| Field | Value | Date |
|---|---|---|
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-08 09:17:44 +0000 |
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-05-08 09:17:44 +0000 |
| commit | efe3186770a4218333e1a720f1e4d3794892673e (patch) | |
| tree | b637f816536c38ac920373aeb5c58b1540f8d921 /doc/administration | |
| parent | 6eed20a9c4ecc6ad0ce1615c9922eb615db7a45f (diff) | |
| download | gitlab-ce-efe3186770a4218333e1a720f1e4d3794892673e.tar.gz | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/administration')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/administration/geo/index.md | 2 |
| -rw-r--r-- | doc/administration/git_protocol.md | 2 |
| -rw-r--r-- | doc/administration/monitoring/prometheus/index.md | 2 |
| -rw-r--r-- | doc/administration/pages/index.md | 56 |
| -rw-r--r-- | doc/administration/pages/source.md | 2 |
| -rw-r--r-- | doc/administration/raketasks/uploads/sanitize.md | 2 |
| -rw-r--r-- | doc/administration/reply_by_email.md | 2 |
7 files changed, 45 insertions, 23 deletions
diff --git a/doc/administration/geo/index.md b/doc/administration/geo/index.md index 731f16822fd..31de7f5c62f 100644 --- a/doc/administration/geo/index.md +++ b/doc/administration/geo/index.md @@ -9,8 +9,6 @@ info: To determine the technical writer assigned to the Stage/Group associated w Geo is the solution for widely distributed development teams and for providing a warm-standby as part of a disaster recovery strategy. -## Overview - WARNING: Geo undergoes significant changes from release to release. Upgrades are supported and [documented](#upgrading-geo), but you should ensure that you're diff --git a/doc/administration/git_protocol.md b/doc/administration/git_protocol.md index df9bdb0ee8d..b996b9efae9 100644 --- a/doc/administration/git_protocol.md +++ b/doc/administration/git_protocol.md @@ -17,7 +17,7 @@ More details about the new features and improvements are available in the [Google Open Source Blog](https://opensource.googleblog.com/2018/05/introducing-git-protocol-version-2.html) and the [protocol documentation](https://github.com/git/git/blob/master/Documentation/gitprotocol-v2.txt). -## Requirements +## Prerequisites From the client side, `git` `v2.18.0` or newer must be installed. diff --git a/doc/administration/monitoring/prometheus/index.md b/doc/administration/monitoring/prometheus/index.md index 37a7445c290..013c4515268 100644 --- a/doc/administration/monitoring/prometheus/index.md +++ b/doc/administration/monitoring/prometheus/index.md @@ -22,7 +22,7 @@ Prometheus services are on by default. Prometheus and its exporters don't authenticate users, and are available to anyone who can access them. -## Overview +## How Prometheus works Prometheus works by periodically connecting to data sources and collecting their performance metrics through the [various exporters](#bundled-software-metrics). To view diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md index 9188f84d890..1626a4fd41a 100644 
--- a/doc/administration/pages/index.md +++ b/doc/administration/pages/index.md @@ -14,7 +14,7 @@ This guide is for Omnibus GitLab installations. If you have installed GitLab from source, see [GitLab Pages administration for source installations](source.md). -## Overview +## The GitLab Pages daemon GitLab Pages makes use of the [GitLab Pages daemon](https://gitlab.com/gitlab-org/gitlab-pages), a basic HTTP server written in Go that can listen on an external IP address and provide support for @@ -299,6 +299,10 @@ control over how the Pages daemon runs and serves content in your environment. | `rate_limit_source_ip_burst` | Rate limit per source IP maximum burst allowed per second. | | `rate_limit_domain` | Rate limit per domain in number of requests per second. Set to `0` to disable this feature. | | `rate_limit_domain_burst` | Rate limit per domain maximum burst allowed per second. | +| `rate_limit_tls_source_ip` | Rate limit per source IP in number of TLS connections per second. Set to `0` to disable this feature. | +| `rate_limit_tls_source_ip_burst` | Rate limit per source IP maximum TLS connections burst allowed per second. | +| `rate_limit_tls_domain` | Rate limit per domain in number of TLS connections per second. Set to `0` to disable this feature. | +| `rate_limit_tls_domain_burst` | Rate limit per domain maximum TLS connections burst allowed per second. | | `server_read_timeout` | Maximum duration to read the request headers and body. For no timeout, set to `0` or a negative value. Default: `5s` | | `server_read_header_timeout` | Maximum duration to read the request headers. For no timeout, set to `0` or a negative value. Default: `1s` | | `server_write_timeout` | Maximum duration to write all files in the response. Larger files require more time. For no timeout, set to `0` or a negative value. Default: `0` | 
@@ -1138,14 +1142,14 @@ than GitLab to prevent XSS attacks. You can enforce rate limits to help minimize the risk of a Denial of Service (DoS) attack. GitLab Pages uses a [token bucket algorithm](https://en.wikipedia.org/wiki/Token_bucket) to enforce rate limiting. By default, -requests that exceed the specified limits are reported but not rejected. +requests or TLS connections that exceed the specified limits are reported but not rejected. GitLab Pages supports the following types of rate limiting: -- Per `source_ip`. It limits how many requests are allowed from the single client IP address. -- Per `domain`. It limits how many requests are allowed per domain hosted on GitLab Pages. It can be a custom domain like `example.com`, or group domain like `group.gitlab.io`. +- Per `source_ip`. It limits how many requests or TLS connections are allowed from the single client IP address. +- Per `domain`. It limits how many requests or TLS connections are allowed per domain hosted on GitLab Pages. It can be a custom domain like `example.com`, or group domain like `group.gitlab.io`. -Rate limits are enforced using the following: +HTTP request-based rate limits are enforced using the following: - `rate_limit_source_ip`: Set the maximum threshold in number of requests per client IP per second. Set to 0 to disable this feature. - `rate_limit_source_ip_burst`: Sets the maximum threshold of number of requests allowed in an initial outburst of requests per client IP. 
@@ -1153,7 +1157,15 @@ Rate limits are enforced using the following: - `rate_limit_domain`: Set the maximum threshold in number of requests per hosted pages domain per second. Set to 0 to disable this feature. - `rate_limit_domain_burst`: Sets the maximum threshold of number of requests allowed in an initial outburst of requests per hosted pages domain. -#### Enable source-IP rate limits +TLS connection-based rate limits are enforced using the following: + +- `rate_limit_tls_source_ip`: Set the maximum threshold in number of TLS connections per client IP per second. Set to 0 to disable this feature. +- `rate_limit_tls_source_ip_burst`: Sets the maximum threshold of number of TLS connections allowed in an initial outburst of TLS connections per client IP. + For example, when you load a web page from different web browsers at the same time. +- `rate_limit_tls_domain`: Set the maximum threshold in number of TLS connections per hosted pages domain per second. Set to 0 to disable this feature. +- `rate_limit_tls_domain_burst`: Sets the maximum threshold of number of TLS connections allowed in an initial outburst of TLS connections per hosted pages domain. + +#### Enable HTTP requests rate limits by source-IP > [Introduced](https://gitlab.com/gitlab-org/gitlab-pages/-/issues/631) in GitLab 14.5. 
@@ -1164,31 +1176,43 @@ Rate limits are enforced using the following: gitlab_pages['rate_limit_source_ip_burst'] = 600 ``` -1. To reject requests that exceed the specified limits, enable the `FF_ENFORCE_IP_RATE_LIMITS` feature flag in - `/etc/gitlab/gitlab.rb`: +1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure). + +#### Enable HTTP requests rate limits by domain + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-pages/-/issues/630) in GitLab 14.7. + +1. Set rate limits in `/etc/gitlab/gitlab.rb`: ```ruby - gitlab_pages['env'] = {'FF_ENFORCE_IP_RATE_LIMITS' => 'true'} + gitlab_pages['rate_limit_domain'] = 1000 + gitlab_pages['rate_limit_domain_burst'] = 5000 ``` 1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure). -#### Enable domain rate limits +#### Enable TLS connections rate limits by source-IP -> [Introduced](https://gitlab.com/gitlab-org/gitlab-pages/-/issues/630) in GitLab 14.7. +> [Introduced](https://gitlab.com/gitlab-org/gitlab-pages/-/issues/632) in GitLab 14.9. 1. Set rate limits in `/etc/gitlab/gitlab.rb`: ```ruby - gitlab_pages['rate_limit_domain'] = 1000 - gitlab_pages['rate_limit_domain_burst'] = 5000 + gitlab_pages['rate_limit_tls_source_ip'] = 20.0 + gitlab_pages['rate_limit_tls_source_ip_burst'] = 600 ``` -1. To reject requests that exceed the specified limits, enable the `FF_ENFORCE_DOMAIN_RATE_LIMITS` feature flag in - `/etc/gitlab/gitlab.rb`: +1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure). + +#### Enable TLS connections rate limits by domain + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-pages/-/issues/632) in GitLab 14.9. + +1. Set rate limits in `/etc/gitlab/gitlab.rb`: ```ruby - gitlab_pages['env'] = {'FF_ENFORCE_DOMAIN_RATE_LIMITS' => 'true'} + gitlab_pages['rate_limit_tls_domain'] = 1000 + gitlab_pages['rate_limit_tls_domain_burst'] = 5000 ``` 1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure). 
diff --git a/doc/administration/pages/source.md b/doc/administration/pages/source.md index 88b88f3225b..7027feadb59 100644 --- a/doc/administration/pages/source.md +++ b/doc/administration/pages/source.md @@ -20,7 +20,7 @@ We also highly recommend that you use the Omnibus GitLab packages. We optimize them specifically for GitLab, and we take care of upgrading GitLab Pages to the latest supported version. -## Overview +## How GitLab Pages works GitLab Pages makes use of the [GitLab Pages daemon](https://gitlab.com/gitlab-org/gitlab-pages), a lightweight HTTP server that listens on an external IP address and provides support for custom domains and certificates. It supports dynamic certificates through diff --git a/doc/administration/raketasks/uploads/sanitize.md b/doc/administration/raketasks/uploads/sanitize.md index 831abee9739..567a20a37f3 100644 --- a/doc/administration/raketasks/uploads/sanitize.md +++ b/doc/administration/raketasks/uploads/sanitize.md @@ -11,7 +11,7 @@ In GitLab 11.9 and later, EXIF data is automatically stripped from JPG or TIFF i EXIF data may contain sensitive information (for example, GPS location), so you can remove EXIF data from existing images that were uploaded to an earlier version of GitLab. -## Requirements +## Prerequisite To run this Rake task, you need `exiftool` installed on your system. If you installed GitLab: diff --git a/doc/administration/reply_by_email.md b/doc/administration/reply_by_email.md index 5172a9613ee..b632108b103 100644 --- a/doc/administration/reply_by_email.md +++ b/doc/administration/reply_by_email.md @@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w GitLab can be set up to allow users to comment on issues and merge requests by replying to notification emails. -## Requirement +## Prerequisite Make sure [incoming email](incoming_email.md) is set up. |
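Review bot: in the four new table rows in doc/administration/pages/index.md (hunk at line 299), `rate_limit_tls_source_ip_burst` and `rate_limit_tls_domain_burst` are described as a "maximum TLS connections burst allowed per second", but in a token bucket the burst is the bucket capacity, not a per-second rate; the prose added later in the same file gets it right ("maximum threshold of number of TLS connections allowed in an initial outburst"). Suggest aligning the table with that, for example `| rate_limit_tls_source_ip_burst | Maximum number of TLS connections per source IP allowed in an initial burst. |`. The same wording problem pre-exists in the unchanged `rate_limit_source_ip_burst` and `rate_limit_domain_burst` rows and could be fixed in the same pass.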
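Review bot: the rewritten sentence "By default, requests or TLS connections that exceed the specified limits are reported but not rejected" (hunk at line 1138) keeps the "by default" qualifier, but after this commit the section no longer says what the non-default is or how to reach it, so an administrator reading this cannot tell whether the limits they configure will actually drop traffic during a DoS. State the enforcement behaviour explicitly or drop "by default". Minor grammar in the same hunk: "allowed from the single client IP address" should read "allowed from a single client IP address".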
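Review bot: the new headings in the hunk at line 1153 and below, "Enable HTTP requests rate limits by source-IP" and "Enable TLS connections rate limits by source-IP", read better as "Enable HTTP request rate limits by source IP" and "Enable TLS connection rate limits by source IP" (likewise for the two "by domain" headings). In the same hunk, the new bullets say "Set to 0 to disable this feature" while the table earlier in the file writes it as `0`; use code formatting for the value consistently. The example under `rate_limit_tls_source_ip_burst` ("when you load a web page from different web browsers at the same time") would be clearer if it said that each browser opens its own TLS connection, which is what the burst is counting.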
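Review bot: the hunk at line 1164 deletes the steps that set `gitlab_pages['env'] = {'FF_ENFORCE_IP_RATE_LIMITS' => 'true'}` and `{'FF_ENFORCE_DOMAIN_RATE_LIMITS' => 'true'}` without replacing them, which leaves no documented way to turn rate limiting from log-only into rejection; if the flags were removed because enforcement is now unconditional, the opening sentence of the section ("reported but not rejected") must change in the same commit, and if they still exist the steps should stay. Also, `gitlab_pages['rate_limit_tls_source_ip'] = 20.0` is the only example that uses a float while the others use integers (`600`, `1000`, `5000`); either use an integer or say explicitly that fractional per-second rates are accepted.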
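Review bot: the heading renames are inconsistent within this one commit: doc/administration/git_protocol.md gets `## Prerequisites` while doc/administration/raketasks/uploads/sanitize.md and doc/administration/reply_by_email.md get `## Prerequisite`, although each of the three sections lists a single item. Pick one form (the GitLab docs task topic type uses the plural) and apply it to all three files.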