Commit ac6180bcb04d3f7486b87bf1a950e8250c6e27a5
Merge branch 'rack_attack' of /home/git/repositories/gitlab/gitlabhq
Showing
12 changed files
with
175 additions
and
0 deletions
.gitignore
Gemfile
Gemfile.lock
... | ... | @@ -334,6 +334,8 @@ GEM |
334 | 334 | rack (1.4.5) |
335 | 335 | rack-accept (0.4.5) |
336 | 336 | rack (>= 0.4) |
337 | + rack-attack (2.2.1) | |
338 | + rack | |
337 | 339 | rack-cache (1.2) |
338 | 340 | rack (>= 0.4) |
339 | 341 | rack-mini-profiler (0.1.31) |
... | ... | @@ -608,6 +610,7 @@ DEPENDENCIES |
608 | 610 | poltergeist (~> 1.4.1) |
609 | 611 | pry |
610 | 612 | quiet_assets (~> 1.0.1) |
613 | + rack-attack | |
611 | 614 | rack-mini-profiler |
612 | 615 | rails (= 3.2.13) |
613 | 616 | rails-dev-tweaks | ... | ... |
app/views/help/_layout.html.haml
app/views/help/index.html.haml
... | ... | @@ -0,0 +1,15 @@ |
1 | += render layout: 'help/layout' do | |
2 | + %h3.page-title Security | |
3 | + | |
4 | + %p.slead | |
5 | + If your GitLab instance is visible from the internet chances are it will be 'tested' by bots sooner or later. | |
6 | + %br | |
7 | + %br | |
8 | + %br | |
9 | + .file-holder | |
10 | + .file-title | |
11 | + %i.icon-file | |
12 | + Dealing with bruteforcing | |
13 | + .file-content.wiki | |
14 | + = preserve do | |
15 | + = markdown File.read(Rails.root.join("doc", "security", "rack_attack.md")) | ... | ... |
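Review bot: Line 15 reads and markdown-renders `doc/security/rack_attack.md` from disk on every request to this help page; the file is static, so the rendered fragment could be memoized or fragment-cached rather than re-read each time — a minor cost, but worth a comment if it stays as is, e.g. `-# Doc is read from disk per request; content is static and safe to cache`. The path is fixed in the view, so no request data reaches `File.read`. Lines 6–8 use three `%br` tags for vertical spacing; a margin on `.slead` would be the usual approach.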
config/application.rb
... | ... | @@ -0,0 +1,16 @@ |
1 | +# To enable rack-attack for your GitLab instance do the following: | |
2 | +# 1. In config/application.rb find and uncomment the following line: | |
3 | +# config.middleware.use Rack::Attack | |
4 | +# 2. Rename this file to rack_attack.rb | |
5 | +# 3. Review the paths_to_be_protected and add any other path you need protecting | |
6 | +# 4. Restart GitLab instance | |
7 | +# | |
8 | + | |
9 | +paths_to_be_protected = [ | |
10 | + "#{Rails.application.config.relative_url_root}/users/password", | |
11 | + "#{Rails.application.config.relative_url_root}/users/sign_in", | |
12 | + "#{Rails.application.config.relative_url_root}/users" | |
13 | +] | |
14 | +Rack::Attack.throttle('protected paths', limit: 6, period: 60.seconds) do |req| | |
15 | + req.ip if paths_to_be_protected.include?(req.path) && req.post? | |
16 | +end | ... | ... |
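Review bot: The throttle key on line 15 is `req.ip`, and the install guide in this commit runs unicorn behind nginx (`sudo service nginx restart`), so whether that value is the client's address or the proxy's depends on how nginx forwards the address and how Rack resolves it; if it resolves to the proxy, every user shares one 6-per-minute sign-in budget, and the example should say which deployment it assumes. A throttled client also leaves no trace in the logs as written — if this rack-attack version exposes a configurable throttled response, logging the key and path there makes lockouts visible to operators. The path check is exact string equality on `req.path`, which is worth stating in the header: `# Paths are matched exactly; list every form of a route you want covered.` The header says to rename the example file while the installation guide in this same commit copies it — `# 2. Copy this file to config/initializers/rack_attack.rb` keeps the example around for future upgrades. Freezing the list (`].freeze`) is a small style nicety for an initializer-level value.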
config/routes.rb
doc/install/installation.md
... | ... | @@ -195,6 +195,13 @@ You can change `6-1-stable` to `master` if you want the *bleeding edge* version, |
195 | 195 | # Ex. change amount of workers to 3 for 2GB RAM server |
196 | 196 | sudo -u git -H editor config/unicorn.rb |
197 | 197 | |
198 | + # Copy the example Rack attack config | |
199 | + sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb | |
200 | + | |
201 | + # Enable rack attack middleware | |
202 | + # Find and uncomment the line 'config.middleware.use Rack::Attack' | |
203 | + sudo -u git -H editor config/application.rb | |
204 | + | |
198 | 205 | # Configure Git global settings for git user, useful when editing via web |
199 | 206 | # Edit user.email according to what is set in gitlab.yml |
200 | 207 | sudo -u git -H git config --global user.name "GitLab" | ... | ... |
... | ... | @@ -0,0 +1,19 @@ |
1 | +To prevent abusive clients doing damage GitLab uses rack-attack gem. | |
2 | +If you installed or upgraded GitLab by following the official guides this should be enabled by default. | |
3 | +If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance: | |
4 | + | |
5 | +1. In config/application.rb find and uncomment the following line: | |
6 | + config.middleware.use Rack::Attack | |
7 | +2. Rename config/initializers/rack_attack.rb.example to config/initializers/rack_attack.rb | |
8 | +3. Review the paths_to_be_protected and add any other path you need protecting | |
9 | +4. Restart GitLab instance | |
10 | + | |
11 | +By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute. | |
12 | +After trying for 6 times, client will have to wait for the next minute to be able to try again. | |
13 | +These settings can be found in `config/initializers/rack_attack.rb` | |
14 | + | |
15 | +If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance. | |
16 | + | |
17 | +In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking. | |
18 | + | |
19 | +For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). | |
0 | 20 | \ No newline at end of file | ... | ... |
... | ... | @@ -0,0 +1,100 @@ |
1 | +# From 6.1 to 6.2 | |
2 | + | |
3 | +# You should update to 6.1 before installing 6.2 so all the necessary conversions are run. | |
4 | + | |
5 | +### 0. Backup | |
6 | + | |
7 | +It's useful to make a backup just in case things go south: | |
8 | +(With MySQL, this may require granting "LOCK TABLES" privileges to the GitLab user on the database version) | |
9 | + | |
10 | +```bash | |
11 | +cd /home/git/gitlab | |
12 | +sudo -u git -H RAILS_ENV=production bundle exec rake gitlab:backup:create | |
13 | +``` | |
14 | + | |
15 | +### 1. Stop server | |
16 | + | |
17 | + sudo service gitlab stop | |
18 | + | |
19 | +### 2. Get latest code | |
20 | + | |
21 | +```bash | |
22 | +cd /home/git/gitlab | |
23 | +sudo -u git -H git fetch | |
24 | +sudo -u git -H git checkout 6-2-stable | |
25 | +``` | |
26 | + | |
27 | +### 3. Update gitlab-shell | |
28 | + | |
29 | +```bash | |
30 | +cd /home/git/gitlab-shell | |
31 | +sudo -u git -H git fetch | |
32 | +sudo -u git -H git checkout v1.7.1 | |
33 | +``` | |
34 | + | |
35 | +### 4. Install libs, migrations, etc. | |
36 | + | |
37 | +```bash | |
38 | +cd /home/git/gitlab | |
39 | + | |
40 | +# MySQL | |
41 | +sudo -u git -H bundle install --without development test postgres --deployment | |
42 | + | |
43 | +#PostgreSQL | |
44 | +sudo -u git -H bundle install --without development test mysql --deployment | |
45 | + | |
46 | + | |
47 | +sudo -u git -H bundle exec rake db:migrate RAILS_ENV=production | |
48 | +sudo -u git -H bundle exec rake migrate_iids RAILS_ENV=production | |
49 | +sudo -u git -H bundle exec rake assets:clean RAILS_ENV=production | |
50 | +sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production | |
51 | +sudo -u git -H bundle exec rake cache:clear RAILS_ENV=production | |
52 | +``` | |
53 | + | |
54 | +### 5. Update config files | |
55 | + | |
56 | +* Make `/home/git/gitlab/config/gitlab.yml` same as https://github.com/gitlabhq/gitlabhq/blob/6-2-stable/config/gitlab.yml.example but with your settings. | |
57 | +* Make `/home/git/gitlab/config/unicorn.rb` same as https://github.com/gitlabhq/gitlabhq/blob/6-2-stable/config/unicorn.rb.example but with your settings. | |
58 | +* Copy rack attack middleware config | |
59 | +```bash | |
60 | +sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb | |
61 | +``` | |
62 | +* Uncomment `config.middleware.use Rack::Attack` in `/home/git/gitlab/config/application.rb` | |
63 | + | |
64 | +### 6. Update Init script | |
65 | + | |
66 | +```bash | |
67 | +sudo rm /etc/init.d/gitlab | |
68 | +sudo curl --output /etc/init.d/gitlab https://raw.github.com/gitlabhq/gitlabhq/6-2-stable/lib/support/init.d/gitlab | |
69 | +sudo chmod +x /etc/init.d/gitlab | |
70 | +``` | |
71 | + | |
72 | +### 7. Start application | |
73 | + | |
74 | + sudo service gitlab start | |
75 | + sudo service nginx restart | |
76 | + | |
77 | +### 8. Check application status | |
78 | + | |
79 | +Check if GitLab and its environment are configured correctly: | |
80 | + | |
81 | + sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production | |
82 | + | |
83 | +To make sure you didn't miss anything run a more thorough check with: | |
84 | + | |
85 | + sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production | |
86 | + | |
87 | +If all items are green, then congratulations upgrade complete! | |
88 | + | |
89 | +## Things went south? Revert to previous version (6.1) | |
90 | + | |
91 | +### 1. Revert the code to the previous version | |
92 | +Follow the [`upgrade guide from 6.0 to 6.1`](6.0-to-6.1.md), except for the database migration | |
93 | +(The backup is already migrated to the previous version) | |
94 | + | |
95 | +### 2. Restore from the backup: | |
96 | + | |
97 | +```bash | |
98 | +cd /home/git/gitlab | |
99 | +sudo -u git -H RAILS_ENV=production bundle exec rake gitlab:backup:restore | |
100 | +``` | ... | ... |