Are webhooks fired from Digital Ocean?
I setup a WAF in AWS to block bots and I am getting a bunch of requests to my RunPod Serverless Webhook blocked by
AWS#AWSManagedRulesBotControlRuleSet#SignalKnownBotDataCenter
. The IP address in these requests seems to be a Digital Ocean Data Center. I have disabled the WAF for my ALB for my RunPod webhooks temporarily, but hoping that someone can confirm whether these are legitimate requests or not, because I was under the impression that RunPod uses AWS and not Digital Ocean.23 Replies
Yeah they can use multiple clouds
@flash-singh can you confirm this
Obviously, but the question is DO they? 🙂
Wait ya, maybe support staffs can confirm
im not sure
yes we use DO, AWS and Cloudflare
Thanks for confirming, do you just have 2 IPs in DO or multiple?
Maybe you can give the IP range for whitelisting
I just removed my webhook load balancer from the WAF and added an auth token to the webhook receiver
many different ips, we don't recommend whitelisting them since they can and will change over time
we can introduce more security into the http request if it can help, rather avoid using ip filtering as a security measure since those change
Yeah it will be nice to add an auth token to the headers rather than in the query string as I am currently doing
why is that? something you can use to filter at load balancer level?
Just feels more secure putting the auth token in the header rather than in the query string. Do you use a specific user agent string for the requests or just the default of the library you use? Because then I can filter for user agent string at WAF level before it reaches the load balancer.
we can define specific one, right now its whatever is default in golang, can also define auth header
Thanks, this is useful indo, and auth header will be amazing 🫶
@flash-singh @digigoblin
Funny I was just implementing webhooks on our project today and the exact subject came up for us too. Putting auth tokens in a query param can be insecure and make the token highly visible if there are logs being generated within RunPod that log the url.
Adding as a header: Even better if we could add additional body params to the webhook: Scrap this idea
Given the current limitations, another way we were thinking we could do is just encrypt a single state param that contains a hash of a few things (incl. auth token).
Authorization: Bearer <token>
pattern would be standard and more secure.
This could either be set on the endpoint config in the console, or how it currently is in the initial run post:
Or maybe just headers field that we can customize, with some examples to use.. Like for Auth headers, and req. bodies are kind of useless here right?
@nerdylive True, a headers field would be the most versatile and simplest. Anything else might get muddied with the webhook post body.
thanks for the input, will dive into this more next week and how we can improve it
Hello, I'm receiving completed Webhook more than one time. Why it could be? I
I observed as it triggers webhook url when the process is completed. However it triggers 2rd or 3rd time after some time (like 30 secs) the same webhook for a single completed process.
You must return a successful response after receiving the web hook
Or else it will retry sending until the third time
Try reading the docs or maybe something like 200 http response
I'm already retuning http 200, however it takes about 40seconds. Maybe it's about timeout on Runpod side. Thank you. @nerdylive
Ah
Send a request | RunPod Documentation
Learn how to construct a JSON request body to send to your custom endpoint, including optional inputs for webhooks, execution policies, and S3-compatible storage, to optimize job execution and resource management.
@ibrahim if this is happening over and over, pm me details and ill take a look