Commit 7d704ed7 authored by Craig Norris

Merge branch 'update-rate-limiting-docs' into 'master'

Update GitLab.com rate limit documentation

See merge request gitlab-org/gitlab!50050
parents 2aeb2757 47a4b870
...@@ -509,50 +509,38 @@ NOTE: ...@@ -509,50 +509,38 @@ NOTE:
See [Rate limits](../../security/rate_limits.md) for administrator See [Rate limits](../../security/rate_limits.md) for administrator
documentation. documentation.
IP blocks usually happen when GitLab.com receives unusual traffic from a single When a request is rate limited, GitLab responds with a `429` status
IP address that the system views as potentially malicious based on rate limit code. The client should wait before attempting the request again. There
settings. After the unusual traffic ceases, the IP address is automatically are also informational headers with this response detailed in [rate
released depending on the type of block, as described below. limiting responses](#rate-limiting-responses).
If you receive a `403 Forbidden` error for all requests to GitLab.com, please
check for any automated processes that may be triggering a block. For
assistance, contact [GitLab Support](https://support.gitlab.com/hc/en-us)
with details, such as the affected IP address.
### HAProxy API throttle
GitLab.com responds with HTTP status code `429` to API requests that exceed 10
requests
per second per IP address.
The following example headers are included for all API requests:
```plaintext The following table describes the rate limits for GitLab.com, both before and
RateLimit-Limit: 600 after the limits change in January, 2021:
RateLimit-Observed: 6
RateLimit-Remaining: 594
RateLimit-Reset: 1563325137
RateLimit-ResetTime: Wed, 17 Jul 2019 00:58:57 GMT
```
Source: | Rate limit | Before 2021-01-18 | From 2021-01-18 |
|:--------------------------------------------------------------------------|:----------------------------|:------------------------------|
| **Protected paths** (for a given **IP address**) | **10** requests per minute | **10** requests per minute |
| **Raw endpoint** traffic (for a given **project, commit, and file path**) | **300** requests per minute | **300** requests per minute |
| **Unauthenticated** traffic (from a given **IP address**) | No specific limit | **500** requests per minute |
| **Authenticated** API traffic (for a given **user**) | No specific limit | **2,000** requests per minute |
| **Authenticated** non-API HTTP traffic (for a given **user**) | No specific limit | **1,000** requests per minute |
| **All** traffic (from a given **IP address**) | **600** requests per minute | **2,000** requests per minute |
- Search for `rate_limit_http_rate_per_minute` and `rate_limit_sessions_per_second` in [GitLab.com's current HAProxy settings](https://gitlab.com/gitlab-cookbooks/gitlab-haproxy/blob/master/attributes/default.rb). More details are available on the rate limits for [protected
paths](#protected-paths-throttle) and [raw
endpoints](../../user/admin_area/settings/rate_limits_on_raw_endpoints.md).
### Pagination response headers ### Rate limiting responses
For performance reasons, if a query returns more than 10,000 records, GitLab The [`Retry-After`
doesn't return the following headers: header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After)
indicates when the client should retry.
- `x-total`. Rate limits applied by HAProxy (instead of Cloudflare or the
- `x-total-pages`. GitLab application) have `RateLimit-Reset` and `RateLimit-ResetTime`
- `rel="last"` `link`. headers.
### Rack Attack initializer ### Protected paths throttle
Details of rate limits enforced by [Rack Attack](../../security/rack_attack.md).
#### Protected paths throttle
GitLab.com responds with HTTP status code `429` to POST requests at protected GitLab.com responds with HTTP status code `429` to POST requests at protected
paths that exceed 10 requests per **minute** per IP address. paths that exceed 10 requests per **minute** per IP address.
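Review bot: the new `### Rate limiting responses` section loses the worked header example that the removed `### HAProxy API throttle` section carried (`RateLimit-Limit: 600`, `RateLimit-Observed: 6`, `RateLimit-Remaining: 594` plus `RateLimit-Reset` and `RateLimit-ResetTime`); the replacement names only `RateLimit-Reset` and `RateLimit-ResetTime`, so `RateLimit-Limit`, `RateLimit-Observed` and `RateLimit-Remaining` no longer appear anywhere in the page. Keep the example block under the new heading so readers can recognise the full header set. The removed "Source:" pointer to `rate_limit_http_rate_per_minute` and `rate_limit_sessions_per_second` in the gitlab-haproxy attributes is also dropped, leaving the per-minute figures in the new table without a citation; retaining that link under the table lets readers verify the 2021-01-18 values. Minor: the `Retry-After` sentence says when the client should retry but not which of the tabled limits send it; the only instance shown in this file is the `Retry-After: 60` in the protected paths section.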
...@@ -568,6 +556,18 @@ Retry-After: 60 ...@@ -568,6 +556,18 @@ Retry-After: 60
See [Protected Paths](../admin_area/settings/protected_paths.md) for more details. See [Protected Paths](../admin_area/settings/protected_paths.md) for more details.
### IP blocks
IP blocks can occur when GitLab.com receives unusual traffic from a single
IP address that the system views as potentially malicious, based on rate limit
settings. After the unusual traffic ceases, the IP address is automatically
released depending on the type of block, as described in a following section.
If you receive a `403 Forbidden` error for all requests to GitLab.com,
check for any automated processes that may be triggering a block. For
assistance, contact [GitLab Support](https://support.gitlab.com/hc/en-us)
with details, such as the affected IP address.
#### Git and container registry failed authentication ban #### Git and container registry failed authentication ban
GitLab.com responds with HTTP status code `403` for 1 hour, if 30 failed GitLab.com responds with HTTP status code `403` for 1 hour, if 30 failed
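Review bot: in the added `### IP blocks` section, "as described in a following section" is vague; the only block type documented after it is `#### Git and container registry failed authentication ban` (a `403` for 1 hour after 30 failed attempts), so name it or link it directly, e.g. "as described in [Git and container registry failed authentication ban](#git-and-container-registry-failed-authentication-ban)". The `403 Forbidden` guidance that follows should also say that this ban is the case it covers, since the introduction above now describes only the `429` response and a reader seeing `403` has no pointer from there to here.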
...@@ -585,13 +585,14 @@ This limit: ...@@ -585,13 +585,14 @@ This limit:
No response headers are provided. No response headers are provided.
### Admin Area settings ### Pagination response headers
GitLab.com: For performance reasons, if a query returns more than 10,000 records, GitLab
doesn't return the following headers:
- Has [rate limits on raw endpoints](../../user/admin_area/settings/rate_limits_on_raw_endpoints.md) - `x-total`.
set to the default. - `x-total-pages`.
- Does not have the user and IP rate limits settings enabled. - `rel="last"` `link`.
### Visibility settings ### Visibility settings
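Review bot: removing the `### Admin Area settings` statement "Does not have the user and IP rate limits settings enabled" is correct, since it would contradict the per-user (2,000/min) and per-IP (500/min) limits the new table lists from 2021-01-18, but the moved `### Pagination response headers` section is unrelated to rate limiting and now lands directly after "No response headers are provided." of the failed-authentication ban, where it reads as a continuation of the IP blocks material. Place it outside the rate limits/IP blocks hierarchy and mention the move in the merge request description, which currently only says "Update GitLab.com rate limit documentation".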
......