
Mission Control - Web

This gem provides a Rails-based frontend and middleware to deny access to particular parts of your application. This is especially useful in an incident response scenario such as deployment of unperformant code, or a denial of service attack.

Screenshot of Mission Control - Web admin UI

How it works

Mission Control - Web can be configured via the admin interface to block requests whose path matches a regex pattern. If the requested path matches any "Denied" path, the request is blocked with a 503 HTTP status code.

Usage

You can choose to deploy Mission Control - Web admin and middleware both in the same Rails app, or two separate apps, a protected Rails app and an admin app.

The benefit of using two separate apps is that if your protected app is attacked or suffers a performance issue, the protected app may become inaccessible while the separate admin app does not.

Installation

Add this line to your application's Gemfile:

gem "mission_control-web"

And then execute:

$ bundle

Then follow the instructions below for a single app, or for a separate admin app.

Installation in a single app

After adding the gem, run the install generator:

$ bin/rails generate mission_control:web:install

Installation with two apps, admin and protected

After adding the mission_control-web gem, in your admin app:

$ bin/rails generate mission_control:web:install:admin

and in your protected Rails app:

$ bin/rails generate mission_control:web:install:middleware

Configuration

Redis client

Configure Mission Control - Web with a Redis client.

# config/initializers/mission_control_web.rb

config.mission_control.web.redis = Redis.new(url: "redis://server:6379/0")

Administered applications

config.mission_control.web.administered_applications = [ { name: "My Rails App", redis: Redis.new(url: "redis://server:6379/0") } ]

Authentication and base controller class

By default, Mission Control's controllers will extend the host app's ApplicationController. If no authentication is enforced, the admin pages will be available to everyone. You might want to implement some kind of authentication for this in your app. To make this easier, you can specify a different controller as the base class for Mission Control's controllers:

config.mission_control.web.base_controller_class = "AdminController"

Custom "denied" page

You can configure a custom page to show to users when a request is denied by Mission Control - Web. Configure this like so:

config.mission_control.web.errors_controller = MissionControl::Web::CustomErrorsController

Then, in your application, create a custom errors controller:

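class MissionControl::Web::CustomErrorsController < MissionControl::Web::ErrorsController
  def disallowed
    # render file: needs an absolute path on current Rails versions.
    # Send the 503 status explicitly so clients and monitoring see the denial.
    render file: Rails.public_path.join("503.html"),
           status: :service_unavailable, layout: false
  end
end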

Other configuration

To disable the Mission Control - Web request intercept middleware on a per-application or per-environment basis:

config.mission_control.web.middleware_enabled = false

Denied paths are cached by the middleware and refreshed from Redis on this interval. With this configuration, it takes up to 10 seconds for path denial to take effect:

config.mission_control.web.routes_cache_ttl = 10.seconds

Example Regex Patterns for Paths

When configuring denied paths through the Mission Control - Web admin interface, you can use regex patterns to match Rails routes.

  1. Deny all routes under a specific namespace (e.g., admin):

    ^/admin/.*
    

    This pattern blocks access to all routes that start with /admin/.

  2. Deny specific controller actions (e.g., editing user profiles or settings updates):

    ^/users/edit
    ^/settings/update
    

    These patterns ensure that routes like /users/edit and /settings/update are blocked.

  3. Deny access to API routes under a specific version (e.g., API v1):

    ^/api/v1/.*
    

    This pattern blocks all routes starting with /api/v1/, useful for deprecating old API versions.
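The patterns above can be checked against representative paths before they are saved in the admin interface. The following is an added example, not code from the gem: it assumes the middleware applies each pattern as an unanchored Regexp match on the request path, and the sample paths and the tighter pattern set are constructed for illustration. It shows that `^/admin/.*` leaves `/admin` itself reachable and that `^/users/edit` blocks `/users/editors` but not `/users/42/edit`.

```ruby
# Added example, not code from the mission_control-web gem.
# Assumption: the middleware applies each pattern as an unanchored
# Regexp match against the request path.

# Patterns as listed in this README.
README_PATTERNS = ["^/admin/.*", "^/users/edit", "^/settings/update", "^/api/v1/.*"].freeze

# Constructed, tighter variants: \A and \z anchor the whole string, and a
# segment boundary (/ or end of path) stops prefix over-matching.
TIGHT_PATTERNS = ['\A/admin(/|\z)', '\A/users/(\d+/)?edit\z',
                  '\A/settings/update\z', '\A/api/v1(/|\z)'].freeze

# Constructed sample paths covering the boundary cases.
SAMPLE_PATHS = %w[
  /admin /admin/users /administrators
  /users/edit /users/42/edit /users/editors
  /settings/update /api/v1/orders /api/v10/orders /api/v2/orders
].freeze

# Returns the patterns that do not compile, so they can be fixed before saving.
def invalid_patterns(patterns)
  patterns.reject do |source|
    Regexp.new(source)
    true
  rescue RegexpError
    false
  end
end

# Maps each path to true (would be denied with a 503) or false (allowed).
def audit(patterns, paths)
  regexes = patterns.map { |source| Regexp.new(source) }
  paths.to_h { |path| [path, regexes.any? { |re| re.match?(path) }] }
end

# Paths on which two pattern sets disagree.
def disagreements(first, second, paths)
  a = audit(first, paths)
  b = audit(second, paths)
  paths.reject { |path| a[path] == b[path] }
end

if __FILE__ == $PROGRAM_NAME
  audit(README_PATTERNS, SAMPLE_PATHS).each do |path, denied|
    puts format("%-18s %s", path, denied ? "503 denied" : "allowed")
  end
  diff = disagreements(README_PATTERNS, TIGHT_PATTERNS, SAMPLE_PATHS)
  puts "differs with tight set: #{diff.join(', ')}"
end
```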

Testing

Run:

rake test

Performance tests can be run in the "profile" environment for more consistent results with:

RAILS_ENV=profile rake test:performance

Resiliency

If Redis is down (or raises any instance of Redis::BaseConnectionError), the Mission Control - Web middleware fails open, letting requests through instead of blocking them.

Consider also using a resilient Redis client with a circuit breaker. See Semian.

License

The gem is available as open source under the terms of the MIT License.
