We have a similar setup, where we have one internet-exposed host which receives webhooks from our various git providers, does some rewriting if necessary, and then forwards the hook internally to Jenkins (or wherever).
This is done with a very simple nginx config:
    # Allow *only* the notifyCommit endpoint, and don't expose any other info
    location = /git/notifyCommit {
        proxy_pass http://jenkins.int.example.com:8080/git/notifyCommit;
        proxy_hide_header X-Powered-By;
        proxy_intercept_errors on;
        error_page 500 /;
    }
The use of the location = syntax means that only that exact URL (plus query parameters) is matched. Everything else will throw a 404 error.
Alternatively, you could try running git-webhook-proxy on an exposed host; it's a webserver I created that will intercept webhooks and then cache the repositories locally before forwarding the webhooks via the internal network to Jenkins.
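An added example, not part of the original answer: the same location block placed in a complete server block with an explicit catch-all, so the "everything else is a 404" behaviour does not depend on whatever else the server happens to serve. The listen port, the server_name value and the catch-all location are assumptions for illustration.

```nginx
server {
    listen 80;
    server_name hooks.example.com;   # assumed public hostname

    # Exact match: /git/notifyCommit with any query string is proxied.
    # /git/notifyCommit/ and /git/notifyCommitX do not match this block
    # and fall through to the catch-all below.
    location = /git/notifyCommit {
        proxy_pass http://jenkins.int.example.com:8080/git/notifyCommit;
        proxy_hide_header X-Powered-By;
        proxy_intercept_errors on;
        error_page 500 /;
    }

    # Assumed addition: explicit default deny for every other path, so no
    # static files, index pages or other Jenkins URLs are reachable.
    location / {
        return 404;
    }
}
```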