author | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2015-01-06 18:56:56 +0300 |
---|---|---|
committer | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2015-01-06 18:56:56 +0300 |
commit | af56c1dd323ee418eb8dbfa9eb35c7ec9ac58a66 (patch) | |
tree | b3ab3629579ac4db3441c60cb48cc0c652dd73e7 | |
parent | c8b2def2be44771ffb479ad989acc7eccf4012f8 (diff) |
White-list requests from 127.0.0.1
On some misconfigured GitLab servers, if you look in production.log it looks
like all requests come from 127.0.0.1. To avoid unwanted banning we
white-list 127.0.0.1 with this commit.
-rw-r--r-- | config/gitlab.yml.example | 3 | ||||
-rw-r--r-- | config/initializers/1_settings.rb | 1 | ||||
-rw-r--r-- | lib/gitlab/backend/grack_auth.rb | 13 |
3 files changed, 13 insertions, 4 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index b474063505f..5d801b9ae5b 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -300,6 +300,9 @@ production: &base
 rack_attack:
 git_basic_auth:
+ # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
+ # ip_whitelist: ["127.0.0.1"]
+ #
 # Limit the number of Git HTTP authentication attempts per IP
 # maxretry: 10
 #
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 4464d9d0001..c744577d516 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -176,6 +176,7 @@ Settings['extra'] ||= Settingslogic.new({})
 #
 Settings['rack_attack'] ||= Settingslogic.new({})
 Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({})
+Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1}
 Settings.rack_attack.git_basic_auth['maxretry'] ||= 10
 Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute
 Settings.rack_attack.git_basic_auth['bantime'] ||= 1.hour
diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index 7bc745bf97e..1f71906bc8e 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -80,10 +80,15 @@ module Grack
 # information is stored in the Rails cache (Redis) and will be used by
 # the Rack::Attack middleware to decide whether to block requests from
 # this IP.
- Rack::Attack::Allow2Ban.filter(@request.ip, Gitlab.config.rack_attack.git_basic_auth) do
- # Return true, so that Allow2Ban increments the counter (stored in
- # Rails.cache) for the IP
- true
+ config = Gitlab.config.rack_attack.git_basic_auth
+ Rack::Attack::Allow2Ban.filter(@request.ip, config) do
+ # Unless the IP is whitelisted, return true so that Allow2Ban
+ # increments the counter (stored in Rails.cache) for the IP
+ if config.ip_whitelist.include?(@request.ip)
+ false
+ else
+ true
+ end
 end
 nil # No user was found |
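Review bot: The new comment under `git_basic_auth:` does not say what whitelisting costs: failed Git HTTP logins from a listed IP are never counted (see the block in lib/gitlab/backend/grack_auth.rb), so when the proxy makes every client look like 127.0.0.1 the `maxretry` limit below applies to nobody. I would add `# NOTE: failed logins from these IPs are not rate-limited; prefer fixing the proxy's client-IP headers` under the first comment line. The example is commented out although config/initializers/1_settings.rb already defaults to `%w{127.0.0.1}`, so it would also help to mention that `ip_whitelist: []` turns the exemption off (an empty array is truthy in Ruby, so `||=` keeps it).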
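Review bot: Failed logins from a whitelisted address are never counted by the Allow2Ban block, and on the servers this commit targets `@request.ip` is 127.0.0.1 for every client, so Git basic-auth throttling is effectively off for all of them without any trace. I would say so in the comment above the block, e.g. `# NOTE: whitelisted IPs are never counted; behind a proxy that hides the client IP this disables throttling for everyone`, and consider logging the skipped attempt so operators notice the misconfiguration. The `if`/`else` that returns `false`/`true` can be the single expression `!config.ip_whitelist.include?(@request.ip)`. `include?` is an exact string comparison, so other spellings of loopback (presumably `::1`) would not match the default entry. The enclosing method starts and ends outside the hunk.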