forked from gitlabhq/gitlabhq
Add documentation to help section, rack_attack as example
Showing 9 changed files with 61 additions and 5 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
= render layout: 'help/layout' do | ||
%h3.page-title Security | ||
|
||
%p.slead | ||
If your GitLab instance is visible from the internet chances are it will be 'tested' by bots sooner or later. | ||
%br | ||
%br | ||
%br | ||
.file-holder | ||
.file-title | ||
%i.icon-file | ||
Dealing with bruteforcing | ||
.file-content.wiki | ||
= preserve do | ||
= markdown File.read(Rails.root.join("doc", "security", "rack_attack.md")) |
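Review bot: the three consecutive `%br` after the `.slead` paragraph are layout padding that belongs in a stylesheet (a bottom margin on `.slead` or a top margin on `.file-holder`), not in the template; drop them. Separately, `File.read(Rails.root.join("doc", "security", "rack_attack.md"))` reads the document from disk and re-runs `markdown` on it for every request to this help page; if the other help pages already pull their content from `doc/` this way it is consistent with them, otherwise the rendered result should be cached rather than regenerated per request.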
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# To enable rack-attack for your GitLab instance do the following: | ||
# 1. In config/application.rb find and uncomment the following line: | ||
# config.middleware.use Rack::Attack | ||
# 2. Rename this file to rack_attack.rb | ||
# 3. Review the paths_to_be_protected and add any other path you need protecting | ||
# 4. Restart GitLab instance | ||
# | ||
|
||
paths_to_be_protected = [ | ||
"#{Rails.application.config.relative_url_root}/users/password", | ||
"#{Rails.application.config.relative_url_root}/users/sign_in", | ||
"#{Rails.application.config.relative_url_root}/users" | ||
] | ||
Rack::Attack.throttle('protected paths', limit: 6, period: 60.seconds) do |req| | ||
req.ip if paths_to_be_protected.include?(req.path) && req.post? | ||
end |
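Review bot: keying the throttle on `req.ip` alone (`req.ip if paths_to_be_protected.include?(req.path) && req.post?`) is only as good as the client address Rack sees, so the header comment should state that the reverse proxy in front of GitLab must set `X-Forwarded-For` correctly (appending the real peer address, never passing a client-supplied value through); if it does not, either every client collapses into the proxy's single bucket of 6 requests per minute and legitimate users get locked out, or an attacker obtains a fresh bucket per forged address. Because a per-IP limit does nothing against one account being tried from many addresses, consider a second `Rack::Attack.throttle` for the same POST paths keyed on the submitted login parameter in addition to this one. Also note in the comment that rack-attack counts in `Rails.cache` by default, so with a per-process memory store the 6-per-minute limit is enforced separately in each application process rather than instance-wide.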
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
To prevent abusive clients doing damage GitLab uses rack-attack gem. | ||
If you installed or upgraded GitLab by following the official guides this should be enabled by default. | ||
If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance: | ||
|
||
1. In config/application.rb find and uncomment the following line: | ||
config.middleware.use Rack::Attack | ||
2. Rename config/initializers/rack_attack.rb.example to config/initializers/rack_attack.rb | ||
3. Review the paths_to_be_protected and add any other path you need protecting | ||
4. Restart GitLab instance | ||
|
||
By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute. | ||
After trying for 6 times, client will have to wait for the next minute to be able to try again. | ||
These settings can be found in `config/initializers/rack_attack.rb` | ||
|
||
If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance. | ||
|
||
In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking. | ||
|
||
For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). |
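Review bot: the opening paragraph tells the reader protection "should be enabled by default" after following the official guides, but step 2 (`Rename config/initializers/rack_attack.rb.example to config/initializers/rack_attack.rb`) shows the initializer ships as an inert `.example` file, so the document should give a way to confirm the throttle is actually active (the initializer exists without the `.example` suffix and the `config.middleware.use Rack::Attack` line in `config/application.rb` is uncommented) instead of letting the reader assume it. The sentence "client will have to wait for the next minute to be able to try again" should also say that rack-attack's 60-second window is a fixed window, not one counted from the client's first attempt, so the wait after the sixth request is anywhere from a moment up to a full minute; and the "limit: 3 and period: 1.second" example is correct but reads as if it were stricter than 6 per minute, so state explicitly that it allows 180 requests per minute.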