Mission Control - Web

This gem provides a Rails-based frontend and middleware to deny access to particular parts of your application. This is especially useful in an incident response scenario such as deployment of unperformant code, or a denial of service attack.

How it works

Mission Control - Web can be configured via the admin interface to block requests whose path matched a regex pattern. If the requested path matches any "Denied" path, it will be blocked with a 503 HTTP status code.

Usage

You can choose to deploy Mission Control - Web admin and middleware both in the same Rails app, or two separate apps, a protected Rails app and an admin app.

The benefit of using two separate apps is that if your protected app is attacked or suffers a performance issue, it may become inaccessible while an admin app does not.

Installation

Add this line to your application's Gemfile:

gem "mission_control-web"

And then execute:

$ bundle

then, follow the instructions below for a single app, or a separate admin app.

Installation in a single app

And then execute:

$ bin/rails generate mission_control:web:install

Installation with two apps, admin and protected

After adding the mission_control-web gem, in your admin app:

$ bin/rails generate mission_control:web:install:admin

and in your protected Rails app:

$ bin/rails generate mission_control:web:install:middleware

Configuration

Redis client

Configure Mission Control - Web with a Redis client.

# config/initializers/mission_control_web.rb

config.mission_control.web.redis = Redis.new(url: "redis://server:6379/0")

Administered applications

config.mission_control.web.administered_applications = [ { name: "My Rails App", redis: Redis.new(url: "redis://server:6379/0") } ]

Authentication and base controller class

By default, Mission Control's controllers will extend the host app's ApplicationController. If no authentication is enforced, the admin pages will be available to everyone. You might want to implement some kind of authentication for this in your app. To make this easier, you can specify a different controller as the base class for Mission Control's controllers:

config.mission_control.web.base_controller_class = "AdminController"

Custom "denied" page

You can configure a custom page to show to users when a request is denied by Mission Control - Web. Configure this like so:

config.mission_control.web.errors_controller = MissionControl::Web::CustomErrorsController

Then, in your application, create a custom errors controller:

class MissionControl::Web::CustomErrorsController < MissionControl::Web::ErrorsController
  def disallowed
    render file: "public/503.html"
  end
end

Other configuration

Useful for disabling the Mission Control - Web request intercept middleware on a per-application or per-environment basis:

config.mission_control.web.middleware_enabled = false

Denied paths are cached by the middleware and refreshed from Redis on this interval. With this configuration, it takes up to 10 seconds for path denial to take effect:

config.mission_control.web.routes_cache_ttl = 10.seconds

Testing

Run:

rake test

Performance tests can be run in the "profile" environment for more consistent results with:

RAILS_ENV=profile rake test:performance

Resiliency

If Redis is down (or raises any instance of Redis::BaseConnectionError), Mission Control Web middleware will fail-open.

It's recommended to also consider using a resilient Redis client with a circuit-breaker. See Semian.

License

The gem is available as open source under the terms of the MIT License.