Move the protected paths throttle from Omnibus to GitLab rails
After https://gitlab.com/gitlab-org/gitlab-ce/issues/62756 / https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30467, we're logging the user information on auth.log, but only for Rack::Attack throttle events. It'd be useful to have the same information for blacklist events.
Technical bits
From https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30467#note_189543725:
It looks like in Omnibus (
/opt/gitlab/embedded/service/gitlab-rails/config/initializers/rack_attack.rb), we have:
Rack::Attack.throttle('protected paths', limit: 10, period: 60.seconds) do |req|
if req.post? && req.path =~ paths_regex
req.ip
end
endIn this case we're returning the IP, and I think there are cases from support where we would like to have the username in this case.
Backend Plan
On %12.3
-
Move the protected paths into GitLab-Rails - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31246 -
Handle the throttle like the other ones on RackAttackGlobal- https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31246 -
Update GitLab rails documentation - https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/32773 -
Deprecate protected paths on Omnibus - Users who have configured Omnibus can continue to use their deprecated settings.
- Deprecation might be done with https://docs.gitlab.com/omnibus/development/adding-deprecation-messages.html
-
Update Omnibus documentation to indicate the setting is deprecated.
On %12.4
-
Restore rack_attack_global.rbfile on GitLab-Rails (It was renamedrack_attack_gitlab_rails.rbto avoid collusions with the Omnibus file) -
Remove protected paths and rack attack from Omnibus -
Update omnibus documentation.
Development log
- Merge request was created to add Protected paths configuration into GitLab-rails https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31246
- GitLab documentation is going to be updated on https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/32773
Edited by Mayra Cabrera