Merge branch 'patch-182' into 'master'

Improve details about object storage proxy download See merge request gitlab-org/gitlab!36284

Merge branch 'patch-182' into 'master'
Improve details about object storage proxy download See merge request gitlab-org/gitlab!36284
1e4701d6 · Stan Hu · 9cda1414 · c1203307 · 1e4701d6
Commit 1e4701d6 authored Jul 27, 2020 by Stan Hu
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 6 deletions

doc/administration/object_storage.md doc/administration/object_storage.md +14 -6

No files found.
--- a/doc/administration/object_storage.md
+++ b/doc/administration/object_storage.md
@@ -494,16 +494,18 @@ If you configure GitLab to use object storage for CI logs and artifacts,

 ### Proxy Download

-A number of the use cases for object storage allow client traffic to be redirected to the
-object storage back end, like when Git clients request large files via LFS or when
-downloading CI artifacts and logs.
+Clients can download files in object storage by receiving a pre-signed, time-limited URL,
+or by GitLab proxying the data from object storage to the client.
+Downloading files from object storage directly
+helps reduce the amount of egress traffic GitLab
+needs to process.

 When the files are stored on local block storage or NFS, GitLab has to act as a proxy.
 This is not the default behavior with object storage.

 The `proxy_download` setting controls this behavior: the default is generally `false`.
-Verify this in the documentation for each use case. Set it to `true` so that GitLab proxies
-the files.
+Verify this in the documentation for each use case. Set it to `true` if you want
+GitLab to proxy the files.

 When not proxying files, GitLab returns an
 [HTTP 302 redirect with a pre-signed, time-limited object storage URL](https://gitlab.com/gitlab-org/gitlab/-/issues/32117#note_218532298).
@@ -524,7 +526,9 @@ certificate, or may return common TLS errors such as:
   x509: certificate signed by unknown authority
   ```

- Clients will need network access to the object storage. Errors that might result
+- Clients will need network access to the object storage.
+Network firewalls could block access.
+Errors that might result
 if this access is not in place include:

   ```plaintext
@@ -535,6 +539,10 @@ Getting a `403 Forbidden` response is specifically called out on the
 [package repository documentation](packages/index.md#using-object-storage)
 as a side effect of how some build tools work.

+Additionally for a short time period users could share pre-signed, time-limited object storage URLs
+with others without authentication. Also bandwidth charges may be incurred
+between the object storage provider and the client.
+
 ### ETag mismatch

 Using the default GitLab settings, some object storage back-ends such as