Commit 055b60d4200aeee0eeab762f162c05305e58c41d
1 parent c562d290
Exists in master and in 4 other branches
Add documentation to help section, rack_attack as example
Showing 9 changed files with 61 additions and 5 deletions
.gitignore
app/views/help/_layout.html.haml
app/views/help/index.html.haml
... | ... | @@ -0,0 +1,15 @@ |
1 | += render layout: 'help/layout' do | |
2 | + %h3.page-title Security | |
3 | + | |
4 | + %p.slead | |
5 | + If your GitLab instance is visible from the internet chances are it will be 'tested' by bots sooner or later. | |
6 | + %br | |
7 | + %br | |
8 | + %br | |
9 | + .file-holder | |
10 | + .file-title | |
11 | + %i.icon-file | |
12 | + Dealing with bruteforcing | |
13 | + .file-content.wiki | |
14 | + = preserve do | |
15 | + = markdown File.read(Rails.root.join("doc", "security", "rack_attack.md")) | ... | ... |
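Review bot: lines 6-8 stack three `%br` elements to make vertical space under the lead paragraph; give `.slead` or `.file-holder` a margin in the stylesheet instead of doing layout with line breaks. Line 15 reads and renders `doc/security/rack_attack.md` from disk on every request to this view. The path is a fixed `Rails.root.join(...)`, so nothing user-controlled reaches `File.read`, and that is the property to keep if more help pages follow this pattern (never build that path from a request parameter); it would still be worth reading the file once or caching the rendered markdown rather than hitting disk per page view.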
config/application.rb
config/initializers/rack_attack.rb
... | ... | @@ -0,0 +1,16 @@ |
1 | +# To enable rack-attack for your GitLab instance do the following: | |
2 | +# 1. In config/application.rb find and uncomment the following line: | |
3 | +# config.middleware.use Rack::Attack | |
4 | +# 2. Rename this file to rack_attack.rb | |
5 | +# 3. Review the paths_to_be_protected and add any other path you need protecting | |
6 | +# 4. Restart GitLab instance | |
7 | +# | |
8 | + | |
9 | +paths_to_be_protected = [ | |
10 | + "#{Rails.application.config.relative_url_root}/users/password", | |
11 | + "#{Rails.application.config.relative_url_root}/users/sign_in", | |
12 | + "#{Rails.application.config.relative_url_root}/users" | |
13 | +] | |
14 | +Rack::Attack.throttle('protected paths', limit: 6, period: 60.seconds) do |req| | |
15 | + req.ip if paths_to_be_protected.include?(req.path) && req.post? | |
16 | +end | ... | ... |
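Review bot: line 15 keys the throttle on `req.ip`. When GitLab runs behind a reverse proxy (nginx in front of unicorn is the usual layout), `req.ip` only resolves to the real client address if the proxy sets `X-Forwarded-For` and Rack treats that proxy as trusted; otherwise every visitor shares the proxy's address, and six failed sign-ins by anyone lock sign-in for the whole instance for the rest of the minute. State the proxy requirement in the header comment, or key the throttle on the forwarded client address. Line 4 says "Rename this file to rack_attack.rb" and the markdown doc calls the shipped file `config/initializers/rack_attack.rb.example`, yet the file list on this page shows `config/initializers/rack_attack.rb`; whichever name is committed, the other two places need to agree. Minor: `paths_to_be_protected.include?(req.path)` is an exact string match, so a trailing slash or a format suffix on the path would not be throttled if the route accepts it; matching a normalized path or a prefix would be safer.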
config/routes.rb
... | ... | @@ -0,0 +1,19 @@ |
1 | +To prevent abusive clients doing damage GitLab uses rack-attack gem. | |
2 | +If you installed or upgraded GitLab by following the official guides this should be enabled by default. | |
3 | +If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance: | |
4 | + | |
5 | +1. In config/application.rb find and uncomment the following line: | |
6 | + config.middleware.use Rack::Attack | |
7 | +2. Rename config/initializers/rack_attack.rb.example to config/initializers/rack_attack.rb | |
8 | +3. Review the paths_to_be_protected and add any other path you need protecting | |
9 | +4. Restart GitLab instance | |
10 | + | |
11 | +By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute. | |
12 | +After trying for 6 times, client will have to wait for the next minute to be able to try again. | |
13 | +These settings can be found in `config/initializers/rack_attack.rb` | |
14 | + | |
15 | +If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance. | |
16 | + | |
17 | +In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking. | |
18 | + | |
19 | +For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). | |
0 | 20 | \ No newline at end of file | ... | ... |
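Review bot: line 2 says protection "should be enabled by default", but step 1 on lines 5-6 tells the reader to uncomment `config.middleware.use Rack::Attack`, so a stock checkout has the middleware off; either state that the install and upgrade guides perform steps 1 and 2, or drop the "enabled by default" claim. Because the rule throttles by client IP, add a sentence that users behind a shared NAT or proxy share one bucket, and that behind a reverse proxy the address seen by Rack must be the real client address, or the limit applies to everyone at once. Line 11's "user sign-up(if enabled)" needs a space before the parenthesis, line 15 is one long paragraph that reads better split into the limit/period sentence, the 3-per-second example and the paths sentence, and the file should end with a newline (line 20).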