webhook proxy for jenkins in internally visible jenkins instance

Question

I'm running an Jenkins instance inside my private network at home. This instance polls (hourly) various repositories at github for changes and acts on those changes.

To reduce load both on my network and on github, I would like to implement webhooks, but don't feel too happy about opening up my Jenkins installation to the internet, or even to the specific few IP addresses from where I can expect webhook calls.

Is there a kind of proxy which I could install on a sacrificial host which forwards the request to the real server inside my network? Call parameter sanitation would be a nice extra.

Answer 1

We have a similar setup, where we have one internet-exposed host which receives webhooks from our various git providers, does some rewriting if necessary, and then forwards the hook internally to Jenkins (or wherever).

This is done with a very simple nginx config:

# Allow *only* the notifyCommit endpoint, and don't expose any other info
location = /git/notifyCommit {
  proxy_pass              http://jenkins.int.example.com:8080/git/notifyCommit
  proxy_hide_header       X-Powered-By;
  proxy_intercept_errors  on;
  error_page              500 /;
}

The use of the location = syntax, means that only that exact URL (plus query parameters) is matched. Everything else will throw a 404 error.

---

Alternatively, you could try running git-webhook-proxy on an exposed host; it's a webserver I created that will intercept webhooks and then cache the repositories locally before forwarding the webhooks via the internal network to Jenkins.