author Mayra Cabrera <mcabrera@gitlab.com> 2019-09-06 13:07:07 -0500
committer Mayra Cabrera <mcabrera@gitlab.com> 2019-09-10 13:17:53 -0500
commit 3758dbad664d861011393f0412cdbbf189b4b1d3
tree a851272fe8707e6527e6c3faac4da8c1f550394b /doc/user
parent 08b0613302ec813c0735e2c0447a3f7683d7ab87
Update protected paths documentation [updates-protected-paths-docs]
States that protected paths are now configured on Admin UI and deprecated on Omnibus for 12.3 https://gitlab.com/gitlab-org/gitlab-ce/issues/64278
Diffstat (limited to 'doc/user')
-rw-r--r-- doc/user/admin_area/settings/img/protected_paths.png bin 0 -> 68587 bytes
-rw-r--r-- doc/user/admin_area/settings/index.md 1
-rw-r--r-- doc/user/admin_area/settings/protected_paths.md 49
-rw-r--r-- doc/user/gitlab_com/index.md 4
4 files changed, 51 insertions, 3 deletions
diff --git a/doc/user/admin_area/settings/img/protected_paths.png b/doc/user/admin_area/settings/img/protected_paths.png
new file mode 100644
index 00000000000..dac3b4e2f30
--- /dev/null
+++ b/doc/user/admin_area/settings/img/protected_paths.png
Binary files differ
diff --git a/doc/user/admin_area/settings/index.md b/doc/user/admin_area/settings/index.md
index 2a12614e325..f544f4f7e41 100644
--- a/doc/user/admin_area/settings/index.md
+++ b/doc/user/admin_area/settings/index.md
@@ -20,6 +20,7 @@ include:
- [Visibility and access controls](visibility_and_access_controls.md)
- [User and IP rate limits](user_and_ip_rate_limits.md)
- [Custom templates repository](instance_template_repository.md) **(PREMIUM)**
+- [Protected paths](protected_paths.md)
NOTE: **Note:**
You can change the [first day of the week](../../profile/preferences.md) for the entire GitLab instance
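Review bot: The new `- [Protected paths](protected_paths.md)` list entry carries no tier badge, while the entry directly above it is marked `**(PREMIUM)**` and the page it links to is titled `# Protected paths **(CORE ONLY)**`. Consider adding `**(CORE ONLY)**` to the list item so the index agrees with the page title.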
diff --git a/doc/user/admin_area/settings/protected_paths.md b/doc/user/admin_area/settings/protected_paths.md
new file mode 100644
index 00000000000..7947601b7bb
--- /dev/null
+++ b/doc/user/admin_area/settings/protected_paths.md
@@ -0,0 +1,49 @@
+---
+type: reference
+---
+
+# Protected paths **(CORE ONLY)**
+
+Note: **Note** Available from [GitLab 12.3](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31246).
+
+GitLab protects by default the following paths with Rack Attack:
+
+```
+'/users/password',
+'/users/sign_in',
+'/api/#{API::API.version}/session.json',
+'/api/#{API::API.version}/session',
+'/users',
+'/users/confirmation',
+'/unsubscribes/',
+'/import/github/personal_access_token'
+```
+
+GitLab responds with HTTP status code `429` to POST requests at protected paths
+that exceed 10 requests per minute per IP address.
+
+This header is included in responses to blocked requests:
+
+```
+Retry-After: 60
+```
+
+For example, the following are limited to a maximum 10 requests per minute:
+
+- User sign-in
+- User sign-up (if enabled)
+- User password reset
+
+After 10 requests, the client must wait a minute before it can
+try again.
+
+Throttling of protected paths is enabled by default and can be disabled on
+**Admin > Network > Protected Paths** along with:
+
+- Highes number of requests per period per user.
+- Rate limit period in seconds.
+- Paths to be protected.
+
+![protected-paths](img/protected_paths.png)
+
+Requests over the rate limit are logged into `auth.log`.
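Review bot: The settings list near the end describes the limit as "Highes number of requests per period per user", but the earlier paragraph says requests are throttled at "10 requests per minute per IP address"; state which key the counter uses (IP address or user) and use the same wording in both places, since that determines what an administrator can expect the throttle to stop. On the same line, "Highes" should be "Highest". The opening `Note: **Note**` does not match the `NOTE: **Note:**` form used in settings/index.md, and the path list shows the unresolved `#{API::API.version}` interpolation, which would read better as the resolved API version. The commit message says the Omnibus configuration is deprecated for 12.3, yet the page does not mention it; a short sentence pointing Omnibus users to the Admin UI setting would help.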
diff --git a/doc/user/gitlab_com/index.md b/doc/user/gitlab_com/index.md
index 2f2955f5a1c..5f18e40401d 100644
--- a/doc/user/gitlab_com/index.md
+++ b/doc/user/gitlab_com/index.md
@@ -286,9 +286,7 @@ RateLimit-Reset: 1563325137
RateLimit-ResetTime: Wed, 17 Jul 2019 00:58:57 GMT
```
-Source:
-
-- Search for `rate_limit_http_rate_per_minute` and `rate_limit_sessions_per_second` in [GitLab.com's current HAProxy settings](https://gitlab.com/gitlab-cookbooks/gitlab-haproxy/blob/master/attributes/default.rb).
+See [Protected Paths](../admin_area/settings/protected_paths.md) for more details.
### Rack Attack initializer
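Review bot: The removed `Source:` lines pointed at the HAProxy attributes (`rate_limit_http_rate_per_minute`, `rate_limit_sessions_per_second`) as the origin of the GitLab.com limits, and the replacement link goes to a page that only covers Rack Attack protected paths. If the HAProxy limits still apply, keep the source reference and add the new link next to it instead of replacing it. The link text "Protected Paths" should also match the page title's casing, "Protected paths".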