I see the issue if I were to have other subdomains on my site so changed the rule to use URI Full equals instead

1 Like