GitLab

Instead of using a list of frontends IP addresses to determine if the backend can trust the frontend's X-Forwarded-For header, use the same authenticate-to-backend approach as with ERP5: the frontend connects to the backend with a client certificate and if the backend can verify this certificate, it trusts X-Forwarded-For from the frontend and uses this as client IP. Otherwise, without a verified certificate, the frontend's own IP address is uses as client IP.

This means that:

• frontend shared instances must use authenticate-to-backend in parameters
• gitlab instance must use frontend-caucase-url-list in parameters
• gitlab instance no longer use nginx_real_ip_trusted_addresses in parameters

This branch also contains some mitigation for 503 errors we observed when too many clients were downloading archives (we had several hundreds of ongoing requests preparing archives), the approach is simply to rate-limit the download archives, implemented in nginx because gitlab does not expose rack-attack configuration for this.