Merge pull request #660 from sul-dlss/rack-attack

Add rack-attack to clamp down on badly behaved bots.
sul-dlss · Jul 22, 2024 · 016a32e · 016a32e
2 parents 5910252 + 2117c23
commit 016a32e
Show file tree

Hide file tree

Showing 3 changed files with 75 additions and 0 deletions.
diff --git a/Gemfile b/Gemfile
@@ -86,5 +86,6 @@ gem "rsolr", ">= 1.0", "< 3"
 gem "honeybadger", "~> 5.0"
 gem "okcomputer", "~> 1.18"
 
+gem "rack-attack"
 gem "recaptcha", "~> 5.12"
 gem "redis", ">= 4.0.1"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -299,6 +299,8 @@ GEM
       nio4r (~> 2.0)
     racc (1.8.0)
     rack (3.1.7)
+    rack-attack (6.7.0)
+      rack (>= 1.0, < 4)
     rack-session (2.0.0)
       rack (>= 3.0.0)
     rack-test (2.1.0)
@@ -507,6 +509,7 @@ DEPENDENCIES
   pg (~> 1.4)
   propshaft (~> 0.6.4)
   puma (~> 6.0)
+  rack-attack
   rails (~> 7.1.1)
   recaptcha (~> 5.12)
   redis (>= 4.0.1)

diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Rack
+  ##
+  # See https://github.com/kickstarter/rack-attack/blob/master/docs/example_configuration.md
+  # for more configuration options
+  class Attack
+    ### Throttle Spammy Clients ###
+
+    # If any single client IP is making tons of requests, then they're
+    # probably malicious or a poorly-configured scraper. Either way, they
+    # don't deserve to hog all of the app server's CPU. Cut them off!
+    #
+    # Note: If you're serving assets through rack, those requests may be
+    # counted by rack-attack and this throttle may be activated too
+    # quickly. If so, enable the condition to exclude them from tracking.
+
+    # Throttle all requests by IP (60rpm)
+    #
+    # Key: "rack::attack:#{Time.now.to_i/:period}:req/ip:#{req.ip}"
+    throttle('req/ip', limit: 300, period: 5.minutes, &:ip)
+
+    # Throttle search requests by IP (15rpm)
+    Rack::Attack.throttle('req/search/ip', limit: 15, period: 1.minute) do |req|
+      route = begin
+        Rails.application.routes.recognize_path(req.path) || {}
+      rescue StandardError
+        {}
+      end
+
+      req.ip if route[:controller] == 'catalog' && (route[:action] == 'index' || route[:action] == 'facet')
+    end
+
+    # Throttle document actions requests by IP (15rpm)
+    Rack::Attack.throttle('req/actions/ip', limit: 15, period: 1.minute) do |req|
+      route = begin
+        Rails.application.routes.recognize_path(req.path) || {}
+      rescue StandardError
+        {}
+      end
+
+      req.ip if route[:action].in? %w[email sms]
+    end
+
+    # Inform throttled clients about limits and when they will get out of jail
+    Rack::Attack.throttled_response_retry_after_header = true
+    Rack::Attack.throttled_responder = lambda do |request|
+      match_data = request.env['rack.attack.match_data']
+      now = match_data[:epoch_time]
+
+      if Settings.throttling.notify_honeybadger && (
+        ((match_data[:limit] - match_data[:count]) < 5) || (match_data[:count] % 10).zero?
+      )
+        Honeybadger.notify('Throttling request', context: { ip: request.ip, path: request.path }.merge(match_data))
+      end
+
+      headers = {
+        'RateLimit-Limit' => match_data[:limit].to_s,
+        'RateLimit-Remaining' => '0',
+        'RateLimit-Reset' => (now + (match_data[:period] - (now % match_data[:period]))).to_s
+      }
+
+      [429, headers, ["Throttled\n"]]
+    end
+
+    # Safelist the following IP ranges:
+    Rack::Attack.safelist_ip('171.64.0.0/14')
+    Rack::Attack.safelist_ip('10.0.0.0/8')
+    Rack::Attack.safelist_ip('172.16.0.0/12')
+  end
+end