Gitlab: use frontends' authenticate-to-backend and rate limit archive downloads
Instead of using a list of frontends IP addresses to determine if the backend can trust the frontend's `X-Forwarded-For` header, use the same [`authenticate-to-backend`](https://lab.nexedi.com/nexedi/slapos/-/blob/d48d682dfc67d7845f0346f01772573c9e4edc8e/software/rapid-cdn/instance-slave-input-schema.json#L215-223) approach as with ERP5: the frontend connects to the backend with a client certificate and if the backend can verify this certificate, it trusts `X-Forwarded-For` from the frontend and uses this as client IP. Otherwise, without a verified certificate, the frontend's own IP address is used as client IP.

This means that:

- frontend shared instances must use `authenticate-to-backend` in parameters
- gitlab instance must use `frontend-caucase-url-list` in parameters
- gitlab instance no longer uses `nginx_real_ip_trusted_addresses` in parameters

This branch also contains some mitigation for 503 errors we observed when too many clients were downloading archives (we had several hundreds of ongoing requests preparing archives), the approach is simply to rate-limit the download archives, implemented in nginx because gitlab does not expose rack-attack configuration for this.

See merge request nexedi/slapos!1676
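A minimal nginx sketch of the two mechanisms described in the commit message, added here as an illustration and not taken from the slapos change itself. The file paths, upstream address, zone name, rate values, the archive URL pattern and the choice of the last `X-Forwarded-For` entry are all assumptions.

```nginx
# Added example (http context). Not the slapos configuration.

# Trust X-Forwarded-For only when the peer presented a certificate that
# verified against the frontend CA. Assumption: the frontend appends the
# client address, so the last entry is the one it wrote.
map "$ssl_client_verify:$http_x_forwarded_for" $client_ip {
    "~^SUCCESS:(?:.*,\s*)?(?<xff_last>[^,\s]+)\s*$"  $xff_last;
    # No certificate, or no usable header: fall back to the peer address,
    # which is the frontend's own IP when the frontend is not authenticated.
    default                                           $remote_addr;
}

# Rate-limit key is the resolved client IP, so an unauthenticated peer
# cannot pick its own bucket by forging X-Forwarded-For.
limit_req_zone $client_ip zone=archive:10m rate=10r/m;   # assumed rate

upstream gitlab_workhorse {          # hypothetical upstream
    server 127.0.0.1:8181;
}

server {
    listen 443 ssl;
    ssl_certificate         /path/to/backend.crt;       # placeholder
    ssl_certificate_key     /path/to/backend.key;       # placeholder

    # CA that signs the frontends' client certificates (placeholder path).
    ssl_client_certificate  /path/to/frontend-ca.crt;
    # "optional": clients without a certificate are still served, they
    # are simply not trusted to supply X-Forwarded-For.
    ssl_verify_client       optional;

    # Archive downloads (assumed URL pattern) are the expensive requests.
    location ~ ^/.+/-/archive/ {
        limit_req         zone=archive burst=5 nodelay;  # assumed burst
        limit_req_status  429;
        proxy_set_header  X-Forwarded-For $client_ip;
        proxy_pass        http://gitlab_workhorse;
    }

    location / {
        # Overwrite rather than append, so the application only ever
        # sees the address resolved above.
        proxy_set_header  X-Forwarded-For $client_ip;
        proxy_pass        http://gitlab_workhorse;
    }
}
```

A quick check after deploying a configuration like this is to send a request with a forged `X-Forwarded-For` and no client certificate, then confirm the logged client address is the connecting peer's.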