Slowly Making Money Blog

October 9, 2019

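Fixing GitLab 403 Forbidden (GitLab's Rack::Attack mechanism)

Version: GitLab Community Edition 10.8.7

Symptom: a small number of users get 403 Forbidden when accessing GitLab over the web.

Cause: GitLab includes the Rack::Attack module, which guards against malicious IPs hammering the server. Its detailed documentation: https://docs.gitlab.com/ee/security/rack_attack.html

To confirm whether this is the cause:

1. Check the log: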
# cd /var/log/gitlab/gitlab-rails/
# grep 'Rack_Attack' production.log|more
Rack_Attack: blacklist 192.130.160.212 GET /xxx
Rack_Attack: blacklist 192.130.160.212 GET /xxxxxx
Rack_Attack: blacklist 192.130.160.212 GET /xxxxxxxx
Confirm whether this IP is the affected visitor's IP.
2. Connect to redis:
# /opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket
redis /var/opt/gitlab/redis/redis.socket> keys *rack::attack*
1) "cache:gitlab:rack::attack:26176509:allow2ban:count:192.130.160.212"
2) "cache:gitlab:rack::attack:allow2ban:ban:192.130.160.212"

These two steps are enough to confirm that this is the cause. Deleting that entry in redis clears the ban:
del cache:gitlab:rack::attack:allow2ban:ban:192.130.160.212
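
The two checks above combined into one script, as an added example that is not part of the original post: it counts Rack_Attack blacklist hits per IP in the log and maps each IP to the ban key to inspect in redis. The function names and the sample log are constructed for illustration; the key format and the redis paths are the ones shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post.

# Count Rack_Attack blacklist hits per client IP.
# Reads the given log file(s), or stdin when no file is given.
# Output: "<hits> <ip>" per line, most frequently blocked first.
rack_attack_hits() {
    grep 'Rack_Attack: blacklist' "$@" \
      | sed -n 's/.*Rack_Attack: blacklist \([0-9a-fA-F.:]*\) .*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Ban key name for an IP, in the form the post found in redis.
ban_key() {
    printf 'cache:gitlab:rack::attack:allow2ban:ban:%s\n' "$1"
}

# One line per blocked IP: hits, ip, redis key to inspect.
report() {
    rack_attack_hits "$@" | while read -r hits ip; do
        printf '%s %s %s\n' "$hits" "$ip" "$(ban_key "$ip")"
    done
}

# On the GitLab host: show the remaining ban time in seconds for each IP.
# TTL returns -2 when no ban key exists (the ban has already expired).
# Usage: check_bans /var/log/gitlab/gitlab-rails/production.log
check_bans() {
    redis_cli=/opt/gitlab/embedded/bin/redis-cli
    redis_sock=/var/opt/gitlab/redis/redis.socket
    report "$@" | while read -r hits ip key; do
        ttl=$("$redis_cli" -s "$redis_sock" ttl "$key" </dev/null)
        printf '%s hits=%s ban_ttl=%s\n' "$ip" "$hits" "$ttl"
    done
}

# Constructed sample log, modelled on the lines shown in the post.
sample_log() {
cat <<'EOF'
Rack_Attack: blacklist 192.130.160.212 GET /xxx
Started GET "/users/sign_in" for 198.51.100.7
Rack_Attack: blacklist 192.130.160.212 GET /xxxxxx
Rack_Attack: blacklist 203.0.113.9 GET /xxx
EOF
}
```

Looking up the exact ban key with ttl avoids running keys with a wildcard, which scans the whole keyspace on a busy instance.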

Summary: starting with version 11, this feature is officially disabled by default:
Note: Starting with GitLab 11.2, Rack Attack is disabled by default. If your instance is not exposed to the public internet, it is recommended that you leave Rack Attack disabled.

Written by moneyslow.com
