Questions tagged [rackattack]

Rack middleware for blocking & throttling

Rack::Attack is a rack middleware to protect your web app from bad clients. It allows whitelisting, blacklisting, throttling, and tracking based on arbitrary properties of the request.

GitHub: https://github.com/kickstarter/rack-attack

35 questions
12 votes, 2 answers

Invalid request parameters: invalid %-encoding when uploading a file to a Rails API-only server

I am working on a web app that uses ReactJS as a front-end and a Rails 5 API-only app as a back-end. This is the data that I send to the server as the request payload: ------WebKitFormBoundaryCD1o71UpVNpU4v86 Content-Disposition: form-data;…
Varis Darasirikul
12 votes, 1 answer

Throttle # of requests per user (with rack-attack & devise)

I'm using https://github.com/kickstarter/rack-attack/#throttles to throttle requests to certain URLs. The Rack::Attack docs show how to throttle by request IP or request parameters, but what I'd like to do is throttle requests per user. So no matter the…
ddgd
8 votes, 2 answers

Rails rack-attack gem throttle

I don't know why I cannot use the rack-attack gem. Here is what I did. Gemfile: gem 'rack-attack' (I've installed the gem). config/application.rb: config.middleware.use Rack::Attack. initializers/rack-attack.rb: class Rack::Attack throttle('logins/ip', :limit…
Ramazan Zor
7 votes, 2 answers

Rails: using Kickstarter's rack-attack IP blacklisting with Cloudflare

Rails app, using Kickstarter's rack-attack. Within my config/rack-attack.rb file, I have: class Rack::Attack Rack::Attack.blacklist('block ip') do |req| # Requests are blocked if the return value is truthy '68.888.23.22' == req.ip #…
dmt2989
6 votes, 1 answer

Regex To Detect Basic SQL Injections, But Not As A Means to Prevent SQL Injections

Let me start off by saying that I am confident in the measures I have taken to make sure SQL injection attacks fail. All SQL query values are done via Active Record prepared statements, and all operators, if not hard coded, are done through a system…
rovermicrover
6 votes, 1 answer

Does Rails gracefully handle cache store outages (memcached)?

I'm interested in using https://github.com/kickstarter/rack-attack to throttle abusers and brute-force attackers. My app runs on multiple dynos, so I imagine the Rails default FileStore is not fully effective since there's a filesystem for each…
user1322092
4 votes, 1 answer

Rails: rendering HTML from Rack

I'm using rack-attack. If somebody exceeds the limit I'm using the following code: Rack::Attack.throttled_response = lambda do |env| [429, {}, [ActionView::Base.new.render(file: 'public/429.html')]] end When somebody exceeds the limit on a POST…
Sean Magyar
3 votes, 2 answers

How to add a rate limiter in Ruby on Rails?

In my Ruby on Rails application I am facing certain performance issues. In certain forms more than 2500 requests came from the same IP address at a time. So I used https://github.com/kickstarter/rack-attack to add a rate limiter and track all the request…
Harish Jams
3 votes, 1 answer

Preventing rapid-fire login attempts with Rack::Attack

We have been reading the Definitive Guide to Form-Based Website Authentication with the intention of preventing rapid-fire login attempts. One example of this could be: 1 failed attempt = no delay, 2 failed attempts = 2 sec delay, 3 failed attempts =…
Jacob
3 votes, 1 answer

How to make Rack::Attack work behind a load balancer?

I used the example throttle code for Rack::Attack: throttle('req/ip', limit: 100, period: 5.minutes) do |req| req.ip unless req.path.starts_with?('/assets') end This worked great on our staging server but immediately ran into the limit on…
Kevin Lawrence
3 votes, 3 answers

Rack-Attack: Array of IP addresses

I'm trying to create an array of IP addresses so that when the application is run, Rack-Attack can identify the set of IP addresses that are allowed to access the application. So what I have done is as follows: a = "127.0.0.1" …
user532339
3 votes, 1 answer

Rack-attack and Allow2Ban filtering in Rails 4

I'm implementing Kickstarter's Rack-attack in my Rails app. The whitelist/blacklist filtering is working properly, but I'm having issues with using Allow2Ban to lock out IP addresses that are hammering my sign_in (Devise) page. Note: I'm testing this…
dmt2989
2 votes, 1 answer

Can rack_attack safelist a dynamically-created list of IPs (such as IPs recently used by admins)?

The rack_attack gem offers easy safelisting of a static list of IPs, for example: # config/rack_attack.rb ok_ips = %w[1.1.1.1 2.2.2.2 3.3.3.3] Rack::Attack.safelist('safelist these IPs') do |req| ok_ips.include?(req.ip) end But is there…
jpw
2 votes, 2 answers

rack-attack doesn't blacklist any IP

It's my first interaction with rack-attack, so please feel free to point out any mistakes I might have in the code. What I am trying to do is blacklist those IPs which are trying to access routes like "/azenv.php", "/setup.php" etc. As these people are…
Abhinay
1 vote, 0 answers

Set flash error from Rack::Attack response?

I'm trying to set a flash[:error] to give feedback to the user. I haven't been able to find info on how to implement this. One workaround I'm doing is to redirect with query params and pick that up in the controller, but it's brittle and I'm getting…
Ashbury