diff --git a/README.md b/README.md index 913fdfb..51d1750 100644 --- a/README.md +++ b/README.md @@ -109,6 +109,11 @@ In either case, the given file part will be parsed as JSON and added to the `pay TLS version and cipher suite selection flags are available from the command line. To list available cipher suites, use the `-list-cipher-suites` flag. The `-tls-min-version` flag can be used with `-list-cipher-suites`. +## Running behind a reverse proxy +[webhook][w] may be run behind a "reverse proxy" - another web-facing server such as [Apache httpd](https://httpd.apache.org) or [Nginx](https://nginx.org) that accepts requests from clients and forwards them on to [webhook][h]. You can have [webhook][w] listen on a regular TCP port or on a Unix domain socket (with the `-socket` flag), then configure your proxy to send requests for a specific host name or sub-path over that port or socket to [webhook][w]. + +Note that when running in this mode the [`ip-whitelist`](docs/Hook-Rules.md#match-whitelisted-ip-range) trigger rule will not work as expected, since it will be checking the address of the _proxy_, not the _client_. Client IP restrictions will need to be enforced within the proxy, before it decides whether to forward the request to [webhook][w]. + ## CORS Headers If you want to set CORS headers, you can use the `-header name=value` flag while starting [webhook][w] to set the appropriate CORS headers that will be returned with each response. diff --git a/docs/Hook-Rules.md b/docs/Hook-Rules.md index 911e198..84914ca 100644 --- a/docs/Hook-Rules.md +++ b/docs/Hook-Rules.md @@ -269,6 +269,8 @@ The IP can be IPv4- or IPv6-formatted, using [CIDR notation](https://en.wikipedi } ``` +Note this does not work if webhook is running behind a reverse proxy, as the "client IP" will either not be available at all (if webhook is using a Unix socket or named pipe) or it will be the address of the _proxy_, not of the real client. You will probably need to enforce client IP restrictions in the reverse proxy itself, before forwarding the requests to webhook. + ### Match scalr-signature The trigger rule checks the scalr signature and also checks that the request was signed less than 5 minutes before it was received.