| field | value | date |
|---|---|---|
| author | Mayra Cabrera <mcabrera@gitlab.com> | 2019-09-06 13:07:07 -0500 |
| committer | Mayra Cabrera <mcabrera@gitlab.com> | 2019-09-10 13:17:53 -0500 |
| commit | 3758dbad664d861011393f0412cdbbf189b4b1d3 (patch) | |
| tree | a851272fe8707e6527e6c3faac4da8c1f550394b | |
| parent | 08b0613302ec813c0735e2c0447a3f7683d7ab87 (diff) | |
| download | gitlab-ce-updates-protected-paths-docs.tar.gz | |
Update protected paths documentation (updates-protected-paths-docs)
States that protected paths are now configured on Admin UI and
deprecated on Omnibus for 12.3
https://gitlab.com/gitlab-org/gitlab-ce/issues/64278
-rw-r--r-- | doc/security/rack_attack.md | 36 | ||||
-rw-r--r-- | doc/user/admin_area/settings/img/protected_paths.png | bin | 0 -> 68587 bytes | |||
-rw-r--r-- | doc/user/admin_area/settings/index.md | 1 | ||||
-rw-r--r-- | doc/user/admin_area/settings/protected_paths.md | 49 | ||||
-rw-r--r-- | doc/user/gitlab_com/index.md | 4 |
5 files changed, 54 insertions, 36 deletions
diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index 09d29bf3446..a03042254c9 100644 --- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md @@ -36,38 +36,10 @@ will be enabled: ### Protected paths throttle -GitLab responds with HTTP status code `429` to POST requests at protected paths -that exceed 10 requests per minute per IP address. +Starting with GitLab 12.3: -By default, protected paths are: - -```ruby -default['gitlab']['gitlab-rails']['rack_attack_protected_paths'] = [ - '/users/password', - '/users/sign_in', - '/api/#{API::API.version}/session.json', - '/api/#{API::API.version}/session', - '/users', - '/users/confirmation', - '/unsubscribes/', - '/import/github/personal_access_token' -] -``` - -This header is included in responses to blocked requests: - -``` -Retry-After: 60 -``` - -For example, the following are limited to a maximum 10 requests per minute: - -- User sign-in -- User sign-up (if enabled) -- User password reset - -After 10 requests, the client must wait a minute before it can -try again. +- [Protected Paths](../user/admin_area/settings/protected_paths.md) are configured on the GitLab admin UI area. Please see that section for more details. +- [Omnibus Protected Paths](https://docs.gitlab.com/omnibus/settings/configuration.html#setting-up-paths-to-be-protected-by-rack-attack) are considered deprecated, and will be removed in an upcoming release. ### Git and container registry failed authentication ban @@ -135,8 +107,6 @@ taken in order to enable protection for your GitLab instance: ``` 1. Copy `config/initializers/rack_attack.rb.example` to `config/initializers/rack_attack.rb` -1. Open `config/initializers/rack_attack.rb`, review the - `paths_to_be_protected`, and add any other path you need protecting 1. Restart GitLab: ```sh 
diff --git a/doc/user/admin_area/settings/img/protected_paths.png b/doc/user/admin_area/settings/img/protected_paths.png Binary files differnew file mode 100644 index 00000000000..dac3b4e2f30 --- /dev/null +++ b/doc/user/admin_area/settings/img/protected_paths.png diff --git a/doc/user/admin_area/settings/index.md b/doc/user/admin_area/settings/index.md index 2a12614e325..f544f4f7e41 100644 --- a/doc/user/admin_area/settings/index.md +++ b/doc/user/admin_area/settings/index.md @@ -20,6 +20,7 @@ include: - [Visibility and access controls](visibility_and_access_controls.md) - [User and IP rate limits](user_and_ip_rate_limits.md) - [Custom templates repository](instance_template_repository.md) **(PREMIUM)** +- [Protected paths](protected_paths.md) NOTE: **Note:** You can change the [first day of the week](../../profile/preferences.md) for the entire GitLab instance diff --git a/doc/user/admin_area/settings/protected_paths.md b/doc/user/admin_area/settings/protected_paths.md new file mode 100644 index 00000000000..7947601b7bb --- /dev/null +++ b/doc/user/admin_area/settings/protected_paths.md 
@@ -0,0 +1,49 @@ +--- +type: reference +--- + +# Protected paths **(CORE ONLY)** + +Note: **Note** Available from [GitLab 12.3](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31246). + +GitLab protects by default the following paths with Rack Attack: + +``` +'/users/password', +'/users/sign_in', +'/api/#{API::API.version}/session.json', +'/api/#{API::API.version}/session', +'/users', +'/users/confirmation', +'/unsubscribes/', +'/import/github/personal_access_token' +``` + +GitLab responds with HTTP status code `429` to POST requests at protected paths +that exceed 10 requests per minute per IP address. + +This header is included in responses to blocked requests: + +``` +Retry-After: 60 +``` + +For example, the following are limited to a maximum 10 requests per minute: + +- User sign-in +- User sign-up (if enabled) +- User password reset + +After 10 requests, the client must wait a minute before it can +try again. + +Throttling of protected paths is enabled by default and can be disabled on +**Admin > Network > Protected Paths** along with: + +- Highes number of requests per period per user. +- Rate limit period in seconds. +- Paths to be protected. + +![protected-paths](img/protected_paths.png) + +Requests over the rate limit are logged into `auth.log`. diff --git a/doc/user/gitlab_com/index.md b/doc/user/gitlab_com/index.md index 2f2955f5a1c..5f18e40401d 100644 --- a/doc/user/gitlab_com/index.md +++ b/doc/user/gitlab_com/index.md @@ -286,9 +286,7 @@ RateLimit-Reset: 1563325137 RateLimit-ResetTime: Wed, 17 Jul 2019 00:58:57 GMT ``` -Source: - -- Search for `rate_limit_http_rate_per_minute` and `rate_limit_sessions_per_second` in [GitLab.com's current HAProxy settings](https://gitlab.com/gitlab-cookbooks/gitlab-haproxy/blob/master/attributes/default.rb). +See [Protected Paths](../admin_area/settings/protected_paths.md) for more details. ### Rack Attack initializer |
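Review bot: In the first `doc/security/rack_attack.md` hunk, the new bullet says Omnibus Protected Paths "will be removed in an upcoming release" without naming the release; a deprecation notice in these docs should state the target version so administrators know when `rack_attack_protected_paths` in `gitlab.rb` stops being honoured. The hunk also deletes the only description on this page of the throttle's observable behaviour (HTTP `429` with `Retry-After: 60` on POSTs to protected paths); keeping a one-line summary here before the link would stop this page from becoming a bare redirect for readers who arrive at it from the Rack Attack heading. "Please see that section for more details" can be shortened to "See that page for details" (the link target is a page, not a section).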
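Review bot: In the second `doc/security/rack_attack.md` hunk (the source-installation steps), removing the "review `paths_to_be_protected`" step leaves the procedure with no statement of where the list is configured now, so someone who has just copied `config/initializers/rack_attack.rb.example` will assume the initializer still owns it. Replace the removed step with a pointer rather than deleting it outright, for example "Protected paths are configured in the Admin Area; see [Protected Paths](../user/admin_area/settings/protected_paths.md)." Please also confirm the `.example` file no longer carries a `paths_to_be_protected` array, otherwise the initializer and the Admin UI become two diverging sources of truth.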
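Review bot: In the new `doc/user/admin_area/settings/protected_paths.md`, the settings list says "Highes number of requests per period per user", which contradicts the paragraph just above it stating the limit is "per IP address"; fix the typo ("Highest") and make the unit consistent with how the throttle actually keys (per IP). Other points in the same file: the note line uses `Note: **Note**` while the `index.md` hunk in this same MR uses the docs convention `NOTE: **Note:**`; the path list is pasted from Ruby with the `#{API::API.version}` interpolation left in and sits in an untagged fence, so either fence it as `ruby` and say it is the default from the Rails configuration, or write the version out as it appears in real request paths; the navigation path "**Admin > Network > Protected Paths**" omits the Settings level even though the page lives under `admin_area/settings/`, so "**Admin Area > Settings > Network > Protected Paths**" matches the rest of these docs; and since the limit is now configurable, "exceed 10 requests per minute" and "After 10 requests" should be qualified as the default ("By default, ..."). "GitLab protects by default the following paths" reads better as "By default, GitLab protects the following paths".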
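Review bot: In the `doc/user/gitlab_com/index.md` hunk, replacing the HAProxy source bullet with "See Protected Paths" conflates two different rate limiters. The `RateLimit-Reset` / `RateLimit-ResetTime` headers in the surrounding context come from GitLab.com's HAProxy layer, which is exactly what the removed bullet documented (`rate_limit_http_rate_per_minute` and `rate_limit_sessions_per_second` in the gitlab-haproxy cookbook), whereas Protected Paths is the Rack Attack throttle inside Rails that answers with `429` and `Retry-After`. Keep the HAProxy source bullet here and put the Protected Paths link under the "Rack Attack initializer" section that follows, where it belongs.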