Add RateLimit-* headers to RackAttack responses
Something I noticed when I was looking at https://docs.gitlab.com/ee/user/gitlab_com/index.html#haproxy-api-throttle is that we document these RateLimit-* headers we set.
We don't get these for free with Rack Attack, but we could add them: https://github.com/rack/rack-attack#ratelimit-headers-for-well-behaved-clients We already manually add them in HAProxy: https://gitlab.com/gitlab-cookbooks/gitlab-haproxy/-/blob/3a8f7adbc0e0ce5996e529e6dd45b135caf13f2c/templates/default/haproxy-frontend.cfg.erb#L320-324
I think we should, because clients like https://github.com/xanzy/go-gitlab/blob/master/gitlab.go#L47-48 expect these.
So that is:

- Send these headers for all requests (see also gitlab-org/gitlab#20482 (closed))
- Update the documentation at https://docs.gitlab.com/ee/user/gitlab_com/index.html#haproxy-api-throttle
- Verify whether the load balancers override these headers?
  - Cloudflare
  - HAProxy touches the headers. We'll need to open a new MR to conditionally set the headers only if they are not set by the upstream.
- Create a section for response headers at https://docs.gitlab.com/ee/security/rate_limits.html#rate-limits
- Update other response header documentations to point to the unified general one above at
- (Done because that blog post is already merged) Update gitlab-com/www-gitlab-com!70143 (merged) if we do this before that's merged
- Close gitlab-org/gitlab#20482 (closed) once we're done
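As an added illustration of the first checklist item (not code from this issue, from GitLab, or from rack-attack itself), the following Rack middleware emits RateLimit-Limit, RateLimit-Remaining and RateLimit-Reset on every response rather than only on throttled 429s, which is what the rack-attack README's `throttled_responder` covers. It assumes the README's match-data shape (`:limit`, `:period`, `:count`, `:epoch_time`) and that rack-attack records each evaluated throttle under `env['rack.attack.throttle_data']`; the class name, sample app and sample values are constructed for the example.

```ruby
# Added example; not GitLab's or rack-attack's own code.
# Rack middleware that adds RateLimit-* headers to every response.
#
# Assumption (from the rack-attack README, not from the issue): after a
# request is evaluated, rack-attack leaves, per throttle name,
#   env['rack.attack.throttle_data'] = { 'name' => { limit:, period:, count:, epoch_time: } }
class RateLimitHeaders
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    throttle_data = env['rack.attack.throttle_data']
    return [status, headers, body] if throttle_data.nil? || throttle_data.empty?

    # Several throttles may apply to one request; report the one closest to
    # exhaustion, since that is the limit the client will hit next.
    _name, data = throttle_data.min_by { |_, d| d[:limit] - d[:count] }
    [status, headers.merge(self.class.headers_for(data)), body]
  end

  # Builds the three headers from a single throttle's match data.
  def self.headers_for(data)
    limit, period, count, now = data.values_at(:limit, :period, :count, :epoch_time)
    # rack-attack counts requests in fixed windows of `period` seconds, so the
    # current window closes at the next multiple of `period` after `now`.
    reset_at  = now + (period - now % period)
    remaining = [limit - count, 0].max

    {
      'RateLimit-Limit'     => limit.to_s,
      'RateLimit-Remaining' => remaining.to_s,
      'RateLimit-Reset'     => reset_at.to_s # Unix epoch seconds, as in the README
    }
  end
end

# Constructed sample: an upstream app and an env as rack-attack would leave it
# after checking two throttles (names and numbers invented for the example).
SAMPLE_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
SAMPLE_ENV = {
  'rack.attack.throttle_data' => {
    'throttle_unauthenticated' => { limit: 500, period: 60, count: 12,  epoch_time: 1_700_000_010 },
    'throttle_api'             => { limit: 100, period: 60, count: 100, epoch_time: 1_700_000_010 }
  }
}

# Runs the middleware over the sample request and returns the Rack triple.
def demo
  RateLimitHeaders.new(SAMPLE_APP).call(SAMPLE_ENV)
end

if __FILE__ == $PROGRAM_NAME
  status, headers, = demo
  puts status
  headers.each { |k, v| puts "#{k}: #{v}" }
end
```

The header values are strings, as Rack requires, and RateLimit-Remaining never goes negative even when a throttle has been exceeded; if HAProxy also sets these headers, as the checklist notes, the upstream values produced here are the ones that should win.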
Edited by Quang-Minh Nguyen