Update GitLab.com rate limit documentation

We are changing this in January 2021, so for a time our documentation should contain the old and new limits.

Update GitLab.com rate limit documentation
We are changing this in January 2021, so for a time our documentation should contain the old and new limits.
b29342cd · Sean McGivern · 1e4dbfbc · b29342cd
Commit b29342cd authored Dec 15, 2020 by Sean McGivern
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 42 deletions

doc/user/gitlab_com/index.md doc/user/gitlab_com/index.md +43 -42

No files found.
--- a/doc/user/gitlab_com/index.md
+++ b/doc/user/gitlab_com/index.md
@@ -509,50 +509,38 @@ NOTE:
 See [Rate limits](../../security/rate_limits.md) for administrator
 documentation.

-IP blocks usually happen when GitLab.com receives unusual traffic from a single
-IP address that the system views as potentially malicious based on rate limit
-settings. After the unusual traffic ceases, the IP address is automatically
-released depending on the type of block, as described below.
-
-If you receive a `403 Forbidden` error for all requests to GitLab.com, please
-check for any automated processes that may be triggering a block. For
-assistance, contact [GitLab Support](https://support.gitlab.com/hc/en-us)
-with details, such as the affected IP address.
-
-### HAProxy API throttle
+When a request is rate limited, GitLab responds with a `429` status
+code. The client should wait before attempting the request again. There
+are also informational headers with this response detailed in [rate
+limiting responses](#rate-limiting-responses).

-GitLab.com responds with HTTP status code `429` to API requests that exceed 10
-requests
-per second per IP address.
+GitLab.com's rate limits are changing in January 2021. The table below
+contains the limits that apply before and after this change.

-The following example headers are included for all API requests:
+| Rate limit                                                                | Before 2021-01-18           | From 2021-01-18               |
+|:--------------------------------------------------------------------------|:----------------------------|:------------------------------|
+| **Protected paths** (for a given **IP address**)                          | **10** requests per minute  | **10** requests per minute    |
+| **Raw endpoint** traffic (for a given **project, commit, and file path**) | **300** requests per minute | **300** requests per minute   |
+| **Unauthenticated** traffic (from a given **IP address**)                 | No specific limit           | **500** requests per minute   |
+| **Authenticated** API traffic (for a given **user**)                      | No specific limit           | **2,000** requests per minute |
+| **Authenticated** non-API HTTP traffic (for a given **user**)             | No specific limit           | **1,000** requests per minute |
+| **All** traffic (from a given **IP address**)                             | **600** requests per minute | **2,000** requests per minute |

-```plaintext
-RateLimit-Limit: 600
-RateLimit-Observed: 6
-RateLimit-Remaining: 594
-RateLimit-Reset: 1563325137
-RateLimit-ResetTime: Wed, 17 Jul 2019 00:58:57 GMT
-```
-
-Source:
+More details are available on the rate limits for [protected
+paths](#protected-paths-throttle) and [raw
+endpoints](../../user/admin_area/settings/rate_limits_on_raw_endpoints.md).

- Search for `rate_limit_http_rate_per_minute` and `rate_limit_sessions_per_second` in [GitLab.com's current HAProxy settings](https://gitlab.com/gitlab-cookbooks/gitlab-haproxy/blob/master/attributes/default.rb).
-
-### Pagination response headers
+### Rate limiting responses

-For performance reasons, if a query returns more than 10,000 records, GitLab
-doesn't return the following headers:
+The [`Retry-After`
+header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After)
+will indicate when the client should retry.

- `x-total`.
- `x-total-pages`.
- `rel="last"` `link`.
+In the case that a rate limit is applied by HAProxy, rather than
+Cloudflare or the GitLab application, there will instead be
+`RateLimit-Reset` and `RateLimit-ResetTime` headers.

-### Rack Attack initializer
-
-Details of rate limits enforced by [Rack Attack](../../security/rack_attack.md).
-
-#### Protected paths throttle
+### Protected paths throttle

 GitLab.com responds with HTTP status code `429` to POST requests at protected
 paths that exceed 10 requests per **minute** per IP address.
@@ -568,6 +556,18 @@ Retry-After: 60

 See [Protected Paths](../admin_area/settings/protected_paths.md) for more details.

+### IP blocks
+
+IP blocks usually happen when GitLab.com receives unusual traffic from a single
+IP address that the system views as potentially malicious based on rate limit
+settings. After the unusual traffic ceases, the IP address is automatically
+released depending on the type of block, as described below.
+
+If you receive a `403 Forbidden` error for all requests to GitLab.com, please
+check for any automated processes that may be triggering a block. For
+assistance, contact [GitLab Support](https://support.gitlab.com/hc/en-us)
+with details, such as the affected IP address.
+
 #### Git and container registry failed authentication ban

 GitLab.com responds with HTTP status code `403` for 1 hour, if 30 failed
@@ -585,13 +585,14 @@ This limit:

 No response headers are provided.

-### Admin Area settings
+### Pagination response headers

-GitLab.com:
+For performance reasons, if a query returns more than 10,000 records, GitLab
+doesn't return the following headers:

- Has [rate limits on raw endpoints](../../user/admin_area/settings/rate_limits_on_raw_endpoints.md)
-  set to the default.
- Does not have the user and IP rate limits settings enabled.
+- `x-total`.
+- `x-total-pages`.
+- `rel="last"` `link`.

 ### Visibility settings