Commit 055b60d4200aeee0eeab762f162c05305e58c41d
1 parent
c562d290
Exists in
master
and in
4 other branches
Add documentation to help section, rack_attack as example
Showing
9 changed files
with
61 additions
and
5 deletions
Show diff stats
.gitignore
| @@ -20,6 +20,7 @@ Vagrantfile | @@ -20,6 +20,7 @@ Vagrantfile | ||
| 20 | config/gitlab.yml | 20 | config/gitlab.yml |
| 21 | config/database.yml | 21 | config/database.yml |
| 22 | config/initializers/omniauth.rb | 22 | config/initializers/omniauth.rb |
| 23 | +config/initializers/rack_attack.rb | ||
| 23 | config/unicorn.rb | 24 | config/unicorn.rb |
| 24 | config/resque.yml | 25 | config/resque.yml |
| 25 | config/aws.yml | 26 | config/aws.yml |
app/views/help/_layout.html.haml
| @@ -30,5 +30,8 @@ | @@ -30,5 +30,8 @@ | ||
| 30 | %li | 30 | %li |
| 31 | %strong= link_to "Public Access", help_public_access_path | 31 | %strong= link_to "Public Access", help_public_access_path |
| 32 | 32 | ||
| 33 | + %li | ||
| 34 | + %strong= link_to "Security", help_security_path | ||
| 35 | + | ||
| 33 | .span9.pull-right | 36 | .span9.pull-right |
| 34 | = yield | 37 | = yield |
app/views/help/index.html.haml
| @@ -79,3 +79,7 @@ | @@ -79,3 +79,7 @@ | ||
| 79 | %li | 79 | %li |
| 80 | %strong= link_to "Public Access", help_public_access_path | 80 | %strong= link_to "Public Access", help_public_access_path |
| 81 | %p Learn how you can allow public access to a project. | 81 | %p Learn how you can allow public access to a project. |
| 82 | + | ||
| 83 | + %li | ||
| 84 | + %strong= link_to "Security", help_security_path | ||
| 85 | + %p Learn what you can do to secure your GitLab instance. |
| @@ -0,0 +1,15 @@ | @@ -0,0 +1,15 @@ | ||
| 1 | += render layout: 'help/layout' do | ||
| 2 | + %h3.page-title Security | ||
| 3 | + | ||
| 4 | + %p.slead | ||
| 5 | + If your GitLab instance is visible from the internet chances are it will be 'tested' by bots sooner or later. | ||
| 6 | + %br | ||
| 7 | + %br | ||
| 8 | + %br | ||
| 9 | + .file-holder | ||
| 10 | + .file-title | ||
| 11 | + %i.icon-file | ||
| 12 | + Dealing with bruteforcing | ||
| 13 | + .file-content.wiki | ||
| 14 | + = preserve do | ||
| 15 | + = markdown File.read(Rails.root.join("doc", "security", "rack_attack.md")) |
config/application.rb
| @@ -78,7 +78,7 @@ module Gitlab | @@ -78,7 +78,7 @@ module Gitlab | ||
| 78 | # | 78 | # |
| 79 | # config.relative_url_root = "/gitlab" | 79 | # config.relative_url_root = "/gitlab" |
| 80 | 80 | ||
| 81 | - # Enable rack attack middleware | ||
| 82 | - config.middleware.use Rack::Attack | 81 | + # Uncomment to enable rack attack middleware |
| 82 | + # config.middleware.use Rack::Attack | ||
| 83 | end | 83 | end |
| 84 | end | 84 | end |
config/initializers/rack_attack.rb
| @@ -0,0 +1,16 @@ | @@ -0,0 +1,16 @@ | ||
| 1 | +# To enable rack-attack for your GitLab instance do the following: | ||
| 2 | +# 1. In config/application.rb find and uncomment the following line: | ||
| 3 | +# config.middleware.use Rack::Attack | ||
| 4 | +# 2. Rename this file to rack_attack.rb | ||
| 5 | +# 3. Review the paths_to_be_protected and add any other path you need protecting | ||
| 6 | +# 4. Restart GitLab instance | ||
| 7 | +# | ||
| 8 | + | ||
| 9 | +paths_to_be_protected = [ | ||
| 10 | + "#{Rails.application.config.relative_url_root}/users/password", | ||
| 11 | + "#{Rails.application.config.relative_url_root}/users/sign_in", | ||
| 12 | + "#{Rails.application.config.relative_url_root}/users" | ||
| 13 | +] | ||
| 14 | +Rack::Attack.throttle('protected paths', limit: 6, period: 60.seconds) do |req| | ||
| 15 | + req.ip if paths_to_be_protected.include?(req.path) && req.post? | ||
| 16 | +end |
config/routes.rb
| @@ -39,6 +39,7 @@ Gitlab::Application.routes.draw do | @@ -39,6 +39,7 @@ Gitlab::Application.routes.draw do | ||
| 39 | get 'help/web_hooks' => 'help#web_hooks' | 39 | get 'help/web_hooks' => 'help#web_hooks' |
| 40 | get 'help/workflow' => 'help#workflow' | 40 | get 'help/workflow' => 'help#workflow' |
| 41 | get 'help/shortcuts' | 41 | get 'help/shortcuts' |
| 42 | + get 'help/security' | ||
| 42 | 43 | ||
| 43 | # | 44 | # |
| 44 | # Global snippets | 45 | # Global snippets |
| @@ -0,0 +1,19 @@ | @@ -0,0 +1,19 @@ | ||
| 1 | +To prevent abusive clients doing damage GitLab uses rack-attack gem. | ||
| 2 | +If you installed or upgraded GitLab by following the official guides this should be enabled by default. | ||
| 3 | +If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance: | ||
| 4 | + | ||
| 5 | +1. In config/application.rb find and uncomment the following line: | ||
| 6 | + config.middleware.use Rack::Attack | ||
| 7 | +2. Rename config/initializers/rack_attack.rb.example to config/initializers/rack_attack.rb | ||
| 8 | +3. Review the paths_to_be_protected and add any other path you need protecting | ||
| 9 | +4. Restart GitLab instance | ||
| 10 | + | ||
| 11 | +By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute. | ||
| 12 | +After trying for 6 times, client will have to wait for the next minute to be able to try again. | ||
| 13 | +These settings can be found in `config/initializers/rack_attack.rb` | ||
| 14 | + | ||
| 15 | +If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance. | ||
| 16 | + | ||
| 17 | +In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking. | ||
| 18 | + | ||
| 19 | +For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). | ||
| 0 | \ No newline at end of file | 20 | \ No newline at end of file |