{"id":13548318,"url":"https://github.com/lmammino/webhook-tunnel","last_synced_at":"2025-04-05T21:07:30.516Z","repository":{"id":40346714,"uuid":"110811727","full_name":"lmammino/webhook-tunnel","owner":"lmammino","description":"A little HTTP proxy suitable to create tunnels for webhook endpoints protected behind a firewall or a VPN","archived":false,"fork":false,"pushed_at":"2024-11-10T21:46:37.000Z","size":743,"stargazers_count":70,"open_issues_count":14,"forks_count":13,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-29T15:11:24.144Z","etag":null,"topics":["cli","command-line","command-line-tool","firewall","http","https","node","nodejs","proxy","server","tunnel","webhook"],"latest_commit_sha":null,"homepage":"https://lmammino.github.io/webhook-tunnel/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lmammino.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-11-15T09:20:30.000Z","updated_at":"2025-02-14T07:42:20.000Z","dependencies_parsed_at":"2024-01-28T03:43:22.176Z","dependency_job_id":"1d050225-883a-496d-a8a8-6e2bc142c5df","html_url":"https://github.com/lmammino/webhook-tunnel","commit_stats":{"total_commits":16,"total_committers":2,"mean_commits":8.0,"dds":0.3125,"last_synced_commit":"79a1e3b2e92f27bd4f8eb7ec3636ff75c799fb12"},"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lmammino%2Fwebhook-tunnel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/lmammino%2Fwebhook-tunnel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lmammino%2Fwebhook-tunnel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lmammino%2Fwebhook-tunnel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lmammino","download_url":"https://codeload.github.com/lmammino/webhook-tunnel/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247399877,"owners_count":20932876,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","command-line","command-line-tool","firewall","http","https","node","nodejs","proxy","server","tunnel","webhook"],"created_at":"2024-08-01T12:01:08.791Z","updated_at":"2025-04-05T21:07:30.492Z","avatar_url":"https://github.com/lmammino.png","language":"JavaScript","funding_links":[],"categories":["JavaScript","\u003ca id=\"01e6651181d405ecdcd92a452989e7e0\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"9d6789f22a280f5bb6491d1353b02384\"\u003e\u003c/a\u003e隧道\u0026\u0026穿透"],"readme":"# webhook-tunnel\n\n\n[![npm version](https://badge.fury.io/js/webhook-tunnel.svg)](http://badge.fury.io/js/webhook-tunnel)\n[![CircleCI](https://circleci.com/gh/lmammino/webhook-tunnel.svg?style=shield)](https://circleci.com/gh/lmammino/webhook-tunnel)\n[![JavaScript Style Guide](https://img.shields.io/badge/code_style-standard-brightgreen.svg)](https://standardjs.com)\n[![Known 
Vulnerabilities](https://snyk.io/test/github/lmammino/webhook-tunnel/badge.svg)](https://snyk.io/test/github/lmammino/webhook-tunnel)\n\nA little HTTP proxy suitable to create tunnels for webhook endpoints protected behind a firewall or a VPN\n\n\n## Rationale\n\nIf you are doing security properly in your company, it's very likely that most of your resources will be\nprotected behind a firewall or a VPN, including things like Continuous Integration pipelines (e.g. Jenkins)\nor other tools with web-based integrations.\n\nIn such scenarios, it becomes tricky to integrate external services (e.g. GitHub) with your internal tools\nthrough web hooks.\n\nFor example, it becomes hard to allow GitHub to notify your secured CI instance that there's a new push\non one of the projects that your CI is building.\n\nWebhook-tunnel allows you to create an HTTP tunnel that can be used for routing web hook requests through your security layers.\n\nThis approach creates a connection channel from the outside to your internal infrastructure,\nso be sure to limit the access to the tunnel as much as you can.\n\nTo increase the security level of the tunnel, Webhook-tunnel can be configured to apply a number of different\nfilters over the HTTP requests and block them from getting into the internal network. Consult the section [filters](#filters) to know more about this aspect.\n\nHere's an example configuration that demonstrates how the tunnel can be used:\n\n![Example CI diagram](/images/ci-example.png)\n\n\n## Install\n\nFrom npm:\n\n```bash\nnpm install --global webhook-tunnel\n```\n\n(this requires [npm](https://www.npmjs.com/) and [Node.js](https://nodejs.org/) version \u003e= 8)\n\n\nOr you can simply download one of the binaries available in the [Releases](https://github.com/lmammino/webhook-tunnel/releases) section.\n\nNote: the compiled executable contains a full-blown version of the Node.js runtime\nembedded in it. 
So use this version only if you want to run the tunnel in an environment that\ndoes not have a supported version of Node.js already installed.\n\n\n## Execute\n\nTo execute the proxy in your server:\n\n```bash\nwebhook-tunnel \u003ctarget\u003e\n```\n\nWhere `target` is the full URL where every request will be proxied to.\n\nE.g.\n\n```bash\nwebhook-tunnel http://myprivatejenkins.tld/somepath/\n```\n\nBy default the server will be bound to `0.0.0.0:12345`.\n\n\n### Command line options\n\nThis is the full list of supported command line options:\n\n```plain\nOptions:\n  --help               Show help                                       [boolean]\n  --bind-address, -a   The bind address of the server\n                                                   [string] [default: \"0.0.0.0\"]\n  --port, -p           The port on which the server will be listening to\n                                                       [number] [default: 12345]\n  --expect-cidr, -C    Rejects the request if it is not coming from one of the\n                       specified IP ranges (CIDRs)                       [array]\n  --expect-path, -P    Rejects the request if it is not addressed to one of the\n                       specified path prefixes                           [array]\n  --expect-query, -Q   Rejects the request if it doesn't contain any of\n                       specified query parameters with a matching value (e.g.\n                       token=1234)                                       [array]\n  --expect-header, -H  Rejects the request if it doesn't contain any of\n                       specified headers with a matching value (e.g.\n                       x-token=1234)                                     [array]\n  --expect-method, -M  Rejects the request if it is not using one of the\n                       specified methods (e.g. 
`GET`)                    [array]\n  --log-level, -l      Logging level (one of 'fatal', 'error', 'warn', 'info',\n                       'debug', 'trace' or 'silent')  [string] [default: \"info\"]\n  --version            Show version number                             [boolean]\n```\n\n\n## Filters\n\nWebhook-tunnel supports a number of filters straight away.\nThe currently supported filters are:\n\n  - [IP ranges (CIDR)](#ip-ranges)\n  - [Request Path prefixes](#request-path)\n  - [Query string parameters](#query-string)\n  - [Header parameters](#header)\n  - [HTTP methods](#method)\n\nBy default every filter is disabled, so every request can cross the tunnel.\nFor every filter you can specify one or more rules. As soon as you have a rule for a filter,\nno request can pass the tunnel unless the request matches the rule.\n\nWe can recap the internal flow with the following statements:\n\n  1. if no filter is used (no rules in any filter), every request can cross the tunnel\n  2. if you have a rule under a filter, every request is blacklisted, unless it matches the rule\n  3. if you have a filter with more than one rule, then at least one rule per filter should be matched to allow the request to cross the tunnel.\n\n\n### IP Ranges\n\nIf you want to accept requests that come only from a selected list of IPs you can run\nthe tunnel with the option `--expect-cidr`. 
This option allows you to add a rule under the CIDR filter.\nYou can create multiple rules by using the option multiple times.\n\nExample:\n\n```bash\nwebhook-tunnel http://somedonain.tld --expect-cidr 22.23.24.25/22 --expect-cidr 120.25.25.25/22\n```\n\nThis way the tunnel will accept **only** requests coming from `22.23.24.25/22` **or** `120.25.25.25/22`.\n\n\n### Request path\n\nYou can restrict the requests being tunneled by **path prefix** with the option `--expect-path`.\nBy default all the paths are accepted but you can add one or more path rules as in the following example:\n\n```bash\nwebhook-tunnel http://somedonain.tld --expect-path /path1 --expect-path /path2\n```\n\nWith this configuration requests with a prefix path of `/path1` or `/path2` (e.g. `/path1/products` or `/path123`) will be allowed, while all the other requests will be rejected.\n\n\n### Query string\n\nYou can restrict the requests being tunneled by **query parameters** with the option `--expect-query`.\nThis option accepts arguments in the form `key=value`. You can specify multiple `--expect-query` options and the request will be tunneled only if at least one of the rules is matched.\n\nE.g.\n\n```bash\nwebhook-tunnel http://somedonain.tld --expect-query token=xyz --expect-query auth=admin\n```\n\nWith this configuration requests with a query string like `?token=xyz` **or** `?auth=admin` will be allowed, while all the other requests will be rejected.\n\n\n### Header\n\nHeader filters behave exactly like query string filters, except that headers are used for the match.\nTo specify header rules you have to use the `--expect-header` option.\n\n\n### Method\n\nYou can restrict the requests by HTTP method (`get`, `post`, `patch`, etc.).\n\nTo set the method rules you have to use the `--expect-method` option. 
You can specify the option\nmultiple times and the request will be tunneled only if at least one of the rules is matched.\n\nE.g.\n\n```bash\nwebhook-tunnel http://somedonain.tld --expect-method get --expect-method post\n```\n\nWill accept only `post` **or** `get` requests.\n\n\n## Contributing\n\nEveryone is very welcome to contribute to this project.\nYou can contribute just by submitting bugs or suggesting improvements by\n[opening an issue on GitHub](https://github.com/lmammino/webhook-tunnel/issues).\n\n\n## License\n\nLicensed under [MIT License](LICENSE). © Luciano Mammino.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flmammino%2Fwebhook-tunnel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flmammino%2Fwebhook-tunnel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flmammino%2Fwebhook-tunnel/lists"}