Users getting automatically banned after some intensive MR reviews
Summary
Most active GNOME contributors are getting banned after a certain number of requests sent to GNOME's GitLab instance. Rack Attack shows no activity at all for their IPs, nor is any Rack_Attack string found in production.log.
Steps to reproduce
- Start reviewing and approving a set of MRs
- After the MRs have been merged into master a set of CI jobs starts
- A ban occurs against the user who performed the MRs and started the CI jobs
Involved configuration files
gitlab_rails['rack_attack_git_basic_auth'] = {
'enabled' => true,
'ip_whitelist' => ["127.0.0.1", "load-balancer-ip-1", "load-balancer-ip-2"],
'maxretry' => 10,
'findtime' => 60,
'bantime' => 3600
}
gitlab_rails['rack_attack_protected_paths'] = [
'/users/password',
'/users/sign_in',
'/api/#{API::API.version}/session.json',
'/api/#{API::API.version}/session',
'/users',
'/users/confirmation',
'/unsubscribes/',
'/import/github/personal_access_token'
]
Commands stdout excerpt
[root@gitlab gitlab-rails]# grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log
[root@gitlab gitlab-rails]#
[root@gitlab ~]# /opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket
redis /var/opt/gitlab/redis/redis.socket> keys *attack*
(empty list or set)
(0.52s)
Still, the person is receiving a series of 403s:
./gitlab-workhorse/current:2018-06-19_11:28:01.57536 gitlab.gnome.org X.X.X.X:50756 - - [2018/06/19:11:28:01 +0000] "GET /GNOME/glib/merge_requests/104.json?serializer=widget HTTP/1.1" 403 0 "https://gitlab.gnome.org/GNOME/glib/merge_requests/104/diffs" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" 0.035
./gitlab-workhorse/current:2018-06-19_11:28:21.31411 gitlab.gnome.org X.X.X.X:51398 - - [2018/06/19:11:28:21 +0000] "GET / HTTP/1.1" 403 0 "" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" 0.022
./gitlab-workhorse/current:2018-06-19_11:28:24.76890 gitlab.gnome.org X.X.X.X:51516 - - [2018/06/19:11:28:24 +0000] "GET /GNOME/glib/merge_requests/117/ci_environments_status HTTP/1.1" 403 0 "https://gitlab.gnome.org/GNOME/glib/merge_requests/117" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" 0.041
Does GitLab make use of any rate-limiting tool other than Rack Attack? If Rack Attack is the tool that performs the ban, why aren't the paths listed in rack_attack_protected_paths honored (as /GNOME/glib* was mainly targeted with GET/POST requests, and those seem to have effectively caused the ban)?
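One way to check whether the bursts visible in the gitlab-workhorse log actually exceed the maxretry/findtime thresholds from the gitlab.rb excerpt above is to replay the log per client IP with a sliding window. The script below is an added example, not part of the issue report and not GitLab's own code. It assumes IPv4 client addresses (or the X.X.X.X placeholder), assumes "v4" for the unexpanded API::API.version, and uses constructed log lines in the format quoted in the report as sample input.

```python
"""Sliding-window request counter over gitlab-workhorse access-log lines.

Added example (not from the issue report, not GitLab code). For each client
IP it reports the largest number of requests inside any findtime-second
window, the same figure restricted to the configured protected paths, and
the timestamp at which the count first exceeded maxretry. A sliding window
over-approximates a fixed-period counter: if it never trips, a fixed window
of the same length would not trip either.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FINDTIME = 60   # seconds, from the rack_attack_git_basic_auth block
MAXRETRY = 10   # from the rack_attack_git_basic_auth block

# Protected-path prefixes from the gitlab.rb excerpt; "v4" is an assumed
# value for API::API.version, which the report does not expand.
PROTECTED_PATHS = (
    '/users/password', '/users/sign_in', '/api/v4/session.json', '/api/v4/session',
    '/users', '/users/confirmation', '/unsubscribes/',
    '/import/github/personal_access_token',
)

# gitlab-workhorse access-log layout as quoted in the report. search() is used
# so a leading "file:" prefix from grep -r is skipped. IPv4 (or X.X.X.X) assumed.
LINE_RE = re.compile(
    r'(?P<ts>\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}\.\d+) \S+ '
    r'(?P<ip>[^:\s]+):\d+ - - \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (timestamp, ip, method, path-without-query, status) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%Y-%m-%d_%H:%M:%S.%f')
    return ts, m['ip'], m['method'], m['path'].split('?', 1)[0], int(m['status'])


def is_protected(path):
    return any(path.startswith(p) for p in PROTECTED_PATHS)


def _push(window, ts, span):
    """Append ts to a per-IP deque, drop entries older than span, return size."""
    window.append(ts)
    while ts - window[0] > span:
        window.popleft()
    return len(window)


def analyze(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Per-IP stats: total, peak, protected_peak, tripped_at, first_403.

    Lines are expected in log order for each client, as workhorse writes them.
    """
    windows, prot_windows = defaultdict(deque), defaultdict(deque)
    stats = defaultdict(lambda: {'total': 0, 'peak': 0, 'protected_peak': 0,
                                 'tripped_at': None, 'first_403': None})
    span = timedelta(seconds=findtime)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, ip, _method, path, status = rec
        s = stats[ip]
        s['total'] += 1
        if status == 403 and s['first_403'] is None:
            s['first_403'] = ts
        s['peak'] = max(s['peak'], _push(windows[ip], ts, span))
        if s['peak'] > maxretry and s['tripped_at'] is None:
            s['tripped_at'] = ts
        if is_protected(path):
            s['protected_peak'] = max(s['protected_peak'],
                                      _push(prot_windows[ip], ts, span))
    return dict(stats)


# Constructed sample input: one line in the exact quoted layout, then a burst
# from the same placeholder address and two requests from a second address.
def _line(ts, ip, method, path, status, referer=''):
    stamp = ts.strftime('%Y-%m-%d_%H:%M:%S.%f')[:-1]
    clf = ts.strftime('%Y/%m/%d:%H:%M:%S +0000')
    return (f'./gitlab-workhorse/current:{stamp} gitlab.gnome.org {ip}:50756 - - '
            f'[{clf}] "{method} {path} HTTP/1.1" {status} 0 "{referer}" "Mozilla/5.0" 0.03')


T0 = datetime(2018, 6, 19, 11, 27, 30)
SAMPLE_LINES = [
    './gitlab-workhorse/current:2018-06-19_11:27:20.12345 gitlab.gnome.org X.X.X.X:50700 - - '
    '[2018/06/19:11:27:20 +0000] "GET /GNOME/glib/merge_requests/104/diffs HTTP/1.1" 200 8123 '
    '"" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" 0.210',
]
# 11 further requests inside 30 s: 9 succeed, then the client starts seeing 403s.
for i in range(11):
    SAMPLE_LINES.append(_line(T0 + timedelta(seconds=3 * i), 'X.X.X.X', 'GET',
                              '/GNOME/glib/merge_requests/104.json?serializer=widget',
                              200 if i < 9 else 403))
SAMPLE_LINES.append(_line(T0 + timedelta(seconds=5), 'Y.Y.Y.Y', 'POST', '/users/sign_in', 302))
SAMPLE_LINES.append(_line(T0 + timedelta(seconds=40), 'Y.Y.Y.Y', 'GET', '/', 200))

if __name__ == '__main__':
    for ip, s in analyze(SAMPLE_LINES).items():
        print(ip, s)
```

Running it on real logs (for example `grep X.X.X.X /var/log/gitlab/gitlab-workhorse/current | python3 script.py` after swapping SAMPLE_LINES for `sys.stdin`) shows whether the banned client ever exceeded maxretry requests in findtime seconds at all, and whether any of those requests touched a protected path; a client that trips only on unprotected paths like /GNOME/glib/* points at a throttle other than the protected-paths ban.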