Merge branch '40973-disable-rack-attack-by-default' into 'master'
Disable Rack Attack by default Closes #40973 See merge request gitlab-org/gitlab-ce!16669
cd03a8ad6f
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Rack attack is now disabled by default
|
||||
merge_request: 16669
|
||||
author:
|
||||
type: changed
|
|
@ -418,7 +418,7 @@ Settings['extra'] ||= Settingslogic.new({})
|
|||
#
|
||||
Settings['rack_attack'] ||= Settingslogic.new({})
|
||||
Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({})
|
||||
Settings.rack_attack.git_basic_auth['enabled'] = true if Settings.rack_attack.git_basic_auth['enabled'].nil?
|
||||
Settings.rack_attack.git_basic_auth['enabled'] = false if Settings.rack_attack.git_basic_auth['enabled'].nil?
|
||||
Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1}
|
||||
Settings.rack_attack.git_basic_auth['maxretry'] ||= 10
|
||||
Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute
|
||||
|
|
|
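Review bot: The `.nil?` guard on the `enabled` line means any deployment whose gitlab.yml omits `rack_attack.git_basic_auth.enabled` now boots with the git HTTP basic-auth throttle switched off, and nothing in the initializer records that this is a deliberate opt-in rather than a leftover. Add a comment above that line, e.g. `# Opt-in: Rack::Attack throttling of failed git HTTP basic-auth attempts (Allow2Ban) stays off unless gitlab.yml sets rack_attack.git_basic_auth.enabled: true`. Because the previous default was on, the upgrade notes should tell operators of instances that accept incoming connections that the protection must now be enabled explicitly; this is inferred from the hunk alone, as the rest of the settings file is outside it.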
@ -14,8 +14,8 @@ limited to 6 requests per minute. After trying for 6 times, the client will
|
|||
have to wait for the next minute to be able to try again.
|
||||
|
||||
If you installed or upgraded GitLab by following the [official guides](../install/README.md)
|
||||
this should be enabled by default. If your instance is not exposed to any incoming
|
||||
connections, it is recommended to disable Rack Attack.
|
||||
this should be disabled by default. If your instance is not exposed to any incoming
|
||||
connections, it is recommended to leave Rack Attack disabled.
|
||||
|
||||
For more information on how to use these options check out
|
||||
[rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md).
|
||||
|
@ -45,7 +45,7 @@ For more information on how to use these options check out
|
|||
|
||||
The following settings can be configured:
|
||||
|
||||
- `enabled`: By default this is set to `true`. Set this to `false` to disable Rack Attack.
|
||||
- `enabled`: By default this is set to `false`. Set this to `true` to enable Rack Attack.
|
||||
- `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a ruby array.
|
||||
For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3"]`.
|
||||
- `maxretry`: The maximum amount of times a request can be made in the
|
||||
|
|
|
@ -381,6 +381,10 @@ describe 'Git HTTP requests' do
|
|||
|
||||
context "when authentication fails" do
|
||||
context "when the user is IP banned" do
|
||||
before do
|
||||
Gitlab.config.rack_attack.git_basic_auth['enabled'] = true
|
||||
end
|
||||
|
||||
it "responds with status 401" do
|
||||
expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true)
|
||||
allow_any_instance_of(Rack::Request).to receive(:ip).and_return('1.2.3.4')
|
||||
|
@ -420,6 +424,10 @@ describe 'Git HTTP requests' do
|
|||
end
|
||||
|
||||
context "when the user isn't blocked" do
|
||||
before do
|
||||
Gitlab.config.rack_attack.git_basic_auth['enabled'] = true
|
||||
end
|
||||
|
||||
it "resets the IP in Rack Attack on download" do
|
||||
expect(Rack::Attack::Allow2Ban).to receive(:reset).twice
|
||||
|
||||
|
|
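Review bot: Both added `before` blocks assign `Gitlab.config.rack_attack.git_basic_auth['enabled'] = true` on the process-wide config object and nothing restores it, so examples that run later in the same process see throttling enabled even though the new default is `false`; the first hunk and the second hunk of this file share the issue. The leak can produce order-dependent failures in unrelated examples and can mask a regression in the default-off path. Pair each with a reset, e.g. `after { Gitlab.config.rack_attack.git_basic_auth['enabled'] = false }`, or stub the reader instead of mutating the object. The enclosing `describe 'Git HTTP requests'` and both `context` blocks start and end outside the hunks.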