Commit c1203307 authored by Ben Bodenmiller's avatar Ben Bodenmiller Committed by Stan Hu

Improve details about object storage proxy download

parent 85d00751
...@@ -494,16 +494,18 @@ If you configure GitLab to use object storage for CI logs and artifacts, ...@@ -494,16 +494,18 @@ If you configure GitLab to use object storage for CI logs and artifacts,
### Proxy Download ### Proxy Download
A number of the use cases for object storage allow client traffic to be redirected to the Clients can download files in object storage by receiving a pre-signed, time-limited URL,
object storage back end, like when Git clients request large files via LFS or when or by GitLab proxying the data from object storage to the client.
downloading CI artifacts and logs. Downloading files from object storage directly
helps reduce the amount of egress traffic GitLab
needs to process.
When the files are stored on local block storage or NFS, GitLab has to act as a proxy. When the files are stored on local block storage or NFS, GitLab has to act as a proxy.
This is not the default behavior with object storage. This is not the default behavior with object storage.
The `proxy_download` setting controls this behavior: the default is generally `false`. The `proxy_download` setting controls this behavior: the default is generally `false`.
Verify this in the documentation for each use case. Set it to `true` so that GitLab proxies Verify this in the documentation for each use case. Set it to `true` if you want
the files. GitLab to proxy the files.
When not proxying files, GitLab returns an When not proxying files, GitLab returns an
[HTTP 302 redirect with a pre-signed, time-limited object storage URL](https://gitlab.com/gitlab-org/gitlab/-/issues/32117#note_218532298). [HTTP 302 redirect with a pre-signed, time-limited object storage URL](https://gitlab.com/gitlab-org/gitlab/-/issues/32117#note_218532298).
...@@ -524,7 +526,9 @@ certificate, or may return common TLS errors such as: ...@@ -524,7 +526,9 @@ certificate, or may return common TLS errors such as:
x509: certificate signed by unknown authority x509: certificate signed by unknown authority
``` ```
- Clients will need network access to the object storage. Errors that might result - Clients will need network access to the object storage.
Network firewalls could block access.
Errors that might result
if this access is not in place include: if this access is not in place include:
```plaintext ```plaintext
...@@ -535,6 +539,10 @@ Getting a `403 Forbidden` response is specifically called out on the ...@@ -535,6 +539,10 @@ Getting a `403 Forbidden` response is specifically called out on the
[package repository documentation](packages/index.md#using-object-storage) [package repository documentation](packages/index.md#using-object-storage)
as a side effect of how some build tools work. as a side effect of how some build tools work.
Additionally for a short time period users could share pre-signed, time-limited object storage URLs
with others without authentication. Also bandwidth charges may be incurred
between the object storage provider and the client.
### ETag mismatch ### ETag mismatch
Using the default GitLab settings, some object storage back-ends such as Using the default GitLab settings, some object storage back-ends such as
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment