githubGitHub
Published on

Receive Webhooks Behind the Firewall With Svix Bridge

Authors
  • avatar
    Name
    Jonas Platte
    Twitter

Cover image

Svix is the enterprise ready webhooks sending service. With Svix, you can build a secure, reliable, and scalable webhook platform in minutes. Looking to send webhooks? Give it a try!

Webhooks are a great way to notify your users of real-time events, but they assume the user receiving the notification has a server that can accept HTTP requests on the public internet. We've previously covered how this can be a problem when there are security rules prohibiting this, and how Polling Endpoints can help bridge this gap in our Ingest + Polling Endpoints tutorial. This article will explain how your users are able to do the same thing without Ingest, and even without writing any code themselves, if you use Svix for sending webhooks.

Preparation

There is only one prerequisite, and that is enabling Polling Endpoints, which is a part of the "Advanced endpoint types" setting.

Screenshot of the general settings in the Svix dashboard, With "Advanced endpoint types" toggled on

The remaining setup is done on the receiving side, in the App Portal:

Setting up a Polling Endpoint

With advanced endpoint types enabled, when creating a new endpoint, your customers will be able to select the Polling Endpoint option from this dropdown:

Screenshot highlighting the top-right endpoint type dropdown on the new endpoint pageScreenshot highlighting the Polling Endpoint type in the dropdown once opened

Once the endpoint is created, they will see usage instructions, including for Svix Bridge. In addition to the http output shown there, they can also forward messages from the Polling Endpoint to other destinations, like for example a Kafka instance:

receivers:
  - name: 'msg-poller-to-kafka'
    input:
      type: 'svix-message-poller'
      consumer_id: 'svix-bridge-1'
      app_id: 'app_xxxxxxxxxxxxxxxxxxxxxxxxxxx'
      sink_id: 'poll_yyy'
      token: 'sk_poll_*****.eu'
    output:
      type: 'kafka'
      kafka_bootstrap_brokers: 'kafka.local:9094'
      kafka_topic: 'my_bridged_events'
      kafka_security_protocol: 'sasl_ssl'
      kafka_sasl_username: 'user'
      kafka_sasl_password: 'pass'

A docker image for bridge is available on Docker Hub, to make it easy to deploy.

What if outgoing HTTP requests are also restricted?

Using our Polling Endpoint, your customers can avoid exposing any part of their private network to the open internet. However, what if there is also a proxy in place that any requests to the public internet have to go through? This, too, is just a matter of configuration. Taking the previous kafka example, here is how it would look with the polling endpoint requests going through an HTTP proxy:

receivers:
  - name: 'msg-proxied-poller-to-kafka'
    input:
      type: 'svix-message-poller'
      consumer_id: 'svix-bridge-1'
      app_id: 'app_xxxxxxxxxxxxxxxxxxxxxxxxxxx'
      sink_id: 'poll_yyy'
      token: 'sk_poll_*****.eu'
      # New: Svix API client configuration
      svix_options:
        proxy_address: 'http://my-proxy.local:8080'
    output:
      type: 'kafka'
      kafka_bootstrap_brokers: 'kafka.local:9094'
      kafka_topic: 'my_bridged_events'
      kafka_security_protocol: 'sasl_ssl'
      kafka_sasl_username: 'user'
      kafka_sasl_password: 'pass'

In addition to HTTP proxies, SOCKS5 proxies are also supported through a socks5:// URL, or socks5h:// to also delegate hostname resolution to the proxy.

Conclusion

Networks with high security requirements can make it hard to receive real-time notifications from outside the network. Svix gives you all the tools you need to tackle this challenge without compromising security.

For more content like this, make sure to follow us on Twitter, Github, RSS, or our newsletter for the latest updates for the Svix webhook service, or join the discussion on our community Slack.