summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarin Jankovski <maxlazio@gmail.com>2013-09-26 22:40:55 +0200
committerMarin Jankovski <maxlazio@gmail.com>2013-09-30 11:10:46 +0200
commit055b60d4200aeee0eeab762f162c05305e58c41d (patch)
tree46efa952dcd01e92fa6217bed2b0f990261253f9
parentc562d290eaab16f8e72e7e3e9ff188e172372226 (diff)
downloadgitlab-ce-055b60d4200aeee0eeab762f162c05305e58c41d.tar.gz
Add documentation to help section, rack_attack as example
-rw-r--r--.gitignore1
-rw-r--r--app/views/help/_layout.html.haml3
-rw-r--r--app/views/help/index.html.haml4
-rw-r--r--app/views/help/security.html.haml15
-rw-r--r--config/application.rb4
-rw-r--r--config/initializers/rack_attack.rb3
-rw-r--r--config/initializers/rack_attack.rb.example16
-rw-r--r--config/routes.rb1
-rw-r--r--doc/security/rack_attack.md19
9 files changed, 61 insertions, 5 deletions
diff --git a/.gitignore b/.gitignore
index 683e6c45a2b..084edd30df7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,6 +20,7 @@ Vagrantfile
config/gitlab.yml
config/database.yml
config/initializers/omniauth.rb
+config/initializers/rack_attack.rb
config/unicorn.rb
config/resque.yml
config/aws.yml
diff --git a/app/views/help/_layout.html.haml b/app/views/help/_layout.html.haml
index ac8660dcbb4..da917888eee 100644
--- a/app/views/help/_layout.html.haml
+++ b/app/views/help/_layout.html.haml
@@ -30,5 +30,8 @@
%li
%strong= link_to "Public Access", help_public_access_path
+ %li
+ %strong= link_to "Security", help_security_path
+
.span9.pull-right
= yield
diff --git a/app/views/help/index.html.haml b/app/views/help/index.html.haml
index ff01136f5bb..fadc2dc21cb 100644
--- a/app/views/help/index.html.haml
+++ b/app/views/help/index.html.haml
@@ -79,3 +79,7 @@
%li
%strong= link_to "Public Access", help_public_access_path
%p Learn how you can allow public access to a project.
+
+ %li
+ %strong= link_to "Security", help_security_path
+ %p Learn what you can do to secure your GitLab instance.
diff --git a/app/views/help/security.html.haml b/app/views/help/security.html.haml
new file mode 100644
index 00000000000..72f21e9f634
--- /dev/null
+++ b/app/views/help/security.html.haml
@@ -0,0 +1,15 @@
+= render layout: 'help/layout' do
+ %h3.page-title Security
+
+ %p.slead
+ If your GitLab instance is visible from the internet chances are it will be 'tested' by bots sooner or later.
+ %br
+ %br
+ %br
+ .file-holder
+ .file-title
+ %i.icon-file
+ Dealing with bruteforcing
+ .file-content.wiki
+ = preserve do
+ = markdown File.read(Rails.root.join("doc", "security", "rack_attack.md"))
diff --git a/config/application.rb b/config/application.rb
index 6ddc87010b3..0ab3597e73c 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -78,7 +78,7 @@ module Gitlab
#
# config.relative_url_root = "/gitlab"
- # Enable rack attack middleware
- config.middleware.use Rack::Attack
+ # Uncomment to enable rack attack middleware
+ # config.middleware.use Rack::Attack
end
end
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
deleted file mode 100644
index 88e638ba118..00000000000
--- a/config/initializers/rack_attack.rb
+++ /dev/null
@@ -1,3 +0,0 @@
-Rack::Attack.throttle('user logins, registration and password reset', limit: 6, period: 60.seconds) do |req|
- req.ip if ["/users/password", "/users/sign_in", "/users"].include?(req.path) && req.post?
-end
diff --git a/config/initializers/rack_attack.rb.example b/config/initializers/rack_attack.rb.example
new file mode 100644
index 00000000000..76fa7ad282e
--- /dev/null
+++ b/config/initializers/rack_attack.rb.example
@@ -0,0 +1,16 @@
+# To enable rack-attack for your GitLab instance do the following:
+# 1. In config/application.rb find and uncomment the following line:
+# config.middleware.use Rack::Attack
+# 2. Rename this file to rack_attack.rb
+# 3. Review the paths_to_be_protected and add any other path you need protecting
+# 4. Restart GitLab instance
+#
+
+paths_to_be_protected = [
+ "#{Rails.application.config.relative_url_root}/users/password",
+ "#{Rails.application.config.relative_url_root}/users/sign_in",
+ "#{Rails.application.config.relative_url_root}/users"
+]
+Rack::Attack.throttle('protected paths', limit: 6, period: 60.seconds) do |req|
+ req.ip if paths_to_be_protected.include?(req.path) && req.post?
+end
diff --git a/config/routes.rb b/config/routes.rb
index 2b444c2a296..b6efd44a509 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -39,6 +39,7 @@ Gitlab::Application.routes.draw do
get 'help/web_hooks' => 'help#web_hooks'
get 'help/workflow' => 'help#workflow'
get 'help/shortcuts'
+ get 'help/security'
#
# Global snippets
diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md
new file mode 100644
index 00000000000..a0d02b1650f
--- /dev/null
+++ b/doc/security/rack_attack.md
@@ -0,0 +1,19 @@
+To prevent abusive clients doing damage GitLab uses rack-attack gem.
+If you installed or upgraded GitLab by following the official guides this should be enabled by default.
+If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance:
+
+1. In config/application.rb find and uncomment the following line:
+ config.middleware.use Rack::Attack
+2. Rename config/initializers/rack_attack.rb.example to config/initializers/rack_attack.rb
+3. Review the paths_to_be_protected and add any other path you need protecting
+4. Restart GitLab instance
+
+By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute.
+After trying for 6 times, client will have to wait for the next minute to be able to try again.
+These settings can be found in `config/initializers/rack_attack.rb`
+
+If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance.
+
+In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking.
+
+For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). \ No newline at end of file