Commit 055b60d4 authored by Marin Jankovski's avatar Marin Jankovski

Add documentation to help section, rack_attack as example

parent c562d290
......@@ -20,6 +20,7 @@ Vagrantfile
config/gitlab.yml
config/database.yml
config/initializers/omniauth.rb
config/initializers/rack_attack.rb
config/unicorn.rb
config/resque.yml
config/aws.yml
......
......@@ -30,5 +30,8 @@
%li
%strong= link_to "Public Access", help_public_access_path
%li
%strong= link_to "Security", help_security_path
.span9.pull-right
= yield
......@@ -79,3 +79,7 @@
%li
%strong= link_to "Public Access", help_public_access_path
%p Learn how you can allow public access to a project.
%li
%strong= link_to "Security", help_security_path
%p Learn what you can do to secure your GitLab instance.
= render layout: 'help/layout' do
%h3.page-title Security
%p.slead
If your GitLab instance is visible from the internet chances are it will be 'tested' by bots sooner or later.
%br
%br
%br
.file-holder
.file-title
%i.icon-file
Dealing with bruteforcing
.file-content.wiki
= preserve do
= markdown File.read(Rails.root.join("doc", "security", "rack_attack.md"))
......@@ -78,7 +78,7 @@ module Gitlab
#
# config.relative_url_root = "/gitlab"
# Enable rack attack middleware
config.middleware.use Rack::Attack
# Uncomment to enable rack attack middleware
# config.middleware.use Rack::Attack
end
end
Rack::Attack.throttle('user logins, registration and password reset', limit: 6, period: 60.seconds) do |req|
req.ip if ["/users/password", "/users/sign_in", "/users"].include?(req.path) && req.post?
end
# To enable rack-attack for your GitLab instance do the following:
# 1. In config/application.rb find and uncomment the following line:
# config.middleware.use Rack::Attack
# 2. Rename this file to rack_attack.rb
# 3. Review the paths_to_be_protected and add any other path you need protecting
# 4. Restart GitLab instance
#
paths_to_be_protected = [
"#{Rails.application.config.relative_url_root}/users/password",
"#{Rails.application.config.relative_url_root}/users/sign_in",
"#{Rails.application.config.relative_url_root}/users"
]
Rack::Attack.throttle('protected paths', limit: 6, period: 60.seconds) do |req|
req.ip if paths_to_be_protected.include?(req.path) && req.post?
end
......@@ -39,6 +39,7 @@ Gitlab::Application.routes.draw do
get 'help/web_hooks' => 'help#web_hooks'
get 'help/workflow' => 'help#workflow'
get 'help/shortcuts'
get 'help/security'
#
# Global snippets
......
To prevent abusive clients doing damage GitLab uses rack-attack gem.
If you installed or upgraded GitLab by following the official guides this should be enabled by default.
If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance:
1. In config/application.rb find and uncomment the following line:
config.middleware.use Rack::Attack
2. Rename config/initializers/rack_attack.rb.example to config/initializers/rack_attack.rb
3. Review the paths_to_be_protected and add any other path you need protecting
4. Restart GitLab instance
By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute.
After trying for 6 times, client will have to wait for the next minute to be able to try again.
These settings can be found in `config/initializers/rack_attack.rb`
If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance.
In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking.
For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md).
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment