Hi,
I am having trouble getting the webhooks to work from a private Bitbucket repo. When it tries to deploy to the server I get
104.192.142.195 is not authorized to invoke a Pull Code request.
I can, however, do a Git Pull manually from the Aegir control panel and this works fine.
On BitBucket I have added the server SSH key.
What am I missing?
Thanks,
Chris
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | ip-range-bitbucket.patch | 289 bytes | c_archer |
| | Screen Shot 2018-06-22 at 12.55.13.png | 128.18 KB | c_archer |

Comments
Comment #2
c_archer (as a volunteer and at Upbeat Productions) commented:
I am currently using Omega8.cc infrastructure, if that helps
Comment #3
c_archer (as a volunteer) commented:
Comment #4
c_archer (as a volunteer) commented:
Posting on behalf of Omega8.cc, these were their findings:
OK, so I have looked at the default whitelisted IPs ranges again -- and they are the same on the old and migrated Aegir, of course:
204.232.175.64/27
192.30.252.0/22
104.192.143.192/28
104.192.143.208/28
Now, the IP reported as denied is 104.192.142.193
Can you notice the little but confusing difference?
Yes, it's from a previously not used/whitelisted range 104.192.142.192/28 and not the known/whitelisted 104.192.143.192/28
For reference:
http://jodies.de/ipcalc?host=104.192.143.192&mask1=28&mask2=
Address: 104.192.143.192 01101000.11000000.10001111.1100 0000
Netmask: 255.255.255.240 = 28 11111111.11111111.11111111.1111 0000
Wildcard: 0.0.0.15 00000000.00000000.00000000.0000 1111
=>
Network: 104.192.143.192/28 01101000.11000000.10001111.1100 0000 (Class A)
Broadcast: 104.192.143.207 01101000.11000000.10001111.1100 1111
HostMin: 104.192.143.193 01101000.11000000.10001111.1100 0001
HostMax: 104.192.143.206 01101000.11000000.10001111.1100 1110
Hosts/Net: 14
http://jodies.de/ipcalc?host=104.192.142.192&mask1=28&mask2=
Address: 104.192.142.192 01101000.11000000.10001110.1100 0000
Netmask: 255.255.255.240 = 28 11111111.11111111.11111111.1111 0000
Wildcard: 0.0.0.15 00000000.00000000.00000000.0000 1111
=>
Network: 104.192.142.192/28 01101000.11000000.10001110.1100 0000 (Class A)
Broadcast: 104.192.142.207 01101000.11000000.10001110.1100 1111
HostMin: 104.192.142.193 01101000.11000000.10001110.1100 0001
HostMax: 104.192.142.206 01101000.11000000.10001110.1100 1110
Hosts/Net: 14
I have whitelisted also 104.192.142.192/28 so it should work now, but please check and let us know the updated list of IP ranges to configure, as they clearly changed recently, which apparently coincided with the Aegir migration, but was not related.
Obviously, it should be updated also in the hosting_git code where the default value is:
// These are github's Webhook callback IPs.
// This list grows occasionally, update it as needed.
define('HOSTING_GIT_WEBHOOK_DEFAULT_ALLOWED_IPS', "
204.232.175.64/27
192.30.252.0/22
104.192.143.192/28
104.192.143.208/28
");
Comment #5
c_archer (as a volunteer) commented:
I've created a patch based on the above information.
Comment #6
c_archer (as a volunteer) commented:
Comment #7
helmo (as a volunteer and at Initfour websolutions for Aegir Cooperative) commented:
Thanks, but unfortunately these services switch IPs more than you'd like.
Maybe we can script or document the process ...
For BitBucket I found https://blog.bitbucket.org/2017/06/21/new-outbound-ip-addresses-webhooks/
For GitHub I now found: https://api.github.com/meta (doc)
GitLab does not offer a list, so you'd have to disable the whitelist :( : https://gitlab.com/gitlab-com/infrastructure/issues/1985
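Added example, not part of the thread and not hosting_git's own code: a Python sketch of the allowlist check discussed in comments #4 and #7, showing why 104.192.142.195 is rejected, which configured range it nearly matches, and which published ranges the configuration lacks. The function names and `PUBLISHED_SAMPLE` are assumptions made for illustration; the CIDR values are the ones quoted in the thread.

```python
import ipaddress

# Default allowlist exactly as quoted in comment #4 (one CIDR per line).
DEFAULT_ALLOWED = """
204.232.175.64/27
192.30.252.0/22
104.192.143.192/28
104.192.143.208/28
"""
# Constructed stand-in for a provider's published ranges; a real run would
# load the provider's current list instead.
PUBLISHED_SAMPLE = ["104.192.143.192/28", "104.192.143.208/28", "104.192.142.192/28"]

def parse_allowlist(text):
    """Parse whitespace-separated CIDRs; ValueError if host bits are set."""
    return [ipaddress.ip_network(tok, strict=True) for tok in text.split()]

def is_allowed(source_ip, networks):
    """True if the webhook caller's address is inside any allowed network."""
    addr = ipaddress.ip_address(source_ip)
    return any(n.version == addr.version and addr in n for n in networks)

def closest_range(source_ip, networks):
    """Allowed network sharing the most leading bits with a denied address,
    to surface look-alike ranges such as 142.x versus 143.x."""
    addr = ipaddress.ip_address(source_ip)
    def shared(n):
        return addr.max_prefixlen - (int(addr) ^ int(n.network_address)).bit_length()
    same = [n for n in networks if n.version == addr.version]
    best = max(same, key=shared, default=None)
    return None if best is None else (best, shared(best))

def missing_ranges(published, networks):
    """Published ranges not fully covered by any configured network."""
    pub = [ipaddress.ip_network(c, strict=True) for c in published]
    return [p for p in pub
            if not any(p.version == n.version and p.subnet_of(n) for n in networks)]

if __name__ == "__main__":
    nets = parse_allowlist(DEFAULT_ALLOWED)
    denied = "104.192.142.195"  # address from the error in the original post
    print("allowed before:", is_allowed(denied, nets))
    print("closest configured range:", closest_range(denied, nets))
    gaps = missing_ranges(PUBLISHED_SAMPLE, nets)
    print("ranges to add:", [str(g) for g in gaps])
    print("allowed after:", is_allowed(denied, nets + gaps))
```

Logging the closest configured range alongside each denied request makes a one-bit difference like 142 versus 143 visible without a manual ipcalc comparison.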
Comment #9
helmo (as a volunteer and at Initfour websolutions for Aegir Cooperative) commented:
I've committed your patch but will leave this open hoping that #7 will get some follow-up.
Comment #10
helmo (as a volunteer and at Initfour websolutions for Aegir Cooperative) commented:
#3006600: Regression: cannot enter the Git URL when creating a new platform accidentally removed this again #5 again :( ... but that's now fixed.