Commit 7eaa691379b87612c7f19fa4994af0de75cf3ff8
1 parent
68dbda3d
Add Rack::Attack rate limiting configuration
Showing
4 changed files
with
35 additions
and
18 deletions
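--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -59,6 +59,8 @@ default['gitlab']['gitlab-core']['external_https'] = false
 default['gitlab']['gitlab-core']['notification_email'] = "gitlab@#{node['fqdn']}"
 default['gitlab']['gitlab-core']['support_email'] = "support@example.com"
 default['gitlab']['gitlab-core']['uploads_directory'] = "/var/opt/gitlab/uploads"
+default['gitlab']['gitlab-core']['rate_limit_requests_per_period'] = 10
+default['gitlab']['gitlab-core']['rate_limit_period'] = 60
 
 
 ###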
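Review bot: The two new attributes carry no comment stating their units or scope, and the names alone do not say that the period is in seconds or that the limit applies per client IP to POSTs on the protected paths. Add above them `# Rack::Attack throttle for the protected login/signup paths: at most N POST requests per client IP per period (seconds); see rack_attack.rb.erb.` so an operator tuning them does not have to read the template to learn what they govern.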
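--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-core.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-core.rb
@@ -85,6 +85,21 @@ link "/opt/gitlab/embedded/service/gitlab-core/config/gitlab.yml" do
   to gitlab_yml
 end
 
+rack_attack = File.join(gitlab_core_etc_dir, "rack_attack.rb")
+
+template rack_attack do
+  source "rack_attack.rb.erb"
+  owner "root"
+  group "root"
+  mode "0644"
+  variables(node['gitlab']['gitlab-core'].to_hash)
+  notifies :restart, 'service[gitlab-core]' if should_notify
+end
+
+link "/opt/gitlab/embedded/service/gitlab-core/config/initializers/rack_attack.rb" do
+  to rack_attack
+end
+
 directory node['gitlab']['gitlab-core']['satellites_path'] do
   owner node['gitlab']['user']['username']
   group node['gitlab']['user']['group']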
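Review bot: `variables(node['gitlab']['gitlab-core'].to_hash)` on the new template resource is not used by the template in this commit, which reads `node[...]` directly, so either drop the call or have the template use the passed `@rate_limit_requests_per_period` / `@rate_limit_period` instead; as written it is misleading about where the rendered values come from. `gitlab_core_etc_dir` and the `should_notify` guard are defined outside the hunk. Rendering the initializer root-owned with `mode "0644"` is a sound choice, since the file is loaded as code by the application process and the service user cannot rewrite it.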
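--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
@@ -0,0 +1,18 @@
+# 1. Rename this file to rack_attack.rb
+# 2. Review the paths_to_be_protected and add any other path you need protecting
+#
+
+paths_to_be_protected = [
+  "#{Rails.application.config.relative_url_root}/users/password",
+  "#{Rails.application.config.relative_url_root}/users/sign_in",
+  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
+  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
+  "#{Rails.application.config.relative_url_root}/users",
+  "#{Rails.application.config.relative_url_root}/users/confirmation"
+]
+
+unless Rails.env.test?
+  Rack::Attack.throttle('protected paths', limit: <%= node['gitlab']['gitlab-core']['rate_limit_requests_per_period'] %>, period: <%= node['gitlab']['gitlab-core']['rate_limit_period'] %>.seconds) do |req|
+    req.ip if paths_to_be_protected.include?(req.path) && req.post?
+  end
+end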
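Review bot: The header comments on lines 1–2 of the new template still tell the reader to rename the file and edit the paths by hand, which no longer applies once Chef renders it and links it into config/initializers; replace them with `# Managed by Chef: edit the node['gitlab']['gitlab-core']['rate_limit_*'] attributes rather than this file.`. The two `<%= … %>` expansions on line 15 are spliced into Ruby source unquoted, so a mistyped attribute value becomes a syntax error or unintended code in the initializer instead of a clear converge failure; wrapping them as `<%= Integer(node['gitlab']['gitlab-core']['rate_limit_requests_per_period']) %>` (and likewise for the period) reports the bad value at render time. The throttle keys on `req.ip`; whether that is the real client address behind the bundled reverse proxy depends on the proxy's forwarding headers and Rails' trusted-proxy settings, neither of which is visible here, and is worth confirming, since otherwise all clients would share one bucket.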
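--- a/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.example
+++ /dev/null
@@ -1,18 +0,0 @@
-# 1. Rename this file to rack_attack.rb
-# 2. Review the paths_to_be_protected and add any other path you need protecting
-#
-
-paths_to_be_protected = [
-  "#{Rails.application.config.relative_url_root}/users/password",
-  "#{Rails.application.config.relative_url_root}/users/sign_in",
-  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
-  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
-  "#{Rails.application.config.relative_url_root}/users",
-  "#{Rails.application.config.relative_url_root}/users/confirmation"
-]
-
-unless Rails.env.test?
-  Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
-    req.ip if paths_to_be_protected.include?(req.path) && req.post?
-  end
-end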