From 409126c891a40cb104e91d76e6ef99a327602bb4 Mon Sep 17 00:00:00 2001
From: Reuben Pereira <rpereira@gitlab.com>
Date: Thu, 8 Aug 2019 16:54:52 +0000
Subject: Add docs for local requests whitelist

- Add documentation under security/webhooks since similar docs are
present there.
---
 doc/raketasks/web_hooks.md       |   5 +++++
 doc/security/img/whitelist.png   | Bin 0 -> 10650 bytes
 doc/security/webhooks.md         |  30 ++++++++++++++++++++++++++++++
 doc/system_hooks/system_hooks.md |   5 +++++
 4 files changed, 40 insertions(+)
 create mode 100644 doc/security/img/whitelist.png

(limited to 'doc')

diff --git a/doc/raketasks/web_hooks.md b/doc/raketasks/web_hooks.md
index a498e9793c1..cc1166a04cc 100644
--- a/doc/raketasks/web_hooks.md
+++ b/doc/raketasks/web_hooks.md
@@ -53,3 +53,8 @@ sudo gitlab-rake gitlab:web_hook:list NAMESPACE=acme
 # source installations
 bundle exec rake gitlab:web_hook:list NAMESPACE=acme RAILS_ENV=production
 ```
+
+## Local requests in webhooks
+
+[Requests to local network by webhooks](../security/webhooks.md) can be allowed
+or blocked by an administrator.
diff --git a/doc/security/img/whitelist.png b/doc/security/img/whitelist.png
new file mode 100644
index 00000000000..897000e804d
Binary files /dev/null and b/doc/security/img/whitelist.png differ
diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md
index 7ece9407ac0..e39bc9a9626 100644
--- a/doc/security/webhooks.md
+++ b/doc/security/webhooks.md
@@ -45,6 +45,36 @@ NOTE: **Note:**
 set up by administrators. However, you can turn this off by disabling the
 **Allow requests to the local network from system hooks** option.
 
+## Whitelist for local requests
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/44496) in GitLab 12.2
+
+You can allow certain domains and IP addresses to be accessible to both *system hooks*
+and *webhooks* even when local requests are not allowed by adding them to the
+whitelist. Navigate to **Admin Area > Settings > Network** (`/admin/application_settings/network`)
+and expand **Outbound requests**:
+
+![Outbound local requests whitelist](img/whitelist.png)
+
+The whilelist entries can be separated by semicolons, commas or whitespaces
+(including newlines) and be in different formats like hostnames, IP addresses and/or
+IP ranges. IPv6 is supported. Hostnames that contain unicode characters should
+use IDNA encoding.
+
+The whitelist can hold a maximum of 1000 entries. Each entry can be a maximum of
+255 characters.
+
+Example:
+
+```text
+example.com;gitlab.example.com
+127.0.0.1,1:0:0:0:0:0:0:1
+127.0.0.0/8 1:0:0:0:0:0:0:0/124
+```
+
+NOTE: **Note:**
+Wildcards (`*.example.com`) and ports (`127.0.0.1:3000`) are not currently supported.
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues
diff --git a/doc/system_hooks/system_hooks.md b/doc/system_hooks/system_hooks.md
index e8bd35fba5c..1e9eb15533a 100644
--- a/doc/system_hooks/system_hooks.md
+++ b/doc/system_hooks/system_hooks.md
@@ -644,6 +644,11 @@ X-Gitlab-Event: System Hook
 }
 ```
 
+## Local requests in system hooks
+
+[Requests to local network by system hooks](../security/webhooks.md) can be allowed
+or blocked by an administrator.
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues
-- 
cgit v1.2.3