Clarify Rack Attack settings in gitlab.rb for throttle enable, whitelisting, and limits

Summary

Users are instructed to enable these settings for Rack Attack throttling and Fail2Ban basic auth brute-forcing:

 gitlab_rails['rack_attack_git_basic_auth'] = {
   'enabled' => true,
   'ip_whitelist' => ["127.0.0.1"],
   'maxretry' => 10,
   'findtime' => 60,
   'bantime' => 3600
 }
gitlab_rails['rate_limit_requests_per_period'] = 10
gitlab_rails['rate_limit_period'] = 60

The rack_attack_git_basic_auth configuration is used to enable throttling and basic auth protections but the whitelisting and limit settings are only applied to basic auth brute-force protections and not throttling. The throttling limits are defined in the rate_limit settings.

Steps to reproduce

Enable Rack Attack in gitlab.rb, rename the example rack_attack config files if needed (not needed for omnibus).

Add an IP address to the whitelist, run gitlab-ctl reconfigure, and run the following from that source IP:

for i in {1..50}; do curl -X POST -q -o /dev/null http://gitlab-instance/users/password; done

Expected behavior

The whitelisted IP will be allowed to run these queries.

Actual behavior

The IP is blocked and the query eventually results in a retry warning.

Possible fixes

I'm working on a patch to enable whitelisting for throttling as well as basic auth brute-forcing and to clarify which settings apply to each protection type.

@DouweM @stanhu

Edited Sep 22, 2025 by 🤖 GitLab Bot 🤖