Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
0eafd744
Commit
0eafd744
authored
Aug 07, 2019
by
Russell Dickenson
Committed by
Evan Read
Aug 07, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Closes
https://gitlab.com/gitlab-org/gitlab-ce/issues/65499
parent
1e69e67d
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
21 additions
and
18 deletions
+21
-18
doc/api/README.md
doc/api/README.md
+2
-2
doc/security/rack_attack.md
doc/security/rack_attack.md
+13
-13
doc/user/gitlab_com/index.md
doc/user/gitlab_com/index.md
+6
-3
No files found.
doc/api/README.md
View file @
0eafd744
...
@@ -697,10 +697,10 @@ programming languages. Visit the [GitLab website] for a complete list.
...
@@ -697,10 +697,10 @@ programming languages. Visit the [GitLab website] for a complete list.
## Rate limits
## Rate limits
For administrator documentation on rate limit settings,
check out
For administrator documentation on rate limit settings,
see
[
Rate limits
](
../security/rate_limits.md
)
. To find the settings that are
[
Rate limits
](
../security/rate_limits.md
)
. To find the settings that are
specifically used by GitLab.com, see
specifically used by GitLab.com, see
[
GitLab.com-specific rate limits
](
../user/gitlab_com/index.md
)
.
[
GitLab.com-specific rate limits
](
../user/gitlab_com/index.md
#gitlabcom-specific-rate-limits
)
.
[
GitLab website
]:
https://about.gitlab.com/applications/#api-clients
"Clients using the GitLab API"
[
GitLab website
]:
https://about.gitlab.com/applications/#api-clients
"Clients using the GitLab API"
[
lib-api-url
]:
https://gitlab.com/gitlab-org/gitlab-ce/tree/master/lib/api/api.rb
[
lib-api-url
]:
https://gitlab.com/gitlab-org/gitlab-ce/tree/master/lib/api/api.rb
...
...
doc/security/rack_attack.md
View file @
0eafd744
...
@@ -20,9 +20,9 @@ For more information on how to use these options see the [Rack Attack README](ht
...
@@ -20,9 +20,9 @@ For more information on how to use these options see the [Rack Attack README](ht
NOTE:
**Note:**
See
NOTE:
**Note:**
See
[
User and IP rate limits
](
../user/admin_area/settings/user_and_ip_rate_limits.md
)
[
User and IP rate limits
](
../user/admin_area/settings/user_and_ip_rate_limits.md
)
for simpler
throttles that are configured in
UI.
for simpler
limits that are configured in the
UI.
NOTE:
**Note:**
Starting with 11.2, Rack Attack is disabled by default. If your
NOTE:
**Note:**
Starting with
GitLab
11.2, Rack Attack is disabled by default. If your
instance is not exposed to the public internet, it is recommended that you leave
instance is not exposed to the public internet, it is recommended that you leave
Rack Attack disabled.
Rack Attack disabled.
...
@@ -31,13 +31,13 @@ Rack Attack disabled.
...
@@ -31,13 +31,13 @@ Rack Attack disabled.
If set up as described in the
[
Settings
](
#settings
)
section below, two behaviors
If set up as described in the
[
Settings
](
#settings
)
section below, two behaviors
will be enabled:
will be enabled:
-
Protected paths will be throttled
-
Protected paths will be throttled
.
-
Failed authentications for Git and container registry requests will trigger a temporary IP ban
-
Failed authentications for Git and container registry requests will trigger a temporary IP ban
.
### Protected paths throttle
### Protected paths throttle
GitLab responds with HTTP status code
429
to POST requests at protected paths
GitLab responds with HTTP status code
`429`
to POST requests at protected paths
over
10 requests per minute per IP address.
that exceed
10 requests per minute per IP address.
By default, protected paths are:
By default, protected paths are:
...
@@ -62,16 +62,16 @@ Retry-After: 60
...
@@ -62,16 +62,16 @@ Retry-After: 60
For example, the following are limited to a maximum 10 requests per minute:
For example, the following are limited to a maximum 10 requests per minute:
-
u
ser sign-in
-
U
ser sign-in
-
u
ser sign-up (if enabled)
-
U
ser sign-up (if enabled)
-
u
ser password reset
-
U
ser password reset
After
trying for 10 times, the client will
After
10 requests, the client must wait a minute before it can
have to wait a minute before to be able to
try again.
try again.
### Git and container registry failed authentication ban
### Git and container registry failed authentication ban
GitLab responds with HTTP status code
403
for 1 hour, if 30 failed
GitLab responds with HTTP status code
`403`
for 1 hour, if 30 failed
authentication requests were received in a 3-minute period from a single IP address.
authentication requests were received in a 3-minute period from a single IP address.
This applies only to Git requests and container registry (
`/jwt/auth`
) requests
This applies only to Git requests and container registry (
`/jwt/auth`
) requests
...
@@ -145,7 +145,7 @@ If you want more restrictive/relaxed throttle rules, edit
...
@@ -145,7 +145,7 @@ If you want more restrictive/relaxed throttle rules, edit
For example, more relaxed throttle rules will be if you set
For example, more relaxed throttle rules will be if you set
`limit: 3`
and
`period: 1.seconds`
(this will allow 3 requests per second).
`limit: 3`
and
`period: 1.seconds`
(this will allow 3 requests per second).
You can also add other paths to the protected list by adding to
`paths_to_be_protected`
You can also add other paths to the protected list by adding to
`paths_to_be_protected`
variable. If you change any of these settings
do not forget to
restart your
variable. If you change any of these settings
you must
restart your
GitLab instance.
GitLab instance.
## Remove blocked IPs from Rack Attack via Redis
## Remove blocked IPs from Rack Attack via Redis
...
...
doc/user/gitlab_com/index.md
View file @
0eafd744
...
@@ -316,7 +316,8 @@ with details, such as the affected IP address.
...
@@ -316,7 +316,8 @@ with details, such as the affected IP address.
### HAProxy API throttle
### HAProxy API throttle
GitLab.com responds with HTTP status code 429 to API requests over 10 requests
GitLab.com responds with HTTP status code
`429`
to API requests that exceed 10
requests
per second per IP address.
per second per IP address.
The following example headers are included for all API requests:
The following example headers are included for all API requests:
...
@@ -335,10 +336,12 @@ Source:
...
@@ -335,10 +336,12 @@ Source:
### Rack Attack initializer
### Rack Attack initializer
Details of rate limits enforced by
[
Rack Attack
](
../../security/rack_attack.md
)
.
#### Protected paths throttle
#### Protected paths throttle
GitLab.com responds with HTTP status code
429
to POST requests at protected
GitLab.com responds with HTTP status code
`429`
to POST requests at protected
paths
over
10 requests per
**minute**
per IP address.
paths
that exceed
10 requests per
**minute**
per IP address.
See the source below for which paths are protected. This includes user creation,
See the source below for which paths are protected. This includes user creation,
user confirmation, user sign in, and password reset.
user confirmation, user sign in, and password reset.
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment