All notable changes to this project will be documented in this file.
6.6.0 - 2022-01-29
- Ability to have access to the `request` object instead of only `env` (still can access env with `request.env`) when customizing throttle and blocklist responses with new methods `Rack::Attack.blocklisted_responder=` and `Rack::Attack.throttled_responder=`, which yield the request to your lambda. (@NikolayRys)
- Deprecated `Rack::Attack.blocklisted_response=` and `Rack::Attack.throttled_response=` in favor of the responder methods above.
6.5.0 - 2021-02-07
- Added ability to normalize throttle discriminator by setting `Rack::Attack.throttle_discriminator_normalizer` (@fatkodima). Example:
  `Rack::Attack.throttle_discriminator_normalizer = ->(discriminator) { ... }`
  or disable default normalization with:
  `Rack::Attack.throttle_discriminator_normalizer = nil`
- Dropped support for ruby v2.4
- Dropped support for rails v5.1
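The following is an added example (not from the changelog or the rack-attack gem) showing the two hooks described in 6.6.0 and 6.5.0 together: a discriminator normalizer and a throttled responder that receives the request and emits a `Retry-After` header computed from the match data. The normalization policy, the `rack.attack.match_data` env key with its `:period`/`:epoch_time` entries, and the `FakeRequest` stand-in are assumptions so the file also runs without the gem installed.

```ruby
# Added example, not code from the rack-attack changelog or the gem itself.
begin
  require "rack/attack" # optional: only needed to actually install the hooks
rescue LoadError
  # Gem not installed; the lambdas below still work on their own.
end

# 6.5.0: every throttle discriminator passes through this before it is used as
# a cache key. Assumed policy: strip, lower-case, unwrap IPv4-mapped IPv6 so
# "::ffff:10.0.0.7" and "10.0.0.7" share one counter.
THROTTLE_DISCRIMINATOR_NORMALIZER = lambda do |discriminator|
  value = discriminator.to_s.strip.downcase
  value.sub(/\A::ffff:(\d{1,3}(?:\.\d{1,3}){3})\z/, '\1')
end

# 6.6.0: the throttled responder is handed the request object (env is still
# reachable via request.env). Assumed: the match data hash lives under
# "rack.attack.match_data" and carries :period and the :epoch_time that was
# used for caching, so Retry-After is derived without a second clock read.
THROTTLED_RESPONDER = lambda do |request|
  data = request.env.fetch("rack.attack.match_data", {})
  period = data[:period]
  headers = { "Content-Type" => "text/plain" }
  headers["Retry-After"] = (period - (data[:epoch_time] % period)).to_s if period
  [429, headers, ["Throttled, retry later\n"]]
end

BLOCKLISTED_RESPONDER = lambda do |_request|
  [403, { "Content-Type" => "text/plain" }, ["Forbidden\n"]]
end

if defined?(Rack::Attack)
  Rack::Attack.throttle_discriminator_normalizer = THROTTLE_DISCRIMINATOR_NORMALIZER
  Rack::Attack.throttled_responder = THROTTLED_RESPONDER
  Rack::Attack.blocklisted_responder = BLOCKLISTED_RESPONDER
end

# Minimal stand-in for Rack::Request, used only when running this file alone.
FakeRequest = Struct.new(:env)

# Builds a constructed env for a throttle hit and runs the responder on it.
def demo_throttled_response(period:, epoch_time:)
  env = { "rack.attack.match_data" => { period: period, epoch_time: epoch_time } }
  THROTTLED_RESPONDER.call(FakeRequest.new(env))
end
```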
6.4.0 - 2021-01-23
- Added support for ruby v3.0
- Dropped support for ruby v2.3
6.3.1 - 2020-05-21
- Warning when using `ActiveSupport::Cache::RedisCacheStore` as a cache store with rails 5.2.4.3 (#482) (@rofreg)
6.3.0 - 2020-04-26
- `Rack::Attack.reset!` to reset state (#436) (@fatkodima)
- `Rack::Attack.throttled_response_retry_after_header=` setting that enables a `Retry-After` response header when client is throttled (#440) (@fatkodima)
- No longer swallow Redis non-connection errors if Redis is configured as cache store (#450) (@fatkodima)
- `Rack::Attack.clear_configuration` also clears `blocklisted_response` and `throttled_response` back to defaults
6.2.2 - 2019-12-18
- Fixed occasional `Redis::FutureNotReady` error (#445) (@fatkodima)
6.2.1 - 2019-10-30
- Remove unintended side-effects on Rails app initialization order. It was potentially affecting the order of `config/initializers/*` with respect to gem initializers (#457)
6.2.0 - 2019-10-12
- Failsafe on Redis error replies in RedisCacheStoreProxy (#421) (@cristiangreco)
- Rack::Attack middleware is now auto added for Rails 5.1+ apps to simplify gem setup (#431) (@fatkodima)
- You can disable Rack::Attack with `Rack::Attack.enabled = false` (#431) (@fatkodima)
6.1.0 - 2019-07-11
- Provide throttle discriminator in the env `throttle_data`
6.0.0 - 2019-04-17
- `#blocklist` and `#safelist` name argument (the first one) is now optional.
- Added support to subscribe only to specific event types via `ActiveSupport::Notifications`, e.g. subscribe to the `throttle.rack_attack` or the `blocklist.rack_attack` event.
- Changed `ActiveSupport::Notifications` event naming to comply with the recommended format.
- Changed `ActiveSupport::Notifications` event so that the 5th yielded argument to the `#subscribe` method is now a `Hash` instead of a `Rack::Attack::Request`, to comply with `ActiveSupport`'s spec. The original request object is still accessible, being the value of the hash's `:request` key.
- Subscriptions via `ActiveSupport::Notifications` to the `"rack.attack"` event will continue to work (receive event notifications), but it is going to be removed in a future version. Replace the event name with `/rack_attack/` to continue to be subscribed to all events, or `"throttle.rack_attack"` e.g. for specific type of events only.
- Removed support for ruby 2.2.
- Removed support for obsolete memcache-client as a cache store.
- Removed deprecated methods `#blacklist` and `#whitelist` (use `#blocklist` and `#safelist` instead).
5.4.2 - 2018-10-30
- Fix unexpected error when using `redis` 3 and any store which is not proxied
- Provide better information in `MisconfiguredStoreError` exception message to aid end-user debugging
5.4.1 - 2018-09-29
- Make `ActiveSupport::Cache::MemCacheStore` also work as expected when initialized with pool options (e.g. `pool_size`). Thank you @jdelStrother.
5.4.0 - 2018-07-02
- Support "plain" `Redis` as a cache store backend (#280). Thanks @bfad and @ryandv.
- When overwriting `Rack::Attack.throttled_response` you can now access the exact epoch integer that was used for caching so your custom code is less prone to race conditions (#282). Thanks @doliveirakn.
- Explicitly declare ancient `rack 0.x` series as incompatible in gemspec
5.3.2 - 2018-06-25
- Don't raise exception `The Redis cache store requires the redis gem` when using `ActiveSupport::Cache::MemoryStore` as a cache store backend
5.3.1 - 2018-06-20
- Make `ActiveSupport::Cache::RedisCacheStore` also work as expected when initialized with pool options (e.g. `pool_size`)
5.3.0 - 2018-06-19
- Add support for `ActiveSupport::Cache::RedisCacheStore` as a store backend (#340 and #350)
5.2.0 - 2018-03-29
- Shorthand for blocking an IP address `Rack::Attack.blocklist_ip("1.2.3.4")` (#320)
- Shorthand for blocking an IP subnet `Rack::Attack.blocklist_ip("1.2.0.0/16")` (#320)
- Shorthand for safelisting an IP address `Rack::Attack.safelist_ip("5.6.7.8")` (#320)
- Shorthand for safelisting an IP subnet `Rack::Attack.safelist_ip("5.6.0.0/16")` (#320)
- Throw helpful error message when using `allow2ban` but cache store is misconfigured (#315)
- Throw helpful error message when using `fail2ban` but cache store is misconfigured (#315)
5.1.0 - 2018-03-10
- Fixes edge case bug when using ruby 2.5.0 and redis #253 (#271)
- Throws errors with better semantics when store caches are missing or misconfigured, to aid developers in debugging their configs (#274)
- Removed legacy code that was originally intended for Rails 3 apps (#264)
5.0.1 - 2016-08-11
- Fixes arguments passed to deprecated internal methods. (#198)
5.0.0 - 2016-08-09
- Deprecate `whitelist`/`blacklist` in favor of `safelist`/`blocklist`. (#181, thanks @renee-travisci). To upgrade and fix deprecations, find and replace instances of `whitelist` and `blacklist` with `safelist` and `blocklist`. If you reference `rack.attack.match_type`, note that it will have values like `:safelist`/`:blocklist`.
- Remove test coverage for unsupported ruby dependencies: ruby 2.0, activesupport 3.2/4.0, and dalli 1.
4.4.1 - 2016-02-17
- Fix a bug affecting apps using Redis::Store and ActiveSupport that could generate an error saying dalli was a required dependency. I learned all about ActiveSupport autoloading. (#165)
4.4.0 - 2016-02-10
- New: support for MemCacheStore (#153). Thanks @elhu.
- Some documentation and test harness improvements.
4.3.1 - 2015-12-18
- SECURITY FIX: Normalize request paths when using ActionDispatch. Thanks Andres Riancho at @includesecurity for reporting it.
- Remove support for ruby 1.9.x
- Add Code of Conduct
- Several documentation and testing improvements
4.3.0 - 2015-05-22
- Redis proxy passes `raw: true` (thanks @stanhu)
- Redis supports `delete` method to be consistent with Dalli (thanks @stanhu)
- Support the ability to reset Fail2Ban count and ban flag (thanks @stanhu)
4.2.0 - 2014-10-26
- Throttle's `period` argument now takes a proc as well as a number (thanks @gsamokovarov)
- Invoke the `#call` method on `blocklist_response` and `throttle_response` instead of `#[]`, as per the Rack spec. (thanks @gsamokovarov)
4.1.1 - 2014-09-11
- Fix a race condition in throttles that could allow more requests than intended.
4.1.0 - 2014-05-22
- Tracks take an optional limit and period to only notify once a threshold is reached (similar to throttles). Thanks @chiliburger!
- Default throttled & blocklist responses have Content-Type: text/plain
- Rack::Attack.clear! resets tracks
4.0.1 - 2014-05-14
- Add throttle discriminator to rack env (thanks @blahed)
4.0.0 - 2014-04-28
- Implement proxy for Dalli with better Memcachier support. (thanks @hakanensari)
- Rack::Attack.new returns an instance to ease testing. (thanks @stevehodgkiss) [Changing a module to a class is not backwards compatible, hence v4.0.0.]
- Use Rack::Attack::Request subclass of Rack::Request for easier extending (thanks @tristandunn)
- Test more dalli versions.
3.0.0 - 2014-03-15
- Change default blocklisted response to 403 Forbidden (thanks @carpodaster).
- Fail gracefully when Redis store is not available; rescue exception and don't throttle request. (thanks @wkimeria)
- TravisCI runs integration tests.
2.3.0 - 2013-10-11
- Allow throttle `limit` argument to be a proc. (thanks @lunks)
- Add Allow2Ban, complement of Fail2Ban. (thanks @jormon)
- Improved TravisCI testing
2.2.1 - 2013-08-13
- Add license to gemspec
- Support ruby version 1.9.2
- Change default blocklisted response code from 503 to 401; throttled response from 503 to 429.
2.2.0 - 2013-06-20
- Fail2Ban filtering. See README for details. Thx @madlep!
- Introduce StoreProxy to more cleanly abstract cache stores. Thx @madlep.
- Start keeping changelog
- Fix `Redis::CommandError` when using ActiveSupport numeric extensions (e.g. `1.second`)
- Remove unused variable
- Extract mandatory options to constants