
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorJacob Vosmaer <contact@jacobvosmaer.nl>2014-12-18 13:08:11 +0300
committerJacob Vosmaer <contact@jacobvosmaer.nl>2014-12-18 13:08:11 +0300
commitc8b2def2be44771ffb479ad989acc7eccf4012f8 (patch)
tree291f0fee380b62646d2210264332ecdbd53eb389
parent4a389e761635ad17a707d3caa8ec5bf09b849f2f (diff)
Add more comments explaining how we block IPs
-rw-r--r--config/initializers/rack_attack_git_basic_auth.rb2
-rw-r--r--lib/gitlab/backend/grack_auth.rb5
2 files changed, 6 insertions, 1 deletions
diff --git a/config/initializers/rack_attack_git_basic_auth.rb b/config/initializers/rack_attack_git_basic_auth.rb
index 2348768ff16..bbbfed68329 100644
--- a/config/initializers/rack_attack_git_basic_auth.rb
+++ b/config/initializers/rack_attack_git_basic_auth.rb
@@ -1,4 +1,6 @@
unless Rails.env.test?
+ # Tell the Rack::Attack Rack middleware to maintain an IP blacklist. We will
+ # update the blacklist from Grack::Auth#authenticate_user.
Rack::Attack.blacklist('Git HTTP Basic Auth') do |req|
Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do
# This block only gets run if the IP was not already banned.
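Review bot: The new comment at the top of the `unless Rails.env.test?` block names Grack::Auth#authenticate_user as the writer, but it does not say that the ban only works if both call sites give Allow2Ban.filter the same discriminator and the same settings. I would extend it with `# Both call sites must pass the same key (the request IP) and the same git_basic_auth settings; otherwise failures are counted under a key this filter never checks.` The blacklist block continues past the end of the hunk, so what its inner block returns is not visible here.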
diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index ab5d2ef3da4..7bc745bf97e 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -76,7 +76,10 @@ module Grack
return user if user.present?
# At this point, we know the credentials were wrong. We let Rack::Attack
- # know there was a failed authentication attempt from this IP
+ # know there was a failed authentication attempt from this IP. This
+ # information is stored in the Rails cache (Redis) and will be used by
+ # the Rack::Attack middleware to decide whether to block requests from
+ # this IP.
Rack::Attack::Allow2Ban.filter(@request.ip, Gitlab.config.rack_attack.git_basic_auth) do
# Return true, so that Allow2Ban increments the counter (stored in
# Rails.cache) for the IP
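Review bot: The added comment says the counter lives in "the Rails cache (Redis)", but nothing in this hunk ties the store to Redis; Rack::Attack uses whichever cache store it is configured with, so the parenthetical can go stale. I would word it as `# information is stored in the cache Rack::Attack is configured with (Rails.cache by default) and will be used by`. It would also help to note that the key is `@request.ip`, so behind a reverse proxy the ban is only as accurate as the trusted-proxy configuration; that is presumably set elsewhere and worth confirming. The successful path at `return user if user.present?` leaves before this code, so as far as the hunk shows, earlier failures from the same IP keep counting until they expire. authenticate_user starts and ends outside the hunk.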