Download as
Browse Code »

Commit ac6180bcb04d3f7486b87bf1a950e8250c6e27a5

Authored by Dmitriy Zaporozhets
2 parents 9ffabc6d 775aa5ba
Exists in master and in 4 other branches 6-8-stable, 7-0-stable, 7-0-stable-spb, spb-stable

Merge branch 'rack_attack' of /home/git/repositories/gitlab/gitlabhq

Showing 12 changed files with 175 additions and 0 deletions   Show diff stats
@@ -20,6 +20,7 @@ Vagrantfile @@ -20,6 +20,7 @@ Vagrantfile
20 config/gitlab.yml 20 config/gitlab.yml
21 config/database.yml 21 config/database.yml
22 config/initializers/omniauth.rb 22 config/initializers/omniauth.rb
  23 +config/initializers/rack_attack.rb
23 config/unicorn.rb 24 config/unicorn.rb
24 config/resque.yml 25 config/resque.yml
25 config/aws.yml 26 config/aws.yml
@@ -120,6 +120,9 @@ gem "underscore-rails", "~> 1.4.4" @@ -120,6 +120,9 @@ gem "underscore-rails", "~> 1.4.4"
120 # Sanitize user input 120 # Sanitize user input
121 gem "sanitize" 121 gem "sanitize"
122 122
  123 +# Protect against bruteforcing
  124 +gem "rack-attack"
  125 +
123 group :assets do 126 group :assets do
124 gem "sass-rails" 127 gem "sass-rails"
125 gem "coffee-rails" 128 gem "coffee-rails"
@@ -334,6 +334,8 @@ GEM @@ -334,6 +334,8 @@ GEM
334 rack (1.4.5) 334 rack (1.4.5)
335 rack-accept (0.4.5) 335 rack-accept (0.4.5)
336 rack (>= 0.4) 336 rack (>= 0.4)
  337 + rack-attack (2.2.1)
  338 + rack
337 rack-cache (1.2) 339 rack-cache (1.2)
338 rack (>= 0.4) 340 rack (>= 0.4)
339 rack-mini-profiler (0.1.31) 341 rack-mini-profiler (0.1.31)
@@ -608,6 +610,7 @@ DEPENDENCIES @@ -608,6 +610,7 @@ DEPENDENCIES
608 poltergeist (~> 1.4.1) 610 poltergeist (~> 1.4.1)
609 pry 611 pry
610 quiet_assets (~> 1.0.1) 612 quiet_assets (~> 1.0.1)
  613 + rack-attack
611 rack-mini-profiler 614 rack-mini-profiler
612 rails (= 3.2.13) 615 rails (= 3.2.13)
613 rails-dev-tweaks 616 rails-dev-tweaks
app/views/help/_layout.html.haml
  Diff comments   View file @ac6180b
@@ -30,5 +30,8 @@ @@ -30,5 +30,8 @@
30 %li 30 %li
31 %strong= link_to "Public Access", help_public_access_path 31 %strong= link_to "Public Access", help_public_access_path
32 32
  33 + %li
  34 + %strong= link_to "Security", help_security_path
  35 +
33 .span9.pull-right 36 .span9.pull-right
34 = yield 37 = yield
app/views/help/index.html.haml
  Diff comments   View file @ac6180b
@@ -79,3 +79,7 @@ @@ -79,3 +79,7 @@
79 %li 79 %li
80 %strong= link_to "Public Access", help_public_access_path 80 %strong= link_to "Public Access", help_public_access_path
81 %p Learn how you can allow public access to a project. 81 %p Learn how you can allow public access to a project.
  82 +
  83 + %li
  84 + %strong= link_to "Security", help_security_path
  85 + %p Learn what you can do to secure your GitLab instance.
app/views/help/security.html.haml 0 → 100644
  Diff comments   View file @ac6180b
@@ -0,0 +1,15 @@ @@ -0,0 +1,15 @@
  1 += render layout: 'help/layout' do
  2 + %h3.page-title Security
  3 +
  4 + %p.slead
  5 + If your GitLab instance is visible from the internet chances are it will be 'tested' by bots sooner or later.
  6 + %br
  7 + %br
  8 + %br
  9 + .file-holder
  10 + .file-title
  11 + %i.icon-file
  12 + Dealing with bruteforcing
  13 + .file-content.wiki
  14 + = preserve do
  15 + = markdown File.read(Rails.root.join("doc", "security", "rack_attack.md"))
config/application.rb
  Diff comments   View file @ac6180b
@@ -77,5 +77,8 @@ module Gitlab @@ -77,5 +77,8 @@ module Gitlab
77 # 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab" 77 # 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab"
78 # 78 #
79 # config.relative_url_root = "/gitlab" 79 # config.relative_url_root = "/gitlab"
  80 +
  81 + # Uncomment to enable rack attack middleware
  82 + # config.middleware.use Rack::Attack
80 end 83 end
81 end 84 end
config/initializers/rack_attack.rb.example 0 → 100644
  Diff comments   View file @ac6180b
@@ -0,0 +1,16 @@ @@ -0,0 +1,16 @@
  1 +# To enable rack-attack for your GitLab instance do the following:
  2 +# 1. In config/application.rb find and uncomment the following line:
  3 +# config.middleware.use Rack::Attack
  4 +# 2. Rename this file to rack_attack.rb
  5 +# 3. Review the paths_to_be_protected and add any other path you need protecting
  6 +# 4. Restart GitLab instance
  7 +#
  8 +
  9 +paths_to_be_protected = [
  10 + "#{Rails.application.config.relative_url_root}/users/password",
  11 + "#{Rails.application.config.relative_url_root}/users/sign_in",
  12 + "#{Rails.application.config.relative_url_root}/users"
  13 +]
  14 +Rack::Attack.throttle('protected paths', limit: 6, period: 60.seconds) do |req|
  15 + req.ip if paths_to_be_protected.include?(req.path) && req.post?
  16 +end
config/routes.rb
  Diff comments   View file @ac6180b
@@ -39,6 +39,7 @@ Gitlab::Application.routes.draw do @@ -39,6 +39,7 @@ Gitlab::Application.routes.draw do
39 get 'help/web_hooks' => 'help#web_hooks' 39 get 'help/web_hooks' => 'help#web_hooks'
40 get 'help/workflow' => 'help#workflow' 40 get 'help/workflow' => 'help#workflow'
41 get 'help/shortcuts' 41 get 'help/shortcuts'
  42 + get 'help/security'
42 43
43 # 44 #
44 # Global snippets 45 # Global snippets
doc/install/installation.md
  Diff comments   View file @ac6180b
@@ -195,6 +195,13 @@ You can change `6-1-stable` to `master` if you want the *bleeding edge* version, @@ -195,6 +195,13 @@ You can change `6-1-stable` to `master` if you want the *bleeding edge* version,
195 # Ex. change amount of workers to 3 for 2GB RAM server 195 # Ex. change amount of workers to 3 for 2GB RAM server
196 sudo -u git -H editor config/unicorn.rb 196 sudo -u git -H editor config/unicorn.rb
197 197
  198 + # Copy the example Rack attack config
  199 + sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb
  200 +
  201 + # Enable rack attack middleware
  202 + # Find and uncomment the line 'config.middleware.use Rack::Attack'
  203 + sudo -u git -H editor config/application.rb
  204 +
198 # Configure Git global settings for git user, useful when editing via web 205 # Configure Git global settings for git user, useful when editing via web
199 # Edit user.email according to what is set in gitlab.yml 206 # Edit user.email according to what is set in gitlab.yml
200 sudo -u git -H git config --global user.name "GitLab" 207 sudo -u git -H git config --global user.name "GitLab"
doc/security/rack_attack.md 0 → 100644
  Diff comments   View file @ac6180b
@@ -0,0 +1,19 @@ @@ -0,0 +1,19 @@
  1 +To prevent abusive clients doing damage GitLab uses rack-attack gem.
  2 +If you installed or upgraded GitLab by following the official guides this should be enabled by default.
  3 +If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance:
  4 +
  5 +1. In config/application.rb find and uncomment the following line:
  6 + config.middleware.use Rack::Attack
  7 +2. Rename config/initializers/rack_attack.rb.example to config/initializers/rack_attack.rb
  8 +3. Review the paths_to_be_protected and add any other path you need protecting
  9 +4. Restart GitLab instance
  10 +
  11 +By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute.
  12 +After trying for 6 times, client will have to wait for the next minute to be able to try again.
  13 +These settings can be found in `config/initializers/rack_attack.rb`
  14 +
  15 +If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance.
  16 +
  17 +In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking.
  18 +
  19 +For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md).
0 \ No newline at end of file 20 \ No newline at end of file
doc/update/6.1-to-6.2.md 0 → 100644
  Diff comments   View file @ac6180b
@@ -0,0 +1,100 @@ @@ -0,0 +1,100 @@
  1 +# From 6.1 to 6.2
  2 +
  3 +# You should update to 6.1 before installing 6.2 so all the necessary conversions are run.
  4 +
  5 +### 0. Backup
  6 +
  7 +It's useful to make a backup just in case things go south:
  8 +(With MySQL, this may require granting "LOCK TABLES" privileges to the GitLab user on the database version)
  9 +
  10 +```bash
  11 +cd /home/git/gitlab
  12 +sudo -u git -H RAILS_ENV=production bundle exec rake gitlab:backup:create
  13 +```
  14 +
  15 +### 1. Stop server
  16 +
  17 + sudo service gitlab stop
  18 +
  19 +### 2. Get latest code
  20 +
  21 +```bash
  22 +cd /home/git/gitlab
  23 +sudo -u git -H git fetch
  24 +sudo -u git -H git checkout 6-2-stable
  25 +```
  26 +
  27 +### 3. Update gitlab-shell
  28 +
  29 +```bash
  30 +cd /home/git/gitlab-shell
  31 +sudo -u git -H git fetch
  32 +sudo -u git -H git checkout v1.7.1
  33 +```
  34 +
  35 +### 4. Install libs, migrations, etc.
  36 +
  37 +```bash
  38 +cd /home/git/gitlab
  39 +
  40 +# MySQL
  41 +sudo -u git -H bundle install --without development test postgres --deployment
  42 +
  43 +#PostgreSQL
  44 +sudo -u git -H bundle install --without development test mysql --deployment
  45 +
  46 +
  47 +sudo -u git -H bundle exec rake db:migrate RAILS_ENV=production
  48 +sudo -u git -H bundle exec rake migrate_iids RAILS_ENV=production
  49 +sudo -u git -H bundle exec rake assets:clean RAILS_ENV=production
  50 +sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production
  51 +sudo -u git -H bundle exec rake cache:clear RAILS_ENV=production
  52 +```
  53 +
  54 +### 5. Update config files
  55 +
  56 +* Make `/home/git/gitlab/config/gitlab.yml` same as https://github.com/gitlabhq/gitlabhq/blob/6-2-stable/config/gitlab.yml.example but with your settings.
  57 +* Make `/home/git/gitlab/config/unicorn.rb` same as https://github.com/gitlabhq/gitlabhq/blob/6-2-stable/config/unicorn.rb.example but with your settings.
  58 +* Copy rack attack middleware config
  59 +```bash
  60 +sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb
  61 +```
  62 +* Uncomment `config.middleware.use Rack::Attack` in `/home/git/gitlab/config/application.rb`
  63 +
  64 +### 6. Update Init script
  65 +
  66 +```bash
  67 +sudo rm /etc/init.d/gitlab
  68 +sudo curl --output /etc/init.d/gitlab https://raw.github.com/gitlabhq/gitlabhq/6-2-stable/lib/support/init.d/gitlab
  69 +sudo chmod +x /etc/init.d/gitlab
  70 +```
  71 +
  72 +### 7. Start application
  73 +
  74 + sudo service gitlab start
  75 + sudo service nginx restart
  76 +
  77 +### 8. Check application status
  78 +
  79 +Check if GitLab and its environment are configured correctly:
  80 +
  81 + sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production
  82 +
  83 +To make sure you didn't miss anything run a more thorough check with:
  84 +
  85 + sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production
  86 +
  87 +If all items are green, then congratulations upgrade complete!
  88 +
  89 +## Things went south? Revert to previous version (6.1)
  90 +
  91 +### 1. Revert the code to the previous version
  92 +Follow the [`upgrade guide from 6.0 to 6.1`](6.0-to-6.1.md), except for the database migration
  93 +(The backup is already migrated to the previous version)
  94 +
  95 +### 2. Restore from the backup:
  96 +
  97 +```bash
  98 +cd /home/git/gitlab
  99 +sudo -u git -H RAILS_ENV=production bundle exec rake gitlab:backup:restore
  100 +```