search
Changelog NotificationsAPIAikido login

Setup and Installation of Zen Firewall for Ruby

This guide will walk you through installing and setting up Zen Firewall by Aikido for your application. Follow the steps below to protect your application.

We have first class support for multiple frameworks and database drivers, for the full list check our README on GitHubarrow-up-right.

hashtag
Installation

1

hashtag
Install Zen by Aikido

Zen Firewall for Ruby comes as a Gem that need to be installed together with your code so your application can be protected.

We recommend testing Zen locally or on staging before deploying to production. You can install it using bundler 

bundle add aikido-zen
2

hashtag
Create an app in the dashboard and generate a token

  1. Create your Aikido account if you haven't done so already

  2. Go to the Zen sectionarrow-up-right in Aikido.

  3. Click on Add app.

  4. Choose a name for your app and click Generate token.

  5. Copy the generated token

Zen app setup form: enter app name, repository, and environment to enable security reporting.

3

hashtag
Configure your application to initiate the Zen firewall.

For Ruby on Rails you can install Zen by requiring it before Bundler.require in config/application.rb:

# config/application.rb
require_relative "boot"

require "rails/all"

require "aikido-zen"
Aikido::Zen.protect!

# Require the gems listed in Gemfile, including any gems
# you've limited to :test, :development, or :production.
Bundler.require(*Rails.groups)
4

hashtag
Start Zen Firewall in dry / detection-only mode

  1. Set the token as an environment variable: AIKIDO_TOKEN=YOUR_SECRET_TOKEN

  2. Start your app in dry mode AIKIDO_BLOCK=false to ensure it works as expected without blocking any requests. We advise to run Aikido Zen in staging for two weeks to avoid any false positives.

circle-info

You can use AIKIDO_DEBUG=true to enable debug mode for more detailed information about what the agent is doing. For more information about your environment variables: Configuration via environment variables

Alternatively, if you're using Rails' encrypted credentialsarrow-up-right, and prefer not storing sensitive values in your env vars, you can easily configure Zen for it. For example, assuming the following credentials structure:

# config/credentials.yml.enc
zen:
  token: "AIKIDO_RUNTIME_..."

You can just tell Zen to use it like so:

# config/initializers/zen.rb
Rails.application.config.zen.token = Rails.application.credentials.zen.token
5

hashtag
Test your app

Browse to your application and perform a couple of actions or open a couple of pages. Zen will automatically discover the routes in your application.

You can verify a working agent by looking at the following pages of your Zen application:

  • Events: Should show an "Application started" event.

  • Routes: After some time your application routes will start showing here with the method, route and requests.

  • Instances: Should show the number of active instances for your application where Zen is installed.

6

hashtag
Enable Rate limiting and User blocking

Enable additional features like Rate limiting and User blocking from within your code. Check out these examples below. Keep in mind that your specific setup might need adjustments based on your framework and configuration.

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  private

  def current_user
    return unless session[:user_id]
    User.find(session[:user_id])
  end

  def authenticate_user!
    # Your authentication logic here
    # ...
    # Optional, if you want to use user based rate limiting or block specific users
    Aikido::Zen.set_user(
      id: current_user.id,
      name: current_user.name
    )
  end
end
7

hashtag
Setup rate limiting in the dashboard

After you've added the Aikido middleware, you can test it out by logging in to your Aikido account and navigating to the Zen dashboard.

Agent start event logged with info severity and timestamp shown.

To protect a route from brute force attacks, set up rate limiting in the Aikido Dashboard:

  1. Click on the created app.

  2. Go to the Routes tab.

  3. Find the route you would like to limit and click Setup rate limiting.

  4. Follow the instructions to configure the rate limit (e.g., 5 requests per minute).

API route management interface showing authentication routes with protection and rate limiting options.
Set rate limiting for POST /auth/login to 5 requests per minute.

Verify Rate Limiting

Start your app and try to access the route you've rate limited 5 times within a minute. After the fifth attempt, you should receive a rate limit error:

8

hashtag
Success & Next Steps

Congrats you've successfully installed Aikido Zen. If you encountered any problems, have concerns or have feature requests, don't hesitate to reach out to support.

You can now go and explore the many features that Zen provides:

Additional information:

Last updated

Was this helpful?