Document GitLab.com's rate limits

Follow-up to https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18040#note_73885694:

We do not document GitLab.com's rate limits anywhere, which has caused confusion for some users. Plus, there is more than one potential source of rate-limits:

  • HAProxy https://gitlab.com/gitlab-cookbooks/gitlab-haproxy/blob/master/attributes/default.rb#L22-27
  • Rack Attack (original usage) https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/security/rack_attack.md https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/configuration.md#configuring-rack-attack
  • Rack Attack (Application Settings usage) https://gitlab.com/gitlab-org/gitlab-ce/issues/30053

GitLab.com does not currently use the Application Setting throttles.

HAProxy config enforces this:

  • API rate-limit: 600 req/min

Also GitLab.com uses the "git_basic_auth" setting:

*** PRODUCTION *** production> Settings.rack_attack
=> {"git_basic_auth"=>{"enabled"=>true, "ip_whitelist"=>["127.0.0.1"], "maxretry"=>30, "findtime"=>180, "bantime"=>3600}}

These are the omnibus-gitlab defaults (which it doesn't look like we diverge from):

  • https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb#L80-81
  • https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb#L244-253

So if I'm reading this correctly, we throttle all authentication endpoints to:

  • 10 req/min
  • And ban for 1 hour upon hitting 30 req/3 mins.

Is this correct?

  • Document GitLab.com's rate limits on https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/user/gitlab_com/index.md
    • Why this page? Because https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18040#note_65608427: "The docs should reflect the truth for self-hosted instances (docs are available in-app at /help). Where GitLab.com differs, it's usually documented here: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/user/gitlab_com/index.md"
  • Cross-link/reconcile the various related docs to make more sense of the situation
Edited May 25, 2018 by Michael Kozono
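The following is an added example, not GitLab's code and not part of the issue above: an in-memory model of what the `git_basic_auth` settings quoted from production (maxretry 30, findtime 180, bantime 3600, ip_whitelist 127.0.0.1) mean for a client, written to make the "10 req/min vs. ban after 30 failures in 3 minutes" question concrete. It assumes the Rack::Attack Allow2Ban semantics: only failed Git-over-HTTP basic-auth logins are counted, counts live in fixed `findtime`-second windows aligned to the Unix epoch (the way Rack::Attack builds its cache keys), a successful login resets the counter, and a ban lasts `bantime` seconds. The IP addresses and timings are constructed for the demonstration.

```ruby
# Added example (not GitLab's code): model of Rack::Attack Allow2Ban-style
# IP banning for Git basic auth, parameterised with the settings shown in
# the issue. Timestamps are plain seconds so the behaviour is reproducible.
class GitBasicAuthLimiter
  # The production values quoted in the issue.
  SETTINGS = { 'enabled' => true, 'ip_whitelist' => ['127.0.0.1'],
               'maxretry' => 30, 'findtime' => 180, 'bantime' => 3600 }.freeze

  def initialize(settings = SETTINGS)
    @settings = settings
    @counts = Hash.new(0) # "window:ip" => failures recorded in that window
    @bans = {}            # ip => time (seconds) at which the ban expires
  end

  def whitelisted?(ip)
    @settings['ip_whitelist'].include?(ip)
  end

  # True while `ip` is banned at time `now`; expired bans are dropped lazily.
  def banned?(ip, now)
    return false unless @settings['enabled'] && !whitelisted?(ip)
    expires = @bans[ip]
    return false unless expires
    return true if now < expires
    @bans.delete(ip)
    false
  end

  # One Git-over-HTTP basic-auth request from `ip` at time `now`.
  # :blocked  - the IP is banned, the request never reaches the app
  # :ok       - login succeeded (and the failure counter was reset)
  # :failed   - login failed and the failure was counted
  def request(ip, now, success:)
    return :blocked if banned?(ip, now)
    outcome = success ? :ok : :failed
    return outcome if whitelisted?(ip) || !@settings['enabled']
    success ? reset!(ip) : register_fail!(ip, now)
    outcome
  end

  private

  # Assumption: fixed windows of `findtime` seconds aligned to the epoch,
  # mirroring how Rack::Attack keys its counters (epoch / period).
  def window_key(ip, now)
    "#{now.to_i / @settings['findtime']}:#{ip}"
  end

  def register_fail!(ip, now)
    key = window_key(ip, now)
    @counts[key] += 1
    # The maxretry-th failure in one window triggers the ban; stale windows
    # are not purged in this model (a real cache store expires them).
    @bans[ip] = now + @settings['bantime'] if @counts[key] >= @settings['maxretry']
  end

  def reset!(ip)
    @counts.delete_if { |key, _| key.end_with?(":#{ip}") }
  end
end

# One client failing once every `step` seconds, 32 attempts, starting at
# `start`. Returns the outcome of each attempt in order.
def bruteforce_outcomes(limiter = GitBasicAuthLimiter.new, ip: '203.0.113.7',
                        start: 0, step: 1)
  (0..31).map { |i| limiter.request(ip, start + i * step, success: false) }
end

# 29 failures, one success, 29 more failures: the reset means no ban.
def reset_on_success_outcomes(ip: '203.0.113.8')
  limiter = GitBasicAuthLimiter.new
  first = (0...29).map { |i| limiter.request(ip, i, success: false) }
  ok = limiter.request(ip, 29, success: true)
  second = (0...29).map { |i| limiter.request(ip, 30 + i, success: false) }
  first + [ok] + second
end

if $PROGRAM_NAME == __FILE__
  aligned = bruteforce_outcomes                # all 30 failures in window 0
  straddling = bruteforce_outcomes(start: 170) # 10 in window 0, 20 in window 1
  puts "aligned: first blocked attempt = #{aligned.index(:blocked).inspect}"
  puts "straddling windows: blocked = #{straddling.count(:blocked)}"
  puts "whitelisted: #{bruteforce_outcomes(ip: '127.0.0.1').count(:blocked)} blocked"
end
```

Two things the model makes visible that the raw settings do not: a client that fails 30 times within one 180-second window is banned on the 30th failure and blocked for the next hour, so the effective rate is not a smooth 10 requests per minute, and the same 30 failures spread across a window boundary (here starting at t=170) never trigger the ban at all because the counter is per fixed window rather than sliding.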