2019-08-02 02:41:52 +00:00
---
2021-10-06 18:12:19 +00:00
stage: Manage
group: Access
2020-11-26 06:09:20 +00:00
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2019-08-02 02:41:52 +00:00
type: reference, howto
---
2021-06-13 21:10:11 +00:00
# Rate limits **(FREE SELF)**
2019-08-02 02:41:52 +00:00
2020-12-04 21:09:29 +00:00
NOTE:
2019-08-02 02:41:52 +00:00
For GitLab.com, please see
2021-07-13 18:08:57 +00:00
[GitLab.com-specific rate limits ](../user/gitlab_com/index.md#gitlabcom-specific-rate-limits ).
2019-08-02 02:41:52 +00:00
Rate limiting is a common technique used to improve the security and durability
of a web application.
2021-10-26 18:09:19 +00:00
For example, a simple script can make thousands of web requests per second. The requests could be:
- Malicious.
- Apathetic.
- Just a bug.
Your application and infrastructure may not be able to cope with the load. For more details, see
2019-08-02 02:41:52 +00:00
[Denial-of-service attack ](https://en.wikipedia.org/wiki/Denial-of-service_attack ).
Most cases can be mitigated by limiting the rate of requests from a single IP address.
Most [brute-force attacks ](https://en.wikipedia.org/wiki/Brute-force_attack ) are
similarly mitigated by a rate limit.
## Admin Area settings
2021-10-26 18:09:19 +00:00
You can set these rate limits in the Admin Area of your instance:
2021-02-09 21:09:19 +00:00
- [Import/Export rate limits ](../user/admin_area/settings/import_export_rate_limits.md )
- [Issues rate limits ](../user/admin_area/settings/rate_limit_on_issues_creation.md )
- [Notes rate limits ](../user/admin_area/settings/rate_limit_on_notes_creation.md )
- [Protected paths ](../user/admin_area/settings/protected_paths.md )
- [Raw endpoints rate limits ](../user/admin_area/settings/rate_limits_on_raw_endpoints.md )
- [User and IP rate limits ](../user/admin_area/settings/user_and_ip_rate_limits.md )
2021-04-21 15:09:35 +00:00
- [Package registry rate limits ](../user/admin_area/settings/package_registry_rate_limits.md )
2021-09-01 18:08:49 +00:00
- [Git LFS rate limits ](../user/admin_area/settings/git_lfs_rate_limits.md )
2021-09-22 00:09:28 +00:00
- [Files API rate limits ](../user/admin_area/settings/files_api_rate_limits.md )
2021-09-28 12:11:10 +00:00
- [Deprecated API rate limits ](../user/admin_area/settings/deprecated_api_rate_limits.md )
2019-08-02 02:41:52 +00:00
2021-10-26 18:09:19 +00:00
## Failed authentication ban for Git and container registry
GitLab returns HTTP status code `403` for 1 hour, if 30 failed authentication requests were received
in a 3-minute period from a single IP address. This applies only to combined:
- Git requests.
- Container registry (`/jwt/auth`) requests.
This limit:
- Is reset by requests that authenticate successfully. For example, 29 failed authentication
requests followed by 1 successful request, followed by 29 more failed authentication requests
would not trigger a ban.
- Does not apply to JWT requests authenticated by `gitlab-ci-token` .
- Is disabled by default.
No response headers are provided.
For configuration information, see
[Omnibus GitLab configuration options ](https://docs.gitlab.com/omnibus/settings/configuration.html#configure-a-failed-authentication-ban ).
2020-10-08 12:08:31 +00:00
## Non-configurable limits
### Repository archives
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25750) in GitLab 12.9.
2021-10-26 18:09:19 +00:00
A rate limit for [downloading repository archives ](../api/repositories.md#get-file-archive ) is
available. The limit applies to the project and to the user initiating the download either through
the UI or the API.
2020-10-08 12:08:31 +00:00
The **rate limit** is 5 requests per minute per user.
### Webhook Testing
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/commit/35bc85c3ca093fee58d60dacdc9ed1fd9a15adec) in GitLab 13.4.
2021-10-17 18:11:46 +00:00
There is a rate limit for [testing webhooks ](../user/project/integrations/webhooks.md#test-a-webhook ), which prevents abuse of the webhook functionality.
2020-10-08 12:08:31 +00:00
The **rate limit** is 5 requests per minute per user.
2021-10-26 18:09:19 +00:00
## Troubleshooting
### Rack Attack is denylisting the load balancer
Rack Attack may block your load balancer if all traffic appears to come from
the load balancer. In that case, you must:
1. [Configure `nginx[real_ip_trusted_addresses]` ](https://docs.gitlab.com/omnibus/settings/nginx.html#configuring-gitlab-trusted_proxies-and-the-nginx-real_ip-module).
This keeps users' IPs from being listed as the load balancer IPs.
1. Allowlist the load balancer's IP addresses.
1. Reconfigure GitLab:
```shell
sudo gitlab-ctl reconfigure
```
### Remove blocked IPs from Rack Attack with Redis
To remove a blocked IP:
1. Find the IPs that have been blocked in the production log:
```shell
grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log
```
1. Since the denylist is stored in Redis, you must open up `redis-cli` :
```shell
/opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket
```
1. You can remove the block using the following syntax, replacing `<ip>` with
the actual IP that is denylisted:
```plaintext
del cache:gitlab:rack::attack:allow2ban:ban:< ip >
```
1. Confirm that the key with the IP no longer shows up:
```plaintext
keys *rack::attack*
```
2019-08-02 02:41:52 +00:00
2021-10-26 18:09:19 +00:00
1. Optionally, add [the IP to the allowlist ](https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-rack-attack )
to prevent it being denylisted again.
