rack-defense 0.2.1 → 0.2.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +43 -3
- data/Rakefile +3 -2
- data/lib/rack/defense/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: dd445dc72ae32d2d2c249b55e5e43134d5693520
|
|
4
|
+
data.tar.gz: fca8260313829448c683a6f2f0fc3585d33c413b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6dc5a88acda42bccaa4df59a65810ea0c8ec26452d044516d07ea7d7bcebcc92cf2895a0f9c7bc169aaedb70ecfd855ec67ebfcb68fae40c1708c2395e6bcb1a
|
|
7
|
+
data.tar.gz: d11ad7a9acdcca424ef644287aa74a8337e791233f8a23cf4698bbf0ec1a133ab401b4c20430bc82e7d4b97f7682ae130a886e7c7ce95261d9b40c4373f9c157
|
data/README.md
CHANGED
|
@@ -11,9 +11,9 @@ A Rack middleware for throttling and filtering requests.
|
|
|
11
11
|
|
|
12
12
|
Rack::Defense is a Rack middleware that allows to easily add request rate limiting and request filtering to your Rack based application (Ruby On Rails, Sinatra etc.).
|
|
13
13
|
|
|
14
|
-
* Request throttling (aka rate limiting) happens on __sliding window__ using the provided period, request criteria and maximum request number. It uses Redis to track the request rate.
|
|
14
|
+
* [Request throttling](#throttling) (aka rate limiting) happens on __sliding window__ using the provided period, request criteria and maximum request number. It uses Redis to track the request rate.
|
|
15
15
|
|
|
16
|
-
* Request filtering bans (rejects) requests based on provided criteria.
|
|
16
|
+
* [Request filtering](#filtering) bans (rejects) requests based on provided criteria.
|
|
17
17
|
|
|
18
18
|
Rack::Defense has a small footprint and only two dependencies: [rack](https://github.com/rack/rack) and [redis](https://github.com/redis/redis-rb).
|
|
19
19
|
|
|
@@ -116,7 +116,7 @@ Rack::Defense can reject requests based on arbitrary properties of the request.
|
|
|
116
116
|
|
|
117
117
|
### Examples
|
|
118
118
|
|
|
119
|
-
Allow only a whitelist of
|
|
119
|
+
Allow only a whitelist of IPs for a given path:
|
|
120
120
|
|
|
121
121
|
```ruby
|
|
122
122
|
Rack::Defense.setup do |config|
|
|
@@ -126,6 +126,17 @@ Rack::Defense.setup do |config|
|
|
|
126
126
|
end
|
|
127
127
|
```
|
|
128
128
|
|
|
129
|
+
Deny access to a blacklist of application users. Again, we assume here that
|
|
130
|
+
[Warden](https://github.com/hassox/warden) or any Warden based authentication wrapper, like [Devise](https://github.com/plataformatec/devise), is used:
|
|
131
|
+
|
|
132
|
+
```ruby
|
|
133
|
+
Rack::Defense.setup do |config|
|
|
134
|
+
config.ban('user_blacklist') do |req|
|
|
135
|
+
['hacker@example.com', 'badguy@example.com'].include? req.env['warden'].user.email
|
|
136
|
+
end
|
|
137
|
+
end
|
|
138
|
+
```
|
|
139
|
+
|
|
129
140
|
Allow only requests with a known API authorization token:
|
|
130
141
|
|
|
131
142
|
```ruby
|
|
@@ -178,6 +189,35 @@ Rack::Defense.setup do |config|
|
|
|
178
189
|
end
|
|
179
190
|
```
|
|
180
191
|
|
|
192
|
+
## Advanced Examples
|
|
193
|
+
|
|
194
|
+
### Temporarily suspend access to suspicious IPs
|
|
195
|
+
|
|
196
|
+
In this example, when an IP is exceeding the permitted request rate, we would like to ban this IP for a given period of time:
|
|
197
|
+
|
|
198
|
+
```ruby
|
|
199
|
+
Rack::Defense.setup do |config|
|
|
200
|
+
config.throttle('reset_password', 10, 10.minutes.in_milliseconds) do |req|
|
|
201
|
+
req.ip if req.path == '/api/users/password' && req.post?
|
|
202
|
+
end
|
|
203
|
+
|
|
204
|
+
config.after_throttle do |req, rules|
|
|
205
|
+
config.store.setex("ban:ip:#{req.ip}", 1.hour, 1) if rules.key? 'reset_password'
|
|
206
|
+
end
|
|
207
|
+
|
|
208
|
+
config.ban('blacklist') do |req|
|
|
209
|
+
config.store.exists("ban:ip:#{req.ip}")
|
|
210
|
+
end
|
|
211
|
+
end
|
|
212
|
+
```
|
|
213
|
+
|
|
214
|
+
The first rule named `reset_password` defines the maximum permitted rate per IP for post requests on path
|
|
215
|
+
`/api/users/password`. Once a user exceeds this limit, it gets throttled and denied access to the resource.
|
|
216
|
+
This raises a throttle event and triggers the `after_throttle` callback defined above. The callback sets a key in the redis store post-fixed with the user IP and having 1 hour an expiration time.
|
|
217
|
+
|
|
218
|
+
The last rule named `blacklist` looks up each incoming request IP and checks if it has a corresponding ban key
|
|
219
|
+
in redis. If the request IP matches a ban key it gets denied.
|
|
220
|
+
|
|
181
221
|
## License
|
|
182
222
|
|
|
183
223
|
Licensed under the [MIT License](http://opensource.org/licenses/MIT).
|
data/Rakefile
CHANGED
data/lib/rack/defense/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-defense
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Chaker Nakhli
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2015-07-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|