Clarify Rack Attack settings in gitlab.rb for throttle enable, whitelisting, and limits
Summary
Users are instructed to enable these settings for Rack Attack throttling and Fail2Ban basic auth brute-forcing:
gitlab_rails['rack_attack_git_basic_auth'] = {
'enabled' => true,
'ip_whitelist' => ["127.0.0.1"],
'maxretry' => 10,
'findtime' => 60,
'bantime' => 3600
}
gitlab_rails['rate_limit_requests_per_period'] = 10
gitlab_rails['rate_limit_period'] = 60
The rack_attack_git_basic_auth
configuration is used to enable throttling and basic auth protections but the whitelisting and limit settings are only applied to basic auth brute-force protections and not throttling. The throttling limits are defined in the rate_limit settings.
Steps to reproduce
Enable Rack Attack in gitlab.rb
, rename the example rack_attack config files if needed (not needed for omnibus).
Add an IP address to the whitelist, run gitlab-ctl reconfigure
, and run the following from that source IP:
for i in {1..50}; do curl -X POST -q -o /dev/null http://gitlab-instance/users/password; done
Expected behavior
The whitelisted IP will be allowed to run these queries.
Actual behavior
The IP is blocked and the query eventually results in a retry warning.
Possible fixes
I'm working on a patch to enable whitelisting for throttling as well as basic auth brute-forcing and to clarify which settings apply to each protection type.