[ERA] Bring in rack attack for rate limiting #954

Closed
murny opened this issue Dec 6, 2018 · 0 comments
Comments


murny commented Dec 6, 2018

For other apps in DI (avalon, discovery/neosdiscovery, etc.), we have taken the approach of dealing with enthusiastic web scrapers by banning them (or in some cases, just banning all web scrapers).

A far better approach would be to rate limit them (and any other spammy users) and give them a proper 429 (Too Many Requests) status code.

This is all easily done by using this gem:
https://github.com/kickstarter/rack-attack

We can lead by example by adding this to jupiter.

Simply add the gem and an initializer to jupiter! Done!

The rack-attack initializer in jupiter would be something like this (https://github.com/kickstarter/rack-attack/blob/master/docs/example_configuration.md):

```ruby
# config/initializers/rack_attack.rb
class Rack::Attack
  ### Throttle Spammy Clients ###

  # If any single client IP is making tons of requests, then they're
  # probably malicious or a poorly-configured scraper. Either way, they
  # don't deserve to hog all of the app server's CPU. Cut them off!
  #
  # Note: If you're serving assets through rack, those requests may be
  # counted by rack-attack and this throttle may be activated too
  # quickly. If so, enable the condition to exclude them from tracking.

  # Throttle all requests by IP (300 requests per 5 minutes, i.e. 60rpm)
  #
  # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}"
  throttle('req/ip', limit: 300, period: 5.minutes) do |req|
    req.ip # unless req.path.start_with?('/assets')
  end
end
```

(We don't need to rate limit logins/etc. as we outsource this to the central IST's SAML server)
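To make the mechanism behind the snippet above concrete, here is an added example that is not part of the issue, jupiter, or the rack-attack gem: a minimal Rack-style middleware in plain Ruby that implements the same fixed-window throttle, using the cache key scheme quoted in the comment (`rack::attack:<window>:req/ip:<ip>`), skipping `/assets` requests, and answering with 429 plus a `Retry-After` header once the limit is exceeded. The class name `IpThrottle`, the in-memory `Hash` standing in for `Rails.cache`, the injected clock, the `demo` helper and the sample IPs/timestamp are all constructed for this example.

```ruby
# Added example, not jupiter's code and not the rack-attack gem. It mirrors
# what rack-attack's throttle('req/ip', limit:, period:) does:
# one counter per (client IP, fixed time window); exceed it and get a 429.
# Assumptions: an in-memory Hash replaces Rails.cache; the client IP is read
# straight from REMOTE_ADDR (no X-Forwarded-For handling); the clock is
# injected so the window boundary can be tested deterministically.
class IpThrottle
  # Same prefix rack-attack uses; the full key is built in cache_key below.
  KEY_PREFIX = 'rack::attack'.freeze

  def initialize(app, limit:, period:, cache: Hash.new(0),
                 clock: -> { Time.now.to_i }, skip_prefix: '/assets')
    @app = app
    @limit = limit           # max requests per window
    @period = period         # window length in seconds
    @cache = cache
    @clock = clock
    @skip_prefix = skip_prefix
  end

  def call(env)
    path = env['PATH_INFO'].to_s
    # Assets served through rack are not counted, as the example
    # configuration's note recommends.
    return @app.call(env) if path.start_with?(@skip_prefix)

    now = @clock.call
    key = cache_key(env['REMOTE_ADDR'], now)
    count = @cache[key] += 1
    if count > @limit
      # Seconds until the current fixed window rolls over.
      retry_after = @period - (now % @period)
      return [429,
              { 'Content-Type' => 'text/plain', 'Retry-After' => retry_after.to_s },
              ["Retry later\n"]]
    end
    @app.call(env)
  end

  # Fixed window: every request whose timestamp falls in the same
  # period-sized bucket shares one counter, exactly like the quoted key.
  def cache_key(ip, now)
    "#{KEY_PREFIX}:#{now / @period}:req/ip:#{ip}"
  end
end

# Constructed demo: a hello-world app behind a throttle of 3 requests / 60 s.
def demo
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ["ok\n"]] }
  clock_now = 1_544_054_400 # constructed timestamp, 2018-12-06 00:00:00 UTC
  throttle = IpThrottle.new(app, limit: 3, period: 60, clock: -> { clock_now })
  env = { 'REMOTE_ADDR' => '203.0.113.7', 'PATH_INFO' => '/items' }

  statuses = 5.times.map { throttle.call(env)[0] }   # => [200, 200, 200, 429, 429]
  assets = throttle.call(env.merge('PATH_INFO' => '/assets/app.css'))[0] # => 200
  clock_now += 60                                     # next window, counter resets
  after = throttle.call(env)[0]                       # => 200
  { statuses: statuses, assets: assets, after_window: after }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two things the real deployment has to get right that this toy skips: behind a load balancer or CDN the IP must come from a trusted `X-Forwarded-For` hop (rack-attack uses `Rack::Request#ip` for that), otherwise every client shares the proxy's address and one window throttles everyone; and the counters must live in a shared store such as Redis or memcached, because a per-process `Hash` gives each app server its own independent limit.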

@weiweishi weiweishi changed the title Bring in rack attack for rate limiting [ERA] Bring in rack attack for rate limiting Jan 11, 2019
@ConnorSheremeta ConnorSheremeta self-assigned this Apr 9, 2019