I'm interested in using https://github.com/kickstarter/rack-attack to throttle abusers and brute force attackers. My app runs on multiple dynos, so I imagine the Rails default FileStore is not fully effective since there's a filesystem for each dyno, and throttling needs to be the aggregate of both.
If I were to use a memcached plugin service for Rails.cache
, is there a "fallback" built into Rails if the memcached service goes down (i.e., say to FileStore)?
If not, with the outage of the memcached service, will the rails app crash or become inaccessible to users (vs gracefully handling errors)?
I'm the author of rack-attack.
tl;dr: when your caching backend (memcached or redis) is down, then all requests are allowed (i.e. fail-open).
It really depends on what the Rails cache does. Both the Dalli memcached client (ActiveSupport::Cache::DalliStore), and the Redis client (ActiveSupport::Cache::RedisStore) rescue connection errors and timeouts to return nil
.
When rack-attack queries the cache store for a throttle value, the cache store returns nil
. Rack attack casts thatto_i
to get 0
. And since your throttle limit is > 0, the request is allowed.
Rack attack has integration tests run on each commit testing that no errors are raised and requests are allowed when memcached/redis are unavailable.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With