Commit f5fcb9a1 authored by Evan Read's avatar Evan Read

Merge branch 'docs/65499-amend-add-rate-limit-docs' into 'master'

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/65499

Closes #65499

See merge request gitlab-org/gitlab-ce!31458
parents 1e69e67d 0eafd744
...@@ -697,10 +697,10 @@ programming languages. Visit the [GitLab website] for a complete list. ...@@ -697,10 +697,10 @@ programming languages. Visit the [GitLab website] for a complete list.
## Rate limits ## Rate limits
For administrator documentation on rate limit settings, check out For administrator documentation on rate limit settings, see
[Rate limits](../security/rate_limits.md). To find the settings that are [Rate limits](../security/rate_limits.md). To find the settings that are
specifically used by GitLab.com, see specifically used by GitLab.com, see
[GitLab.com-specific rate limits](../user/gitlab_com/index.md). [GitLab.com-specific rate limits](../user/gitlab_com/index.md#gitlabcom-specific-rate-limits).
[GitLab website]: https://about.gitlab.com/applications/#api-clients "Clients using the GitLab API" [GitLab website]: https://about.gitlab.com/applications/#api-clients "Clients using the GitLab API"
[lib-api-url]: https://gitlab.com/gitlab-org/gitlab-ce/tree/master/lib/api/api.rb [lib-api-url]: https://gitlab.com/gitlab-org/gitlab-ce/tree/master/lib/api/api.rb
......
...@@ -20,9 +20,9 @@ For more information on how to use these options see the [Rack Attack README](ht ...@@ -20,9 +20,9 @@ For more information on how to use these options see the [Rack Attack README](ht
NOTE: **Note:** See NOTE: **Note:** See
[User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md) [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md)
for simpler throttles that are configured in UI. for simpler limits that are configured in the UI.
NOTE: **Note:** Starting with 11.2, Rack Attack is disabled by default. If your NOTE: **Note:** Starting with GitLab 11.2, Rack Attack is disabled by default. If your
instance is not exposed to the public internet, it is recommended that you leave instance is not exposed to the public internet, it is recommended that you leave
Rack Attack disabled. Rack Attack disabled.
...@@ -31,13 +31,13 @@ Rack Attack disabled. ...@@ -31,13 +31,13 @@ Rack Attack disabled.
If set up as described in the [Settings](#settings) section below, two behaviors If set up as described in the [Settings](#settings) section below, two behaviors
will be enabled: will be enabled:
- Protected paths will be throttled - Protected paths will be throttled.
- Failed authentications for Git and container registry requests will trigger a temporary IP ban - Failed authentications for Git and container registry requests will trigger a temporary IP ban.
### Protected paths throttle ### Protected paths throttle
GitLab responds with HTTP status code 429 to POST requests at protected paths GitLab responds with HTTP status code `429` to POST requests at protected paths
over 10 requests per minute per IP address. that exceed 10 requests per minute per IP address.
By default, protected paths are: By default, protected paths are:
...@@ -62,16 +62,16 @@ Retry-After: 60 ...@@ -62,16 +62,16 @@ Retry-After: 60
For example, the following are limited to a maximum 10 requests per minute: For example, the following are limited to a maximum 10 requests per minute:
- user sign-in - User sign-in
- user sign-up (if enabled) - User sign-up (if enabled)
- user password reset - User password reset
After trying for 10 times, the client will After 10 requests, the client must wait a minute before it can
have to wait a minute before to be able to try again. try again.
### Git and container registry failed authentication ban ### Git and container registry failed authentication ban
GitLab responds with HTTP status code 403 for 1 hour, if 30 failed GitLab responds with HTTP status code `403` for 1 hour, if 30 failed
authentication requests were received in a 3-minute period from a single IP address. authentication requests were received in a 3-minute period from a single IP address.
This applies only to Git requests and container registry (`/jwt/auth`) requests This applies only to Git requests and container registry (`/jwt/auth`) requests
...@@ -145,7 +145,7 @@ If you want more restrictive/relaxed throttle rules, edit ...@@ -145,7 +145,7 @@ If you want more restrictive/relaxed throttle rules, edit
For example, more relaxed throttle rules will be if you set For example, more relaxed throttle rules will be if you set
`limit: 3` and `period: 1.seconds` (this will allow 3 requests per second). `limit: 3` and `period: 1.seconds` (this will allow 3 requests per second).
You can also add other paths to the protected list by adding to `paths_to_be_protected` You can also add other paths to the protected list by adding to `paths_to_be_protected`
variable. If you change any of these settings do not forget to restart your variable. If you change any of these settings you must restart your
GitLab instance. GitLab instance.
## Remove blocked IPs from Rack Attack via Redis ## Remove blocked IPs from Rack Attack via Redis
......
...@@ -316,7 +316,8 @@ with details, such as the affected IP address. ...@@ -316,7 +316,8 @@ with details, such as the affected IP address.
### HAProxy API throttle ### HAProxy API throttle
GitLab.com responds with HTTP status code 429 to API requests over 10 requests GitLab.com responds with HTTP status code `429` to API requests that exceed 10
requests
per second per IP address. per second per IP address.
The following example headers are included for all API requests: The following example headers are included for all API requests:
...@@ -335,10 +336,12 @@ Source: ...@@ -335,10 +336,12 @@ Source:
### Rack Attack initializer ### Rack Attack initializer
Details of rate limits enforced by [Rack Attack](../../security/rack_attack.md).
#### Protected paths throttle #### Protected paths throttle
GitLab.com responds with HTTP status code 429 to POST requests at protected GitLab.com responds with HTTP status code `429` to POST requests at protected
paths over 10 requests per **minute** per IP address. paths that exceed 10 requests per **minute** per IP address.
See the source below for which paths are protected. This includes user creation, See the source below for which paths are protected. This includes user creation,
user confirmation, user sign in, and password reset. user confirmation, user sign in, and password reset.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment