|
1 | 1 | # frozen_string_literal: true |
2 | 2 |
|
3 | | -class Rack::Attack |
| 3 | +module Rack |
| 4 | + class Attack |
| 5 | + ### Configure Cache ### |
4 | 6 |
|
5 | | - ### Configure Cache ### |
| 7 | + # If you don't want to use Rails.cache (Rack::Attack's default), then |
| 8 | + # configure it here. |
| 9 | + # |
| 10 | + # Note: The store is only used for throttling (not blocklisting and |
| 11 | + # safelisting). It must implement .increment and .write like |
| 12 | + # ActiveSupport::Cache::Store |
6 | 13 |
|
7 | | - # If you don't want to use Rails.cache (Rack::Attack's default), then |
8 | | - # configure it here. |
9 | | - # |
10 | | - # Note: The store is only used for throttling (not blocklisting and |
11 | | - # safelisting). It must implement .increment and .write like |
12 | | - # ActiveSupport::Cache::Store |
| 14 | + Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new |
13 | 15 |
|
14 | | - Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new |
| 16 | + ### Throttle Spammy Clients ### |
15 | 17 |
|
16 | | - ### Throttle Spammy Clients ### |
| 18 | + # If any single client IP is making tons of requests, then they're |
| 19 | + # probably malicious or a poorly-configured scraper. Either way, they |
| 20 | + # don't deserve to hog all of the app server's CPU. Cut them off! |
| 21 | + # |
| 22 | + # Note: If you're serving assets through rack, those requests may be |
| 23 | + # counted by rack-attack and this throttle may be activated too |
| 24 | + # quickly. If so, enable the condition to exclude them from tracking. |
17 | 25 |
|
18 | | - # If any single client IP is making tons of requests, then they're |
19 | | - # probably malicious or a poorly-configured scraper. Either way, they |
20 | | - # don't deserve to hog all of the app server's CPU. Cut them off! |
21 | | - # |
22 | | - # Note: If you're serving assets through rack, those requests may be |
23 | | - # counted by rack-attack and this throttle may be activated too |
24 | | - # quickly. If so, enable the condition to exclude them from tracking. |
25 | | - |
26 | | - # Throttle all requests by IP (60rpm) |
27 | | - # |
28 | | - # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}" |
29 | | - throttle('req/ip', limit: 300, period: 5.minutes) do |req| |
30 | | - req.ip # unless req.path.start_with?('/assets') |
31 | | - end |
| 26 | + # Throttle all requests by IP (60rpm) |
| 27 | + # |
| 28 | + # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}" |
| 29 | + throttle("req/ip", limit: 300, period: 5.minutes) do |req| |
| 30 | + req.ip # unless req.path.start_with?('/assets') |
| 31 | + end |
32 | 32 |
|
33 | | - ### Prevent Brute-Force Login Attacks ### |
| 33 | + ### Prevent Brute-Force Login Attacks ### |
34 | 34 |
|
35 | | - # The most common brute-force login attack is a brute-force password |
36 | | - # attack where an attacker simply tries a large number of emails and |
37 | | - # passwords to see if any credentials match. |
38 | | - # |
39 | | - # Another common method of attack is to use a swarm of computers with |
40 | | - # different IPs to try brute-forcing a password for a specific account. |
| 35 | + # The most common brute-force login attack is a brute-force password |
| 36 | + # attack where an attacker simply tries a large number of emails and |
| 37 | + # passwords to see if any credentials match. |
| 38 | + # |
| 39 | + # Another common method of attack is to use a swarm of computers with |
| 40 | + # different IPs to try brute-forcing a password for a specific account. |
41 | 41 |
|
42 | | - # Throttle POST requests to /login by IP address |
43 | | - # |
44 | | - # Key: "rack::attack:#{Time.now.to_i/:period}:logins/ip:#{req.ip}" |
45 | | - throttle('logins/ip', limit: 5, period: 20.seconds) do |req| |
46 | | - if req.path == '/login' && req.post? |
47 | | - req.ip |
| 42 | + # Throttle POST requests to /login by IP address |
| 43 | + # |
| 44 | + # Key: "rack::attack:#{Time.now.to_i/:period}:logins/ip:#{req.ip}" |
| 45 | + throttle("logins/ip", limit: 5, period: 20.seconds) do |req| |
| 46 | + req.ip if req.path == "/login" && req.post? |
48 | 47 | end |
49 | | - end |
50 | 48 |
|
51 | | - # Throttle POST requests to /login by email param |
52 | | - # |
53 | | - # Key: "rack::attack:#{Time.now.to_i/:period}:logins/email:#{normalized_email}" |
54 | | - # |
55 | | - # Note: This creates a problem where a malicious user could intentionally |
56 | | - # throttle logins for another user and force their login requests to be |
57 | | - # denied, but that's not very common and shouldn't happen to you. (Knock |
58 | | - # on wood!) |
59 | | - throttle('logins/email', limit: 5, period: 20.seconds) do |req| |
60 | | - if req.path == '/login' && req.post? |
61 | | - # Normalize the email, using the same logic as your authentication process, to |
62 | | - # protect against rate limit bypasses. Return the normalized email if present, nil otherwise. |
63 | | - req.params['email'].to_s.downcase.gsub(/\s+/, "").presence |
| 49 | + # Throttle POST requests to /login by email param |
| 50 | + # |
| 51 | + # Key: "rack::attack:#{Time.now.to_i/:period}:logins/email:#{normalized_email}" |
| 52 | + # |
| 53 | + # Note: This creates a problem where a malicious user could intentionally |
| 54 | + # throttle logins for another user and force their login requests to be |
| 55 | + # denied, but that's not very common and shouldn't happen to you. (Knock |
| 56 | + # on wood!) |
| 57 | + throttle("logins/email", limit: 5, period: 20.seconds) do |req| |
| 58 | + if req.path == "/login" && req.post? |
| 59 | + # Normalize the email, using the same logic as your authentication process, to |
| 60 | + # protect against rate limit bypasses. Return the normalized email if present, nil otherwise. |
| 61 | + req.params["email"].to_s.downcase.gsub(/\s+/, "").presence |
| 62 | + end |
64 | 63 | end |
65 | | - end |
66 | 64 |
|
67 | | - ### Custom Throttle Response ### |
| 65 | + ### Custom Throttle Response ### |
68 | 66 |
|
69 | | - # By default, Rack::Attack returns an HTTP 429 for throttled responses, |
70 | | - # which is just fine. |
71 | | - # |
72 | | - # If you want to return 503 so that the attacker might be fooled into |
73 | | - # believing that they've successfully broken your app (or you just want to |
74 | | - # customize the response), then uncomment these lines. |
75 | | - # self.throttled_responder = lambda do |env| |
76 | | - # [ 503, # status |
77 | | - # {}, # headers |
78 | | - # ['']] # body |
79 | | - # end |
| 67 | + # By default, Rack::Attack returns an HTTP 429 for throttled responses, |
| 68 | + # which is just fine. |
| 69 | + # |
| 70 | + # If you want to return 503 so that the attacker might be fooled into |
| 71 | + # believing that they've successfully broken your app (or you just want to |
| 72 | + # customize the response), then uncomment these lines. |
| 73 | + # self.throttled_responder = lambda do |env| |
| 74 | + # [ 503, # status |
| 75 | + # {}, # headers |
| 76 | + # ['']] # body |
| 77 | + # end |
| 78 | + end |
80 | 79 | end |
81 | | - |
0 commit comments