@Piwido
Created October 2, 2024 08:58
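# config/initializers/rack_attack.rb
#
# Rack::Attack configuration for the public (unauthenticated) entry points.
# A client IP that makes more than the allowed number of requests to those
# paths inside the observation window is banned for BAN_TIME; while the ban
# lasts, every request from that IP gets the response built by
# `blocklisted_responder` below.
class Rack::Attack
  # Configuration for Rack::Attack
  BAN_TIME = 10.minutes.freeze
  # GET requests
  MAX_ATTEMPTS_GET = 20
  OBSERVATION_TIME_GET = 1.minute
  PUBLIC_PATHS_GET = ["/", "/sign_in", "/sign_up"].freeze
  # POST requests
  PUBLIC_PATHS_POST = ["/sign_in", "/password", "/sign_up"].freeze
  MAX_ATTEMPTS_POST = 25
  OBSERVATION_TIME_POST = 2.minutes

  # Status returned to a banned client.
  # NOTE(review): "/" is one of the counted paths, so a load-balancer health
  # check or uptime monitor polling "/" from a single IP more than
  # MAX_ATTEMPTS_GET times per OBSERVATION_TIME_GET would ban itself and then
  # see this status — confirm the health-check path, or safelist the checker.
  BLOCKED_HTTP_CODE = 503

  # Path compared against the public-path lists.
  # Rails routing recognises "/sign_in/" as the same action as "/sign_in", so
  # the trailing slash is stripped here; without that a client could dodge the
  # counter by appending one "/". The root path "/" is kept as is (chomp would
  # turn it into ""). Query strings are not part of Rack::Request#path.
  NORMALIZED_PATH = lambda do |path|
    path == "/" ? path : path.chomp("/")
  end

  # Blocks GET requests
  # Blocks for BAN_TIME after MAX_ATTEMPTS_GET requests in OBSERVATION_TIME_GET.
  # The counter and the ban are keyed on req.ip. Behind a reverse proxy that
  # is presumably only the real client address when the proxy is covered by
  # the app's trusted-proxy setting; otherwise all clients share the proxy's
  # IP and one abuser bans everyone — confirm against the deployment.
  Rack::Attack.blocklist("block abusive get requests") do |req|
    Rack::Attack::Allow2Ban.filter("public-get:#{req.ip}",
                                   maxretry: MAX_ATTEMPTS_GET,
                                   findtime: OBSERVATION_TIME_GET,
                                   bantime: BAN_TIME) do
      req.get? && PUBLIC_PATHS_GET.include?(NORMALIZED_PATH.call(req.path))
    end
  end

  # Blocks POST requests
  # Blocks for BAN_TIME after MAX_ATTEMPTS_POST requests in OBSERVATION_TIME_POST.
  # Every POST to a public path counts, successful or not; the limit is per
  # source IP only (same trusted-proxy caveat as above).
  Rack::Attack.blocklist("block abusive post requests") do |req|
    Rack::Attack::Allow2Ban.filter("public-post:#{req.ip}",
                                   maxretry: MAX_ATTEMPTS_POST,
                                   findtime: OBSERVATION_TIME_POST,
                                   bantime: BAN_TIME) do
      req.post? && PUBLIC_PATHS_POST.include?(NORMALIZED_PATH.call(req.path))
    end
  end

  # Custom response for blocked requests: BLOCKED_HTTP_CODE, an empty body and
  # a Retry-After hint so well-behaved clients back off instead of retrying
  # into the ban. BAN_TIME (in seconds) is an upper bound on the remaining ban,
  # which is all the header promises. The header name is lowercase so the
  # response is valid under Rack 3 as well as Rack 2.
  Rack::Attack.blocklisted_responder = lambda do |_request|
    [BLOCKED_HTTP_CODE, { "retry-after" => BAN_TIME.to_i.to_s }, []]
  end
end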