Gitlab: use frontends' authenticate-to-backend and rate limit archive downloads
Instead of using a list of frontends' IP addresses to determine if the backend can trust the frontend's X-Forwarded-For header, use the same authenticate-to-backend approach as with ERP5: the frontend connects to the backend with a client certificate and if the backend can verify this certificate, it trusts X-Forwarded-For from the frontend and uses this as client IP.
Otherwise, without a verified certificate, the frontend's own IP address is used as client IP.
This means that:
- frontend shared instances must use authenticate-to-backend in parameters
- gitlab instance must use frontend-caucase-url-list in parameters
- gitlab instance no longer uses nginx_real_ip_trusted_addresses in parameters
This branch also contains some mitigation for 503 errors we observed when too many clients were downloading archives (we had several hundreds of ongoing requests preparing archives). The approach is simply to rate-limit archive downloads, implemented in nginx because gitlab does not expose rack-attack configuration for this.
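
The two mechanisms described above, expressed as nginx configuration (an added example, not the configuration from this branch): the client IP is taken from X-Forwarded-For only when the peer's certificate verified, and that IP keys the archive rate limit. The certificate paths, upstream address, zone name, rate and archive URL pattern are assumptions, and the frontend is assumed to send a single address in X-Forwarded-For.

```nginx
# Added example; all names, paths and numbers below are assumptions.
# These blocks belong in the http context.

# $ssl_client_verify is "SUCCESS" only when the peer presented a certificate
# that verified against ssl_client_certificate, and "NONE" when it sent none.
map $ssl_client_verify $client_ip {
    SUCCESS  $http_x_forwarded_for;  # authenticated frontend: trust its header
    default  $remote_addr;           # anything else: use the TCP peer address
}

# One bucket per client IP as decided above. Requests with an empty key are
# not counted, so an authenticated frontend must always send the header.
limit_req_zone $client_ip zone=archive:10m rate=1r/s;

upstream gitlab_backend {
    server 127.0.0.1:8181;  # assumed address of the GitLab application
}

server {
    listen 443 ssl;
    ssl_certificate         /path/to/backend.crt;      # placeholder
    ssl_certificate_key     /path/to/backend.key;      # placeholder
    ssl_client_certificate  /path/to/frontend-ca.crt;  # placeholder: CA issuing frontend certificates

    # Ask for a client certificate but still serve peers that send none.
    # A certificate that is presented and fails verification is rejected.
    ssl_verify_client       optional;

    # Archive downloads (URL pattern assumed): rate-limited per client IP.
    location ~ /-/archive/ {
        limit_req         zone=archive burst=5 nodelay;
        limit_req_status  429;  # without this, limited requests get the default 503
        proxy_set_header  X-Forwarded-For $client_ip;
        proxy_pass        http://gitlab_backend;
    }

    location / {
        # Overwrite the header so the application never sees an unverified value.
        proxy_set_header  X-Forwarded-For $client_ip;
        proxy_pass        http://gitlab_backend;
    }
}
```

Because the limit is keyed on `$client_ip` rather than `$remote_addr`, clients behind an authenticated frontend are limited individually, while a peer without a verified certificate cannot evade the limit by varying X-Forwarded-For.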