GitLab Error: Forbidden

Error: Forbidden

Rack::Attack

This article covers the situation where all GitLab URLs suddenly start returning a Forbidden error.

This error is caused by a security measure configured in GitLab: the client IP address has been added to the blacklist.

If we check the logs, it will show some "Rack::Attack" messages.

#grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log

This shows the IP addresses that were added to the ban list, which is why the GitLab URLs start returning the Forbidden error.

To remove an IP address from the blacklist, log in to Redis using the CLI.

#/opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket

Then delete the required IP address from the list.

>del cache:gitlab:rack::attack:allow2ban:ban:<ip>

Here <ip> needs to be replaced with the required IP address.

The GitLab URLs should now start working. Note that this is temporary, and the IP address may get blacklisted again.
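
Before deleting a ban key, it helps to see how often each address tripped Rack::Attack and on which paths. The script below is an added example, not part of the original article; it assumes auth.log lines are JSON with "remote_ip" and "path" fields, and the function names and sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-IP summary of Rack_Attack log entries plus the Redis ban
# key for each address, for review before a key is deleted.
# Assumption: auth.log lines are JSON with "remote_ip" and "path" fields.

# Key prefix as used in the article's del command.
BAN_KEY_PREFIX='cache:gitlab:rack::attack:allow2ban:ban:'

# Constructed sample lines (documentation-range addresses, not real data).
sample_log() {
cat <<'EOF'
{"severity":"ERROR","message":"Rack_Attack","env":"blacklist","remote_ip":"203.0.113.7","request_method":"GET","path":"/group/app.git/info/refs"}
{"severity":"ERROR","message":"Rack_Attack","env":"blacklist","remote_ip":"203.0.113.7","request_method":"GET","path":"/group/app.git/info/refs"}
{"severity":"ERROR","message":"Rack_Attack","env":"blacklist","remote_ip":"203.0.113.7","request_method":"POST","path":"/group/app.git/git-upload-pack"}
{"severity":"ERROR","message":"Rack_Attack","env":"blacklist","remote_ip":"198.51.100.23","request_method":"GET","path":"/group/docs.git/info/refs"}
{"severity":"INFO","message":"unrelated event","remote_ip":"192.0.2.10"}
EOF
}

# Read log lines on stdin; print "<hits> <ip> <redis ban key>", busiest first.
rack_attack_summary() {
  grep 'Rack_Attack' |
    sed -n 's/.*"remote_ip":"\([^"]*\)".*/\1/p' |
    grep -E '^[0-9A-Fa-f.:]+$' |   # keep only values shaped like an IP address
    sort | uniq -c | sort -rn |
    while read -r hits ip; do
      printf '%s %s %s%s\n' "$hits" "$ip" "$BAN_KEY_PREFIX" "$ip"
    done
}

# Read log lines on stdin; print the distinct request paths logged for IP $1.
rack_attack_paths() {
  grep 'Rack_Attack' |
    grep -F "\"remote_ip\":\"$1\"" |
    sed -n 's/.*"path":"\([^"]*\)".*/\1/p' |
    sort -u
}

# Demo on the sample; on a server, feed the real log instead:
#   rack_attack_summary < /var/log/gitlab/gitlab-rails/auth.log
sample_log | rack_attack_summary
sample_log | rack_attack_paths 203.0.113.7
```

An address with many hits on Git paths it has no reason to use is worth investigating rather than unbanning.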

It's better to whitelist our IP address permanently in GitLab so that we can avoid this issue in the future.

To add IP addresses to the whitelist, open the GitLab configuration file.

#/etc/gitlab/gitlab.rb

Then add/modify the following lines and save.

gitlab_rails['rack_attack_git_basic_auth'] = {
  'enabled' => true,
  'ip_whitelist' => ["127.0.0.1","ip2","ip2"],
  'maxretry' => 10, # Limit the number of Git HTTP authentication attempts per IP
  'findtime' => 60, # Reset the auth attempt counter per IP after 60 seconds
  'bantime' => 3600 # Ban an IP for one hour (3600s) after too many auth attempts
}

Here we can specify all the required IP addresses in the ip_whitelist list.

The following variables are also configurable in this section.

enabled: By default this is set to false. Set this to true to enable Rack Attack.
ip_whitelist: Whitelist any IPs from being blocked. They must be formatted as strings within a Ruby array. CIDR notation is supported in GitLab v12.1 and up. For example, ["127.0.0.1", "127.0.0.2", "127.0.0.3", "192.168.0.1/24"].
maxretry: The maximum amount of times a request can be made in the specified time.
findtime: The maximum amount of time that failed requests can count against an IP before it’s blacklisted (in seconds).
bantime: The total amount of time that a blacklisted IP is blocked (in seconds).

Reconfigure GitLab once the changes are done.

#gitlab-ctl reconfigure

That's all…
