Rack::Attack: Protect your app with this one weird gem!

Rack::Attack: Protect your app with this one weird gem!

Mature apps face problems with abusive requests like misbehaving users, malicious hackers, and naive scrapers. Too often they drain developer productivity and happiness.

Rack::Attack is middleware to easily throttle abusive requests.

At Kickstarter, we built it to keep our site fast and reliable with little effort. Learn how Rack::Attack works through examples from kickstarter.com. Spend less time dealing with bad apples, and more time on the fun stuff.

5888fc25101419e40b7de521f8524dad?s=128

Aaron Suggs

April 22, 2014
Tweet

Transcript

  1. 10.
  2. 13.

    # Example rack middleware class MyMiddleware def initialize(app) @app =

    app end ! def call(env) @app.call(env) end end
  3. 14.

    # Example rack middleware class MyMiddleware def initialize(app) @app =

    app end ! def call(env) # Do stuff with the request @app.call(env) end end
  4. 15.

    # Example rack middleware class MyMiddleware def initialize(app) @app =

    app end ! def call(env) # Do stuff with the request @app.call(env) # Do stuff with the response end end
  5. 17.

    # In an initializer… # Throttle IPs to 10 reqs

    every 5 seconds module Rack::Attack throttle("ip", limit: 10, period: 5) {|req| req.ip } end
  6. 18.

    # In an initializer… # Throttle IPs to 10 reqs

    every 5 seconds module Rack::Attack throttle("ip", limit: 10, period: 5) {|req| req.ip } end Rack::Request.new(env)
  7. 19.

    # In an initializer… # Throttle IPs to 10 reqs

    every 5 seconds module Rack::Attack throttle("ip", limit: 10, period: 5) {|req| req.ip } end Discriminator
  8. 21.

    # Making the cache key now = Time.now.to_i ! #

    Key changes each period key = "#{name}:#{now/period}:#{block_return}" ! # => "ip:279569154:127.0.0.1"
  9. 26.
  10. 27.
  11. 28.
  12. 29.

    # Throttle logins per IP throttle('logins/ip', limit: 5, period: 20)

    {|req| ! if req.path == '/login' && req.post? req.ip end ! }
  13. 30.

    # Throttle logins per email throttle('logins/email', limit: 5, period: 20)

    {|req| ! if req.path == '/login' && req.post? req.params['email'].presence end ! }
  14. 33.

    # Starve the trolls # <3 our community support team

    BANNED_IPS = Set.new ['1.2.3.4', '5.6.7.8'] ! blacklist('banned_ip') {|req| BANNED_IPS.include?(req.ip) && ! req.get? }
  15. 38.

    Julian Doherty @ barelyknown Vipul A M Hakan Ensari Zach

    Millman @ alexchee Steve Hodgkiss T.J. Schuck Carsten Zimmermann Salimane Adjao Moustapha Jordan Moncharmont Pedro Nascimento Han Richard Schneeman Tieg Zaharia Navin Tristan Dunn Michael Jelks