More elegant way to block IPs?

[pisaacs]

The current documentation illustrates a static method to blocking/blacklisting an ip address:

# Block requests from 1.2.3.4
Rack::Attack.blacklist('block 1.2.3.4') do |req|
  # Requests are blocked if the return value is truthy
  '1.2.3.4' == req.ip
end

I've been thinking about a more "elegant" (i.e., dynamic really) solution to blocking/blacklisting IPs. How about the following approach?

Rack::Attack.blacklist('block <ip>') do |req|
  # if variable `block <ip>` exists in cache store, then we'll block the request
  Rails.cache.fetch("block #{req.ip}").blank?
end

In the case of ip 1.2.3.4, this snippet simply checks if the cache store has a variable called block 1.2.3.4, which can be managed by a site maintainer via Rails console:

rails c
Rails.cache.write('block 1.2.3.4', true, expires_in: 5.days)

Thoughts? I haven't tested this out. If you think the approach is good, we can update the docs.

Edit
Meant Rails.cache.fetch("block #{req.ip}").present? instead of Rails.cache.fetch("block #{req.ip}").blank?

[zmillman]

In this block, blank? should be present?

Rack::Attack.blacklist('block <ip>') do |req|
  # if variable `block <ip>` exists in cache store, then we'll block the request
  Rails.cache.fetch("block #{req.ip}").blank?
end

---

And yep, this sounds like a reasonable way to manage a blacklist set by admins.

We could make an "Advanced Configuration" page in the project wiki to record these sorts of advanced techniques. We can link to that page from the README and "Example Configuration" to keep the README simple :)

Some other possible techniques for inclusion:

• Exponential backoff - Implement exponential backoff #106
• Blacklist from env variables - Blacklisting by Heroku parameter variables #110
• Helper to filter by subdomains - Support for subdomains #73
• Handle requests with basic auth - Throttling Basic Auth #47

[zmillman]

Also, if you're using a redis instance as your caching store, I believe you can use sets as values which would be an easier data structure to manage (otherwise how would you list the currently blacklisted IPs?)

[pisaacs]

Ahh, yes, I meant .present? instead of .blank?.

I like the idea of an "Advanced Configuration" page on the wiki...

[zmillman]

https://github.com/kickstarter/rack-attack/wiki/Advanced-Configuration 😀

[pisaacs]

👍 pure awesomeness. Thanks @zmillman!

[ktheory]

👏 Thanks @zmillman

[zmillman]

Any time 😺

I think this can be closed now?