mirror of
https://github.com/astuto/astuto.git
synced 2025-12-15 19:27:52 +01:00
Add DDoS protection (#308)
* Add and configure rack-attack gem * Limit number of tenant registrations with same email address * Limit requests to tenants#create by IP
This commit is contained in:
Riccardo Graziosi
committed by
GitHub
GitHub
parent
e34e3f1aba
commit
336adb9bfd
73
config/initializers/rack_attack.rb
Normal file
73
config/initializers/rack_attack.rb
Normal file
@@ -0,0 +1,73 @@
|
||||
class Rack::Attack
|
||||
### Throttle Spammy Clients ###
|
||||
|
||||
# If any single client IP is making tons of requests, then they're
|
||||
# probably malicious or a poorly-configured scraper. Either way, they
|
||||
# don't deserve to hog all of the app server's CPU. Cut them off!
|
||||
#
|
||||
# Note: If you're serving assets through rack, those requests may be
|
||||
# counted by rack-attack and this throttle may be activated too
|
||||
# quickly. If so, enable the condition to exclude them from tracking.
|
||||
|
||||
# Throttle all requests by IP (60rpm)
|
||||
#
|
||||
# Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}"
|
||||
throttle('req/ip', limit: 300, period: 5.minutes) do |req|
|
||||
req.ip # unless req.path.start_with?('/assets')
|
||||
end
|
||||
|
||||
### Prevent Brute-Force Login Attacks ###
|
||||
|
||||
# The most common brute-force login attack is a brute-force password
|
||||
# attack where an attacker simply tries a large number of emails and
|
||||
# passwords to see if any credentials match.
|
||||
#
|
||||
# Another common method of attack is to use a swarm of computers with
|
||||
# different IPs to try brute-forcing a password for a specific account.
|
||||
|
||||
# Throttle POST requests to /users/sign_in by IP address
|
||||
#
|
||||
# Key: "rack::attack:#{Time.now.to_i/:period}:logins/ip:#{req.ip}"
|
||||
throttle('logins/ip', limit: 5, period: 20.seconds) do |req|
|
||||
if req.path == '/users/sign_in' && req.post?
|
||||
req.ip
|
||||
end
|
||||
end
|
||||
|
||||
# Throttle POST requests to /users/sign_in by email param
|
||||
#
|
||||
# Key: "rack::attack:#{Time.now.to_i/:period}:logins/email:#{normalized_email}"
|
||||
#
|
||||
# Note: This creates a problem where a malicious user could intentionally
|
||||
# throttle logins for another user and force their login requests to be
|
||||
# denied, but that's not very common and shouldn't happen to you. (Knock
|
||||
# on wood!)
|
||||
throttle('logins/email', limit: 5, period: 20.seconds) do |req|
|
||||
if req.path == '/users/sign_in' && req.post?
|
||||
# Normalize the email, using the same logic as your authentication process, to
|
||||
# protect against rate limit bypasses. Return the normalized email if present, nil otherwise.
|
||||
req.params['email'].to_s.downcase.gsub(/\s+/, "").presence
|
||||
end
|
||||
end
|
||||
|
||||
# Throttle POST requests to /tenants by IP address
|
||||
throttle('tenant_signups/ip', limit: 5, period: 20.seconds) do |req|
|
||||
if req.path == '/tenants' && req.post?
|
||||
req.ip
|
||||
end
|
||||
end
|
||||
|
||||
### Custom Throttle Response ###
|
||||
|
||||
# By default, Rack::Attack returns an HTTP 429 for throttled responses,
|
||||
# which is just fine.
|
||||
#
|
||||
# If you want to return 503 so that the attacker might be fooled into
|
||||
# believing that they've successfully broken your app (or you just want to
|
||||
# customize the response), then uncomment these lines.
|
||||
# self.throttled_response = lambda do |env|
|
||||
# [ 503, # status
|
||||
# {}, # headers
|
||||
# ['']] # body
|
||||
# end
|
||||
end
|
||||
Reference in New Issue
Block a user