Webhook: Notabene

This article required by: https://generalbytes.atlassian.net/wiki/x/A4Ac5Q

Notabene communicates with CAS via a webhook. This article describes how to create a webhook endpoint for Notabene via NGINX. You’ll need to expose the CAS REST API to the Notabene servers.

Enable the webhook in CAS:

Create the file /batm/config/notabene
1. e.g. sudo nano /batm/config/notabene
Add this line to enable Notabene webhooks: webhooksEnabled=true
OPTIONAL: add automaticallyApproveOutgoingTransfers=true/false (default = false):
1. to override the automatic approval setting on the Notabene website.
2. When set to false, approval must be granted within 60 seconds or the BATM will timeout and the transaction will automatically fail!
3. This is also configured in your Notabene account on the Notabene website.
Save and exit nano (Ctrl+X, “y”, required name: notabene).

Setup the webhook endpoint in NGINX.

The Notabene webhook endpoint on the CAS server must be configured to be:

publicly visible on the internet (or at least to Notabene IP addresses), and
using a valid HTTPS certificate (not just self-signed), and
assigned to a FQDN hostname (not just an IP address), and
complies with the RFC 952 host naming conventions (letters, digits, and hyphens only).
The Notabene webhook CANNOT use a non-standard port (it must use port 443).

You have 2 options to expose the webhook:

Option A (free): NGINX with Let’s Encrypt

This free option requires you to only install and configure NGINX as a reverse proxy server. The CAS program batm-manage can handle most of the heavy lifting for this.

https://generalbytes.atlassian.net/l/cp/nfb1x7Xd

Option B (paid): NGINX with Cloudflare Zero Trust

Cloudflare offers Zero-Trust tunneling to those who use their paid Cloudflare DNS hosting.

Cloudflare Zero Trust for REST API
Use with NGINX to protect your server from URL traversal attacks.

NGINX configuration

This configuration block is different between the Cloudflare and Let’s Encrypt approaches.

Both (common) approaches:
- the webhook endpoint = https://notabene.yourcasdomain.com/

Choose one of these 2 methods:

Let’s Encrypt:
- Requires an “A” record to assign a dedicated subdomain for Notabene.
- Open port 443 in your firewall, see: Configuring Server Firewalls
Cloudflare:
- create a tunnel (and subdomain): notabene
- use: https://localhost:8740 in your tunnel.

Let’s Encrypt (only) server block

Create this server block specifically for Notabene webhooks exposed by a DNS “A” record:

sudo nano /etc/nginx/conf.d/notabene.conf

Enter this typical block in the file (modified as described here: NGINX server blocks):

server {
    listen       443 ssl;
    server_name notabene.yourcasdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourcasdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourcasdomain.com/privkey.pem;

    access_log /var/log/nginx/notabene_access.log;
    error_log /var/log/nginx/notabene_error.log;

    location / {
        proxy_pass https://10.3.2.1:7743/extensions/notabene/webhooks;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Replace yourcasdomain.com with your actual domain.
Save & exit with Ctrl+X, “y”, and don’t change the filename; it helps identify the purpose.

Cloudflare (only) server block

This NGINX server block will expose the webhooks to Cloudflare: https://localhost:8740

For specific NGINX instructions, see: NGINX as a Reverse Proxy Server

Create this server block specifically for Cloudflare tunnels:

sudo nano /etc/nginx/conf.d/8740-notabene.conf

Enter this typical block in the file (modified as described here: NGINX server blocks):

server {
    listen       8740 ssl;
    server_name notabene.yourcasdomain.com;

    access_log /var/log/nginx/notabene_access.log;
    error_log /var/log/nginx/notabene_error.log;

    location / {
        proxy_pass https://10.3.2.1:7743/extensions/notabene/webhooks;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Replace yourcasdomain.com with your actual domain.
Save & exit with Ctrl+X, “y”, and don’t change the filename; it helps identify the purpose.
Configure your Cloudflare tunnel to forward it as desired.

Further secure your your endpoint by restricting access to the endpoint from only these IPs:

Notabene server IPs: https://docs.svix.com/receiving/source-ips