diff options
author | Douwe Maan <douwe@gitlab.com> | 2018-07-25 12:41:25 +0300 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2018-07-25 12:41:25 +0300 |
commit | cd03a8ad6f52d615b19b3f1f9cadd01c8e2b58a9 (patch) | |
tree | 3b838d42bed161cd162efd9c27025a411a96b344 | |
parent | 891cb10fc9ca4ee915eecdefb2c903705fefaa64 (diff) | |
parent | 8f39bb5da5dcb252536f3cda06d7412d98d974ff (diff) |
Merge branch '40973-disable-rack-attack-by-default' into 'master'
Disable Rack Attack by default
Closes #40973
See merge request gitlab-org/gitlab-ce!16669
-rw-r--r-- | changelogs/unreleased/40973-disable-rack-attack-by-default.yml | 5 | ||||
-rw-r--r-- | config/initializers/1_settings.rb | 2 | ||||
-rw-r--r-- | doc/security/rack_attack.md | 6 | ||||
-rw-r--r-- | spec/requests/git_http_spec.rb | 8 |
4 files changed, 17 insertions, 4 deletions
diff --git a/changelogs/unreleased/40973-disable-rack-attack-by-default.yml b/changelogs/unreleased/40973-disable-rack-attack-by-default.yml new file mode 100644 index 00000000000..681aa761e2a --- /dev/null +++ b/changelogs/unreleased/40973-disable-rack-attack-by-default.yml @@ -0,0 +1,5 @@ +--- +title: Rack attack is now disabled by default +merge_request: 16669 +author: +type: changed diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index 3230d9c0a5b..9ad55e21d11 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb @@ -418,7 +418,7 @@ Settings['extra'] ||= Settingslogic.new({}) # Settings['rack_attack'] ||= Settingslogic.new({}) Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({}) -Settings.rack_attack.git_basic_auth['enabled'] = true if Settings.rack_attack.git_basic_auth['enabled'].nil? +Settings.rack_attack.git_basic_auth['enabled'] = false if Settings.rack_attack.git_basic_auth['enabled'].nil? Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1} Settings.rack_attack.git_basic_auth['maxretry'] ||= 10 Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index c61729581e8..4d1e157031c 100644 --- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md @@ -14,8 +14,8 @@ limited to 6 requests per minute. After trying for 6 times, the client will have to wait for the next minute to be able to try again. If you installed or upgraded GitLab by following the [official guides](../install/README.md) -this should be enabled by default. If your instance is not exposed to any incoming -connections, it is recommended to disable Rack Attack. +this should be disabled by default. If your instance is not exposed to any incoming +connections, it is recommended to leave Rack Attack disabled. For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md). @@ -45,7 +45,7 @@ For more information on how to use these options check out The following settings can be configured: -- `enabled`: By default this is set to `true`. Set this to `false` to disable Rack Attack. +- `enabled`: By default this is set to `false`. Set this to `true` to enable Rack Attack. - `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a ruby array. For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3"]`. - `maxretry`: The maximum amount of times a request can be made in the diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb index 0f3e7157e14..c71eae9164a 100644 --- a/spec/requests/git_http_spec.rb +++ b/spec/requests/git_http_spec.rb @@ -381,6 +381,10 @@ describe 'Git HTTP requests' do context "when authentication fails" do context "when the user is IP banned" do + before do + Gitlab.config.rack_attack.git_basic_auth['enabled'] = true + end + it "responds with status 401" do expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true) allow_any_instance_of(Rack::Request).to receive(:ip).and_return('1.2.3.4') @@ -420,6 +424,10 @@ describe 'Git HTTP requests' do end context "when the user isn't blocked" do + before do + Gitlab.config.rack_attack.git_basic_auth['enabled'] = true + end + it "resets the IP in Rack Attack on download" do expect(Rack::Attack::Allow2Ban).to receive(:reset).twice |