I'm sorry, you are right... I had meant Rack::Attack, not Rack::Timeout; I confused the two in my head. You are right, I was referring to Rack::Attack.

If a known administrator has a fixed IP address, I disagree that "IP based security generally adds no real world actual security."

Perhaps you are saying this in the context of IP blocking, which I agree offers little help in a world where it is easy for someone to switch IPs after they are blacklisted. However, the original question was to whitelist (not blacklist) a known IP address for a known user. This seems like a highly appropriate security whitelisting strategy and is widely used across the internet. (Blacklisting bad actors, on the other hand, is indeed a cat & mouse game that probably won't work out too well.)

> On Dec 6, 2016, at 7:28 AM, Neil Middleton <[email protected]> wrote:
>
> Sorry - but this is incorrect.
>
> Rack-timeout only ensures that requests that are hitting a predefined service
> time are killed off rather than being allowed to run on consuming resources.
> At the very minimum Rack Timeout should be installed with a setting of 30s,
> the same time that the Heroku router will kill a request with an H12 error.
>
> If you're wanting any sort of DDoS protection and so on, then Rack::Attack is
> the one to go for.
>
> However, like I said earlier - IP based security generally adds no real world
> actual security.

----
Jason Fleetwood-Boldt
[email protected]
http://www.jasonfleetwoodboldt.com/writing

If you'd like to reply by encrypted email you can find my public key on jasonfleetwoodboldt.com (more about setting GPG: https://gpgtools.org)
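
Added example, not part of the original message and not Rack::Attack's own API: a plain Rack-style middleware that serves an admin path only to an allowlisted address, the strategy argued for above. The class name, the `/admin` prefix, the sample addresses and the assumption of one trusted proxy that appends the connecting address as the last `X-Forwarded-For` entry are all hypothetical.

```ruby
require "ipaddr"

# Rack-style middleware (hypothetical name): paths under `prefix` are served
# only to clients whose address is inside an allowlisted network.
class AdminIpAllowlist
  def initialize(app, networks:, prefix: "/admin", trusted_hops: 0)
    @app = app
    @networks = networks.map { |n| IPAddr.new(n) }
    @prefix = prefix
    @trusted_hops = trusted_hops # assumption: number of proxies we control in front of the app
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    return @app.call(env) unless path == @prefix || path.start_with?("#{@prefix}/")
    ip = client_ip(env)
    return @app.call(env) if ip && @networks.any? { |net| net.include?(ip) }
    [403, { "content-type" => "text/plain" }, ["Forbidden\n"]] # fail closed
  end

  private

  # Only entries appended by trusted proxies are reliable; anything further
  # left in X-Forwarded-For was supplied by the client and can be forged.
  def client_ip(env)
    raw = if @trusted_hops.zero?
            env["REMOTE_ADDR"]
          else
            env["HTTP_X_FORWARDED_FOR"].to_s.split(",").map(&:strip)[-@trusted_hops]
          end
    raw.nil? || raw.empty? ? nil : IPAddr.new(raw)
  rescue IPAddr::Error
    nil # unparsable address is treated as not allowlisted
  end
end

# Constructed requests (documentation address ranges) against a stub app.
def demo_statuses
  app = ->(_env) { [200, {}, ["ok"]] }
  mw = AdminIpAllowlist.new(app, networks: ["203.0.113.10/32"], trusted_hops: 1)
  status = lambda do |path, xff|
    env = { "PATH_INFO" => path }
    env["HTTP_X_FORWARDED_FOR"] = xff if xff
    mw.call(env)[0]
  end
  { admin_from_allowed: status.call("/admin/users", "203.0.113.10"),
    forged_left_entry: status.call("/admin", "203.0.113.10, 198.51.100.7"),
    no_header: status.call("/admin", nil),
    public_page: status.call("/", "198.51.100.7") }
end
```

The allowlist is only as strong as the source of the address: reading the leftmost `X-Forwarded-For` entry instead of the proxy-appended one would let any client claim the administrator's IP.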
