Needs work
Project: Aegir Hosting Git
Version: 7.x-3.150
Component: Code
Priority: Normal
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 22 Jun 2018 at 11:56 UTC
Updated: 18 Oct 2018 at 19:05 UTC
Comments
Comment #2
c_archer commented
I am currently using Omega8.cc infrastructure, if that helps.
Comment #3
c_archer commented
Comment #4
c_archer commented
Posting on behalf of Omega8.cc, these were their findings:
OK, so I have looked at the default whitelisted IPs ranges again -- and they are the same on the old and migrated Aegir, of course:
204.232.175.64/27
192.30.252.0/22
104.192.143.192/28
104.192.143.208/28
Now, the IP reported as denied is 104.192.142.193
Can you notice the little but confusing difference?
Yes, it's from a previously not used/whitelisted range 104.192.142.192/28 and not the known/whitelisted 104.192.143.192/28
For reference:
http://jodies.de/ipcalc?host=104.192.143.192&mask1=28&mask2=
Address: 104.192.143.192 01101000.11000000.10001111.1100 0000
Netmask: 255.255.255.240 = 28 11111111.11111111.11111111.1111 0000
Wildcard: 0.0.0.15 00000000.00000000.00000000.0000 1111
=>
Network: 104.192.143.192/28 01101000.11000000.10001111.1100 0000 (Class A)
Broadcast: 104.192.143.207 01101000.11000000.10001111.1100 1111
HostMin: 104.192.143.193 01101000.11000000.10001111.1100 0001
HostMax: 104.192.143.206 01101000.11000000.10001111.1100 1110
Hosts/Net: 14
http://jodies.de/ipcalc?host=104.192.142.192&mask1=28&mask2=
Address: 104.192.142.192 01101000.11000000.10001110.1100 0000
Netmask: 255.255.255.240 = 28 11111111.11111111.11111111.1111 0000
Wildcard: 0.0.0.15 00000000.00000000.00000000.0000 1111
=>
Network: 104.192.142.192/28 01101000.11000000.10001110.1100 0000 (Class A)
Broadcast: 104.192.142.207 01101000.11000000.10001110.1100 1111
HostMin: 104.192.142.193 01101000.11000000.10001110.1100 0001
HostMax: 104.192.142.206 01101000.11000000.10001110.1100 1110
Hosts/Net: 14
I have whitelisted also 104.192.142.192/28 so it should work now, but please check and let us know the updated list of IP ranges to configure, as they clearly changed recently, which apparently coincided with the Aegir migration, but was not related.
Obviously, it should be updated also in the hosting_git code where the default value is:
// These are github's Webhook callback IPs.
// This list grows occasionally, update it as needed.
define('HOSTING_GIT_WEBHOOK_DEFAULT_ALLOWED_IPS', "
204.232.175.64/27
192.30.252.0/22
104.192.143.192/28
104.192.143.208/28
");
Comment #5
c_archer commented
I've created a patch based on the above information.
Comment #6
c_archer commented
Comment #7
helmo commented
Thanks, but unfortunately these services switch IPs more than you'd like.
Maybe we can script or document the process ...
For BitBucket I found https://blog.bitbucket.org/2017/06/21/new-outbound-ip-addresses-webhooks/
For GitHub I now found: https://api.github.com/meta (doc)
GitLab does not offer a list, so you'd have to disable the whitelist :( : https://gitlab.com/gitlab-com/infrastructure/issues/1985
Comment #9
helmo commented
I've committed your patch but will leave this open hoping that #7 will get some follow-up.
Comment #10
helmo commented
#3006600: Regression: cannot enter the Git URL when creating a new platform accidentally removed this again #5 again :( ... but that's now fixed.
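The allowlist mismatch diagnosed in comment #4, reproduced as an added example (not hosting_git's own code, and not part of any comment above). The `example_*` function names are hypothetical; the sketch assumes IPv4-only entries and 64-bit PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helpers, not taken from hosting_git.

// Parse a whitespace-separated list of IPv4 CIDR ranges (the format of the
// HOSTING_GIT_WEBHOOK_DEFAULT_ALLOWED_IPS string) into [network, mask] pairs.
function example_parse_cidr_list(string $list): array {
  $ranges = [];
  foreach (preg_split('/\s+/', trim($list)) as $cidr) {
    if ($cidr === '') {
      continue;
    }
    $parts = explode('/', $cidr, 2);
    $net = ip2long($parts[0]);
    $bits = $parts[1] ?? '32';
    // Reject malformed entries instead of letting "/abc" silently become /0.
    if ($net === FALSE || !ctype_digit($bits) || (int) $bits > 32) {
      throw new InvalidArgumentException("Bad CIDR entry: $cidr");
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    $ranges[$cidr] = [$net & $mask, $mask];
  }
  return $ranges;
}

// Return the range that contains $ip, or NULL when the request must be denied.
function example_matching_range(string $ip, array $ranges): ?string {
  $addr = ip2long($ip);
  if ($addr === FALSE) {
    return NULL; // Not a valid IPv4 address: deny.
  }
  foreach ($ranges as $cidr => [$net, $mask]) {
    if (($addr & $mask) === $net) {
      return $cidr;
    }
  }
  return NULL;
}

// Ranges and the denied address are the ones quoted in comment #4.
$original = "204.232.175.64/27\n192.30.252.0/22\n104.192.143.192/28\n104.192.143.208/28\n";
$updated = $original . "104.192.142.192/28\n";
$denied_ip = '104.192.142.193';

foreach (['original' => $original, 'updated' => $updated] as $label => $list) {
  $hit = example_matching_range($denied_ip, example_parse_cidr_list($list));
  echo "$label list: $denied_ip ", $hit === NULL ? 'denied' : "allowed by $hit", "\n";
}
```

Logging the denied source address together with the configured ranges, as this output does, makes a one-digit difference in the third octet much easier to spot.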