No log line is written when Gitlab::Auth::IpRateLimiter bans an IP, because the Rails logger call is skipped.
Summary
No log line is written when Gitlab::Auth::IpRateLimiter bans an IP, because the Rails logger call is skipped.
Steps to reproduce
$ gitlab-rails console
irb(main):001:0> Gitlab.config.rack_attack.git_basic_auth
=> {"ip_whitelist"=>[], "enabled"=>true, "maxretry"=>10, "findtime"=>60 seconds, "bantime"=>3600 seconds}
irb(main):002:0> 10.times { Gitlab::Auth::rate_limit!('127.0.0.1', success: false, login: 'foobar') }
=> 10
At this point Rack::Attack has started banning the IP:
$ curl http://127.0.0.1/
forbbiden
$ less /var/opt/gitlab/gitlab-rails/production.log
nothing
What is the current bug behavior?
No log line is written to /var/opt/gitlab/gitlab-rails/production.log.
What is the expected correct behavior?
A log line should exist in /var/opt/gitlab/gitlab-rails/production.log:
IP 127.0.0.1 failed to login as foobar but has been temporarily banned from Git auth
Relevant logs and/or screenshots
Started GET "/users/sign_in" for 127.0.0.1 at 2017-09-06 07:12:19 +0000
Processing by SessionsController#new as */*
Completed 200 OK in 20ms (Views: 9.7ms | ActiveRecord: 0.9ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2017-09-06 07:12:20 +0000
Processing by SessionsController#new as */*
Completed 200 OK in 17ms (Views: 8.5ms | ActiveRecord: 0.7ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2017-09-06 07:12:21 +0000
Rack_Attack: blacklist 127.0.0.1 GET /users/sign_in
Started GET "/-/metrics" for 127.0.0.1 at 2017-09-06 07:12:22 +0000
Rack_Attack: blacklist 127.0.0.1 GET /-/metrics
Started GET "/users/sign_in" for 127.0.0.1 at 2017-09-06 07:12:22 +0000
Rack_Attack: blacklist 127.0.0.1 GET /users/sign_in
Started GET "/users/sign_in" for 127.0.0.1 at 2017-09-06 07:12:23 +0000
Rack_Attack: blacklist 127.0.0.1 GET /users/sign_in
Results of GitLab environment info
[root@gitlab etc]# gitlab-rake gitlab:env:info
System information
System: CentOS 6.9
Current User: git
Using RVM: no
Ruby Version: 2.3.3p222
Gem Version: 2.6.6
Bundler Version:1.13.7
Rake Version: 10.5.0
Redis Version: 3.2.5
Git Version: 2.13.0
Sidekiq Version:5.0.0
Go Version: unknown
GitLab information
Version: 9.4.3
Revision: b125d21
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: http://example.com
HTTP Clone URL: http://example.com/some-group/some-project.git
SSH Clone URL: git@example.com:some-group/some-project.git
Using LDAP: yes
Using Omniauth: no
GitLab Shell
Version: 5.3.1
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Possible fixes
Rack::Attack::Allow2Ban.filter returns false on the very request that sets the ban for an IP:
https://github.com/kickstarter/rack-attack/blob/master/lib/rack/attack/allow2ban.rb#L18
$ gitlab-rake cache:clear:redis
$ gitlab-rails console
irb(main):001:0> 9.times { Rack::Attack::Allow2Ban.filter('127.0.0.1',Gitlab.config.rack_attack.git_basic_auth) do true end }
=> 9
irb(main):002:0> Rack::Attack::Allow2Ban.banned?('127.0.0.1')
=> false
irb(main):003:0> Rack::Attack::Allow2Ban.filter('127.0.0.1',Gitlab.config.rack_attack.git_basic_auth) do true end
=> false
irb(main):004:0> Rack::Attack::Allow2Ban.banned?('127.0.0.1')
=> true
What do you think about having Gitlab::Auth::IpRateLimiter.banned? (or Gitlab::Auth::IpRateLimiter.register_fail!) check Rack::Attack::Allow2Ban.banned? instead?
https://github.com/gitlabhq/gitlabhq/blob/master/lib/gitlab/auth/ip_rate_limiter.rb#L21
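To make the mismatch concrete, here is an added, self-contained Ruby simulation (it is not GitLab's or rack-attack's code): it re-implements only the return-value semantics of Allow2Ban.filter over an in-memory store, then contrasts the current approach of storing filter's return value with checking banned? after the failure is registered. The FakeAllow2Ban class, CONFIG and the two helper functions are assumptions made for this demonstration; the findtime window is not simulated.

```ruby
# Constructed stand-in for Rack::Attack::Allow2Ban with an in-memory store.
# It keeps only the return-value semantics relevant to this report; the
# findtime window is not simulated (every failure counts).
class FakeAllow2Ban
  def initialize
    @counts = Hash.new(0) # failures per discriminator
    @bans   = {}          # discriminator => ban expiry (Time)
  end

  def banned?(key)
    expiry = @bans[key]
    !expiry.nil? && expiry > Time.now
  end

  # An already-banned key returns true (request blocked). Otherwise the
  # failure is counted when the block yields true, the ban is set once
  # maxretry is reached, and false is returned for that banning request,
  # matching Allow2Ban: the request that crosses the limit is still allowed.
  def filter(key, opts)
    return true if banned?(key)

    @counts[key] += 1 if yield
    @bans[key] = Time.now + opts[:bantime] if @counts[key] >= opts[:maxretry]
    false
  end
end

# Mirrors the git_basic_auth values shown in the report (assumed constants).
CONFIG = { maxretry: 10, bantime: 3600 }.freeze

# Current behaviour: register_fail! stores filter's return value, so banned?
# is false on the request that actually triggers the ban and the
# "temporarily banned" log line is never written for it.
def banned_via_filter_result?(store, ip, failures)
  banned = false
  failures.times { banned = store.filter(ip, CONFIG) { true } }
  banned
end

# Proposed fix from this report: ask Allow2Ban.banned? after registering
# the failure, so the ban is visible on the same request that sets it.
def banned_via_store?(store, ip, failures)
  failures.times { store.filter(ip, CONFIG) { true } }
  store.banned?(ip)
end
```

With ten failures the first helper still reports false (no log line would be emitted), while the second reports true; only an eleventh request makes the first helper see the ban.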
Edited by Yusuke Watase