diff options
Diffstat (limited to 'doc/user')
| -rw-r--r-- | doc/user/admin_area/settings/img/protected_paths.png | bin | 0 -> 68587 bytes | |||
| -rw-r--r-- | doc/user/admin_area/settings/index.md | 1 | ||||
| -rw-r--r-- | doc/user/admin_area/settings/protected_paths.md | 49 | ||||
| -rw-r--r-- | doc/user/gitlab_com/index.md | 4 |
4 files changed, 51 insertions, 3 deletions
diff --git a/doc/user/admin_area/settings/img/protected_paths.png b/doc/user/admin_area/settings/img/protected_paths.png Binary files differnew file mode 100644 index 00000000000..dac3b4e2f30 --- /dev/null +++ b/doc/user/admin_area/settings/img/protected_paths.png diff --git a/doc/user/admin_area/settings/index.md b/doc/user/admin_area/settings/index.md index 2a12614e325..f544f4f7e41 100644 --- a/doc/user/admin_area/settings/index.md +++ b/doc/user/admin_area/settings/index.md @@ -20,6 +20,7 @@ include: - [Visibility and access controls](visibility_and_access_controls.md) - [User and IP rate limits](user_and_ip_rate_limits.md) - [Custom templates repository](instance_template_repository.md) **(PREMIUM)** +- [Protected paths](protected_paths.md) NOTE: **Note:** You can change the [first day of the week](../../profile/preferences.md) for the entire GitLab instance diff --git a/doc/user/admin_area/settings/protected_paths.md b/doc/user/admin_area/settings/protected_paths.md new file mode 100644 index 00000000000..7947601b7bb --- /dev/null +++ b/doc/user/admin_area/settings/protected_paths.md @@ -0,0 +1,49 @@ +--- +type: reference +--- + +# Protected paths **(CORE ONLY)** + +Note: **Note** Available from [GitLab 12.3](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31246). + +GitLab protects by default the following paths with Rack Attack: + +``` +'/users/password', +'/users/sign_in', +'/api/#{API::API.version}/session.json', +'/api/#{API::API.version}/session', +'/users', +'/users/confirmation', +'/unsubscribes/', +'/import/github/personal_access_token' +``` + +GitLab responds with HTTP status code `429` to POST requests at protected paths +that exceed 10 requests per minute per IP address. + +This header is included in responses to blocked requests: + +``` +Retry-After: 60 +``` + +For example, the following are limited to a maximum 10 requests per minute: + +- User sign-in +- User sign-up (if enabled) +- User password reset + +After 10 requests, the client must wait a minute before it can +try again. + +Throttling of protected paths is enabled by default and can be disabled on +**Admin > Network > Protected Paths** along with: + +- Highes number of requests per period per user. +- Rate limit period in seconds. +- Paths to be protected. + + + +Requests over the rate limit are logged into `auth.log`. diff --git a/doc/user/gitlab_com/index.md b/doc/user/gitlab_com/index.md index 2f2955f5a1c..5f18e40401d 100644 --- a/doc/user/gitlab_com/index.md +++ b/doc/user/gitlab_com/index.md @@ -286,9 +286,7 @@ RateLimit-Reset: 1563325137 RateLimit-ResetTime: Wed, 17 Jul 2019 00:58:57 GMT ``` -Source: - -- Search for `rate_limit_http_rate_per_minute` and `rate_limit_sessions_per_second` in [GitLab.com's current HAProxy settings](https://gitlab.com/gitlab-cookbooks/gitlab-haproxy/blob/master/attributes/default.rb). +See [Protected Paths](../admin_area/settings/protected_paths.md) for more details. ### Rack Attack initializer |
