Solve RackAttack throttling packageregistry endpoints
Now that we have allowed more through to package registry endpoints on https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/11748 we are seeing some of these requests in RackAttack dry-run logs, which is, given the set limit (7K/minute) vs RackAttack limits (2K/minute for authenticated), somewhat predictable.
There are at least two possible resolutions:
- Create an additional throttle with configuration for it in RackAttack
- In haproxy set the bypass header in haproxy for any packageregistry traffic that we've let through.
The first is the more robust solution; the second will get us there quickly and is more consistent (we won't run into the mismatch of limits where haproxy only sees IPs, but RackAttack sees per-user for authenticated traffic possibly across multiple IPs), but ties us even more to haproxy when the Reliability teams want to move that rate-limiting out to CloudFlare.
See also go-get=1 (#713 (closed)) as part of the same basic problem.