Document GitLab.com's rate limits
Follow up https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18040#note_73885694:
We do not document GitLab.com's rate limits anywhere, which has caused confusion for some users. Plus, there is more than one potential source of rate-limits:
- HAProxy https://gitlab.com/gitlab-cookbooks/gitlab-haproxy/blob/master/attributes/default.rb#L22-27
- Rack Attack (original usage) https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/security/rack_attack.md https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/configuration.md#configuring-rack-attack
- Rack Attack (Application Settings usage) https://gitlab.com/gitlab-org/gitlab-ce/issues/30053
GitLab.com does not currently use the Application Setting throttles.
HAProxy config enforces this:
- API rate-limit: 600 req/min
Also GitLab.com uses the "git_basic_auth" setting:
*** PRODUCTION *** production> Settings.rack_attack
=> {"git_basic_auth"=>{"enabled"=>true, "ip_whitelist"=>["127.0.0.1"], "maxretry"=>30, "findtime"=>180, "bantime"=>3600}}
These are the omnibus-gitlab defaults (which it doesn't look like we diverge from):
- https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb#L80-81
- https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/attributes/default.rb#L244-253
So if I'm reading this correctly, we throttle all authentication endpoints to:
- 10 req/min
- And ban for 1 hour upon hitting 30 req/3 mins.
Is this correct?
- Document GitLab.com's rate limits on https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/user/gitlab_com/index.md
  - Why this page? Because https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18040#note_65608427: "The docs should reflect the truth for self-hosted instances (docs are available in-app at /help). Where GitLab.com differs, it's usually documented here: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/user/gitlab_com/index.md"
- Cross-link/reconcile the various related docs to make more sense of the situation
Edited by Michael Kozono
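As an added worked example (not code from this issue, from GitLab or from the rack-attack gem), here is a simplified Ruby model of the Allow2Ban semantics behind the git_basic_auth values quoted above, to show what "ban for 1 hour upon hitting 30 req/3 mins" means in practice. Assumptions: the findtime window starts at the first counted attempt (the real gem uses clock-aligned buckets), and the client address is a constructed documentation IP.

```ruby
# Added illustration, not GitLab's or the rack-attack gem's own code: a
# simplified model of Rack::Attack's Allow2Ban with the git_basic_auth values
# from the console output above (window alignment simplified, see lead-in).
GIT_BASIC_AUTH = { ip_whitelist: ["127.0.0.1"], maxretry: 30,
                   findtime: 180, bantime: 3600 }.freeze

class Allow2BanModel
  def initialize(ip_whitelist:, maxretry:, findtime:, bantime:)
    @ip_whitelist, @maxretry = ip_whitelist, maxretry
    @findtime, @bantime = findtime, bantime
    @counts, @bans = {}, {} # ip => [window_start, count]; ip => ban expiry
  end

  # True if the request from ip at time now must be rejected. counted is
  # true for requests that should count toward the ban (git basic auth).
  def blocked?(ip, now, counted)
    return false if @ip_whitelist.include?(ip)
    return true if banned?(ip, now)
    return false unless counted
    start, count = @counts[ip]
    start, count = now, 0 if start.nil? || now - start >= @findtime
    count += 1
    @counts[ip] = [start, count]
    @bans[ip] = now + @bantime if count >= @maxretry
    false # Allow2Ban lets the triggering request through; later ones are banned
  end

  def banned?(ip, now)
    expiry = @bans[ip]
    return false if expiry.nil?
    return true if now < expiry
    @bans.delete(ip) # ban has lapsed
    false
  end
end

# Drive the model: `attempts` counted requests `spacing` seconds apart from
# one constructed address, then probe the ban just before and after bantime.
def simulate_ban(attempts: 30, spacing: 5)
  model = Allow2BanModel.new(**GIT_BASIC_AUTH)
  ip = "203.0.113.10" # constructed documentation address
  rejected = (0...attempts).count { |i| model.blocked?(ip, i * spacing, true) }
  last = (attempts - 1) * spacing
  { rejected_during_attempts: rejected,
    banned_after: model.blocked?(ip, last + 1, false),
    banned_at_3599s: model.banned?(ip, last + 3599),
    banned_at_3601s: model.banned?(ip, last + 3601),
    whitelisted_blocked: model.blocked?("127.0.0.1", last + 1, true) }
end
```

Calling simulate_ban with the defaults shows none of the 30 attempts themselves rejected, the address banned immediately afterwards, and the ban gone once 3600 s have passed; 29 attempts, or 30 spread over more than 180 s, produce no ban.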