    gitlab: Sync upstream configs from omnibus-gitlab 8.8.7+ce.1-0-g5116476 · 5e227fdb
    iv authored
    Like f6f97d72 - pristine copy from omnibus-gitlab 8.8.7+ce.1-0-g5116476
    
    Changes are:
    
        - gitlab.yml.erb
          Add gitlab_default_projects_features_container_registry variable to be used by docker containers
    
        - nginx.conf.erb
          Docker related password storage
          https://gitlab.com/gitlab-org/omnibus-gitlab/issues/1218 (commit f74472d4)
    
        - rack_attack.rb.erb
          Disable Rack Attack throttling if admin disables it in config file
    
        - smtp_settings.rb.erb
          If authentication is not enabled for smtp, don't place it in the config.
    
    The following files stay the same:
    
        - database.yml.erb
        - gitconfig.erb
        - gitlab-shell-config.yml.erb
        - nginx-gitlab-http.conf.erb
        - resque.yml.erb
        - unicorn.rb.erb
rack_attack.rb.erb 1.32 KB
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

# 1. Rename this file to rack_attack.rb
# 2. Review the paths_to_be_protected list below and add any other path that
#    needs protecting. Under omnibus this file is regenerated by gitlab-ctl
#    reconfigure (see the header above), so make such changes via
#    /etc/gitlab/gitlab.rb rather than here.
#

# Authentication-related endpoints (sign-in, password reset, sign-up,
# confirmation, API session, unsubscribe) that the throttle below covers.
# Each entry is later anchored as a prefix of the request path, so
# "/users" also covers everything nested under it (e.g. "/users/sign_in").
root = Rails.application.config.relative_url_root
api_prefix = "#{root}/api/#{API::API.version}"

paths_to_be_protected = [
  "#{root}/users/password",
  "#{root}/users/sign_in",
  "#{api_prefix}/session.json",
  "#{api_prefix}/session",
  "#{root}/users",
  "#{root}/users/confirmation",
  "#{root}/unsubscribes/"
]

# Anchor every protected path at the start of the request path (\A, not ^,
# so a newline in the path cannot defeat the anchor) and fold them into a
# single alternation; a request matches when its path begins with any of them.
anchored_paths = paths_to_be_protected.map do |protected_path|
  /\A#{Regexp.escape(protected_path)}/
end
paths_regex = Regexp.union(*anchored_paths)

# NOTE(review): this flag is read from the git_basic_auth section of the
# rack_attack config, so the protected-path throttle is switched off together
# with the git basic-auth throttle — confirm that coupling is intended.
rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']

# Throttle POST requests to the protected paths, keyed by client IP. The
# limit and period are substituted from /etc/gitlab/gitlab.rb at reconfigure
# time. Nothing is registered in the test environment or when the admin has
# disabled the throttle.
# NOTE(review): req.ip only identifies the real client when Rack's handling
# of the proxy's forwarded-for headers is trustworthy; verify this for
# deployments that sit behind additional proxies or load balancers, or the
# throttle may key on the proxy address instead.
if rack_attack_enabled && !Rails.env.test?
  Rack::Attack.throttle('protected paths', limit: <%= @rate_limit_requests_per_period %>, period: <%= @rate_limit_period %>.seconds) do |req|
    req.ip if req.post? && req.path =~ paths_regex
  end
end