diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
index 622b53b..da9ac2b 100644
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -59,6 +59,8 @@ default['gitlab']['gitlab-core']['external_https'] = false
 default['gitlab']['gitlab-core']['notification_email'] = "gitlab@#{node['fqdn']}"
 default['gitlab']['gitlab-core']['support_email'] = "support@example.com"
 default['gitlab']['gitlab-core']['uploads_directory'] = "/var/opt/gitlab/uploads"
+default['gitlab']['gitlab-core']['rate_limit_requests_per_period'] = 10
+default['gitlab']['gitlab-core']['rate_limit_period'] = 60
 ###
diff --git a/files/gitlab-cookbooks/gitlab/recipes/gitlab-core.rb b/files/gitlab-cookbooks/gitlab/recipes/gitlab-core.rb
index c044fad..8107542 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-core.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-core.rb
@@ -85,6 +85,21 @@ link "/opt/gitlab/embedded/service/gitlab-core/config/gitlab.yml" do
 to gitlab_yml
 end
+rack_attack = File.join(gitlab_core_etc_dir, "rack_attack.rb")
+
+template rack_attack do
+ source "rack_attack.rb.erb"
+ owner "root"
+ group "root"
+ mode "0644"
+ variables(node['gitlab']['gitlab-core'].to_hash)
+ notifies :restart, 'service[gitlab-core]' if should_notify
+end
+
+link "/opt/gitlab/embedded/service/gitlab-core/config/initializers/rack_attack.rb" do
+ to rack_attack
+end
+
 directory node['gitlab']['gitlab-core']['satellites_path'] do
 owner node['gitlab']['user']['username']
 group node['gitlab']['user']['group']
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb b/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
new file mode 100644
index 0000000..0a0f4c7
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
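Review bot: The two new defaults in the `@@ -59,6 +59,8 @@` hunk are undocumented, and `rate_limit_period` does not state its unit; only the template, which appends `.seconds`, shows that it is seconds. I would put a comment above them, for example `# Rack::Attack throttle on the protected paths: at most rate_limit_requests_per_period POSTs per client IP every rate_limit_period seconds`. The attribute list starts and continues outside the hunk.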
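Review bot: The `template rack_attack` resource passes the whole attribute hash with `variables(node['gitlab']['gitlab-core'].to_hash)`, yet rack_attack.rb.erb in this commit reads `node['gitlab']['gitlab-core'][...]` directly and never uses a template variable. Either drop the `variables` line or pass only the two values the template needs, e.g. `variables(limit: node['gitlab']['gitlab-core']['rate_limit_requests_per_period'], period: node['gitlab']['gitlab-core']['rate_limit_period'])`, and have the template read `@limit` and `@period`; that also keeps unrelated settings out of the rendering context. Since the rendered file is linked into config/initializers and so presumably runs as application code at boot, the root-owned `0644` mode is the right choice and deserves a comment such as `# loaded as an initializer: keep root-owned and not writable by the service user`. `gitlab_core_etc_dir` and `should_notify` are defined outside the hunk, and the trailing `directory` block is cut off by it.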
@@ -0,0 +1,18 @@
+# 1. Rename this file to rack_attack.rb
+# 2. Review the paths_to_be_protected and add any other path you need protecting
+#
+
+paths_to_be_protected = [
+ "#{Rails.application.config.relative_url_root}/users/password",
+ "#{Rails.application.config.relative_url_root}/users/sign_in",
+ "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
+ "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
+ "#{Rails.application.config.relative_url_root}/users",
+ "#{Rails.application.config.relative_url_root}/users/confirmation"
+]
+
+unless Rails.env.test?
+ Rack::Attack.throttle('protected paths', limit: <%= node['gitlab']['gitlab-core']['rate_limit_requests_per_period'] %>, period: <%= node['gitlab']['gitlab-core']['rate_limit_period'] %>.seconds) do |req|
+ req.ip if paths_to_be_protected.include?(req.path) && req.post?
+ end
+end
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.example b/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.example
deleted file mode 100644
index bc3234b..0000000
--- a/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.example
+++ /dev/null
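Review bot: Both ERB tags on the `Rack::Attack.throttle` line write the attribute values verbatim into Ruby source that the application loads at boot, and nothing checks that they are positive integers. A nil or non-numeric override would presumably render an initializer that fails to parse, or a throttle that does not limit as intended, and the problem would only surface when the service restarts. Coercing in the template makes the Chef run fail instead, e.g. `limit: <%= Integer(node['gitlab']['gitlab-core']['rate_limit_requests_per_period']) %>` and the same for `rate_limit_period`. The header comment `# 1. Rename this file to rack_attack.rb` is carried over from the deleted .example and no longer applies; I would replace it with `# This file is generated by the cookbook; local edits are overwritten on the next run`. Because the throttle key is `req.ip`, it is also worth confirming that this resolves to the client address behind any reverse proxy, otherwise all clients would share one bucket.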
@@ -1,18 +0,0 @@
-# 1. Rename this file to rack_attack.rb
-# 2. Review the paths_to_be_protected and add any other path you need protecting
-#
-
-paths_to_be_protected = [
- "#{Rails.application.config.relative_url_root}/users/password",
- "#{Rails.application.config.relative_url_root}/users/sign_in",
- "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
- "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
- "#{Rails.application.config.relative_url_root}/users",
- "#{Rails.application.config.relative_url_root}/users/confirmation"
-]
-
-unless Rails.env.test?
- Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
- req.ip if paths_to_be_protected.include?(req.path) && req.post?
- end
-end
--
libgit2 0.21.2