Add more comments explaining how we block IPs

c8b2def2 · Jacob Vosmaer · 4a389e76 · c8b2def2 · c8b2def2
Commit c8b2def2 authored Dec 18, 2014 by Jacob Vosmaer
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

config/initializers/rack_attack_git_basic_auth.rb config/initializers/rack_attack_git_basic_auth.rb +2 -0

lib/gitlab/backend/grack_auth.rb lib/gitlab/backend/grack_auth.rb +4 -1

No files found.
--- a/config/initializers/rack_attack_git_basic_auth.rb
+++ b/config/initializers/rack_attack_git_basic_auth.rb
 unless Rails.env.test?
+  # Tell the Rack::Attack Rack middleware to maintain an IP blacklist. We will
+  # update the blacklist from Grack::Auth#authenticate_user.
  Rack::Attack.blacklist('Git HTTP Basic Auth') do |req|
    Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do
      # This block only gets run if the IP was not already banned.

--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -76,7 +76,10 @@ module Grack
      return user if user.present?

      # At this point, we know the credentials were wrong. We let Rack::Attack
-      # know there was a failed authentication attempt from this IP
+      # know there was a failed authentication attempt from this IP. This
+      # information is stored in the Rails cache (Redis) and will be used by
+      # the Rack::Attack middleware to decide whether to block requests from
+      # this IP.
      Rack::Attack::Allow2Ban.filter(@request.ip, Gitlab.config.rack_attack.git_basic_auth) do
        # Return true, so that Allow2Ban increments the counter (stored in
        # Rails.cache) for the IP