Gitlab Error: Forbidden

July 19, 2021July 19, 2021 admin

Error: Forbidden

Rack::Attack

In this article we are discussing the situation where all the Gitlab urls suddenly showing up Forbidden error.

This error is because of one securty measure configured in Gitlab and the ipaddress should be added to the blacklist.

If we check the logs, it will show some "Rack::Attack" messages.

#grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log

This will provide the ipaddresses those added to the banlist and as a reason Gitlab urls starts showing Forbidden error.

If we need to remove ipaddress from blacklist, login to the redis using cli.

#/opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket

Then delete the required ipaddress from the list.

>del cache:gitlab:rack::attack:allow2ban:ban:<ip>

Here ip need to be replaced with the required ipaddress.

Now the Gitlab urls should starts working and note that this is temporary and there may be a chance to get the ipaddress again blacklisted.

Its better to whitelist our ipaddress permanently in Gitlab so that we can avoid this issue in future.

For adding ipaddresss to the whitelist, open the Gitlab configuration file.

#/etc/gitlab/gitlab.rb

Then add/modify the following lines and save.

gitlab_rails['rack_attack_git_basic_auth'] = {
  'enabled' => true,
  'ip_whitelist' => ["127.0.0.1","ip2","ip2"],
  'maxretry' => 10, # Limit the number of Git HTTP authentication attempts per IP
  'findtime' => 60, # Reset the auth attempt counter per IP after 60 seconds
  'bantime' => 3600 # Ban an IP for one hour (3600s) after too many auth attempts
}

Here we can specify all the requires ipaddresses in the ip_whitelist list.

The following varaibles are also configurable in this section.

enabled: By default this is set to false. Set this to true to enable Rack Attack.
ip_whitelist: Whitelist any IPs from being blocked. They must be formatted as strings within a Ruby array. CIDR notation is supported in GitLab v12.1 and up. For example, ["127.0.0.1", "127.0.0.2", "127.0.0.3", "192.168.0.1/24"].
maxretry: The maximum amount of times a request can be made in the specified time.
findtime: The maximum amount of time that failed requests can count against an IP before it’s blacklisted (in seconds).
bantime: The total amount of time that a blacklisted IP is blocked (in seconds).

Reconfigured the Gitlab once done the changes.

#gitlab-ctl reconfigure

That's all…

M	T	W	T	F	S	S
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

TECHIES WORLD

Gitlab Error: Forbidden

Leave a Reply Cancel reply