Commit af56c1dd authored by Jacob Vosmaer

White-list requests from 127.0.0.1

On some misconfigured GitLab servers, if you look in production.log it looks
like all requests come from 127.0.0.1. To avoid unwanted banning we
white-list 127.0.0.1 with this commit.
parent c8b2def2
...@@ -300,6 +300,9 @@ production: &base ...@@ -300,6 +300,9 @@ production: &base
rack_attack: rack_attack:
git_basic_auth: git_basic_auth:
# Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
# ip_whitelist: ["127.0.0.1"]
#
# Limit the number of Git HTTP authentication attempts per IP # Limit the number of Git HTTP authentication attempts per IP
# maxretry: 10 # maxretry: 10
# #
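Review bot: The new example comment says when `ip_whitelist` helps but not what it switches off: an address on the list is never counted toward the Git HTTP authentication ban configured just below it. Suggest extending the comment above `# ip_whitelist: ["127.0.0.1"]` with `# Listed IPs are never counted toward the ban below; if every request appears to come from 127.0.0.1, fix the proxy's forwarded-IP headers rather than relying on this`.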
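--- a/<PATH: not shown on page>
+++ b/<PATH: not shown on page>
@@ -176,6 +176,7 @@ Settings['extra'] ||= Settingslogic.new({})
 #
 Settings['rack_attack'] ||= Settingslogic.new({})
 Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({})
+Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1}
 Settings.rack_attack.git_basic_auth['maxretry'] ||= 10
 Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute
 Settings.rack_attack.git_basic_auth['bantime'] ||= 1.hour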
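Review bot: The new `||= %w{127.0.0.1}` default only fills in an absent or nil key, so nothing here guarantees the loaded `ip_whitelist` is an Array; a scalar written in gitlab.yml would reach the `include?` call in grack_auth as a String, where `include?` is a substring test rather than an address match. Normalizing at the one place defaults are set avoids that: `Settings.rack_attack.git_basic_auth['ip_whitelist'] = Array(Settings.rack_attack.git_basic_auth['ip_whitelist'] || %w{127.0.0.1})`. A short comment on the line, `# IPs never counted toward the Git HTTP auth ban (see grack_auth)`, would also tell readers what the list does, since the other three settings carry no explanation either.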
...@@ -80,10 +80,15 @@ module Grack ...@@ -80,10 +80,15 @@ module Grack
# information is stored in the Rails cache (Redis) and will be used by # information is stored in the Rails cache (Redis) and will be used by
# the Rack::Attack middleware to decide whether to block requests from # the Rack::Attack middleware to decide whether to block requests from
# this IP. # this IP.
Rack::Attack::Allow2Ban.filter(@request.ip, Gitlab.config.rack_attack.git_basic_auth) do config = Gitlab.config.rack_attack.git_basic_auth
# Return true, so that Allow2Ban increments the counter (stored in Rack::Attack::Allow2Ban.filter(@request.ip, config) do
# Rails.cache) for the IP # Unless the IP is whitelisted, return true so that Allow2Ban
true # increments the counter (stored in Rails.cache) for the IP
if config.ip_whitelist.include?(@request.ip)
false
else
true
end
end end
nil # No user was found nil # No user was found
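Review bot: Whitelisting `@request.ip` inside the Allow2Ban block means that on the misconfigured deployments this commit targets, where every request arrives as 127.0.0.1, the counter never increments and the Git HTTP brute-force ban is effectively off for all clients, not only for the proxy; that consequence deserves a comment next to `config = Gitlab.config.rack_attack.git_basic_auth`, e.g. `# NOTE: a whitelisted IP is never counted, so if the proxy does not forward the real client IP the ban never triggers; fix the proxy headers rather than widening ip_whitelist`. The five-line `if`/`else` that yields `false`/`true` reads more directly as `!config.ip_whitelist.include?(@request.ip)`. The enclosing method starts before this hunk.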