2.4 KiB
type |
---|
reference |
Protected paths (CORE ONLY)
GitLab protects the following paths with Rack Attack by default:
'/users/password',
'/users/sign_in',
'/api/#{API::API.version}/session.json',
'/api/#{API::API.version}/session',
'/users',
'/users/confirmation',
'/unsubscribes/',
'/import/github/personal_access_token',
'/admin/session'
GitLab responds with HTTP status code 429
to POST requests at protected paths
that exceed 10 requests per minute per IP address.
This header is included in responses to blocked requests:
Retry-After: 60
For example, the following are limited to a maximum 10 requests per minute:
- User sign-in
- User sign-up (if enabled)
- User password reset
After 10 requests, the client must wait 60 seconds before it can try again.
Configure using GitLab UI
Introduced in GitLab 12.4.
Throttling of protected paths is enabled by default and can be disabled or customized on Admin > Network > Protected Paths, along with these options:
- Maximum number of requests per period per user.
- Rate limit period in seconds.
- Paths to be protected.
Requests over the rate limit are logged into auth.log
.
Migrate settings from GitLab 12.3 and earlier
Omnibus GitLab protected paths throttle is deprecated and is scheduled for removal in GitLab 13.0. Please see the GitLab issue and the Omnibus GitLab issue for more information.
NOTE: Note: If Omnibus settings are present, applications settings will be automatically ignored to avoid generating multiple requests blocks.
To migrate from Omnibus GitLab 12.3 and earlier settings:
-
Disable the Protected Paths throttle from Omnibus, by changing
rack_attack_enabled
value tofalse
onrack_attack.rb.erb
:rack_attack_enabled = false
-
Customize and enable your protected paths settings by following Configure using GitLab UI section.
-
Restart GitLab:
sudo gitlab-ctl restart
That's it. Protected paths throttle are now managed by GitLab admin settings.