List of Netlify IP addresses for whitelisting

I currently host my site on Bitbucket and it is locked to only whitelisted IP addresses. When I try to deploy from Netlify, the build fails as the Netlify IP is not whitelisted in my Bitbucket account. I get the following messages:

4:37:02 PM: Starting to prepare the repo for build

4:37:07 PM: git ref refs/heads/master does not exist or you do not have permission

4:37:07 PM: Failing build: Failed to prepare repo

4:37:07 PM: failed during stage ‘preparing repo’: git ref refs/heads/master does not exist

The deploy works fine if I disable IP whitelisting in my Bitbucket account. So, I am wondering what IP addresses I should whitelist in Bitbucket for deploys to work in Netlify. Any help would be much appreciated. Thanks!


Hi @akurudi !

Our build environment and our serving environment change frequently and there is no fixed netblock or addresses. You cannot use us directly to pull code from your repo if you cannot allow ALL access via SSH. I’d suggest a different deployment method in that case:

api
cli

I have added your voice to the feature request we have to create the ability to use a limited range of IP’s to contact your git host, but I do not have any commitment to implement it yet so this is mostly useful to you in knowing that we will inform you in case the situation changes.

@fool My use case is different but I still need a range of Netlify’s IPs. My Netlify web app calls a back-end server (elsewhere, not on Netlify). For security concerns, this back-end server only allows calls from a whitelist of known callers. So, I need to have the back-end server whitelist calls from my app on Netlify. Thus, I need a range of Netlify’s IPs to do that. The back-end server cannot just permit all IPs to make a call to it; that would be a huge and unacceptable security risk. Please consider this an urgent and important need. Thank you.


Hi Jay,

We have other provisions for guaranteeing the post comes from Netlify and we have no plans to change the way our infrastructure contacts yours, so I’d suggest investigating the available alternatives:

  1. using a function to gate access, and you can send whatever token you want from the function to prove that it was originated via your netlify site
  2. using the JWS that we can provide for proxy’d calls to your server: Rewrites and proxies | Netlify Docs
  3. setting a cookie on our side and verifying it on your backend

I’m trying to explore the JWS option. I’m reviewing the Netlify docs on signed proxy redirects that you mentioned and maybe I’m missing something here.

Question 1: The signed JSON document contains a field called context. How do I control what goes into context? I would need this data to be generated dynamically on-the-fly since the context would have to change on a per-request basis.

Question 2: netlify.toml “signed” directive. Does it have to be under a [[redirects]]? (I don’t need a redirect here, do I?)

As far as I know, the JWS is not controllable by you except in picking the encryption key. On your end, you decrypt the signature which would verify that we created it. That’s all there is to it.

You definitely need a redirect to use that feature; it ONLY applies to proxied routes! (200 status redirect)

@fool Where does the JWS data come in? I’ve added signed to a redirect in my netlify.toml and created an environment variable.

I dumped the proxied request Netlify is making and see a bunch of X-headers but no JWS to validate. There is also the JWT token set as a cookie as nf_jwt, but that came in before I enabled JWS and I can’t validate it with my SECRET_KEY environment variable or hash specified in the JWS doc.

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Accept: */*
Accept-Encoding: br, gzip
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Client-Ip:
Cookie: nf_jwt=
Pragma:
Referer:
Sec-Fetch-Mode:
Sec-Fetch-Site:
X-Bb-Ab:
X-Bb-Client-Request-Uuid:
X-Bb-Ip:
X-Bb-Loop:
X-Country:
X-Datadog-Parent-Id:
X-Datadog-Sampling-Priority:
X-Datadog-Trace-Id:
X-Forwarded-For:
X-Language:
X-Nf-Account-Id:
X-Nf-Client-Connection-Ip:
X-Nf-Site-Id:

Could you share which netlify site you are working on and the redirect rule? Just want to check to see why the JWS might not have been passed along.

https://inspiring-ride-4bfe42.netlify.com/

You need to first click login and register an account. Then go to the protected tab which will make a fetch request against the proxy url. The proxy is set to a debug server URL which isn’t running right now.

Netlify.toml

    [[redirects]]
    from = "/couchdb/*"
    to = "http://142.44.243.197:8000/:splat"
    status = 200
    force = true
    signed = "SECRET_KEY"

It’s sent in a cookie, named after your site’s API ID.

There is no cookie being sent to the server, this is the contents being sent.

Client-Ip: 73.109.110.78
Cookie: nf_jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhcHBfbWV0YWRhdGEiOnsicHJvdmlkZXIiOiJlbWFpbCJ9LCJlbWFpbCI6Im1waHVpZUBnbWFpbC5jb20iLCJleHAiOjE1NzcxNTA5MzUsInN1YiI6IjY0OGUyMTllLTFlZGItNDRlMS04OTIxLWUyMmZjYWRhOWY3ZSIsInVzZXJfbWV0YWRhdGEiOnsiZnVsbF9uYW1lIjoiTWF0dGhldyBIVWllIn19.nPJUlrPQFtQ6FCnYpbktv8jXDyWFKZ5aDGVuoh5dBxQ
Referer: https://inspiring-ride-4bfe42.netlify.com/

If a user is not logged in, no cookie header is being passed

I do now see an X-Nf-Sign header being provided that I can validate with the secret key I set in an environment variable.
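As an added example (not Netlify’s code and not posted by anyone in this thread), this is the back-end check the earlier replies describe: treat the X-Nf-Sign header as a compact HS256 JWS and verify its HMAC against the shared secret named by the `signed` setting, rejecting any other `alg` and any expired token. The payload fields and the secret are constructed for the demo; the real payload contents are whatever Netlify puts in its signed document.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_nf_sign(token: str, secret: str, now=None) -> dict:
    """Verify a compact HS256 JWS (e.g. the X-Nf-Sign header value) and return its payload.

    Raises ValueError on any defect; callers should reject the request in that case.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm: never let the token choose how it is verified.
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: not produced with the shared secret")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and payload["exp"] < now:
        raise ValueError("token expired")
    return payload


def is_valid_nf_sign(token: str, secret: str, now=None) -> bool:
    """Boolean wrapper around verify_nf_sign for a request-gating decision."""
    try:
        verify_nf_sign(token, secret, now)
        return True
    except ValueError:
        return False


def make_test_token(payload: dict, secret: str) -> str:
    # Constructed for the demo only: mints a token the way an HS256 issuer would.
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), ("%s.%s" % (header_b64, payload_b64)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header_b64, payload_b64, b64url_encode(sig))
```

On the back end, read the header value from the proxied request, call `is_valid_nf_sign` with the same secret you configured as the environment variable, and return 403 when it is false.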

Did something change since my message 3 days ago? I pasted my complete list of headers received and I have not deployed since then…

No change that I am aware of. We’ve held off making any changes due to the holidays. Glad it’s working for you now but do let us know if something changes again so we can continue looking into the issue. Thanks for your patience.

@Dennis I just did a deploy (no config change to netlify.toml) and now there is no X-Nf-Sign header.

Could you please link us to the deploy in question? Starting to sound like there is some complicating factor like a split test without that config deployed and I’d like to look at the specific deploy in our system to see if I can see anything.