Disable Rack Attack by default
We have a lot of support tickets relating to Rack Attack bans that quietly cause users to lose access to GitLab with unexplained 401 errors: https://gitlab.com/gitlab-com/support/issues/119
I think we have a few options:
- Turn it off completely by default: this will potentially cause open GitLab instances to be exposed by login spam attempts
- Tune the values so that they rarely ever trigger for most people (hard to get right, as we have seen on GitLab.com)
In any case, we should document this better as https://gitlab.com/gitlab-org/gitlab-ce/issues/24664 covers and add a more descriptive 40x error.
Other related issues:
- https://gitlab.com/gitlab-org/gitlab-ce/issues/36167
- https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/9363
This came from discussion in https://docs.google.com/document/d/1VDXJkvUJasax2VqcvsIVVM_Ll2ri-cI0iXQPPF-cru0/edit?ts=5a2b32c6#heading=h.l0ybh4ui9zys.
Thoughts, @briann, @lbot, @jacobvosmaer-gitlab?
Edited by Stan Hu