# Webhook 安装
apt-get install webhook
# Webhook Yaml 配置
vim /data/webhook/hooks.yml
# hooks.yml for webhook: a single hook that runs the blog deploy script.
# This file holds the signing secret in clear text, so keep it readable only
# by the account that runs webhook (for example mode 0600).
- id: hexo-blog-deploy
  execute-command: /data/webhook/deploy_blog.sh
  command-working-directory: /data/webhook/
  # Values handed to the command as environment variables. gitee_auth.py reads
  # GTIMESTAMP, GSECRET and GTOKEN to check the Gitee signature.
  # NOTE(review): when webhook runs with -verbose it appears to log the
  # environment passed to the command, which would include GSECRET. Confirm
  # on your version and restrict who can read the service log.
  pass-environment-to-command:
    - source: header
      envname: GTIMESTAMP
      name: X-Gitee-Timestamp
    - source: string
      envname: GSECRET
      name: <这里是签名密钥,可以用 pwgen -s 64 生成,这个要填在 Gitee 配置里>
    - source: header
      envname: GTOKEN
      name: X-Gitee-Token
  response-message: Receive request!
  # These rules only filter requests by branch, User-Agent and pusher e-mail.
  # All three values are supplied by the sender (payload or header), so they
  # are not authentication; the signature check in the deploy script is.
  trigger-rule:
    and:
      - match:
          type: value
          value: refs/heads/master
          parameter:
            source: payload
            name: ref
      - match:
          type: value
          value: git-oschina-hook
          parameter:
            source: header
            name: User-Agent
      - match:
          type: value
          value: <这里配自己的 gitee 邮箱>
          parameter:
            source: payload
            name: pusher.email
Webhook 调用的脚本
vim /data/webhook/deploy_blog.sh
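#!/bin/bash
# Deploy script run by webhook for the hexo-blog-deploy hook.
# gitee_auth.py reads GTIMESTAMP, GSECRET and GTOKEN from the environment.
# Exits 0 after a successful deploy and non-zero when the signature check or
# any deploy step fails, so the failure is visible in webhook's log.

# Working copy to update; replace the placeholder with the real path.
blog_dir="<这里自己配>"

# gitee_auth.py exits non-zero unless the Gitee signature matches.
# It uses f-strings, so "python" must resolve to Python 3.6 or newer.
if ! python gitee_auth.py; then
  echo "签名验证失败"
  exit 1
fi

# Stop if the directory is missing: otherwise the git commands below would
# run in whatever directory webhook started this script in.
cd -- "$blog_dir" || exit 1

# Reset to origin/master only when the fetch actually succeeded.
git fetch origin || exit 1
git reset --hard origin/master || exit 1
echo "成功执行"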
Gitee 签名验证脚本
vim /data/webhook/gitee_auth.py
import base64
import hashlib
import hmac
import os
import sys
import time
import urllib.parse

def generate_signature(timestamp, secret):
    """Build the Gitee WebHook signature for ``timestamp`` and ``secret``.

    The message ``"<timestamp>\\n<secret>"`` is signed with HMAC-SHA256 keyed
    by ``secret``; the digest is Base64-encoded and the result URL-encoded.

    Returns:
        The URL-encoded signature as ``str``.
    """
    key = secret.encode('utf-8')
    message = '{}\n{}'.format(timestamp, secret).encode('utf-8')
    digest = hmac.new(key, message, digestmod=hashlib.sha256).digest()
    return urllib.parse.quote_plus(base64.b64encode(digest))

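def compare_signatures(token, generated_sign):
    """Check the received token against the locally computed signature.

    ``generated_sign`` is URL-decoded first, because it is compared with the
    raw header value. The comparison uses ``hmac.compare_digest`` so that its
    duration does not depend on how many leading characters match.

    Args:
        token: Value of the X-Gitee-Token header, or None when absent.
        generated_sign: URL-encoded signature from ``generate_signature``.

    Returns:
        True only when both values are equal; False for a missing, non-string
        or unencodable token.
    """
    expected = urllib.parse.unquote_plus(generated_sign)
    if not isinstance(token, str):
        return False
    try:
        # Compare bytes: compare_digest rejects non-ASCII str arguments, and
        # values read from os.environ may carry surrogate-escaped bytes.
        received_bytes = token.encode('utf-8', 'surrogateescape')
        expected_bytes = expected.encode('utf-8', 'surrogateescape')
    except UnicodeEncodeError:
        return False
    return hmac.compare_digest(received_bytes, expected_bytes)
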
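# Largest accepted difference, in seconds, between X-Gitee-Timestamp and the
# local clock.
MAX_TIMESTAMP_SKEW_SECONDS = 3600


def _timestamp_is_recent(timestamp, max_skew_seconds=MAX_TIMESTAMP_SKEW_SECONDS):
    """Return True when ``timestamp`` is within ``max_skew_seconds`` of now.

    Anything that cannot be parsed as an integer is treated as not recent.
    """
    try:
        value = int(timestamp)
        # NOTE(review): Gitee is expected to send epoch milliseconds; a value
        # too small to be milliseconds is read as seconds. Confirm against a
        # real delivery.
        seconds = value / 1000.0 if value >= 10 ** 11 else float(value)
    except (TypeError, ValueError, OverflowError):
        return False
    return abs(time.time() - seconds) <= max_skew_seconds


if __name__ == "__main__":
    # Inputs are provided by webhook through pass-environment-to-command.
    timestamp = os.environ.get('GTIMESTAMP')
    secret = os.environ.get('GSECRET')
    token = os.environ.get('GTOKEN')

    if not timestamp or not secret or not token:
        print("Error: Missing environment variables. Please set GTIMESTAMP, GSECRET, and GTOKEN.")
        sys.exit(1)

    generated_sign = generate_signature(timestamp, secret)
    comparison_result = compare_signatures(token, generated_sign)
    print("Signatures match:" if comparison_result else "Signatures do not match:", comparison_result)
    if not comparison_result:
        sys.exit(1)

    # The signature covers only the timestamp and the secret, not the request
    # body, so a captured timestamp/token pair stays valid for as long as the
    # timestamp is accepted. Rejecting stale timestamps bounds that window.
    if not _timestamp_is_recent(timestamp):
        print("Error: GTIMESTAMP is outside the accepted time window.")
        sys.exit(1)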
测试命令(调试时使用,最后配置成开机启动服务之后,无需这样启动)
webhook -hooks /data/webhook/hooks.yml -verbose
# Nginx 反向代理配置
vim /etc/nginx/conf.d/hook.conf
# Plain-HTTP listener: answers every request with a permanent redirect to the
# same host and URI over HTTPS.
# Many HTTP clients re-issue a redirected POST as GET, so the sender should be
# configured with the https:// URL directly rather than relying on this.
server {
    listen 80;
    server_name hook.mingrr.cn;

    location / {
        # NOTE(review): $host is taken from the request. If this block can act
        # as the default server for port 80, consider redirecting to the fixed
        # server name instead of the client-supplied one.
        return 301 https://$host$request_uri;
    }
}

# HTTPS listener: terminates TLS and forwards every request to the webhook
# process on the loopback interface.
server {
    listen 443 ssl;
    server_name hook.mingrr.cn;

    ssl_certificate /etc/nginx/cert/mingrr.cn.pem;
    # Private key file: keep it readable by root only.
    ssl_certificate_key /etc/nginx/cert/mingrr.cn.key;

    location / {
        # NOTE(review): this proxy only protects the hook if webhook itself is
        # not reachable from outside on port 9000. Check which address webhook
        # is bound to (its -ip option) and the host firewall.
        proxy_pass http://127.0.0.1:9000;
        proxy_redirect default;
    }
    # Upper bound on the request body nginx accepts.
    # NOTE(review): 100m is far more than a push event payload is likely to
    # need; a smaller limit reduces what an unauthenticated sender can make
    # the server buffer.
    client_max_body_size 100m;
}
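# Reload only when the configuration test passes, so a broken hook.conf is
# reported without a reload being attempted.
nginx -t && nginx -s reload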
# Gitee 配置
- 打开项目
- 管理 -> 仓库挂件下 WebHooks
- 添加 WebHook
- 填写你的 Webhook URL < 例:https://hook.mingrr.cn/hooks/hexo-blog-deploy>
- 选择 签名密钥,填写刚才配置里的 <签名密钥>
- 选择事件里勾选:Push
- 勾选激活
- 点击添加
添加完成后,回到 WebHooks 页面,可以点击测试进行调试
# 配置开机启动
vim /etc/systemd/system/webhook.service
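# systemd unit that keeps the webhook server running and starts it at boot.
[Unit]
Description=Webhook Service
After=network.target

[Service]
# NOTE(review): the service, and therefore every hook script it launches,
# runs as root. A dedicated unprivileged account that owns the blog working
# copy would limit what a flaw in a hook script can affect.
User=root
WorkingDirectory=/data/webhook
# -ip 127.0.0.1 binds webhook to the loopback interface so it is reachable
# only through the nginx reverse proxy, which forwards to 127.0.0.1:9000.
# Without it webhook listens on all interfaces and port 9000 can be reached
# directly, bypassing TLS.
# NOTE(review): with -verbose webhook appears to log the environment passed
# to hook commands, which here includes the signing secret. Confirm on your
# version; drop -verbose or restrict journal access if so.
ExecStart=/usr/bin/webhook -hooks /data/webhook/hooks.yml -ip 127.0.0.1 -verbose
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target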
# Make systemd re-read unit files so the new webhook.service is picked up.
systemctl daemon-reload
# Start the service now.
systemctl start webhook
# Start the service automatically at boot.
systemctl enable webhook