webhooksgithub-webhook

Github webhook fails with "EOF"?

I've setup a Webhook event for Github, but whenever I send an event, I get the error:

We couldn’t deliver this payload: EOF

I made a quick script to simulate a Github event by copying the payload shown in the "Recent Deliveries" tab of Github, as follow:

#!/usr/bin/python
from hmac import HMAC
from hashlib import sha256
import requests, json

GITHUB_WEBHOOK_KEY = b'webhook_key'
# payload is the payload displayed in the "Recent deliveries" tab.

body_str = json.dumps(payload).encode()

r = requests.post(
    'https://my.server:8085/webhook/github/push',
    headers={
        'X-Hub-Signature-256': 'sha256={}'.format(HMAC(key=GITHUB_WEBHOOK_KEY', msg=body_str, digestmod=sha256).hexdigest()),
        'X-Github-Event': 'push'
    },
    json=payload
)

print(r.status_code)
print(r.content)

This works perfectly fine (status code is 200).

Something is done at Github that isn't done in my code that causes Github to fail with a "EOF" (whatever that is).

The server is run by a Haproxy instance, with the following configuration:

frontend deploy
    mode http
    bind :::8085 v4v6 ssl crt /etc/ssl/certificate.pem alpn http/1.1,h2

    timeout client 30s

    # Enforce https
    http-request redirect scheme https code 301 unless { ssl_fc }

    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    option forwardfor
    default_backend deploy_backend

backend deploy_backend
    mode http
    timeout connect 5s
    timeout server 30s

    server "deploy-server" 127.0.0.1:8086 check maxconn 1000

I tried by disabling SSL Verification at Github with no luck neither.

I have the exact same code running behind a Caddy instance on another server, and it works perfectly fine with Github. The issue seems to be related between HaProxy and Github.

There is no logs at all on Haproxy.

Solution

  • I found the solution. I'll share it in case it might help someone else.

    The EOF error was triggered by an SSL configuration issue. What caused me some troubles is that the SSL was working fine when trying to load the URL in a browser.

    It turns out that I was querying the browser via IPv6 while Github was querying via IPv4.

    HaProxy, someone, isn't working properly on delivering a SSL certificate for IPv4, so I had to change the bind parameter to this:

    frontend deploy
    mode http
    bind :8085 ssl crt /etc/ssl/certificate.pem alpn http/1.1,h2
    bind :::8085 ssl crt /etc/ssl/certificate.pem alpn http/1.1,h2

    ...

    Reloaded Haproxy, and it works!