Commit 58f8acb2 authored by Michael Rose's avatar Michael Rose

ratelimits: add Rack::Attack to limit public endpoints

parent 856e8c39
......@@ -15,6 +15,9 @@ gem 'devise-async'
gem 'rails_12factor'
# Rate limiting
gem 'rack-attack'
# Memcached for caching
gem 'dalli'
gem 'connection_pool'
......
......@@ -218,6 +218,8 @@ GEM
pg (0.21.0)
public_suffix (3.0.0)
rack (2.0.3)
rack-attack (5.0.1)
rack
rack-mini-profiler (0.10.5)
rack (>= 1.2.0)
rack-protection (2.0.0)
......@@ -381,6 +383,7 @@ DEPENDENCIES
minitest-reporters (>= 0.5.0)
newrelic_rpm
pg
rack-attack
rack-mini-profiler
rails (~> 5.1)
rails-timeago (~> 2.0)
......
......@@ -28,5 +28,7 @@ module Scryer
config.maintenance = false
config.active_job.queue_adapter = :sidekiq
config.middleware.use Rack::Attack
end
end
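Review bot: `config.middleware.use Rack::Attack` appends the middleware to the end of the stack, so a request that will be throttled still passes through every earlier Rails middleware (static files, cookies, session, flash) before the limit is checked; if the goal is to shed load cheaply, `config.middleware.insert_before ActionDispatch::Static, Rack::Attack` (or another early anchor the app already has) would be worth considering. The line also applies in every environment, so it is worth stating in a comment whether the throttles are meant to be active in development and test, since shared `127.0.0.1` traffic there can hit the limits depending on the configured cache store. The enclosing `Application` class starts outside the hunk.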
class Rack::Attack
# Rack::Attack.safelist('allow from localhost') do |req|
# # Requests are allowed if the return value is truthy
# '127.0.0.1' == req.ip || '::1' == req.ip
# end
# Throttle story id lookups
Rack::Attack.throttle('/stories/by_id', limit: 10, period: 1.minute) do |req|
req.ip if req.path.starts_with? '/stories'
end
# Throttle searches
Rack::Attack.throttle('/search', limit: 25, period: 1.minute) do |req|
req.ip if req.path.starts_with? '/search'
end
end
\ No newline at end of file
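Review bot: The prefix test `req.path.starts_with? '/stories'` on the first throttle is broader than the rule name `'/stories/by_id'` suggests — it limits every route under `/stories`, and with `req.ip` as the discriminator all clients behind one NAT or proxy share a single 10-requests-per-minute budget for all of them; the `/search` rule two lines below has the same shape. If only the lookup endpoint is meant to be limited, match it exactly, e.g. `req.ip if req.path.start_with?('/stories/by_id')` (the route name is inferred from the rule name — confirm), and use the core `start_with?` rather than the ActiveSupport alias `starts_with?`. Since `rails_12factor` is in the Gemfile the app likely runs behind a proxy, so `req.ip` is only meaningful if forwarded-for headers are handled correctly; a comment stating that assumption would help the next reader. Throttled requests are not logged anywhere here; subscribing to the `rack.attack` ActiveSupport notification (available in this gem version, I believe) would make limits observable, and the counters live in `Rails.cache` by default, which needs to be the shared memcached store for the limits to hold across processes. Inside `class Rack::Attack` the `Rack::Attack.` receiver on each `throttle` call is redundant and can be dropped.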