如何验证后收到钩请求实际上从GitHub来的? [英] How to verify a post-receive hook request actually came from github?
问题描述
Github上提供了一种方法让一个URL知道什么时候一期工程已使用网络挂接更新。
Github offers a way to let a URL know when a project has been updated using webhooks.
如何验证发送到我的服务器的后收到钩后竟从GitHub来的?
我应该检查发件人的IP地址,或者我可以什么地方发送AUTH检查?我想确保有人不会尝试欺骗请求pretending是从GitHub。
Should I check the IP address of the sender or can I send an auth check somewhere? I want to make sure someone doesn't try to spoof a request pretending to be from github.
一种选择是通过设置 PubSubHubbub通讯,并使用 hub.secret
选项创建后身体的SHA1 HMAC签名。然而,这需要我的服务器设置的要求,而不是等待用户设置后接收回调到我的网站时,他们希望。我宁愿只要求用户粘贴URL我给他们进入后的网址。
One option is to setup the hook through PubSubHubbub and use the hub.secret
option to create a SHA1 HMAC signature of the post body. However, that would require my server setting up the request rather than waiting for users to setup the post-receive callback to my site when they want to. I would rather just ask users to paste the URL I give them into the post url.
推荐答案
您可以尝试检查GitHub的请求后IP: 207.97.227.253,50.57.128.197,108.171.174.178 的
You can try to check Github's post-request IP : 207.97.227.253, 50.57.128.197, 108.171.174.178
这篇关于如何验证后收到钩请求实际上从GitHub来的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!