如何验证后收到钩请求实际上从GitHub来的? [英] How to verify a post-receive hook request actually came from github?

查看:117
本文介绍了如何验证后收到钩请求实际上从GitHub来的?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

Github上提供了一种方法让一个URL知道什么时候一期工程已使用网络挂接更新。

Github offers a way to let a URL know when a project has been updated using webhooks.

如何验证发送到我的服务器的后收到钩后竟从GitHub来的?

我应该检查发件人的IP地址,或者我可以什么地方发送AUTH检查?我想确保有人不会尝试欺骗请求pretending是从GitHub。

Should I check the IP address of the sender or can I send an auth check somewhere? I want to make sure someone doesn't try to spoof a request pretending to be from github.

一种选择是通过设置 PubSubHubbub通讯,并使用 hub.secret 选项创建后身体的SHA1 HMAC签名。然而,这需要我的服务器设置的要求,而不是等待用户设置后接收回调到我的网站时,他们希望。我宁愿只要求用户粘贴URL我给他们进入后的网址。

One option is to setup the hook through PubSubHubbub and use the hub.secret option to create a SHA1 HMAC signature of the post body. However, that would require my server setting up the request rather than waiting for users to setup the post-receive callback to my site when they want to. I would rather just ask users to paste the URL I give them into the post url.

推荐答案

您可以尝试检查GitHub的请求后IP: 207.97.227.253,50.57.1​​28.197,108.171.174.178

You can try to check Github's post-request IP : 207.97.227.253, 50.57.128.197, 108.171.174.178

这篇关于如何验证后收到钩请求实际上从GitHub来的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆