Rate Limiting

Implement rate limiting using the rack-attack gem to enhance the security of your Rails application and prevent abuse. This gem helps throttle excessive requests and block abusive traffic efficiently.

Follow these step-by-step instructions to integrate rack-attack into your Lightning Rails app.

Step 1: Add the rack-attack Gem

First, add the to your Gemfile:

gem 'rack-attack'

Then, install the gem by running:

bundle install

Step 2: Configure rack-attack

Now, configure the rate limiting rules by creating an initializer file:

touch config/initializers/rack_attack.rb

Open the file and add the following configuration:

class Rack::Attack
  # Throttle requests from the same IP address to 5 requests per second
  throttle('req/ip', limit: 5, period: 1.second) do |req|
    req.ip
  end

  # Block IPs that fail authentication too many times
  Rack::Attack.blocklist('block bad IPs') do |req|
    Rack::Attack::Fail2Ban.filter("bad-ips", maxretry: 5, findtime: 1.minute, bantime: 5.minutes) do
      req.ip if req.path == "users/sign_in" || "users/sign_up" && req.post?
    end
  end

  # Allow whitelisted IPs to bypass rate limits
  safelist('allow from localhost') do |req|
    '127.0.0.1' == req.ip
  end

  # Log blocked requests
  ActiveSupport::Notifications.subscribe("rack.attack") do |name, start, finish, request_id, payload|
    Rails.logger.info "[Rack::Attack] Throttled: #{payload[:request].ip}" if payload[:request]
  end
end

This configuration:

• Limits all requests to 5 per second per IP.

• Blocks IPs that exceed 5 failed login attempts within a minute.

• Allows localhost (127.0.0.1) to bypass rate limits, you can add other IPs if needed

• Logs blocked requests for monitoring on your production server.

This last point was very usefull to me as when I suspected a bot attack, I checked the IP address and realised it was Google's IP address trying to index my site 😅

Step 3: Test Your Configuration

1. Restart Your Server Run the following command to apply the changes:

   Copy

   shCopyEditrails restart

2. Monitor Logs Check your Rails logs (log/development.log) to see if any IPs are being throttled or blocked:

   Copy

   shCopyEdittail -f log/development.log

   If rate limits are hit, you will see messages like:

   Copy

   cppCopyEdit[Rack::Attack] Throttled: 192.168.1.100

3. Adjust Limits

   • Modify the limit and period values to suit your needs.

   • Tweak maxretry, findtime, and bantime for authentication-related restrictions.

   • Add custom rules to protect specific endpoints like API requests.

Step 4: Deploy and Monitor

Once tested locally, deploy your changes to production. Monitor logs and adjust limits based on real-world traffic patterns.

You can also integrate Redis for better performance with large-scale applications.

Final Thoughts

By following these steps, you've successfully added rate limiting to your Rails app using rack-attack. This helps prevent abuse, enhance security, and optimize resource usage efficiently.

Happy coding! 🚀