
I'm following this guide on: How to set up CI/CD Pipeline for a node.js app with Jenkins

I've installed Jenkins on a VPS and I can access the Web UI over an SSH Tunnel. Then I saw this: http://JENKINS.SERVER.IP:8080/github-webhook/

In order for GitHub to communicate with Jenkins it makes POST requests to such a URL. I've already seen how I can issue an SSL certificate with Let's Encrypt, but without being a security expert this solution seems to me like an invitation for attacks. I would like to avoid exposing a Web UI to the public.

Another option would be to use Smee, but:

Should I use this in production?

No! Smee is not designed for production use - it is a development and testing tool. Note that channels are not authenticated, so if someone has your channel ID they can see the payloads being sent, so it is not secure for production use.

A third option would be to install Gitlab CE on a VPS and use the corresponding plugin: gitlab-hook, but #SECURITY-263:

Gitlab API token stored and displayed in plain text. Enables Gitlab web hooks to be used to trigger SCM polling on Gitlab projects.

A fourth option would be to install Gitlab CE on a VPS and use the CI/CD of GitLab itself (haven't tried), which seems to me to be more secure than the other three options.

Am I right that the 4th option is better than the others? Am I missing something? Are there any other options to make such a Webhook secure?

1 Answer


The GitHub payloads can be validated. As long as you're validating the posted payloads and keep Jenkins up to date you should be fine.

If you wanted additional security, then you could set your firewall to only accept connections to that port from GitHub IPs. You can look up the GitHub IPs via the meta API.

Daisetsu