60 changes: 54 additions & 6 deletions doc/_admin-guide/060_Sources/240_webhook/000_webhook_options.md
Expand Up @@ -82,16 +82,64 @@ curl -H "X-Forwarded-FOR: 1.2.3.4" -X POST --data "{}" http://127.0.0.1:8080/
Note that {{ site.product.short_name }} only trusts the header that is specified in the `proxy_header()` option. If the request includes multiple headers with the specified name, the last one is used.
{: .notice--info}

{% include doc/admin-guide/options/ca-dir.md %}
## tls_ca_dir()

{% include doc/admin-guide/options/ca-file.md %}
|Type:| Directory name|
|Default:| |

*Description:* The name of a directory that contains a set of trusted CA certificates in PEM format. The CA certificate files have to be named after the 32-bit hash of the subject’s name. This naming can be created using the `c_rehash` utility in openssl. For an example, see Configuring TLS on the syslog-ng OSE clients. The {{ site.product.short_name }} application uses the CA certificates in this directory to validate the certificate of the peer.

This option can be used together with the optional `tls_ca_file()` option.

## tls_ca_file()

|Type:| File name|
|Default:| |

*Description:* Optional. The name of a file that contains a set of trusted CA certificates in PEM format. The {{ site.product.short_name }} application uses the CA certificates in this file to validate the certificate of the peer.

Configuration example:

```config
tls_ca_file("/etc/pki/tls/certs/ca-bundle.crt")
```

## tls_cert_file()

|Type:| File name|
|Default:| |

*Description:* For HTTPS endpoints, you can use the `tls_cert_file` and `tls_key_file` options. Set `tls_cert_file` to the name of a file that contains an `X.509` certificate (or a certificate chain) in PEM format, suitable as a TLS certificate, matching the private key set in the `tls_key_file()` option. The {{ site.product.short_name }} application shows this certificate to the clients sending data to the webhook endpoints. If the file contains a certificate chain, the file must begin with the certificate of the host, followed by the CA certificate that signed the certificate of the host, and any other signing CAs in order.

## tls_key_file()

|Type:| File name|
|Default:| |

*Description:* The name of a file that contains an unencrypted private key in PEM format, suitable as a TLS key. If properly configured, the {{ site.product.short_name }} application uses this private key with the matching certificate (set in the `tls_cert_file()` option).

## tls_peer_verify()

|Accepted values:| `yes`, `no`|
|Default:| `no` |

*Description:* Verification method of the peer. The table below summarizes the available options and their results depending on the certificate of the peer.

| | | no certificate on the remote peer | invalid certificate on the remote peer | valid certificate on the remote peer |
|-----------------------------|-----------------------------|-----------------------|---------------------------|-------------------|
| Local peer-verify() setting: | no (optional-untrusted) | TLS-encryption | TLS-encryption | TLS-encryption |
| | yes (required-trusted) | rejected connection | rejected connection | TLS-encryption |

For untrusted certificates only the existence of the certificate is checked, but it does not have to be valid — {{ site.product.short_name }} accepts the certificate even if it is expired, signed by an unknown CA, or its CN and the name of the machine mismatches.

{% include doc/admin-guide/options/cert-file.md %}
![]({{ site.baseurl}}/assets/images/caution.png) **WARNING:** When validating a certificate, the entire certificate chain must be valid, including the CA certificate. If any certificate of the chain is invalid, {{ site.product.short_name }} will reject the connection.
{: .notice--warning}

{% include doc/admin-guide/options/key-file.md %}
## tls_use_system_cert_store()

{% include doc/admin-guide/options/peer-verify.md %}
|Accepted values:| `yes`, `no`|
|Default:| `no` |

{% include doc/admin-guide/options/use-system-cert-store.md %}
*Description:* Use the certificate store of the system for verifying HTTPS certificates. For more information, see the [curl documentation](https://curl.se/docs/sslcerts.html).

> *Copyright © 2025 Axoflow*
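
Review bot: In the tls_peer_verify() section, the sentence after the table ("For untrusted certificates only the existence of the certificate is checked") contradicts the table's `no` row, which lists TLS-encryption even when there is no certificate on the remote peer. Since only `yes` and `no` are accepted, reword that sentence to describe what `no` actually does, and say explicitly that the default (`no`) accepts clients in all three columns, so it does not authenticate them. The table label "Local peer-verify() setting" should read tls_peer_verify() to match the heading. In tls_ca_dir(), "Configuring TLS on the syslog-ng OSE clients" is plain text with a hard-coded product name; make it a link and use {{ site.product.short_name }} as the rest of the file does.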
11 changes: 11 additions & 0 deletions doc/_admin-guide/060_Sources/240_webhook/README.md
Expand Up @@ -8,6 +8,17 @@ description: >-

**Declaration**

```config
source s_webhook {
webhook(
port(8181)
paths(["/events","/events/(?P<HOST>.*)"])
);
};
```

**Declaration for webhook-json**

```config
source s_webhook {
webhook-json(
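
Review bot: The new webhook() example listens on port(8181) with no TLS options, and nothing next to it points to the tls_cert_file() and tls_key_file() options documented in 000_webhook_options.md in this same change; add an HTTPS variant or a link to those options. The new block also reuses the source name s_webhook that the webhook-json example below it already uses, so a reader who copies both ends up with two sources of the same name. The first heading is still plain "Declaration" while the second is "Declaration for webhook-json"; "Declaration for webhook" would keep them parallel. Finally, the named group in paths(["/events","/events/(?P<HOST>.*)"]) is not explained near the example; one sentence on what the capture is used for would help.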