Rack – redpanthers.co

Rack::Attack – secure you rails app for the real world

harikrishnan — Mon, 27 Feb 2017 15:08:19 +0000

Are you worried about the security issues in your Rails app? The rack-attack gem, can help you. Rack::Attack is a rack middleware which provides security to our rails application. It allows us to safelist, blacklist, throttle and to track requests.

If the request matches any safelist, it is allowed.
If the request matches any blocklist, it is blocked.
If the request matches any throttle, a counter is incremented in the Rack::Attack.cache. If any throttle’s limit is exceeded, the request is blocked.
Otherwise, all tracks are checked, and the request is allowed.

Implementation

Install the rack-attack gem, or add it to you Gemfile as:

gem 'rack-attack'

Then tell your app to use the Rack::Attack middleware. For Rails 3+ apps:

# In config/application.rb
config.middleware.use Rack::Attack

Or you can use it in Rackup file as

# In config.ru
use Rack::Attack

By default, Rack Attack uses Rails cache. You can override that by setting the `Rack::Attack.cache.store` value. It is used for throttling. If you want to create use a custom adapter, for example, memory store, create a file called rack_attack.rb in config/initializers to configure Rack Attack and put the following code in the file:

class Rack::Attack
  Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
  ########
end

Throttle

throttle('api/ip', limit: 3, period: 10) do |req|
  req.ip
end

Here we are limiting the request per seconds from the same IP address. Here we are limiting only 3 requests in 10 sec.

Safelist

Rack::Attack.safelist('allow from localhost') do |req|
  '127.0.0.1' == req.ip
end

Above example always allows the request from localhost. And the request is allowed if the value is true.

Blacklist

Rack::Attack.blacklist('block 2.2.2.2') do |req|
  '2.2.2.2' == req.ip
end

Here, it blocks the request from ‘2.2.2.2’.

Fail2Ban: Fail2Ban.filter can be used within a blocklist to block all requests from misbehaving clients. Allow2Ban: Allow2Ban.filter works the same way as the Fail2Ban.filter except that it allows requests from misbehaving clients until such time as they reach maximum retry.

Block logins from a bad user agent

Rack::Attack.blacklist('block bad UA logins') do |req|
  req.path == '/login' && req.post? && req.user_agent == 'BadUA'
end

In the above example, if a bad user tries to login, the request is blocked.

Tracks

Rack::Attack.track("special_agent") do |req|
  req.user_agent == "SpecialAgent"
end

It tracks request from a special user.

Security issues that Rack Attack addresses

Rate limits against DDoS and abusive users

DDoS is short for Distributed Denial of Service. It uses multiple computers and Internet connections to flood the targeted resource.

When you need more security to your rails app, don’t forget to add Rack::Attack in it. It will protect your app from bad clients.

Whitelist Search Engine spiders

Though we blacklist IP’s that are misbehaving, we have to whitelist search engine spiders. But they have a huge range of IP’s. So we can check user agent. But it’s something anyone can fake. We can run a reverse DNS lookup of the accessing IP and perform a forward DNS lookup on the domain (using host command). Verify that it is same as the original IP address from the logs.

References

]]>

How to write your own Rack middleware

anjana — Mon, 09 Jan 2017 07:22:19 +0000

Rack is a Ruby package which provides an interface for a web server to communicate with the application. It is very easy to add middleware components between the web server and the app to customize the way your request/response behaves. The middleware component sits between the client and the server, processing inbound requests and outbound responses. Rack Middleware is an implementation of the pipeline design pattern for web servers using Rack. For example with Rack, we can have separate stages of the pipeline:

Authentication: Checks whether the login details are correct or not when the request arrives.
Authorization: It performs role-based security. i.e. checks whether the user is authorized to perform the particular task.
Caching: Return a cached result if the request is already processed.
Decoration: Enhance the request to make downstream processing better.
Performance & Usage Monitoring: Status get from the request and response.
Execution: actually handle the request and provide a response.

Next, we will see how to build our own rack middleware.

Building your own Rack middleware

To add middleware to a Rack application, all you have to do is tell Rack to use it. You can use multiple middleware components, and they will change the request or response before passing it on to the next component. It uses the configuration file with extension .ru, that instructs Rack::Builder what middleware should it use and in which order. Now, let’s have a look at how to add our own rack middleware to a project. For that, add the following code in config.ru file.: Eg:

use Rack::Lint # gives more descriptive error messages when responses aren't valid
class Example
  def initialize(app)
    @app = app
  end
  def call(env)
    status, headers, body = @app.call(env)
    body.map { |msg| p "Example: #{msg}" }
    [status, headers, body]
  end
end
use Example # Does nothing with uppercase'd response, just logs it to stdout
run -> env {[200, {"Content-Type" => "text/html"}, ["Hello Redpanthers"]]}

In our example, here the response from Example is then passed into the 3rd party Rack middleware Rack::Lint which will let us know if our final response is valid or not. And the first argument of the initialize method is the application or the request handler.Another rule that applies to a middleware class is the call method. The call method executes the application which returns the status, the headers and the body of the response.

Finally, run the server with rackup. It will find config.ru and boot up on the specified port.

$ rackup -s Puma -p 9293
Puma starting in single mode...
Version 3.6.2 (ruby 2.3.1-p112), codename: Sleepy Sunday Serenity
Min threads: 5, max threads: 5
Environment: development
Listening on tcp://localhost:9293
Use Ctrl-C to stop
"Example: Hello Redpanthers"
127.0.0.1 - - [05/Jan/2017:17:48:43 +0530] "GET / HTTP/1.1" 200 - 0.0035
"Example: Hello Redpanthers"
127.0.0.1 - - [05/Jan/2017:17:48:43 +0530] "GET /favicon.ico HTTP/1.1" 200 - 0.0022

Adding it to Rails

We can add the middleware to our Rails app by placing middleware module to lib/ and configure it by using config.middleware in environments/.rb file. As per the above example, we can add the middleware Example in lib/example.rb configure it by using:

config.middleware.use Example

You can add your middleware using any of the following methods:

config.middleware.use(new_middleware, args) – Adds the new middleware at the bottom of the middleware stack.

config.middleware.insert_before(existing_middleware, new_middleware, args) – Adds the new middleware before the specified existing middleware in the middleware stack.

config.middleware.insert_after(existing_middleware, new_middleware, args) – Adds the new middleware after the specified existing middleware in the middleware stack.

Eg:

config.middleware.insert_before Rails::Rack::Lint, Example
config.middleware.insert_after Rails::Rack::Lint, Example

So, by doing the above steps we can make our own rack middleware. Hope it helps you in some way to know about the basics of rack middleware and how to create our own middleware.

References

]]>