author: Matt Penna <mpenna@gitlab.com> 2019-06-07 14:33:31 +0000
committer: Mike Lewis <mlewis@gitlab.com> 2019-06-07 12:38:35 -0400
commit: bf926010933fa2ce9d655c0a3df3f57951832975 (patch)
tree: 221d2cc19c67329b4c6b8c5ded33eccd14e7bdfc /doc/security/rack_attack.md
parent: fc925583dab4dcdaf750bd4aa5d79642fc5c9871 (diff)
Various edits to security documentation
Edits to conform with CE epic 1280 SSOT standards, other improvements
Diffstat (limited to 'doc/security/rack_attack.md')
-rw-r--r--  doc/security/rack_attack.md  24
1 files changed, 14 insertions, 10 deletions
diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md
index 66081d7e376..4cbddc4ec3a 100644
--- a/doc/security/rack_attack.md
+++ b/doc/security/rack_attack.md
@@ -1,24 +1,28 @@
+---
+type: reference, howto
+---
# Rack Attack
Rack Attack, also known as Rack::Attack, is [a rubygem](https://github.com/kickstarter/rack-attack)
that is meant to protect GitLab with the ability to customize throttling and
-blocking user IPs.
+to block user IP addresses.
+
You can prevent brute-force passwords attacks, scrapers, or any other offenders
-by throttling requests from IP addresses making large volumes of requests.
-In case you find throttling is not enough to protect you against abusive clients,
-Rack Attack offers IP whitelisting, blacklisting, Fail2ban style filtering and
+by throttling requests from IP addresses that are making large volumes of requests.
+If you find throttling is not enough to protect you against abusive clients,
+Rack Attack offers IP whitelisting, blacklisting, Fail2ban style filtering, and
tracking.
**Note:** Starting with 11.2, Rack Attack is disabled by default. To continue
-using this feature, please enable it by [configuring `gitlab.rb` as described in Settings](#settings).
+using Rack Attack, please enable it by [configuring `gitlab.rb` as described in Settings](#settings).
By default, user sign-in, user sign-up (if enabled), and user password reset is
limited to 6 requests per minute. After trying for 6 times, the client will
have to wait for the next minute to be able to try again.
-If you installed or upgraded GitLab by following the [official guides](../install/README.md)
-this should be disabled by default. If your instance is not exposed to any incoming
-connections, it is recommended to leave Rack Attack disabled.
+If you installed or upgraded GitLab by following the [official guides](../install/README.md),
+Rack Attack should be disabled by default. If your instance is not exposed to any incoming
+connections, it is recommended that you leave Rack Attack disabled.
For more information on how to use these options check out
[rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md).
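Review bot: the unchanged sentence `By default, user sign-in, user sign-up (if enabled), and user password reset is limited to 6 requests per minute` still reads as if throttling is active out of the box, which contradicts the note two lines above it that Rack Attack is disabled by default since 11.2; since this hunk already rewords the surrounding paragraphs, rewrite it as `Once Rack Attack is enabled, user sign-in, user sign-up (if enabled), and user password reset are limited to 6 requests per minute` (which also fixes the `is`/`are` agreement). Separately, `If your instance is not exposed to any incoming connections` describes no usable GitLab instance; the intended condition is presumably that the instance is not reachable from untrusted networks such as the public internet, so state that directly.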
@@ -27,7 +31,7 @@ For more information on how to use these options check out
**Omnibus GitLab**
-1. Open `/etc/gitlab/gitlab.rb` with you editor
+1. Open `/etc/gitlab/gitlab.rb` with your editor
1. Add the following:
```ruby
@@ -53,7 +57,7 @@ The following settings can be configured:
For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3"]`.
- `maxretry`: The maximum amount of times a request can be made in the
specified time.
-- `findtime`: The maximum amount of time failed requests can count against an IP
+- `findtime`: The maximum amount of time that failed requests can count against an IP
before it's blacklisted (in seconds).
- `bantime`: The total amount of time that a blacklisted IP will be blocked (in
seconds).
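Review bot: the reworded `findtime` entry is still ambiguous, because "the maximum amount of time that failed requests can count against an IP" does not say what happens at the end of that time; in Fail2ban terms `findtime` is the window, in seconds, within which `maxretry` failed requests from one IP cause it to be blacklisted, so a clearer line is `- findtime: The window (in seconds) in which failed requests are counted against an IP; reaching maxretry within this window blacklists it.` The unchanged `maxretry` entry just above has the same problem: `The maximum amount of times a request can be made in the specified time` should read `The number of failed requests allowed from one IP within findtime before it is blacklisted`, since the `findtime` entry counts failed requests and `maxretry` should say so too.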