caddy-git: 403 on Webhook

I’m having issues getting my webhook to work. On Caddy start it does pull the latest code from bitbucket as expected. But for some reason pulling using the webhook is not working. I’m thinking that the webhook should never reach the rewrite rule, no? The key file should be working because it is pulling on container start, just not on code push.

Any help would be much appreciated. Here is my info:

CADDYFILE VERSION 0.8.2:

mydomain
tls myemail
#browse
fastcgi / 127.0.0.1:9000 php # php variant only
startup php-fpm # php variant only

git {
       repo    git@bitbucket.org:mygitrepo.git
       branch   master
       key      /root/.ssh/id_rsa
       path     ../../src
       hook     /_webhook
       then    cp -pR /srv/src/laravel /srv/
       then    sh -c "cd /srv/laravel && composer update"
       then    sh -c "cd /srv && chown -R nobody.nobody laravel"
}

root /srv/laravel/public

log access.log
errors error.log

rewrite {
    if {file} not favicon.ico
    to {path} {path}/ /index.php?{query}
}

BITBUCKET SET:

Under integrations and Webhook i have the following hook: https://mydomain/_webhook

ERROR from bitbucket:

Response from https://mydomain/_webhook HTTP status: 403 Elapsed time: 1590ms Request time: 7 minutes ago (Tuesday, April 26th 2016, 3:56:10 pm)

About this issue

  • State: open
  • Created 8 years ago
  • Comments: 25 (9 by maintainers)

Most upvoted comments

@SeaLife since yours is self hosted, that means your IP will not be included in Atlassian’s (https://ip-ranges.atlassian.com).

Looks like we’d have to either allow users to specify IPs or make IP verification optional.

Hi,

I’m running into the same 403 error as well when using bitbucket. I’ve tried with Cloudflare and without Cloudflare, even accessing just the IP of the server and it still fails. The error I get is:

1/23/2017 11:15:10 PM 104.192.143.194 - [24/Jan/2017:05:15:10 +0000] "POST /update HTTP/1.1" 403 38

EDIT: I’ve found the fix for myself after accidentally stumbling across the “realip” plugin. I’ve updated my Caddyfile below to reflect what I changed to get it working.

@diegobernardes @bc24fl @saward can you try with the realip plugin? https://caddyserver.com/docs/realip

My Proxy Caddyfile:

http://staging.<domain>.com http://<ip>/site {
    proxy / staging-test:80 {
        transparent
    }
    gzip
    tls off
    log stdout
    errors stderr
    header / Cache-Control "max-age=0"

    #### THE FIX ####
    realip cloudflare
    ###############
}

My site Caddyfile:

0.0.0.0:80
root /var/www/html
gzip
fastcgi / phpfpm:9000 php
log stdout
errors stderr

#### THE FIX ####
# My docker network manager creates containers on the 10.x range
realip {
    from 10.0.0.0/8
}
###############

status 403 /forbidden

git {
    repo https://<username>@bitbucket.org/<path>.git
    path /var/www/repo
    key /deployment_key.rsa
    hook /update
    hook_type bitbucket
}

# Begin - Security
# deny all direct access for these folders
rewrite {
    if {path} match /(.git|cache|bin|logs|backups|tests)/.*$
    to /forbidden
}
# deny running scripts inside core system folders
rewrite {
    if {path} match /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$
    to /forbidden
}
# deny running scripts inside user folder
rewrite {
    if {path} match /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$
    to /forbidden
}
# deny access to specific files in the root folder
rewrite {
    if {path} match /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess)
    to /forbidden
}
## End - Security

# global rewrite should come last.
rewrite {
    to  {path} {path}/ /index.php?_url={uri}
}
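The source check that the maintainer's comment and the realip fix above are about, as an added example that is not code from the caddy-git or realip plugins: a webhook request is accepted only if the client address lies in an allowed source range, and that address is recovered from X-Forwarded-For only when the TCP peer is a trusted proxy, which is what the `from 10.0.0.0/8` block arranges. The trusted-proxy and allowed-source ranges are constructed for the example; 104.192.136.0/21 is a stand-in for Atlassian's published list, not a claim about it.

```go
package main

import (
	"net"
	"strings"
)

// Constructed ranges for this example: the proxy network realip is told to trust
// ("from 10.0.0.0/8" above) and a stand-in for Bitbucket's published source list.
var trustedProxies = []string{"10.0.0.0/8"}
var allowedHookSources = []string{"104.192.136.0/21"}

func inAny(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP does what realip does: X-Forwarded-For is consulted only when the TCP
// peer is a trusted proxy, and the right-most hop outside the trusted ranges wins,
// so a client that is not behind the proxy cannot spoof the header to get in.
// remoteAddr is host:port as in http.Request.RemoteAddr.
func clientIP(remoteAddr, xff string) net.IP {
	host, _, _ := net.SplitHostPort(remoteAddr)
	peer := net.ParseIP(host)
	if peer == nil || !inAny(peer, trustedProxies) {
		return peer // direct connection: the peer address is the client
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		hop := net.ParseIP(strings.TrimSpace(hops[i]))
		if hop == nil {
			break // empty or malformed header: fall back to the proxy's address
		}
		if !inAny(hop, trustedProxies) {
			return hop
		}
	}
	return peer
}

// hookAllowed is the source check the webhook handler performs; false means 403.
func hookAllowed(remoteAddr, xff string) bool {
	ip := clientIP(remoteAddr, xff)
	return ip != nil && inAny(ip, allowedHookSources)
}
```

Without realip the site container only ever sees the proxy's 10.x address as the peer and the header is never consulted, which is the 403 case; with it, the Bitbucket address is recovered from the header the `transparent` proxy preset adds.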