Webhook Listeners on Private Servers

Using Reverse SSH Tunnels

Overview

When working with webhook integrations, it's common to require a publicly accessible endpoint. However, some environments—particularly on-premises or secured networks—do not allow direct public IP exposure. This guide walks through how to use reverse SSH tunneling to expose a webhook listener running on a private server without requiring a public IP or VPN.


Use Case

This method is ideal when:

  • Your server is behind a NAT/firewall and cannot have a public IP.
  • You need to receive webhook POST requests from Rhombus or any third-party service.
  • You want a secure and simple way to forward traffic to your local webhook listener.

Architecture Overview

Component      | Role
Private Server | Runs the webhook listener (e.g., localhost:8080)
Public Relay   | A small public cloud instance (e.g., EC2, Linode)
Webhook Sender | Sends HTTP POST requests (e.g., Rhombus cloud)

The private server opens an outbound SSH connection to the public relay, and the relay forwards external traffic through that encrypted tunnel to the webhook listener.


Step-by-Step Implementation

1. Provision a Public Relay Server

Set up a lightweight Linux server (e.g., Ubuntu) on a cloud provider like AWS, GCP, or DigitalOcean.

  • Assign a public IP or domain name (e.g., relay.yourdomain.com).
  • Open inbound ports (e.g., 80 or 443) for HTTP/HTTPS traffic.

2. Configure SSH for Remote Tunneling

On the relay server, modify the SSH daemon config:

sudo nano /etc/ssh/sshd_config

Ensure the following options are set:

GatewayPorts yes
AllowTcpForwarding yes
PermitOpen any

Restart SSH:

sudo systemctl restart ssh

3. Set Up SSH Key Authentication

On your private server (where the webhook listener runs):

ssh-keygen -t rsa -b 4096 -C "<YOUR_EMAIL>"
ssh-copy-id -i ~/.ssh/id_rsa.pub user@<RELAY_PUBLIC_IP>

Verify passwordless SSH access:

ssh user@<RELAY_PUBLIC_IP>

4. Establish the Reverse SSH Tunnel

Run the following command on your private server:

ssh -Nf -R 80:localhost:8080 user@<RELAY_PUBLIC_IP>

Explanation:

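  • 80 is the external port exposed by the relay. Ports below 1024 are privileged, so sshd accepts this forward only when the SSH login on the relay is root.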
  • localhost:8080 points to your local webhook listener.

5. Make the Tunnel Persistent (autossh)

Install autossh:

sudo apt install autossh

Run with:

autossh -M 0 -Nf -R 80:localhost:8080 user@<RELAY_PUBLIC_IP>

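This restarts the tunnel whenever the ssh process exits. With -M 0, autossh does no monitoring of its own, so detecting a stalled connection depends on SSH keepalive settings such as ServerAliveInterval.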


6. Test the Setup

  1. Start your webhook listener (e.g., a C# app listening on localhost:8080).
  2. Use curl or a browser to test:

curl http://<RELAY_PUBLIC_IP>/your-webhook-endpoint

  3. You should see the request hit your local webhook service.
  4. Provide the public relay URL to Rhombus or any external service:

http://<RELAY_PUBLIC_IP>/your-webhook-endpoint

Optional: HTTPS with NGINX

For secure connections:

  • Install NGINX on the relay server.
  • Use Let's Encrypt to generate TLS certificates.
  • Forward HTTPS traffic to the SSH tunnel port.

Security Recommendations

  • Use key-based SSH authentication only.
  • Restrict traffic on the relay server with firewall rules or ufw.
  • Monitor the tunnel connection with logging tools or health checks.
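
A quick check for the first recommendation and for the forwarding options from step 2, as an added example that is not part of the original guide: the function reads the relay's sshd settings on stdin and prints one finding per setting that widens exposure. The function name, finding labels and sample config are constructed for illustration; it assumes "Keyword value" lines, reads only the global section (it stops at the first Match block) and does not follow Include lines.

```shell
#!/bin/sh
# Added example, not from the original guide. Names and labels are hypothetical.
# audit_relay_sshd: read sshd settings on stdin, print one finding per line.
audit_relay_sshd() {
    awk '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            k = tolower($1)                    # sshd keywords are case-insensitive
            if (k == "match") exit             # only the global section is read
            if (!(k in v)) v[k] = tolower($2)  # sshd keeps the first value it sees
        }
        END {
            # PasswordAuthentication defaults to yes when unset.
            if (v["passwordauthentication"] != "no")
                print "password-auth: set PasswordAuthentication no (key-based only)"
            # GatewayPorts yes binds remote forwards on every interface.
            if (v["gatewayports"] == "yes")
                print "gatewayports: tunnel port is reachable on all relay interfaces"
            # PermitListen defaults to any: a client may request any -R port.
            if (!("permitlisten" in v) || v["permitlisten"] == "any")
                print "permitlisten: remote-forward listen ports are unrestricted"
            if (v["permitrootlogin"] == "yes")
                print "root-login: PermitRootLogin yes permits direct root logins"
        }
    '
}

# Constructed sample: the three options from step 2 plus password logins left on.
sample_relay_config() {
    cat <<'EOF'
# constructed sample, mirrors step 2 of the guide
GatewayPorts yes
AllowTcpForwarding yes
PermitOpen any
PasswordAuthentication yes
EOF
}

# Demo run on the constructed sample (prints three findings).
sample_relay_config | audit_relay_sshd
```

On the relay, piping `sudo sshd -T` into the function checks the effective configuration, including defaults and included files.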

Benefits of This Approach

  • ✅ Works behind NAT or corporate firewalls
  • ✅ Requires no VPN
  • ✅ Easy to automate with autossh
  • ✅ Fully outbound connection—safe for most enterprise networks
  • ✅ Maintains full control over your environment

Conclusion

Reverse SSH tunneling is a powerful and secure way to receive webhooks on private infrastructure. With a minimal setup and zero dependency on public IPs or VPNs, it provides flexibility for teams with strict network constraints.