如何验证后收到钩请求实际上从GitHub来的？ [英] How to verify a post-receive hook request actually came from github?

问题描述

Github上提供了一种方法让一个URL知道什么时候一期工程已使用网络挂接更新。

Github offers a way to let a URL know when a project has been updated using webhooks.

如何验证发送到我的服务器的后收到钩后竟从GitHub来的？

我应该检查发件人的IP地址，或者我可以什么地方发送AUTH检查？我想确保有人不会尝试欺骗请求pretending是从GitHub。

Should I check the IP address of the sender or can I send an auth check somewhere? I want to make sure someone doesn't try to spoof a request pretending to be from github.

一种选择是通过设置 PubSubHubbub通讯，并使用 hub.secret 选项创建后身体的SHA1 HMAC签名。然而，这需要我的服务器设置的要求，而不是等待用户设置后接收回调到我的网站时，他们希望。我宁愿只要求用户粘贴URL我给他们进入后的网址。

One option is to setup the hook through PubSubHubbub and use the hub.secret option to create a SHA1 HMAC signature of the post body. However, that would require my server setting up the request rather than waiting for users to setup the post-receive callback to my site when they want to. I would rather just ask users to paste the URL I give them into the post url.

推荐答案

您可以尝试检查GitHub的请求后IP： 207.97.227.253，50.57.1​​28.197，108.171.174.178 的

You can try to check Github's post-request IP : 207.97.227.253, 50.57.128.197, 108.171.174.178

这篇关于如何验证后收到钩请求实际上从GitHub来的？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！