This gem provides a Rails-based frontend and middleware to deny access to particular parts of your application. This is especially useful in an incident response scenario such as deployment of unperformant code, or a denial of service attack.
Mission Control - Web can be configured via the admin interface to block requests whose path matched a regex pattern. If the requested path matches any "Denied" path, it will be blocked with a 503 HTTP status code.
You can choose to deploy Mission Control - Web admin and middleware both in the same Rails app, or two separate apps, a protected Rails app and an admin app.
The benefit of using two separate apps is that if your protected app is attacked or suffers a performance issue, it may become inaccessible while an admin app does not.
Add this line to your application's Gemfile:
gem "mission_control-web"
And then execute:
$ bundle
then, follow the instructions below for a single app, or a separate admin app.
And then execute:
$ bin/rails generate mission_control:web:install
After adding the mission_control-web
gem, in your admin app:
$ bin/rails generate mission_control:web:install:admin
and in your protected Rails app:
$ bin/rails generate mission_control:web:install:middleware
Configure Mission Control - Web with a Redis client.
# config/initializers/mission_control_web.rb
config.mission_control.web.redis = Redis.new(url: "redis://server:6379/0")
config.mission_control.web.administered_applications = [ { name: "My Rails App", redis: Redis.new(url: "redis://server:6379/0") } ]
By default, Mission Control's controllers will extend the host app's ApplicationController. If no authentication is enforced, the admin pages will be available to everyone. You might want to implement some kind of authentication for this in your app. To make this easier, you can specify a different controller as the base class for Mission Control's controllers:
config.mission_control.web.base_controller_class = "AdminController"
You can configure a custom page to show to users when a request is denied by Mission Control - Web. Configure this like so:
config.mission_control.web.errors_controller = MissionControl::Web::CustomErrorsController
Then, in your application, create a custom errors controller:
class MissionControl::Web::CustomErrorsController < MissionControl::Web::ErrorsController
def disallowed
render file: "public/503.html"
end
end
Useful for disabling the Mission Control - Web request intercept middleware on a per-application or per-environment basis:
config.mission_control.web.middleware_enabled = false
Denied paths are cached by the middleware and refreshed from Redis on this interval. With this configuration, it takes up to 10 seconds for path denial to take effect:
config.mission_control.web.routes_cache_ttl = 10.seconds
Run:
rake test
Performance tests can be run in the "profile" environment for more consistent results with:
RAILS_ENV=profile rake test:performance
If Redis is down (or raises any instance of Redis::BaseConnectionError), Mission Control Web middleware will fail-open.
It's recommended to also consider using a resilient Redis client with a circuit-breaker. See Semian.
The gem is available as open source under the terms of the MIT License.