Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
62ea0274
Commit
62ea0274
authored
Dec 15, 2014
by
Jacob Vosmaer
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Block Git HTTP Basic Auth after 10 failed attempts
parent
7512016d
Changes
6
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
66 additions
and
2 deletions
+66
-2
CHANGELOG
CHANGELOG
+3
-0
config/gitlab.yml.example
config/gitlab.yml.example
+11
-0
config/initializers/1_settings.rb
config/initializers/1_settings.rb
+9
-0
config/initializers/rack_attack_git_basic_auth.rb
config/initializers/rack_attack_git_basic_auth.rb
+10
-0
config/initializers/redis-store-fix-expiry.rb
config/initializers/redis-store-fix-expiry.rb
+21
-0
lib/gitlab/backend/grack_auth.rb
lib/gitlab/backend/grack_auth.rb
+12
-2
No files found.
CHANGELOG
View file @
62ea0274
v 7.7.0
- Block Git HTTP access after 10 failed authentication attempts
v 7.6.0
- Fork repository to groups
- New rugged version
...
...
config/gitlab.yml.example
View file @
62ea0274
...
...
@@ -298,6 +298,17 @@ production: &base
# ![Company Logo](http://www.companydomain.com/logo.png)
# [Learn more about CompanyName](http://www.companydomain.com/)
rack_attack:
git_basic_auth:
# Limit the number of Git HTTP authentication attempts per IP
# maxretry: 10
#
# Reset the auth attempt counter per IP after 60 seconds
# findtime: 60
#
# Ban an IP for one hour (3600s) after too many auth attempts
# bantime: 3600
development:
<<: *base
...
...
config/initializers/1_settings.rb
View file @
62ea0274
...
...
@@ -171,6 +171,15 @@ Settings.satellites['timeout'] ||= 30
#
Settings
[
'extra'
]
||=
Settingslogic
.
new
({})
#
# Rack::Attack settings
#
Settings
[
'rack_attack'
]
||=
Settingslogic
.
new
({})
Settings
.
rack_attack
[
'git_basic_auth'
]
||=
Settingslogic
.
new
({})
Settings
.
rack_attack
.
git_basic_auth
[
'maxretry'
]
||=
10
Settings
.
rack_attack
.
git_basic_auth
[
'findtime'
]
||=
1
.
minute
Settings
.
rack_attack
.
git_basic_auth
[
'bantime'
]
||=
1
.
hour
#
# Testing settings
#
...
...
config/initializers/rack_attack_git_basic_auth.rb
0 → 100644
View file @
62ea0274
unless
Rails
.
env
.
test?
Rack
::
Attack
.
blacklist
(
'Git HTTP Basic Auth'
)
do
|
req
|
Rack
::
Attack
::
Allow2Ban
.
filter
(
req
.
ip
,
Gitlab
.
config
.
rack_attack
.
git_basic_auth
)
do
# This block only gets run if the IP was not already banned.
# Return false, meaning that we do not see anything wrong with the
# request at this time
false
end
end
end
config/initializers/redis-store-fix-expiry.rb
0 → 100644
View file @
62ea0274
# Monkey-patch Redis::Store to make 'setex' and 'expire' work with namespacing
module
Gitlab
class
Redis
class
Store
module
Namespace
def
setex
(
key
,
expires_in
,
value
,
options
=
nil
)
namespace
(
key
)
{
|
key
|
super
(
key
,
expires_in
,
value
)
}
end
def
expire
(
key
,
expires_in
)
namespace
(
key
)
{
|
key
|
super
(
key
,
expires_in
)
}
end
end
end
end
end
Redis
::
Store
.
class_eval
do
include
Gitlab
::
Redis
::
Store
::
Namespace
end
lib/gitlab/backend/grack_auth.rb
View file @
62ea0274
...
...
@@ -72,8 +72,18 @@ module Grack
end
def
authenticate_user
(
login
,
password
)
auth
=
Gitlab
::
Auth
.
new
auth
.
find
(
login
,
password
)
user
=
Gitlab
::
Auth
.
new
.
find
(
login
,
password
)
return
user
if
user
.
present?
# At this point, we know the credentials were wrong. We let Rack::Attack
# know there was a failed authentication attempt from this IP
Rack
::
Attack
::
Allow2Ban
.
filter
(
@request
.
ip
,
Gitlab
.
config
.
rack_attack
.
git_basic_auth
)
do
# Return true, so that Allow2Ban increments the counter (stored in
# Rails.cache) for the IP
true
end
nil
# No user was found
end
def
authorized_request?
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment