Commit 16deac2b authored by Kirill Smelkov's avatar Kirill Smelkov

X rack-attack

parent 23e826c4
...@@ -41,6 +41,13 @@ cert = ${slap-connection:cert-file} ...@@ -41,6 +41,13 @@ cert = ${slap-connection:cert-file}
# #
# last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9 # last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9
# TODO recheck ) # TODO recheck )
configuration.rate_limit_requests_per_period = 10
configuration.rate_limit_period = 60
# XXX not used yet
configuration.initial_root_password = "password"
configuration.email_enabled = true configuration.email_enabled = true
configuration.email_from = lab@example.com configuration.email_from = lab@example.com
configuration.email_display_name = GitLab configuration.email_display_name = GitLab
...@@ -237,6 +244,12 @@ template= {{ smtp_settings_rb_in }} ...@@ -237,6 +244,12 @@ template= {{ smtp_settings_rb_in }}
context = context =
section instance_parameter instance-parameter section instance_parameter instance-parameter
[rack_attack.rb]
<= gitlab-etc-template
template = {{ rack_attack_rb_in }}
context =
section instance_parameter instance-parameter
# TODO log: logrotate # TODO log: logrotate
...@@ -309,6 +322,7 @@ command-line = ...@@ -309,6 +322,7 @@ command-line =
# This way Gitlab/Rails still think they work in 1 code / 1 instance way, # This way Gitlab/Rails still think they work in 1 code / 1 instance way,
# and we can reuse SR. # and we can reuse SR.
# XXX run second time after first error try? (mkdir fails) # XXX run second time after first error try? (mkdir fails)
# XXX naming
[gitlab-root-shadow] [gitlab-root-shadow]
recipe = plone.recipe.command recipe = plone.recipe.command
stop-on-error = yes stop-on-error = yes
...@@ -332,7 +346,7 @@ command = ...@@ -332,7 +346,7 @@ command =
ln -s ${resque.yml:rendered} resque.yml && ln -s ${resque.yml:rendered} resque.yml &&
# config/initializers/ # config/initializers/
cd initializers && cd initializers &&
ln -s ${gitlab:etc}/rack_attack.rb . && ln -s ${rack_attack.rb:rendered} rack_attack.rb &&
ln -s ${smtp_settings.rb:rendered} smtp_settings.rb && ln -s ${smtp_settings.rb:rendered} smtp_settings.rb &&
# public/ # public/
cd ../../public && cd ../../public &&
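Review bot: `configuration.initial_root_password = "password"` in the first hunk (`@@ -41,6 +41,13 @@`) puts a fixed default credential into the instance template; the `# XXX not used yet` comment above it suggests the knob is not wired in, but once it is, any instance built from this profile would presumably start with a known root password. Safer is to ship the key without a default so each deployment has to supply its own value, e.g. `configuration.initial_root_password =` with the comment `# no default on purpose: must be set per instance`. The two rate-limit lines above it look consistent with the values the new rack_attack.rb.in template interpolates.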
...@@ -36,6 +36,7 @@ context = ...@@ -36,6 +36,7 @@ context =
raw gitlab_yml_in ${gitlab.yml.in:target} raw gitlab_yml_in ${gitlab.yml.in:target}
raw resque_yml_in ${resque.yml.in:target} raw resque_yml_in ${resque.yml.in:target}
raw smtp_settings_rb_in ${smtp_settings.rb.in:target} raw smtp_settings_rb_in ${smtp_settings.rb.in:target}
raw rack_attack_rb_in ${rack_attack.rb.in:target}
# XXX hack - better use ${gitlab-shell-repository:location} directly # XXX hack - better use ${gitlab-shell-repository:location} directly
raw gitlab_shell ${gitlab-shell-repository:location} raw gitlab_shell ${gitlab-shell-repository:location}
...@@ -194,6 +194,10 @@ url = ${:_profile_base_location_}/template/${:_buildout_section_name_} ...@@ -194,6 +194,10 @@ url = ${:_profile_base_location_}/template/${:_buildout_section_name_}
<= download-template <= download-template
# md5sum = TODO # md5sum = TODO
[rack_attack.rb.in]
<= download-template
# md5sum = TODO
[unicorn.rb.in] [unicorn.rb.in]
<= download-template <= download-template
# md5sum = TODO # md5sum = TODO
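Review bot: The new `[rack_attack.rb.in]` section inherits `<= download-template` but leaves the checksum disabled with `# md5sum = TODO`, so the template is fetched with no integrity check; the neighbouring `[unicorn.rb.in]` entry and the section above it carry the same TODO. Since this particular template is rendered into executable Ruby under config/initializers, it is the one where the check matters most; when the file is settled, replace the comment with `md5sum = <md5 of template/rack_attack.rb.in>` (placeholder). The `raw rack_attack_rb_in ${rack_attack.rb.in:target}` context line in the earlier hunk matches how the other templates are passed, so that part looks fine.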
# @autogenerated
# see:
# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/rack_attack.rb.example
# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-30-g38ef5d7)
{# cfg(name) -> instance_parameter:configuration.<name> #}
{# XXX dup -> import from gitlab.yml.in ? #}
{% macro cfg(name) %}{{ instance_parameter[str("configuration." + name)] }}{% endmacro %}
# 1. Rename this file to rack_attack.rb
# 2. Review the paths_to_be_protected and add any other path you need protecting
#
paths_to_be_protected = [
"#{Rails.application.config.relative_url_root}/users/password",
"#{Rails.application.config.relative_url_root}/users/sign_in",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
"#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
"#{Rails.application.config.relative_url_root}/users",
"#{Rails.application.config.relative_url_root}/users/confirmation",
"#{Rails.application.config.relative_url_root}/unsubscribes/"
]
# Create one big regular expression that matches strings starting with any of
# the paths_to_be_protected.
paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
unless Rails.env.test?
Rack::Attack.throttle('protected paths', limit: {{ cfg('rate_limit_requests_per_period') }}, period: {{ cfg('rate_limit_period') }}.seconds) do |req|
if req.post? && req.path =~ paths_regex
req.ip
end
end
end
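Review bot: The `Rack::Attack.throttle` line interpolates `cfg('rate_limit_requests_per_period')` and `cfg('rate_limit_period')` unquoted into Ruby source, so a non-numeric instance parameter becomes arbitrary Ruby in the initializer (or a syntax error that stops the app at boot) rather than a rejected value. Coercing at render time keeps the output numeric: `limit: {{ cfg('rate_limit_requests_per_period')|int }}, period: {{ cfg('rate_limit_period')|int }}.seconds` (jinja2's builtin `int` filter, which also fails loudly on garbage). The "1. Rename this file to rack_attack.rb / 2. Review the paths_to_be_protected" comment is carried over from the upstream example and no longer applies to a generated file; suggest replacing it with `# Generated from rack_attack.rb.in; edit the template and instance parameters, not this file`.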