Lesson #1472
gitea-webhook-allowed-hosts-blocks-n8n
- ID: 1472
- Author: Agent (agent-claude)
- Reviewed: ✓ Yes
- Source authority: 75 / 100
- Source: Gitea's default webhook.ALLOWED_HOST_LIST denies LAN-only n8n hostname — repo-issue-dispatch is broken host-wide
- Source issue: —
- Created at: 2026-05-12T10:45:52.123808+00:00
- Valid until: —
- Deprecated at: —
- Supersedes: —
- Obsidian path: /root/.claude/projects/-nvmetank1-projects/memory/feedback_gitea_webhook_allowed_hosts.md
- Obsidian hash: 794ede5f465aa942f52fe1ac812042df
- Tags: claude-memory, feedback
Content
**Rule:** Gitea's `webhook.ALLOWED_HOST_LIST` defaults to `external,loopback` and **denies LAN-only hostnames** that resolve to RFC1918 addresses (e.g. `n8n-auto.joelduss.xyz → 192.168.1.216`). All repo→n8n webhooks fail silently with `webhook can only call allowed HTTP servers`.
**Why:** Observed 2026-05-12 while wiring `ubuadmin/bugtest-stack` dispatch. yoga + glug repo webhooks (`yoga-issue-dispatch`, `glug-issue-dispatch`) ALSO error with the same message → host-wide outage. Handler-log entries in `/var/log/glug-agent-handler.log` end 2026-05-05 — matches when the host-list tightened (or DNS changed). [[feedback_gitea_issue_workflow]] entry assumed working dispatch, which is currently false.
**Status:** FULL FIX 2026-05-12.
**What was fixed:**
- Gitea config: `ALLOWED_HOST_LIST = external,loopback,private` (was only `external,loopback`; hostnames are resolved to IPs first, so every LAN endpoint was rejected; now includes the `private` keyword).
- n8n workflow `03-Agent-Dispatch (Mention-Listener)`: replaced the 5 `__GLUG_WEBHOOK_SECRET__` placeholders in `Trigger agent-{claude,gemini,qwen,codex,cursor}.headerParameters[X-Webhook-Token]` with the real secret from `/etc/glug-webhook.token` (SQL update via SQLite, n8n stop/start). DB backup taken beforehand: `database.sqlite.bak.<unix-ts>`.
**Handler scripts restored 2026-05-12:**
- Origin of the loss: commit `dde4ef9 chore(wave-7-cleanup): remove governance scripts moved to rag-stack` deleted 6 agent-handler-*.sh in glug/bin/. They had already been migrated to `rag-stack/bin/` (Wave 7), but the glug versions were initially restored again anyway, leaving a DUPLICATE.
- Final 2026-05-12: consolidated; glug/bin/agent-handler-*.sh + glug/bin/glug-webhook.py **permanently deleted** (glug commit `543dbc8`). rag-stack is the sole owner.
**Agent-dispatch infrastructure moved for good 2026-05-12:**
- `rag-stack/bin/agent-handler-{claude,codex,cursor,gemini,or,qwen}.sh`: canonical versions; `WORKDIR=$(resolve_workdir "$REPO")` comes from `/usr/local/lib/agent-handler-common.sh` (the generic fallback `/nvmetank1/projects/<basename>` covers new repos such as bugtest-stack automatically).
- `rag-stack/bin/agent-dispatch-receiver.py`: renamed from `glug-webhook.py`. HOST_ACTIONS map: `agent-*` entries now point to `rag-stack/bin/`; glug-specific actions (deploy-target, glug-promote-*, yoga-promote, auto-org-*) still point to `glug/bin/`.
- systemd unit: `glug-webhook.service` disabled and removed; new unit `/etc/systemd/system/agent-dispatch.service` active (same port 8810, same secret file `/etc/glug-webhook.token`; the name was kept because the n8n configs point to it, a later sweep can rename it).
- End-to-end verified 2026-05-12 13:40: codex spawned with `WORKDIR=/nvmetank1/projects/bugtest-stack` on bugtest-stack#2.
**hooks.joelduss.xyz repaired 2026-05-12:**
- GoDaddy DNS record created externally (by the user).
- Pi-hole `/etc/pihole/hosts/custom.list`: `192.168.1.216 hooks.joelduss.xyz`.
- Caddy has a hooks.joelduss.xyz vhost (reverse_proxy :8810 → glug-webhook); after `systemctl reload caddy` the LE cert was issued successfully via tls-alpn-01.
- glug-webhook service runs as a systemd unit (Python Flask on :8810); the receive log now shows 200/401 responses instead of 000.
**Fallback until repaired (obsolete today, but kept for future cases):** `or-loop` / `wf-survey-then-fix` / `wf-fix-loop`; these bypass n8n entirely and call the LLM APIs directly.
**How to apply (for future repos / hosts):**
1. Before relying on a Gitea→n8n webhook, check `/var/log/gitea/*` or `docker logs gitea` for `services/webhook/webhook.go ... unable to deliver`.
2. Fix in `/nvmetank1/docker/config/gitea/gitea/conf/app.ini`:
```
[webhook]
ALLOWED_HOST_LIST = external,loopback,n8n-auto.joelduss.xyz,hooks.joelduss.xyz
```
then `docker restart gitea`. Old failed deliveries do NOT auto-retry — manually click "Test Delivery" or wait for next event.
3. Two ENGINE-level URLs that need allowlisting on this host: `n8n-auto.joelduss.xyz`, `hooks.joelduss.xyz`.
4. Alternative when waiting for config fix: invoke handler directly via `/nvmetank1/projects/rag-stack/bin/agent-handler-codex.sh` (or `or-loop`/`wf-survey-then-fix`) against the issue — bypasses Gitea webhook entirely.
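To see why the default list rejects the LAN hostname in step 2 while `private` or an explicit entry admits it, here is an added Go sketch of the documented ALLOWED_HOST_LIST rules; it is not Gitea's own hostmatcher code, DNS is replaced by a constructed table with the addresses from this note, and a target passes when any of its resolved addresses matches any entry (a simplification of the real implementation).

```go
package main

import (
	"net/netip"
	"strings"
)
// Constructed stand-in for DNS on the affected host (addresses taken from the
// note above, not a live resolver); replace with net.LookupHost for real use.
var fakeDNS = map[string][]string{
	"n8n-auto.joelduss.xyz": {"192.168.1.216"},
	"hooks.joelduss.xyz":    {"192.168.1.216"},
	"example.com":           {"93.184.216.34"},
}
func resolve(host string) (out []netip.Addr) {
	for _, s := range fakeDNS[host] {
		out = append(out, netip.MustParseAddr(s))
	}
	return out
}

// keywordMatch implements the network keywords Gitea documents for the list.
func keywordMatch(kw string, a netip.Addr) bool {
	switch kw {
	case "loopback":
		return a.IsLoopback()
	case "private": // RFC 1918 / RFC 4193, i.e. the LAN
		return a.IsPrivate()
	}
	return kw == "external" && a.IsGlobalUnicast() && !a.IsPrivate() && !a.IsLoopback()
}

// hostAllowed resolves the target first, then checks each entry ("*", exact host,
// "*.domain", CIDR, keyword); that is why a LAN-only name fails the default list.
func hostAllowed(allowList, host string) bool {
	host = strings.ToLower(strings.TrimSpace(host))
	addrs := resolve(host)
	for _, raw := range strings.Split(allowList, ",") {
		e := strings.ToLower(strings.TrimSpace(raw))
		if e == "*" || e == host || (strings.HasPrefix(e, "*.") && strings.HasSuffix(host, e[1:])) {
			return true
		}
		pfx, cidrErr := netip.ParsePrefix(e)
		for _, a := range addrs {
			if (cidrErr == nil && pfx.Contains(a)) || keywordMatch(e, a) {
				return true
			}
		}
	}
	return false
}
```

Running `hostAllowed` with the old and the fixed list against `n8n-auto.joelduss.xyz` reproduces the deny/allow flip this note describes; IP wildcards such as `192.168.1.*` are not handled here.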
**What else was fixed on 2026-05-12:**
- glug repo hook id=10 + yoga repo hook id=9 pointed at 404 endpoints (`/webhook/{glug,yoga}-issue-dispatch`; those workflows are gone). PATCHed to the active endpoint `/webhook/agent-dispatch` (workflow `03-Agent-Dispatch (Mention-Listener)`).
- `hooks.joelduss.xyz/hook/{push,comment}` (glug-hook-12/14, yoga-hook-11/13) return HTTP 000 (a DNS/TLS problem elsewhere; NO LONGER blocked by ALLOWED_HOST_LIST).
**Related:** The dead repo-specific webhook URLs (`yoga-issue-dispatch`, `glug-issue-dispatch`) returning 404 from n8n are a SEPARATE issue — those n8n workflows were deleted/renamed. The active universal endpoint is `/webhook/agent-dispatch` (workflow `03-Agent-Dispatch (Mention-Listener)`).
**Switch logic in 03-Agent-Dispatch:** routes on `$json.body.comment.body contains @agent-X` — so mentions must be in **issue comments**, not the issue body, to trigger.