Commit ac6180bcb04d3f7486b87bf1a950e8250c6e27a5
Exists in
master
and in
4 other branches
Merge branch 'rack_attack' of /home/git/repositories/gitlab/gitlabhq
Showing
12 changed files
with
175 additions
and
0 deletions
Show diff stats
.gitignore
@@ -20,6 +20,7 @@ Vagrantfile | @@ -20,6 +20,7 @@ Vagrantfile | ||
20 | config/gitlab.yml | 20 | config/gitlab.yml |
21 | config/database.yml | 21 | config/database.yml |
22 | config/initializers/omniauth.rb | 22 | config/initializers/omniauth.rb |
23 | +config/initializers/rack_attack.rb | ||
23 | config/unicorn.rb | 24 | config/unicorn.rb |
24 | config/resque.yml | 25 | config/resque.yml |
25 | config/aws.yml | 26 | config/aws.yml |
Gemfile
@@ -120,6 +120,9 @@ gem "underscore-rails", "~> 1.4.4" | @@ -120,6 +120,9 @@ gem "underscore-rails", "~> 1.4.4" | ||
120 | # Sanitize user input | 120 | # Sanitize user input |
121 | gem "sanitize" | 121 | gem "sanitize" |
122 | 122 | ||
123 | +# Protect against bruteforcing | ||
124 | +gem "rack-attack" | ||
125 | + | ||
123 | group :assets do | 126 | group :assets do |
124 | gem "sass-rails" | 127 | gem "sass-rails" |
125 | gem "coffee-rails" | 128 | gem "coffee-rails" |
Gemfile.lock
@@ -334,6 +334,8 @@ GEM | @@ -334,6 +334,8 @@ GEM | ||
334 | rack (1.4.5) | 334 | rack (1.4.5) |
335 | rack-accept (0.4.5) | 335 | rack-accept (0.4.5) |
336 | rack (>= 0.4) | 336 | rack (>= 0.4) |
337 | + rack-attack (2.2.1) | ||
338 | + rack | ||
337 | rack-cache (1.2) | 339 | rack-cache (1.2) |
338 | rack (>= 0.4) | 340 | rack (>= 0.4) |
339 | rack-mini-profiler (0.1.31) | 341 | rack-mini-profiler (0.1.31) |
@@ -608,6 +610,7 @@ DEPENDENCIES | @@ -608,6 +610,7 @@ DEPENDENCIES | ||
608 | poltergeist (~> 1.4.1) | 610 | poltergeist (~> 1.4.1) |
609 | pry | 611 | pry |
610 | quiet_assets (~> 1.0.1) | 612 | quiet_assets (~> 1.0.1) |
613 | + rack-attack | ||
611 | rack-mini-profiler | 614 | rack-mini-profiler |
612 | rails (= 3.2.13) | 615 | rails (= 3.2.13) |
613 | rails-dev-tweaks | 616 | rails-dev-tweaks |
app/views/help/_layout.html.haml
@@ -30,5 +30,8 @@ | @@ -30,5 +30,8 @@ | ||
30 | %li | 30 | %li |
31 | %strong= link_to "Public Access", help_public_access_path | 31 | %strong= link_to "Public Access", help_public_access_path |
32 | 32 | ||
33 | + %li | ||
34 | + %strong= link_to "Security", help_security_path | ||
35 | + | ||
33 | .span9.pull-right | 36 | .span9.pull-right |
34 | = yield | 37 | = yield |
app/views/help/index.html.haml
@@ -79,3 +79,7 @@ | @@ -79,3 +79,7 @@ | ||
79 | %li | 79 | %li |
80 | %strong= link_to "Public Access", help_public_access_path | 80 | %strong= link_to "Public Access", help_public_access_path |
81 | %p Learn how you can allow public access to a project. | 81 | %p Learn how you can allow public access to a project. |
82 | + | ||
83 | + %li | ||
84 | + %strong= link_to "Security", help_security_path | ||
85 | + %p Learn what you can do to secure your GitLab instance. |
@@ -0,0 +1,15 @@ | @@ -0,0 +1,15 @@ | ||
1 | += render layout: 'help/layout' do | ||
2 | + %h3.page-title Security | ||
3 | + | ||
4 | + %p.slead | ||
5 | + If your GitLab instance is visible from the internet chances are it will be 'tested' by bots sooner or later. | ||
6 | + %br | ||
7 | + %br | ||
8 | + %br | ||
9 | + .file-holder | ||
10 | + .file-title | ||
11 | + %i.icon-file | ||
12 | + Dealing with bruteforcing | ||
13 | + .file-content.wiki | ||
14 | + = preserve do | ||
15 | + = markdown File.read(Rails.root.join("doc", "security", "rack_attack.md")) |
config/application.rb
@@ -77,5 +77,8 @@ module Gitlab | @@ -77,5 +77,8 @@ module Gitlab | ||
77 | # 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab" | 77 | # 3) In your unicorn.rb: ENV['RAILS_RELATIVE_URL_ROOT'] = "/gitlab" |
78 | # | 78 | # |
79 | # config.relative_url_root = "/gitlab" | 79 | # config.relative_url_root = "/gitlab" |
80 | + | ||
81 | + # Uncomment to enable rack attack middleware | ||
82 | + # config.middleware.use Rack::Attack | ||
80 | end | 83 | end |
81 | end | 84 | end |
@@ -0,0 +1,16 @@ | @@ -0,0 +1,16 @@ | ||
1 | +# To enable rack-attack for your GitLab instance do the following: | ||
2 | +# 1. In config/application.rb find and uncomment the following line: | ||
3 | +# config.middleware.use Rack::Attack | ||
4 | +# 2. Rename this file to rack_attack.rb | ||
5 | +# 3. Review the paths_to_be_protected and add any other path you need protecting | ||
6 | +# 4. Restart GitLab instance | ||
7 | +# | ||
8 | + | ||
9 | +paths_to_be_protected = [ | ||
10 | + "#{Rails.application.config.relative_url_root}/users/password", | ||
11 | + "#{Rails.application.config.relative_url_root}/users/sign_in", | ||
12 | + "#{Rails.application.config.relative_url_root}/users" | ||
13 | +] | ||
14 | +Rack::Attack.throttle('protected paths', limit: 6, period: 60.seconds) do |req| | ||
15 | + req.ip if paths_to_be_protected.include?(req.path) && req.post? | ||
16 | +end |
config/routes.rb
@@ -39,6 +39,7 @@ Gitlab::Application.routes.draw do | @@ -39,6 +39,7 @@ Gitlab::Application.routes.draw do | ||
39 | get 'help/web_hooks' => 'help#web_hooks' | 39 | get 'help/web_hooks' => 'help#web_hooks' |
40 | get 'help/workflow' => 'help#workflow' | 40 | get 'help/workflow' => 'help#workflow' |
41 | get 'help/shortcuts' | 41 | get 'help/shortcuts' |
42 | + get 'help/security' | ||
42 | 43 | ||
43 | # | 44 | # |
44 | # Global snippets | 45 | # Global snippets |
doc/install/installation.md
@@ -195,6 +195,13 @@ You can change `6-1-stable` to `master` if you want the *bleeding edge* version, | @@ -195,6 +195,13 @@ You can change `6-1-stable` to `master` if you want the *bleeding edge* version, | ||
195 | # Ex. change amount of workers to 3 for 2GB RAM server | 195 | # Ex. change amount of workers to 3 for 2GB RAM server |
196 | sudo -u git -H editor config/unicorn.rb | 196 | sudo -u git -H editor config/unicorn.rb |
197 | 197 | ||
198 | + # Copy the example Rack attack config | ||
199 | + sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb | ||
200 | + | ||
201 | + # Enable rack attack middleware | ||
202 | + # Find and uncomment the line 'config.middleware.use Rack::Attack' | ||
203 | + sudo -u git -H editor config/application.rb | ||
204 | + | ||
198 | # Configure Git global settings for git user, useful when editing via web | 205 | # Configure Git global settings for git user, useful when editing via web |
199 | # Edit user.email according to what is set in gitlab.yml | 206 | # Edit user.email according to what is set in gitlab.yml |
200 | sudo -u git -H git config --global user.name "GitLab" | 207 | sudo -u git -H git config --global user.name "GitLab" |
@@ -0,0 +1,19 @@ | @@ -0,0 +1,19 @@ | ||
1 | +To prevent abusive clients doing damage GitLab uses rack-attack gem. | ||
2 | +If you installed or upgraded GitLab by following the official guides this should be enabled by default. | ||
3 | +If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance: | ||
4 | + | ||
5 | +1. In config/application.rb find and uncomment the following line: | ||
6 | + config.middleware.use Rack::Attack | ||
7 | +2. Rename config/initializers/rack_attack.rb.example to config/initializers/rack_attack.rb | ||
8 | +3. Review the paths_to_be_protected and add any other path you need protecting | ||
9 | +4. Restart GitLab instance | ||
10 | + | ||
11 | +By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute. | ||
12 | +After trying for 6 times, client will have to wait for the next minute to be able to try again. | ||
13 | +These settings can be found in `config/initializers/rack_attack.rb` | ||
14 | + | ||
15 | +If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance. | ||
16 | + | ||
17 | +In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking. | ||
18 | + | ||
19 | +For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). | ||
0 | \ No newline at end of file | 20 | \ No newline at end of file |
@@ -0,0 +1,100 @@ | @@ -0,0 +1,100 @@ | ||
1 | +# From 6.1 to 6.2 | ||
2 | + | ||
3 | +# You should update to 6.1 before installing 6.2 so all the necessary conversions are run. | ||
4 | + | ||
5 | +### 0. Backup | ||
6 | + | ||
7 | +It's useful to make a backup just in case things go south: | ||
8 | +(With MySQL, this may require granting "LOCK TABLES" privileges to the GitLab user on the database version) | ||
9 | + | ||
10 | +```bash | ||
11 | +cd /home/git/gitlab | ||
12 | +sudo -u git -H RAILS_ENV=production bundle exec rake gitlab:backup:create | ||
13 | +``` | ||
14 | + | ||
15 | +### 1. Stop server | ||
16 | + | ||
17 | + sudo service gitlab stop | ||
18 | + | ||
19 | +### 2. Get latest code | ||
20 | + | ||
21 | +```bash | ||
22 | +cd /home/git/gitlab | ||
23 | +sudo -u git -H git fetch | ||
24 | +sudo -u git -H git checkout 6-2-stable | ||
25 | +``` | ||
26 | + | ||
27 | +### 3. Update gitlab-shell | ||
28 | + | ||
29 | +```bash | ||
30 | +cd /home/git/gitlab-shell | ||
31 | +sudo -u git -H git fetch | ||
32 | +sudo -u git -H git checkout v1.7.1 | ||
33 | +``` | ||
34 | + | ||
35 | +### 4. Install libs, migrations, etc. | ||
36 | + | ||
37 | +```bash | ||
38 | +cd /home/git/gitlab | ||
39 | + | ||
40 | +# MySQL | ||
41 | +sudo -u git -H bundle install --without development test postgres --deployment | ||
42 | + | ||
43 | +#PostgreSQL | ||
44 | +sudo -u git -H bundle install --without development test mysql --deployment | ||
45 | + | ||
46 | + | ||
47 | +sudo -u git -H bundle exec rake db:migrate RAILS_ENV=production | ||
48 | +sudo -u git -H bundle exec rake migrate_iids RAILS_ENV=production | ||
49 | +sudo -u git -H bundle exec rake assets:clean RAILS_ENV=production | ||
50 | +sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production | ||
51 | +sudo -u git -H bundle exec rake cache:clear RAILS_ENV=production | ||
52 | +``` | ||
53 | + | ||
54 | +### 5. Update config files | ||
55 | + | ||
56 | +* Make `/home/git/gitlab/config/gitlab.yml` same as https://github.com/gitlabhq/gitlabhq/blob/6-2-stable/config/gitlab.yml.example but with your settings. | ||
57 | +* Make `/home/git/gitlab/config/unicorn.rb` same as https://github.com/gitlabhq/gitlabhq/blob/6-2-stable/config/unicorn.rb.example but with your settings. | ||
58 | +* Copy rack attack middleware config | ||
59 | +```bash | ||
60 | +sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb | ||
61 | +``` | ||
62 | +* Uncomment `config.middleware.use Rack::Attack` in `/home/git/gitlab/config/application.rb` | ||
63 | + | ||
64 | +### 6. Update Init script | ||
65 | + | ||
66 | +```bash | ||
67 | +sudo rm /etc/init.d/gitlab | ||
68 | +sudo curl --output /etc/init.d/gitlab https://raw.github.com/gitlabhq/gitlabhq/6-2-stable/lib/support/init.d/gitlab | ||
69 | +sudo chmod +x /etc/init.d/gitlab | ||
70 | +``` | ||
71 | + | ||
72 | +### 7. Start application | ||
73 | + | ||
74 | + sudo service gitlab start | ||
75 | + sudo service nginx restart | ||
76 | + | ||
77 | +### 8. Check application status | ||
78 | + | ||
79 | +Check if GitLab and its environment are configured correctly: | ||
80 | + | ||
81 | + sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production | ||
82 | + | ||
83 | +To make sure you didn't miss anything run a more thorough check with: | ||
84 | + | ||
85 | + sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production | ||
86 | + | ||
87 | +If all items are green, then congratulations upgrade complete! | ||
88 | + | ||
89 | +## Things went south? Revert to previous version (6.1) | ||
90 | + | ||
91 | +### 1. Revert the code to the previous version | ||
92 | +Follow the [`upgrade guide from 6.0 to 6.1`](6.0-to-6.1.md), except for the database migration | ||
93 | +(The backup is already migrated to the previous version) | ||
94 | + | ||
95 | +### 2. Restore from the backup: | ||
96 | + | ||
97 | +```bash | ||
98 | +cd /home/git/gitlab | ||
99 | +sudo -u git -H RAILS_ENV=production bundle exec rake gitlab:backup:restore | ||
100 | +``` |