Unauthenticated Rate Limit Affects Authenticated Users
Summary
When using GitLab by SSH with unauthenticated rate limiting turned on, attempts to access the GitLab API (such as a git pull) will count against the rate limit. Should this be reached, an authenticated user will be denied access.
Steps to reproduce
Set "Enable unauthenticated request rate limit" with a small limit.
Make repeated requests with an authenticated user account.
What is the current bug behavior?
Authenticated user is blocked.
What is the expected correct behavior?
Unauthenticated users are blocked, while authenticated users are allowed access.
Relevant logs and/or screenshots
Git output with ssh debugging.
debug1: Sending command: git-upload-pack '<project>'
debug2: channel 0: request exec confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug2: channel 0: rcvd ext data 30
GitLab: API is not accessible
debug2: channel 0: written 30 to efd 7
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 2624, received 3400 bytes, in 1.7 seconds
Bytes per second: sent 1504.6, received 1949.6
debug1: Exit status 1
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
GitLab-Shell Log:
W, [2018-02-09T14:36:07.211956 #19209] WARN -- : gitlab-shell: Access denied for git command <git-upload-pack '<Project>'> by user with key key-28.
I, [2018-02-09T14:36:17.869828 #19276] INFO -- : POST http://127.0.0.1:8080/api/v4/internal/allowed 0.02472
E, [2018-02-09T14:36:17.870171 #19276] ERROR -- : API call <POST http://127.0.0.1:8080/api/v4/internal/allowed> failed: 429 => <Retry later
Results of GitLab environment info
System information
System: Ubuntu 16.04
Current User: git
Using RVM: no
Ruby Version: 2.3.6p384
Gem Version: 2.6.13
Bundler Version:1.13.7
Rake Version: 12.3.0
Redis Version: 3.2.11
Git Version: 2.14.3
Sidekiq Version:5.0.5
Go Version: unknown
GitLab information
Version: 10.4.3
Revision: 183dd5d
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://
HTTP Clone URL: https://
SSH Clone URL: git@
Using LDAP: no
Using Omniauth: no
GitLab Shell
Version: 5.11.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab Shell ...
GitLab Shell version >= 5.11.0 ? ... OK (5.11.0)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Reply by email is disabled in config/gitlab.yml
Checking LDAP ...
LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.3.6)
Git version >= 2.7.3 ? ... yes (2.14.3)
Git user has default SSH configuration? ... yes
Active users: ... 7
Checking GitLab ... Finished
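Added example, not part of the original report and not GitLab's own code: a small Ruby triage script that reads gitlab-shell.log lines in the format shown above and separates SSH sessions rejected by the rate limiter (HTTP 429 from the internal API) from other API failures. The function names are hypothetical, the first three sample lines are quoted from the report, and the last two are constructed for illustration.

```ruby
require 'time'
require 'uri'

# Ruby Logger layout of gitlab-shell.log, as in the report above:
#   E, [2018-02-09T14:36:17.870171 #19276] ERROR -- : <message>
LOG_LINE = /\A[A-Z], \[(?<ts>\S+) #(?<pid>\d+)\]\s+(?<level>[A-Z]+) -- : (?<msg>.*)\z/
API_FAIL = /API call <(?<verb>[A-Z]+) (?<url>[^>\s]+)> failed: (?<status>\d{3})/

# Collect every failed gitlab-shell -> Rails API call and label its cause.
def failed_api_calls(lines)
  lines.each_with_object([]) do |line, out|
    rec = LOG_LINE.match(line.strip)
    next unless rec
    call = API_FAIL.match(rec[:msg])
    next unless call
    path = URI.parse(call[:url]).path
    status = call[:status].to_i
    internal = path.start_with?('/api/v4/internal/')
    out << {
      time: Time.parse(rec[:ts]),
      pid: rec[:pid].to_i,
      path: path,
      status: status,
      # A 429 on the internal API means the throttle, not the user's
      # project permissions, rejected the SSH session.
      cause: internal && status == 429 ? :rate_limited : :other_failure
    }
  end
end

def rate_limited_calls(lines)
  failed_api_calls(lines).select { |c| c[:cause] == :rate_limited }
end

# Lines 1-3 are quoted from the report; lines 4-5 are constructed samples.
SAMPLE_LOG = <<~'LOG'.lines
  W, [2018-02-09T14:36:07.211956 #19209] WARN -- : gitlab-shell: Access denied for git command <git-upload-pack '<Project>'> by user with key key-28.
  I, [2018-02-09T14:36:17.869828 #19276] INFO -- : POST http://127.0.0.1:8080/api/v4/internal/allowed 0.02472
  E, [2018-02-09T14:36:17.870171 #19276] ERROR -- : API call <POST http://127.0.0.1:8080/api/v4/internal/allowed> failed: 429 => <Retry later
  E, [2018-02-09T14:36:19.102233 #19301] ERROR -- : API call <POST http://127.0.0.1:8080/api/v4/internal/allowed> failed: 429 => <Retry later
  E, [2018-02-09T14:37:02.000000 #19350] ERROR -- : API call <POST http://127.0.0.1:8080/api/v4/internal/allowed> failed: 500 => <Internal Server Error
LOG

if __FILE__ == $PROGRAM_NAME
  rate_limited_calls(SAMPLE_LOG).each do |c|
    puts "#{c[:time].iso8601} pid=#{c[:pid]} #{c[:path]} -> #{c[:status]} (throttled)"
  end
end
```

Any hit means a git-over-SSH request was refused by the unauthenticated throttle rather than by an access check, which is the condition this report describes.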