diff options
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | app/views/help/_layout.html.haml | 3 | ||||
| -rw-r--r-- | app/views/help/index.html.haml | 4 | ||||
| -rw-r--r-- | app/views/help/security.html.haml | 15 | ||||
| -rw-r--r-- | config/application.rb | 4 | ||||
| -rw-r--r-- | config/initializers/rack_attack.rb | 3 | ||||
| -rw-r--r-- | config/initializers/rack_attack.rb.example | 16 | ||||
| -rw-r--r-- | config/routes.rb | 1 | ||||
| -rw-r--r-- | doc/security/rack_attack.md | 19 |
9 files changed, 61 insertions, 5 deletions
diff --git a/.gitignore b/.gitignore index 683e6c45a2b..084edd30df7 100644 --- a/.gitignore +++ b/.gitignore @@ -20,6 +20,7 @@ Vagrantfile config/gitlab.yml config/database.yml config/initializers/omniauth.rb +config/initializers/rack_attack.rb config/unicorn.rb config/resque.yml config/aws.yml diff --git a/app/views/help/_layout.html.haml b/app/views/help/_layout.html.haml index ac8660dcbb4..da917888eee 100644 --- a/app/views/help/_layout.html.haml +++ b/app/views/help/_layout.html.haml @@ -30,5 +30,8 @@ %li %strong= link_to "Public Access", help_public_access_path + %li + %strong= link_to "Security", help_security_path + .span9.pull-right = yield diff --git a/app/views/help/index.html.haml b/app/views/help/index.html.haml index ff01136f5bb..fadc2dc21cb 100644 --- a/app/views/help/index.html.haml +++ b/app/views/help/index.html.haml @@ -79,3 +79,7 @@ %li %strong= link_to "Public Access", help_public_access_path %p Learn how you can allow public access to a project. + + %li + %strong= link_to "Security", help_security_path + %p Learn what you can do to secure your GitLab instance. diff --git a/app/views/help/security.html.haml b/app/views/help/security.html.haml new file mode 100644 index 00000000000..72f21e9f634 --- /dev/null +++ b/app/views/help/security.html.haml @@ -0,0 +1,15 @@ += render layout: 'help/layout' do + %h3.page-title Security + + %p.slead + If your GitLab instance is visible from the internet chances are it will be 'tested' by bots sooner or later. + %br + %br + %br + .file-holder + .file-title + %i.icon-file + Dealing with bruteforcing + .file-content.wiki + = preserve do + = markdown File.read(Rails.root.join("doc", "security", "rack_attack.md")) diff --git a/config/application.rb b/config/application.rb index 6ddc87010b3..0ab3597e73c 100644 --- a/config/application.rb +++ b/config/application.rb @@ -78,7 +78,7 @@ module Gitlab # # config.relative_url_root = "/gitlab" - # Enable rack attack middleware - config.middleware.use Rack::Attack + # Uncomment to enable rack attack middleware + # config.middleware.use Rack::Attack end end diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb deleted file mode 100644 index 88e638ba118..00000000000 --- a/config/initializers/rack_attack.rb +++ /dev/null @@ -1,3 +0,0 @@ -Rack::Attack.throttle('user logins, registration and password reset', limit: 6, period: 60.seconds) do |req| - req.ip if ["/users/password", "/users/sign_in", "/users"].include?(req.path) && req.post? -end diff --git a/config/initializers/rack_attack.rb.example b/config/initializers/rack_attack.rb.example new file mode 100644 index 00000000000..76fa7ad282e --- /dev/null +++ b/config/initializers/rack_attack.rb.example @@ -0,0 +1,16 @@ +# To enable rack-attack for your GitLab instance do the following: +# 1. In config/application.rb find and uncomment the following line: +# config.middleware.use Rack::Attack +# 2. Rename this file to rack_attack.rb +# 3. Review the paths_to_be_protected and add any other path you need protecting +# 4. Restart GitLab instance +# + +paths_to_be_protected = [ + "#{Rails.application.config.relative_url_root}/users/password", + "#{Rails.application.config.relative_url_root}/users/sign_in", + "#{Rails.application.config.relative_url_root}/users" +] +Rack::Attack.throttle('protected paths', limit: 6, period: 60.seconds) do |req| + req.ip if paths_to_be_protected.include?(req.path) && req.post? +end diff --git a/config/routes.rb b/config/routes.rb index 2b444c2a296..b6efd44a509 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -39,6 +39,7 @@ Gitlab::Application.routes.draw do get 'help/web_hooks' => 'help#web_hooks' get 'help/workflow' => 'help#workflow' get 'help/shortcuts' + get 'help/security' # # Global snippets diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md new file mode 100644 index 00000000000..a0d02b1650f --- /dev/null +++ b/doc/security/rack_attack.md @@ -0,0 +1,19 @@ +To prevent abusive clients doing damage GitLab uses rack-attack gem. +If you installed or upgraded GitLab by following the official guides this should be enabled by default. +If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance: + +1. In config/application.rb find and uncomment the following line: + config.middleware.use Rack::Attack +2. Rename config/initializers/rack_attack.rb.example to config/initializers/rack_attack.rb +3. Review the paths_to_be_protected and add any other path you need protecting +4. Restart GitLab instance + +By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute. +After trying for 6 times, client will have to wait for the next minute to be able to try again. +These settings can be found in `config/initializers/rack_attack.rb` + +If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance. + +In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking. + +For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md).
\ No newline at end of file |