diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-17 11:59:07 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-17 11:59:07 +0000 |
commit | 8b573c94895dc0ac0e1d9d59cf3e8745e8b539ca (patch) | |
tree | 544930fb309b30317ae9797a9683768705d664c4 /doc/user/admin_area/settings/user_and_ip_rate_limits.md | |
parent | 4b1de649d0168371549608993deac953eb692019 (diff) | |
download | gitlab-ce-8b573c94895dc0ac0e1d9d59cf3e8745e8b539ca.tar.gz |
Add latest changes from gitlab-org/gitlab@13-7-stable-eev13.7.0-rc42
Diffstat (limited to 'doc/user/admin_area/settings/user_and_ip_rate_limits.md')
-rw-r--r-- | doc/user/admin_area/settings/user_and_ip_rate_limits.md | 62 |
1 files changed, 60 insertions, 2 deletions
diff --git a/doc/user/admin_area/settings/user_and_ip_rate_limits.md b/doc/user/admin_area/settings/user_and_ip_rate_limits.md index af3e0c5b63b..3f0d75dc682 100644 --- a/doc/user/admin_area/settings/user_and_ip_rate_limits.md +++ b/doc/user/admin_area/settings/user_and_ip_rate_limits.md @@ -1,7 +1,7 @@ --- stage: none group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference --- @@ -53,12 +53,70 @@ users to not set that header and bypass the GitLab rate limiter. Note that the bypass only works if the header is set to `1`. Requests that bypassed the rate limiter because of the bypass header -will be marked with `"throttle_safelist":"throttle_bypass_header"` in +are marked with `"throttle_safelist":"throttle_bypass_header"` in [`production_json.log`](../../../administration/logs.md#production_jsonlog). To disable the bypass mechanism, make sure the environment variable `GITLAB_THROTTLE_BYPASS_HEADER` is unset or empty. +## Allowing specific users to bypass authenticated request rate limiting + +Similarly to the bypass header described above, it is possible to allow +a certain set of users to bypass the rate limiter. This only applies +to authenticated requests: with unauthenticated requests, by definition +GitLab does not know who the user is. + +The allowlist is configured as a comma-separated list of user IDs in +the `GITLAB_THROTTLE_USER_ALLOWLIST` environment variable. If you want +users 1, 53 and 217 to bypass the authenticated request rate limiter, +the allowlist configuration would be `1,53,217`. + +- For [Omnibus](https://docs.gitlab.com/omnibus/settings/environment-variables.html), + set `'GITLAB_THROTTLE_USER_ALLOWLIST' => '1,53,217'` in `gitlab_rails['env']`. +- For source installations, set `export GITLAB_THROTTLE_USER_ALLOWLIST=1,53,217` + in `/etc/default/gitlab`. + +Requests that bypassed the rate limiter because of the user allowlist +are marked with `"throttle_safelist":"throttle_user_allowlist"` in +[`production_json.log`](../../../administration/logs.md#production_jsonlog). + +At application startup, the allowlist is logged in [`auth.log`](../../../administration/logs.md#authlog). + +## Trying out throttling settings before enforcing them + +> [Introduced](https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/629) in GitLab 13.6. + +Trying out throttling settings can be done by setting the +`GITLAB_THROTTLE_DRY_RUN` environment variable to a comma-separated +list of throttle names. + +The possible names are: + +- `throttle_unauthenticated` +- `throttle_authenticated_api` +- `throttle_authenticated_web` +- `throttle_unauthenticated_protected_paths` +- `throttle_authenticated_protected_paths_api` +- `throttle_authenticated_protected_paths_web` + +For example: trying out throttles for all authenticated requests to +non-protected paths could be done by setting +`GITLAB_THROTTLE_DRY_RUN='throttle_authenticated_web,throttle_authenticated_api'`. + +To enable the dry-run mode for all throttles, the variable can be set +to `*`. + +Setting a throttle to dry-run mode will log a message to the +[`auth.log`](../../../administration/logs.md#authlog) when it would +hit the limit, while letting the request continue as normal. The log +message will contain an `env` field set to `track`. The `matched` +field will contain the name of throttle that was hit. + +It is important to set the environment variable **before** enabling +the rate limiting in the settings. The settings in the admin panel +take effect immediately, while setting the environment variable +requires a restart of all the Puma processes. + <!-- ## Troubleshooting Include any troubleshooting steps that you can foresee. If you know beforehand what issues |