Download as
Browse Code »

Commit a93f8709269c566b39216e5b488d0331ccb4d2e4

Authored by Jacob Vosmaer
2 parents d0fcfaeb 7eaa6913
Exists in master and in 17 other branches 6-6-stable, 6-6-stable-ee, 6-7-stable, 6-7-stable-ee, 6-8-stable, 6-8-stable-ee, 6-9-stable, 6-9-stable-ee, 7-0-stable, 7-0-stable-ee, 7-0-stable-spb, 7-1-stable, 7-1-stable-ee, 7-2-stable, 7-2-stable-ee, branch_test, nginx_ssl_tweaks

Merge branch 'rack_attack' into 'master' 

Rack Attack
Showing 3 changed files with 35 additions and 0 deletions   Show diff stats
files/gitlab-cookbooks/gitlab/attributes/default.rb
  Diff comments   View file @a93f870
@@ -59,6 +59,8 @@ default['gitlab']['gitlab-core']['external_https'] = false @@ -59,6 +59,8 @@ default['gitlab']['gitlab-core']['external_https'] = false
59 default['gitlab']['gitlab-core']['notification_email'] = "gitlab@#{node['fqdn']}" 59 default['gitlab']['gitlab-core']['notification_email'] = "gitlab@#{node['fqdn']}"
60 default['gitlab']['gitlab-core']['support_email'] = "support@example.com" 60 default['gitlab']['gitlab-core']['support_email'] = "support@example.com"
61 default['gitlab']['gitlab-core']['uploads_directory'] = "/var/opt/gitlab/uploads" 61 default['gitlab']['gitlab-core']['uploads_directory'] = "/var/opt/gitlab/uploads"
  62 +default['gitlab']['gitlab-core']['rate_limit_requests_per_period'] = 10
  63 +default['gitlab']['gitlab-core']['rate_limit_period'] = 60
62 64
63 65
64 ### 66 ###
files/gitlab-cookbooks/gitlab/recipes/gitlab-core.rb
  Diff comments   View file @a93f870
@@ -85,6 +85,21 @@ link "/opt/gitlab/embedded/service/gitlab-core/config/gitlab.yml" do @@ -85,6 +85,21 @@ link "/opt/gitlab/embedded/service/gitlab-core/config/gitlab.yml" do
85 to gitlab_yml 85 to gitlab_yml
86 end 86 end
87 87
  88 +rack_attack = File.join(gitlab_core_etc_dir, "rack_attack.rb")
  89 +
  90 +template rack_attack do
  91 + source "rack_attack.rb.erb"
  92 + owner "root"
  93 + group "root"
  94 + mode "0644"
  95 + variables(node['gitlab']['gitlab-core'].to_hash)
  96 + notifies :restart, 'service[gitlab-core]' if should_notify
  97 +end
  98 +
  99 +link "/opt/gitlab/embedded/service/gitlab-core/config/initializers/rack_attack.rb" do
  100 + to rack_attack
  101 +end
  102 +
88 directory node['gitlab']['gitlab-core']['satellites_path'] do 103 directory node['gitlab']['gitlab-core']['satellites_path'] do
89 owner node['gitlab']['user']['username'] 104 owner node['gitlab']['user']['username']
90 group node['gitlab']['user']['group'] 105 group node['gitlab']['user']['group']
files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb 0 → 100644
  Diff comments   View file @a93f870
@@ -0,0 +1,18 @@ @@ -0,0 +1,18 @@
  1 +# 1. Rename this file to rack_attack.rb
  2 +# 2. Review the paths_to_be_protected and add any other path you need protecting
  3 +#
  4 +
  5 +paths_to_be_protected = [
  6 + "#{Rails.application.config.relative_url_root}/users/password",
  7 + "#{Rails.application.config.relative_url_root}/users/sign_in",
  8 + "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
  9 + "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
  10 + "#{Rails.application.config.relative_url_root}/users",
  11 + "#{Rails.application.config.relative_url_root}/users/confirmation"
  12 +]
  13 +
  14 +unless Rails.env.test?
  15 + Rack::Attack.throttle('protected paths', limit: <%= node['gitlab']['gitlab-core']['rate_limit_requests_per_period'] %>, period: <%= node['gitlab']['gitlab-core']['rate_limit_period'] %>.seconds) do |req|
  16 + req.ip if paths_to_be_protected.include?(req.path) && req.post?
  17 + end
  18 +end