Merge pull request #252 from UWM-Libraries/feature/rack-attack

srappel · web-flow · commit 7740e4881c1f · 2025-05-14T09:24:17.000-05:00
Feature/rack attack
diff --git a/Gemfile b/Gemfile
@@ -149,3 +149,6 @@ gem "logger", "1.6.0"
 
 # Nokogiri
 gem "nokogiri", "~> 1.17.0"
+
+# Rack Attack
+gem "rack-attack"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -368,6 +368,8 @@ GEM
       nio4r (~> 2.0)
     racc (1.8.1)
     rack (3.1.14)
+    rack-attack (6.7.0)
+      rack (>= 1.0, < 4)
     rack-proxy (0.7.7)
       rack
     rack-session (2.1.1)
@@ -613,6 +615,7 @@ DEPENDENCIES
   nokogiri (~> 1.17.0)
   passenger (>= 5.0.25)
   puma (~> 6.6)
+  rack-attack
   rackup (~> 2.0)
   rails (~> 7.2.1)
   redis (~> 5.4)
diff --git a/config/environments/development.rb b/config/environments/development.rb
@@ -25,7 +25,10 @@
     config.action_controller.perform_caching = true
     config.action_controller.enable_fragment_cache_logging = true
 
-    config.cache_store = :memory_store
+    config.cache_store = :redis_cache_store, {
+      url: ENV.fetch("REDIS_URL", "redis://localhost:6379/1"),
+      namespace: "geodiscovery"
+    }
     config.public_file_server.headers = {
       "Cache-Control" => "public, max-age=#{2.days.to_i}"
     }
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -59,7 +59,10 @@
   config.log_tags = [:request_id]
 
   # Use a different cache store in production.
-  # config.cache_store = :mem_cache_store
+  config.cache_store = :redis_cache_store, {
+    url: ENV.fetch("REDIS_URL", "redis://localhost:6379/1"),
+    namespace: "geodiscovery"
+  }
 
   # Use a real queuing backend for Active Job (and separate queues per environment).
   # config.active_job.queue_adapter     = :resque
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -0,0 +1,65 @@
+class Rack::Attack
+  ### Configure Cache ###
+
+  # If you don't want to use Rails.cache (Rack::Attack's default), then
+  # configure it here.
+  #
+  # Note: The store is only used for throttling (not blocklisting and
+  # safelisting). It must implement .increment and .write like
+  # ActiveSupport::Cache::Store
+
+  Rack::Attack.cache.store = Rails.cache
+
+  ### Throttle Spammy Clients ###
+
+  # If any single client IP is making tons of requests, then they're
+  # probably malicious or a poorly-configured scraper. Either way, they
+  # don't deserve to hog all of the app server's CPU. Cut them off!
+  #
+  # Note: If you're serving assets through rack, those requests may be
+  # counted by rack-attack and this throttle may be activated too
+  # quickly. If so, enable the condition to exclude them from tracking.
+
+  # Throttle all requests by IP (60rpm)
+  #
+  # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}"
+  throttle("req/ip", limit: 200, period: 5.minutes) do |req|
+    req.ip # unless req.path.start_with?('/assets')
+  end
+
+  # Set up custom logger for Rack::Attack
+  RACK_ATTACK_LOGGER = Logger.new(
+    Rails.root.join("log/rack_attack.log"),
+    10,                         # keep 10 rotated files
+    5 * 1024 * 1024             # 5 MB each
+  )
+  RACK_ATTACK_LOGGER.level = Logger::WARN
+
+  RACK_ATTACK_LOGGER.formatter = proc do |severity, datetime, progname, msg|
+    "[#{datetime.utc.iso8601}] #{severity}: #{msg}\n"
+  end
+
+  ### Custom Throttle Response ###
+
+  # By default, Rack::Attack returns an HTTP 429 for throttled responses,
+  # which is just fine.
+  #
+  # If you want to return 503 so that the attacker might be fooled into
+  # believing that they've successfully broken your app (or you just want to
+  # customize the response), then uncomment these lines.
+  self.throttled_response = lambda do |env|
+    req = Rack::Request.new(env)
+    cache_key = "rack::attack:logged:#{req.ip}"
+
+    unless Rails.cache.exist?(cache_key)
+      RACK_ATTACK_LOGGER.warn "Throttled IP #{req.ip} on path #{req.path}"
+      Rails.cache.write(cache_key, true, expires_in: 5.minutes)
+    end
+
+    [
+      503,
+      {"Content-Type" => "text/plain"},
+      ["Service temporarily unavailable. Please try again later.\n"]
+    ]
+  end
+end
diff --git a/test/middleware/rack_attack_test.rb b/test/middleware/rack_attack_test.rb
@@ -0,0 +1,38 @@
+require "test_helper"
+
+class RackAttackTest < ActionDispatch::IntegrationTest
+  include ActiveSupport::Testing::TimeHelpers
+
+  setup do
+    Rack::Attack.enabled = true
+    Rack::Attack.reset!
+
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+
+    Rack::Attack.throttle("test/req/ip", limit: 3, period: 60) { |req| req.ip }
+
+    Rack::Attack.throttled_responder = lambda do |_request|
+      [
+        503,
+        {"Content-Type" => "text/plain"},
+        ["Service temporarily unavailable. Please try again later.\n"]
+      ]
+    end
+  end
+
+  teardown do
+    Rack::Attack.enabled = false
+    Rack::Attack.reset!
+  end
+
+  test "blocks request after exceeding limit" do
+    3.times do
+      get "/robots.txt", headers: {"REMOTE_ADDR" => "1.2.3.4"}
+      assert_response :success
+    end
+
+    get "/robots.txt", headers: {"REMOTE_ADDR" => "1.2.3.4"}
+    assert_response :service_unavailable
+    assert_match(/Service temporarily unavailable/, response.body)
+  end
+end
