-
Notifications
You must be signed in to change notification settings - Fork 62
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1349 from rubymonsters/1346-use-rack-attack
Install rack attack with basic configuration
- Loading branch information
Showing
4 changed files
with
83 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| class Rack::Attack | ||
|
|
||
| ### Configure Cache ### | ||
|
|
||
| # If you don't want to use Rails.cache (Rack::Attack's default), then | ||
| # configure it here. | ||
| # | ||
| # Note: The store is only used for throttling (not blocklisting and | ||
| # safelisting). It must implement .increment and .write like | ||
| # ActiveSupport::Cache::Store | ||
|
|
||
| # Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new | ||
|
|
||
| ### Throttle Spammy Clients ### | ||
|
|
||
| # If any single client IP is making tons of requests, then they're | ||
| # probably malicious or a poorly-configured scraper. Either way, they | ||
| # don't deserve to hog all of the app server's CPU. Cut them off! | ||
| # | ||
| # Note: If you're serving assets through rack, those requests may be | ||
| # counted by rack-attack and this throttle may be activated too | ||
| # quickly. If so, enable the condition to exclude them from tracking. | ||
|
|
||
| # Throttle all requests by IP (60rpm) | ||
| # | ||
| # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}" | ||
| throttle('req/ip', limit: 300, period: 3.minutes) do |req| | ||
| req.ip # unless req.path.start_with?('/assets') | ||
| end | ||
|
|
||
| ### Prevent Brute-Force Login Attacks ### | ||
|
|
||
| # The most common brute-force login attack is a brute-force password | ||
| # attack where an attacker simply tries a large number of emails and | ||
| # passwords to see if any credentials match. | ||
| # | ||
| # Another common method of attack is to use a swarm of computers with | ||
| # different IPs to try brute-forcing a password for a specific account. | ||
|
|
||
| # Throttle POST requests to /login by IP address | ||
| # | ||
| # Key: "rack::attack:#{Time.now.to_i/:period}:logins/ip:#{req.ip}" | ||
| throttle('logins/ip', limit: 5, period: 20.seconds) do |req| | ||
| if req.path == '/login' && req.post? | ||
| req.ip | ||
| end | ||
| end | ||
|
|
||
| # Throttle POST requests to /login by email param | ||
| # | ||
| # Key: "rack::attack:#{Time.now.to_i/:period}:logins/email:#{normalized_email}" | ||
| # | ||
| # Note: This creates a problem where a malicious user could intentionally | ||
| # throttle logins for another user and force their login requests to be | ||
| # denied, but that's not very common and shouldn't happen to you. (Knock | ||
| # on wood!) | ||
| throttle('logins/email', limit: 5, period: 20.seconds) do |req| | ||
| if req.path == '/login' && req.post? | ||
| # Normalize the email, using the same logic as your authentication process, to | ||
| # protect against rate limit bypasses. Return the normalized email if present, nil otherwise. | ||
| req.params['email'].to_s.downcase.gsub(/\s+/, "").presence | ||
| end | ||
| end | ||
|
|
||
| ### Custom Throttle Response ### | ||
|
|
||
| # By default, Rack::Attack returns an HTTP 429 for throttled responses, | ||
| # which is just fine. | ||
| # | ||
| # If you want to return 503 so that the attacker might be fooled into | ||
| # believing that they've successfully broken your app (or you just want to | ||
| # customize the response), then uncomment these lines. | ||
| # self.throttled_response = lambda do |env| | ||
| # [ 503, # status | ||
| # {}, # headers | ||
| # ['']] # body | ||
| # end | ||
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters