rack-defense 0.2.1 → 0.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +43 -3
- data/Rakefile +3 -2
- data/lib/rack/defense/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: dd445dc72ae32d2d2c249b55e5e43134d5693520
|
|
4
|
+
data.tar.gz: fca8260313829448c683a6f2f0fc3585d33c413b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6dc5a88acda42bccaa4df59a65810ea0c8ec26452d044516d07ea7d7bcebcc92cf2895a0f9c7bc169aaedb70ecfd855ec67ebfcb68fae40c1708c2395e6bcb1a
|
|
7
|
+
data.tar.gz: d11ad7a9acdcca424ef644287aa74a8337e791233f8a23cf4698bbf0ec1a133ab401b4c20430bc82e7d4b97f7682ae130a886e7c7ce95261d9b40c4373f9c157
|
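Review bot: the old SHA1 and SHA512 values on the four `-` lines are blank in this view, so the previous digests cannot be compared against the new ones here; verify the new `metadata.gz` and `data.tar.gz` digests against the 0.2.2 archive actually served by the registry rather than against this page. Note also that checksums.yaml travels inside the .gem archive itself, so it only catches a corrupted download, not a substituted archive (whoever replaces data.tar.gz can regenerate this file too); the integrity check that matters is out-of-band, either a signed gem or a registry checksum pinned in the consumer's lockfile.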
data/README.md
CHANGED
|
@@ -11,9 +11,9 @@ A Rack middleware for throttling and filtering requests.
|
|
|
11
11
|
|
|
12
12
|
Rack::Defense is a Rack middleware that allows to easily add request rate limiting and request filtering to your Rack based application (Ruby On Rails, Sinatra etc.).
|
|
13
13
|
|
|
14
|
-
* Request throttling (aka rate limiting) happens on __sliding window__ using the provided period, request criteria and maximum request number. It uses Redis to track the request rate.
|
|
14
|
+
* [Request throttling](#throttling) (aka rate limiting) happens on __sliding window__ using the provided period, request criteria and maximum request number. It uses Redis to track the request rate.
|
|
15
15
|
|
|
16
|
-
* Request filtering bans (rejects) requests based on provided criteria.
|
|
16
|
+
* [Request filtering](#filtering) bans (rejects) requests based on provided criteria.
|
|
17
17
|
|
|
18
18
|
Rack::Defense has a small footprint and only two dependencies: [rack](https://github.com/rack/rack) and [redis](https://github.com/redis/redis-rb).
|
|
19
19
|
|
|
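Review bot: the new `#throttling` and `#filtering` links on lines 14 and 16 are intra-page anchors, so the README needs headings that render with exactly those ids (for example `## Throttling` and `## Filtering`); those headings lie outside this hunk, so please confirm they exist and that no other heading shares the slug, otherwise the links silently jump to the top of the page. Unchanged context line 12 reads "allows to easily add", which would read better as "lets you easily add".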
@@ -116,7 +116,7 @@ Rack::Defense can reject requests based on arbitrary properties of the request.
|
|
|
116
116
|
|
|
117
117
|
### Examples
|
|
118
118
|
|
|
119
|
-
Allow only a whitelist of
|
|
119
|
+
Allow only a whitelist of IPs for a given path:
|
|
120
120
|
|
|
121
121
|
```ruby
|
|
122
122
|
Rack::Defense.setup do |config|
|
|
@@ -126,6 +126,17 @@ Rack::Defense.setup do |config|
|
|
|
126
126
|
end
|
|
127
127
|
```
|
|
128
128
|
|
|
129
|
+
Deny access to a blacklist of application users. Again, we assume here that
|
|
130
|
+
[Warden](https://github.com/hassox/warden) or any Warden based authentication wrapper, like [Devise](https://github.com/plataformatec/devise), is used:
|
|
131
|
+
|
|
132
|
+
```ruby
|
|
133
|
+
Rack::Defense.setup do |config|
|
|
134
|
+
config.ban('user_blacklist') do |req|
|
|
135
|
+
['hacker@example.com', 'badguy@example.com'].include? req.env['warden'].user.email
|
|
136
|
+
end
|
|
137
|
+
end
|
|
138
|
+
```
|
|
139
|
+
|
|
129
140
|
Allow only requests with a known API authorization token:
|
|
130
141
|
|
|
131
142
|
```ruby
|
|
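Review bot: `req.env['warden'].user.email` on line 135 raises on any request that is not authenticated: `warden.user` returns nil for an anonymous session, and `req.env['warden']` is itself nil when Rack::Defense sits before Warden in the middleware stack (or Warden is absent), so the ban rule turns every anonymous hit into a 500 instead of a rejection. Guard both, e.g. `warden = req.env['warden']`, `user = warden && warden.user`, `user && BLACKLIST.include?(user.email)`, and say in the prose that Rack::Defense must be inserted after the Warden middleware for `env['warden']` to be populated. Since this rule runs on every request, it is also worth noting that `warden.user` forces session deserialization (typically a user lookup) even on requests that would otherwise never touch authentication.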
@@ -178,6 +189,35 @@ Rack::Defense.setup do |config|
|
|
|
178
189
|
end
|
|
179
190
|
```
|
|
180
191
|
|
|
192
|
+
## Advanced Examples
|
|
193
|
+
|
|
194
|
+
### Temporarily suspend access to suspicious IPs
|
|
195
|
+
|
|
196
|
+
In this example, when an IP is exceeding the permitted request rate, we would like to ban this IP for a given period of time:
|
|
197
|
+
|
|
198
|
+
```ruby
|
|
199
|
+
Rack::Defense.setup do |config|
|
|
200
|
+
config.throttle('reset_password', 10, 10.minutes.in_milliseconds) do |req|
|
|
201
|
+
req.ip if req.path == '/api/users/password' && req.post?
|
|
202
|
+
end
|
|
203
|
+
|
|
204
|
+
config.after_throttle do |req, rules|
|
|
205
|
+
config.store.setex("ban:ip:#{req.ip}", 1.hour, 1) if rules.key? 'reset_password'
|
|
206
|
+
end
|
|
207
|
+
|
|
208
|
+
config.ban('blacklist') do |req|
|
|
209
|
+
config.store.exists("ban:ip:#{req.ip}")
|
|
210
|
+
end
|
|
211
|
+
end
|
|
212
|
+
```
|
|
213
|
+
|
|
214
|
+
The first rule named `reset_password` defines the maximum permitted rate per IP for post requests on path
|
|
215
|
+
`/api/users/password`. Once a user exceeds this limit, it gets throttled and denied access to the resource.
|
|
216
|
+
This raises a throttle event and triggers the `after_throttle` callback defined above. The callback sets a key in the redis store post-fixed with the user IP and having 1 hour an expiration time.
|
|
217
|
+
|
|
218
|
+
The last rule named `blacklist` looks up each incoming request IP and checks if it has a corresponding ban key
|
|
219
|
+
in redis. If the request IP matches a ban key it gets denied.
|
|
220
|
+
|
|
181
221
|
## License
|
|
182
222
|
|
|
183
223
|
Licensed under the [MIT License](http://opensource.org/licenses/MIT).
|
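Review bot: the `blacklist` rule on line 209 depends on `config.store.exists(...)` returning a boolean, which redis-rb 3.x does; from redis-rb 4.2 `exists` returns an integer count (with a deprecation warning), and because `0` is truthy in Ruby the rule would then ban every request. Make the intent explicit with `exists?` where the redis-rb version provides it, or `exists(...) > 0` / `!get(...).nil?`. The example also leans on ActiveSupport (`10.minutes.in_milliseconds` on line 200, `1.hour` on line 205) while line 18 of the README advertises only two dependencies, rack and redis; either spell the values out (`600_000` ms, `3600` s) or state that the numeric helpers assume Rails. In the explanatory text, "post requests" on line 214 should be "POST requests", and "post-fixed with the user IP and having 1 hour an expiration time" on line 216 should read "suffixed with the client IP and given a one-hour expiration".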
data/Rakefile
CHANGED
data/lib/rack/defense/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-defense
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Chaker Nakhli
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2015-07-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
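Review bot: this is a version and date bump with `cert_chain: []` unchanged on line 10, i.e. the gem is still unsigned, so consumers have nothing beyond checksums.yaml, which ships inside the archive, to validate what they install. Consider signing releases (a `signing_key` in the gemspec, certificates managed with `gem cert`) or at least publishing the gem's checksum alongside the release notes. The old `version:` and `date:` values on lines 4 and 11 are cut off in this view, so the previous release date cannot be confirmed from the hunk; only the page header states the prior version as 0.2.1.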