Commit cd03a8ad authored by Douwe Maan

Merge branch '40973-disable-rack-attack-by-default' into 'master'

Disable Rack Attack by default

Closes #40973

See merge request gitlab-org/gitlab-ce!16669
parents 891cb10f 8f39bb5d
---
title: Rack attack is now disabled by default
merge_request: 16669
author:
type: changed
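Review bot: the changelog title "Rack attack is now disabled by default" does not tell operators what protection they are losing; since this is the line that ends up in release notes, say what the setting guards (throttling of failed Git HTTP basic-auth attempts, per the `git_basic_auth` key changed below) and that it is now opt-in, e.g. "Rack Attack throttling of Git HTTP basic-auth failures is now disabled by default; set `rack_attack.git_basic_auth.enabled: true` to keep it". Also capitalise the library name consistently with the docs ("Rack Attack").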
...@@ -418,7 +418,7 @@ Settings['extra'] ||= Settingslogic.new({}) ...@@ -418,7 +418,7 @@ Settings['extra'] ||= Settingslogic.new({})
# #
Settings['rack_attack'] ||= Settingslogic.new({}) Settings['rack_attack'] ||= Settingslogic.new({})
Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({}) Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({})
Settings.rack_attack.git_basic_auth['enabled'] = true if Settings.rack_attack.git_basic_auth['enabled'].nil? Settings.rack_attack.git_basic_auth['enabled'] = false if Settings.rack_attack.git_basic_auth['enabled'].nil?
Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1} Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1}
Settings.rack_attack.git_basic_auth['maxretry'] ||= 10 Settings.rack_attack.git_basic_auth['maxretry'] ||= 10
Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute
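Review bot: flipping the fallback at `Settings.rack_attack.git_basic_auth['enabled'] = false if ...nil?` silently turns off brute-force throttling for every existing install whose gitlab.yml never set the key explicitly, which is exactly the population that was relying on the old default; nothing in this hunk or the docs hunk warns about that upgrade effect. Suggest an explicit upgrade note (and ideally a log line at boot when the key is nil) so operators who exposed Git over HTTP before this change know they must now set `enabled: true`. The remaining defaults (`ip_whitelist`, `maxretry`, `findtime`) are unchanged and only take effect once the feature is on, which is fine.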
...@@ -14,8 +14,8 @@ limited to 6 requests per minute. After trying for 6 times, the client will ...@@ -14,8 +14,8 @@ limited to 6 requests per minute. After trying for 6 times, the client will
have to wait for the next minute to be able to try again. have to wait for the next minute to be able to try again.
If you installed or upgraded GitLab by following the [official guides](../install/README.md) If you installed or upgraded GitLab by following the [official guides](../install/README.md)
this should be enabled by default. If your instance is not exposed to any incoming this should be disabled by default. If your instance is not exposed to any incoming
connections, it is recommended to disable Rack Attack. connections, it is recommended to leave Rack Attack disabled.
For more information on how to use these options check out For more information on how to use these options check out
[rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md).
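Review bot: the rewritten sentence "If your instance is not exposed to any incoming connections, it is recommended to leave Rack Attack disabled" only covers the case that the new default already handles; the case that now needs guidance is the opposite one. Add the positive recommendation, e.g. "If your instance accepts Git over HTTP from untrusted networks, enable Rack Attack so failed basic-auth attempts are throttled", otherwise internet-facing installs get no hint that throttling is now off. While here, the context line above still says "limited to 6 requests per minute" whereas the config hunk defaults `maxretry` to 10 within `findtime` of 1 minute; worth reconciling the paragraph with the actual defaults.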
...@@ -45,7 +45,7 @@ For more information on how to use these options check out ...@@ -45,7 +45,7 @@ For more information on how to use these options check out
The following settings can be configured: The following settings can be configured:
- `enabled`: By default this is set to `true`. Set this to `false` to disable Rack Attack. - `enabled`: By default this is set to `false`. Set this to `true` to enable Rack Attack.
- `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a ruby array. - `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a ruby array.
For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3"]`. For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3"]`.
- `maxretry`: The maximum amount of times a request can be made in the - `maxretry`: The maximum amount of times a request can be made in the
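Review bot: the `enabled` bullet states the new default but not when it changed; readers of the docs for an older or Omnibus install will have the opposite default, so note the version (or merge request 16669) in which the default became `false`. Minor: "ruby array" in the `ip_whitelist` bullet should read "Ruby array".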
...@@ -381,6 +381,10 @@ describe 'Git HTTP requests' do ...@@ -381,6 +381,10 @@ describe 'Git HTTP requests' do
context "when authentication fails" do context "when authentication fails" do
context "when the user is IP banned" do context "when the user is IP banned" do
before do
Gitlab.config.rack_attack.git_basic_auth['enabled'] = true
end
it "responds with status 401" do it "responds with status 401" do
expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true) expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true)
allow_any_instance_of(Rack::Request).to receive(:ip).and_return('1.2.3.4') allow_any_instance_of(Rack::Request).to receive(:ip).and_return('1.2.3.4')
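Review bot: the `before` block assigns `Gitlab.config.rack_attack.git_basic_auth['enabled'] = true` directly on the process-wide Settingslogic object and nothing restores it, so the new default leaks into every example that runs afterwards in the same process and they no longer test the shipped configuration. Either reset it in an `after` block or stub the read instead, e.g. `allow(Gitlab.config.rack_attack.git_basic_auth).to receive(:[]).with('enabled').and_return(true)`. A companion example with `enabled` left at the default, asserting that `Rack::Attack::Allow2Ban.filter` is never consulted, would also pin down the behaviour this MR actually changes.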
...@@ -420,6 +424,10 @@ describe 'Git HTTP requests' do ...@@ -420,6 +424,10 @@ describe 'Git HTTP requests' do
end end
context "when the user isn't blocked" do context "when the user isn't blocked" do
before do
Gitlab.config.rack_attack.git_basic_auth['enabled'] = true
end
it "resets the IP in Rack Attack on download" do it "resets the IP in Rack Attack on download" do
expect(Rack::Attack::Allow2Ban).to receive(:reset).twice expect(Rack::Attack::Allow2Ban).to receive(:reset).twice
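Review bot: this second `before` block duplicates the one added under "when the user is IP banned" and has the same unrestored global mutation; hoist the enabling into the shared parent context (or a helper) so both examples share one setup and one teardown. The hunk also leaves the disabled path untested here: with `enabled` at its new default `false`, `Allow2Ban.reset` should not be called on download, so an `expect(Rack::Attack::Allow2Ban).not_to receive(:reset)` example would cover the regression this change introduces.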