Commit c59f4a59 authored by Enrique Alcántara's avatar Enrique Alcántara

Merge branch '330220-admin-area-network-user-rate-limits' into 'master'

OKR: Admin Area - User and IP Rate Limits-  UI text

See merge request gitlab-org/gitlab!70127
parents f8c5d57d c2ec37e3
...@@ -2,60 +2,55 @@ ...@@ -2,60 +2,55 @@
= form_errors(@application_setting) = form_errors(@application_setting)
%fieldset %fieldset
%legend.h5.gl-border-none = _("Rate limits can help reduce request volume (like from crawlers or abusive bots).")
= _('Unauthenticated API request rate limit')
%fieldset
.form-group .form-group
= f.gitlab_ui_checkbox_component :throttle_unauthenticated_api_enabled, = f.gitlab_ui_checkbox_component :throttle_unauthenticated_api_enabled,
_("Enable unauthenticated API request rate limit"), _("Enable unauthenticated API request rate limit"),
help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"), checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_api_checkbox' } },
checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_api_checkbox' } } label_options: { class: 'label-bold' }
.form-group .form-group
= f.label :throttle_unauthenticated_api_requests_per_period, _('Max unauthenticated API requests per period per IP'), class: 'label-bold' = f.label :throttle_unauthenticated_api_requests_per_period, _('Maximum unauthenticated API requests per rate limit period per IP'), class: 'label-bold'
= f.number_field :throttle_unauthenticated_api_requests_per_period, class: 'form-control gl-form-input' = f.number_field :throttle_unauthenticated_api_requests_per_period, class: 'form-control gl-form-input'
.form-group .form-group
= f.label :throttle_unauthenticated_api_period_in_seconds, _('Unauthenticated API rate limit period in seconds'), class: 'label-bold' = f.label :throttle_unauthenticated_api_period_in_seconds, _('Unauthenticated API rate limit period in seconds'), class: 'label-bold'
= f.number_field :throttle_unauthenticated_api_period_in_seconds, class: 'form-control gl-form-input' = f.number_field :throttle_unauthenticated_api_period_in_seconds, class: 'form-control gl-form-input'
%fieldset %fieldset
%legend.h5.gl-border-none
= _('Unauthenticated web request rate limit')
.form-group .form-group
= f.gitlab_ui_checkbox_component :throttle_unauthenticated_enabled, = f.gitlab_ui_checkbox_component :throttle_unauthenticated_enabled,
_("Enable unauthenticated web request rate limit"), _("Enable unauthenticated web request rate limit"),
help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"), checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_web_checkbox' } },
checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_web_checkbox' } } label_options: { class: 'label-bold' }
.form-group .form-group
= f.label :throttle_unauthenticated_requests_per_period, _('Max unauthenticated web requests per period per IP'), class: 'label-bold' = f.label :throttle_unauthenticated_requests_per_period, _('Maximum unauthenticated web requests per rate limit period per IP'), class: 'label-bold'
= f.number_field :throttle_unauthenticated_requests_per_period, class: 'form-control gl-form-input' = f.number_field :throttle_unauthenticated_requests_per_period, class: 'form-control gl-form-input'
.form-group .form-group
= f.label :throttle_unauthenticated_period_in_seconds, _('Unauthenticated web rate limit period in seconds'), class: 'label-bold' = f.label :throttle_unauthenticated_period_in_seconds, _('Unauthenticated web rate limit period in seconds'), class: 'label-bold'
= f.number_field :throttle_unauthenticated_period_in_seconds, class: 'form-control gl-form-input' = f.number_field :throttle_unauthenticated_period_in_seconds, class: 'form-control gl-form-input'
%fieldset %fieldset
%legend.h5.gl-border-none
= _('Authenticated API request rate limit')
.form-group .form-group
= f.gitlab_ui_checkbox_component :throttle_authenticated_api_enabled, = f.gitlab_ui_checkbox_component :throttle_authenticated_api_enabled,
_("Enable authenticated API request rate limit"), _("Enable authenticated API request rate limit"),
help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"), checkbox_options: { data: { qa_selector: 'throttle_authenticated_api_checkbox' }},
checkbox_options: { data: { qa_selector: 'throttle_authenticated_api_checkbox' }} label_options: { class: 'label-bold' }
.form-group .form-group
= f.label :throttle_authenticated_api_requests_per_period, _('Max authenticated API requests per period per user'), class: 'label-bold' = f.label :throttle_authenticated_api_requests_per_period, _('Maximum authenticated API requests per rate limit period per user'), class: 'label-bold'
= f.number_field :throttle_authenticated_api_requests_per_period, class: 'form-control gl-form-input' = f.number_field :throttle_authenticated_api_requests_per_period, class: 'form-control gl-form-input'
.form-group .form-group
= f.label :throttle_authenticated_api_period_in_seconds, _('Authenticated API rate limit period in seconds'), class: 'label-bold' = f.label :throttle_authenticated_api_period_in_seconds, _('Authenticated API rate limit period in seconds'), class: 'label-bold'
= f.number_field :throttle_authenticated_api_period_in_seconds, class: 'form-control gl-form-input' = f.number_field :throttle_authenticated_api_period_in_seconds, class: 'form-control gl-form-input'
%fieldset %fieldset
%legend.h5.gl-border-none
= _('Authenticated web request rate limit')
.form-group .form-group
= f.gitlab_ui_checkbox_component :throttle_authenticated_web_enabled, = f.gitlab_ui_checkbox_component :throttle_authenticated_web_enabled,
_("Enable authenticated web request rate limit"), _("Enable authenticated web request rate limit"),
help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"), checkbox_options: { data: { qa_selector: 'throttle_authenticated_web_checkbox' } },
checkbox_options: { data: { qa_selector: 'throttle_authenticated_web_checkbox' } } label_options: { class: 'label-bold' }
.form-group .form-group
= f.label :throttle_authenticated_web_requests_per_period, _('Max authenticated web requests per period per user'), class: 'label-bold' = f.label :throttle_authenticated_web_requests_per_period, _('Maximum authenticated web requests per rate limit period per user'), class: 'label-bold'
= f.number_field :throttle_authenticated_web_requests_per_period, class: 'form-control gl-form-input' = f.number_field :throttle_authenticated_web_requests_per_period, class: 'form-control gl-form-input'
.form-group .form-group
= f.label :throttle_authenticated_web_period_in_seconds, _('Authenticated web rate limit period in seconds'), class: 'label-bold' = f.label :throttle_authenticated_web_period_in_seconds, _('Authenticated web rate limit period in seconds'), class: 'label-bold'
...@@ -66,7 +61,9 @@ ...@@ -66,7 +61,9 @@
= _('Response text') = _('Response text')
.form-group .form-group
= f.label :rate_limiting_response_text, class: 'label-bold' do = f.label :rate_limiting_response_text, class: 'label-bold' do
= _('A plain-text response to show to clients that hit the rate limit.') = _('Plain-text response to send to clients that hit a rate limit')
= f.text_area :rate_limiting_response_text, placeholder: ::Gitlab::Throttle::DEFAULT_RATE_LIMITING_RESPONSE_TEXT, class: 'form-control gl-form-input', rows: 5 = f.text_area :rate_limiting_response_text, placeholder: ::Gitlab::Throttle::DEFAULT_RATE_LIMITING_RESPONSE_TEXT, class: 'form-control gl-form-input', rows: 5
.form-text.text-muted
= html_escape(_("If blank, defaults to %{code_open}Retry later%{code_close}.")) % { code_open: '<code>'.html_safe, code_close: '</code>'.html_safe }
= f.submit _('Save changes'), class: "gl-button btn btn-confirm", data: { qa_selector: 'save_changes_button' } = f.submit _('Save changes'), class: "gl-button btn btn-confirm", data: { qa_selector: 'save_changes_button' }
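Review bot: The new help text on the last added line of the second hunk hardcodes the fallback as `Retry later`, while the text area on the line above it takes its placeholder from `::Gitlab::Throttle::DEFAULT_RATE_LIMITING_RESPONSE_TEXT`, so the two will silently diverge if that constant ever changes. Interpolating the constant keeps a single source of truth: `= html_escape(_("If blank, defaults to %{code_open}%{default_text}%{code_close}.")) % { code_open: '<code>'.html_safe, default_text: ::Gitlab::Throttle::DEFAULT_RATE_LIMITING_RESPONSE_TEXT, code_close: '</code>'.html_safe }`. Because `html_escape` returns a SafeBuffer, `%` should escape the interpolated constant while the two `.html_safe` tags stay literal, which is worth confirming in the rendered output. The first hunk also drops every per-group `%legend`, leaving the four `%fieldset` elements without an accessible group name; if the bold checkbox labels are meant to replace them, a visually hidden legend carrying the old text would keep the grouping for assistive technology.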
...@@ -16,11 +16,12 @@ ...@@ -16,11 +16,12 @@
%section.settings.as-ip-limits.no-animate#js-ip-limits-settings{ class: ('expanded' if expanded_by_default?), data: { qa_selector: 'ip_limits_content' } } %section.settings.as-ip-limits.no-animate#js-ip-limits-settings{ class: ('expanded' if expanded_by_default?), data: { qa_selector: 'ip_limits_content' } }
.settings-header .settings-header
%h4 %h4
= _('User and IP Rate Limits') = _('User and IP rate limits')
%button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' } %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
= expanded_by_default? ? _('Collapse') : _('Expand') = expanded_by_default? ? _('Collapse') : _('Expand')
%p %p
= _('Configure limits for web and API requests.') = _('Set limits for web and API requests.')
= link_to _('Learn more.'), help_page_path('user/admin_area/settings/user_and_ip_rate_limits.md'), target: '_blank', rel: 'noopener noreferrer'
.settings-content .settings-content
= render 'ip_limits' = render 'ip_limits'
......
...@@ -13,31 +13,78 @@ of a web application. For more details, see ...@@ -13,31 +13,78 @@ of a web application. For more details, see
The following limits are disabled by default: The following limits are disabled by default:
- Unauthenticated API requests - [Unauthenticated API requests (per IP)](#enable-unauthenticated-api-request-rate-limit).
- Unauthenticated web requests - [Unauthenticated web requests (per IP)](#enable-unauthenticated-web-request-rate-limit).
- Authenticated API requests - [Authenticated API requests (per user)](#enable-authenticated-api-request-rate-limit).
- Authenticated web requests - [Authenticated web requests (per user)](#enable-authenticated-web-request-rate-limit).
To enforce any or all of them: NOTE:
By default, all Git operations are first tried unauthenticated. Because of this, HTTP Git operations
may trigger the rate limits configured for unauthenticated requests.
## Enable unauthenticated API request rate limit
To enable the unauthenticated request rate limit:
1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Settings > Network**, and expand **User and IP rate limits**.
1. Select **Enable unauthenticated API request rate limit**.
- Optional. Update the **Maximum unauthenticated API requests per rate limit period per IP** value.
Defaults to `3600`.
- Optional. Update the **Unauthenticated rate limit period in seconds** value.
Defaults to `3600`.
## Enable unauthenticated web request rate limit
To enable the unauthenticated request rate limit:
1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Settings > Network**, and expand **User and IP rate limits**.
1. Select **Enable unauthenticated web request rate limit**.
- Optional. Update the **Maximum unauthenticated web requests per rate limit period per IP** value.
Defaults to `3600`.
- Optional. Update the **Unauthenticated rate limit period in seconds** value.
Defaults to `3600`.
## Enable authenticated API request rate limit
To enable the authenticated API request rate limit:
1. On the top bar, select **Menu > Admin**. 1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Settings > Network**, and expand **User and IP rate limits**: 1. On the left sidebar, select **Settings > Network**, and expand **User and IP rate limits**.
![user-and-ip-rate-limits](img/user_and_ip_rate_limits_v14_3.png) 1. Select **Enable authenticated API request rate limit**.
NOTE: - Optional. Update the **Maximum authenticated API requests per rate limit period per user** value.
By default, all Git operations are first tried unauthenticated. Because of this, HTTP Git operations Defaults to `7200`.
may trigger the rate limits configured for unauthenticated requests. - Optional. Update the **Authenticated API rate limit period in seconds** value.
Defaults to `3600`.
## Response text ## Enable authenticated web request rate limit
To enable the unauthenticated request rate limit:
1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Settings > Network**, and expand **User and IP rate limits**.
1. Select **Enable authenticated web request rate limit**.
- Optional. Update the **Maximum authenticated web requests per rate limit period per user** value.
Defaults to `7200`.
- Optional. Update the **Authenticated web rate limit period in seconds** value.
Defaults to `3600`.
## Use a custom rate limit response
A request that exceeds a rate limit returns a 429 response code and a A request that exceeds a rate limit returns a 429 response code and a
plain-text body, which by default is: plain-text body, which by default is `Retry later`.
```plaintext To use a custom response:
Retry later
```
It is possible to customize this response text in the Admin Area. 1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Settings > Network**, and expand **User and IP rate limits**.
1. In the **Plain-text response to send to clients that hit a rate limit** text box,
add the plain-text response message.
## Response headers ## Response headers
......
...@@ -306,7 +306,7 @@ endpoints](../../user/admin_area/settings/rate_limits_on_raw_endpoints.md). ...@@ -306,7 +306,7 @@ endpoints](../../user/admin_area/settings/rate_limits_on_raw_endpoints.md).
For information on rate limiting responses, see: For information on rate limiting responses, see:
- [List of headers on responses to blocked requests](../admin_area/settings/user_and_ip_rate_limits.md#response-headers). - [List of headers on responses to blocked requests](../admin_area/settings/user_and_ip_rate_limits.md#response-headers).
- [Customizable response text](../admin_area/settings/user_and_ip_rate_limits.md#response-text). - [Customizable response text](../admin_area/settings/user_and_ip_rate_limits.md#use-a-custom-rate-limit-response).
### Protected paths throttle ### Protected paths throttle
......
...@@ -1495,9 +1495,6 @@ msgstr "" ...@@ -1495,9 +1495,6 @@ msgstr ""
msgid "A plain HTML site that uses Netlify for CI/CD instead of GitLab, but still with all the other great GitLab features" msgid "A plain HTML site that uses Netlify for CI/CD instead of GitLab, but still with all the other great GitLab features"
msgstr "" msgstr ""
msgid "A plain-text response to show to clients that hit the rate limit."
msgstr ""
msgid "A platform value can be web, mob or app." msgid "A platform value can be web, mob or app."
msgstr "" msgstr ""
...@@ -4786,9 +4783,6 @@ msgstr "" ...@@ -4786,9 +4783,6 @@ msgstr ""
msgid "Authenticated web rate limit period in seconds" msgid "Authenticated web rate limit period in seconds"
msgstr "" msgstr ""
msgid "Authenticated web request rate limit"
msgstr ""
msgid "Authenticated web requests" msgid "Authenticated web requests"
msgstr "" msgstr ""
...@@ -8562,9 +8556,6 @@ msgstr "" ...@@ -8562,9 +8556,6 @@ msgstr ""
msgid "Configure existing installation" msgid "Configure existing installation"
msgstr "" msgstr ""
msgid "Configure limits for web and API requests."
msgstr ""
msgid "Configure paths to be protected by Rack Attack." msgid "Configure paths to be protected by Rack Attack."
msgstr "" msgstr ""
...@@ -16934,6 +16925,9 @@ msgstr "" ...@@ -16934,6 +16925,9 @@ msgstr ""
msgid "If any indexed field exceeds this limit it will be truncated to this number of characters and the rest will not be indexed or searchable. This does not apply to repository and wiki indexing. Setting this to 0 means it is unlimited." msgid "If any indexed field exceeds this limit it will be truncated to this number of characters and the rest will not be indexed or searchable. This does not apply to repository and wiki indexing. Setting this to 0 means it is unlimited."
msgstr "" msgstr ""
msgid "If blank, defaults to %{code_open}Retry later%{code_close}."
msgstr ""
msgid "If blank, set allowable lifetime to %{instance_level_policy_in_words}, as defined by the instance admin. Once set, existing tokens for users in this group may be revoked." msgid "If blank, set allowable lifetime to %{instance_level_policy_in_words}, as defined by the instance admin. Once set, existing tokens for users in this group may be revoked."
msgstr "" msgstr ""
...@@ -20765,15 +20759,9 @@ msgstr "" ...@@ -20765,15 +20759,9 @@ msgstr ""
msgid "Max 20 characters" msgid "Max 20 characters"
msgstr "" msgstr ""
msgid "Max authenticated API requests per period per user"
msgstr ""
msgid "Max authenticated Git LFS requests per period per user" msgid "Max authenticated Git LFS requests per period per user"
msgstr "" msgstr ""
msgid "Max authenticated web requests per period per user"
msgstr ""
msgid "Max file size is 200 KB." msgid "Max file size is 200 KB."
msgstr "" msgstr ""
...@@ -20783,12 +20771,6 @@ msgstr "" ...@@ -20783,12 +20771,6 @@ msgstr ""
msgid "Max session time" msgid "Max session time"
msgstr "" msgstr ""
msgid "Max unauthenticated API requests per period per IP"
msgstr ""
msgid "Max unauthenticated web requests per period per IP"
msgstr ""
msgid "MaxBuilds" msgid "MaxBuilds"
msgstr "" msgstr ""
...@@ -20828,6 +20810,9 @@ msgstr "" ...@@ -20828,6 +20810,9 @@ msgstr ""
msgid "Maximum authenticated API requests per rate limit period per user" msgid "Maximum authenticated API requests per rate limit period per user"
msgstr "" msgstr ""
msgid "Maximum authenticated web requests per rate limit period per user"
msgstr ""
msgid "Maximum bulk request size (MiB)" msgid "Maximum bulk request size (MiB)"
msgstr "" msgstr ""
...@@ -20981,6 +20966,9 @@ msgstr "" ...@@ -20981,6 +20966,9 @@ msgstr ""
msgid "Maximum unauthenticated API requests per rate limit period per IP" msgid "Maximum unauthenticated API requests per rate limit period per IP"
msgstr "" msgstr ""
msgid "Maximum unauthenticated web requests per rate limit period per IP"
msgstr ""
msgid "May" msgid "May"
msgstr "" msgstr ""
...@@ -25171,6 +25159,9 @@ msgstr "" ...@@ -25171,6 +25159,9 @@ msgstr ""
msgid "Plain diff" msgid "Plain diff"
msgstr "" msgstr ""
msgid "Plain-text response to send to clients that hit a rate limit"
msgstr ""
msgid "Plan:" msgid "Plan:"
msgstr "" msgstr ""
...@@ -27688,6 +27679,9 @@ msgstr "" ...@@ -27688,6 +27679,9 @@ msgstr ""
msgid "Rate limit" msgid "Rate limit"
msgstr "" msgstr ""
msgid "Rate limits can help reduce request volume (like from crawlers or abusive bots)."
msgstr ""
msgid "Raw blob request rate limit per minute" msgid "Raw blob request rate limit per minute"
msgstr "" msgstr ""
...@@ -30799,6 +30793,9 @@ msgstr "" ...@@ -30799,6 +30793,9 @@ msgstr ""
msgid "Set limit to 0 to allow any file size." msgid "Set limit to 0 to allow any file size."
msgstr "" msgstr ""
msgid "Set limits for web and API requests."
msgstr ""
msgid "Set max session time for web terminal." msgid "Set max session time for web terminal."
msgstr "" msgstr ""
...@@ -36032,9 +36029,6 @@ msgstr "" ...@@ -36032,9 +36029,6 @@ msgstr ""
msgid "Unauthenticated web rate limit period in seconds" msgid "Unauthenticated web rate limit period in seconds"
msgstr "" msgstr ""
msgid "Unauthenticated web request rate limit"
msgstr ""
msgid "Undo" msgid "Undo"
msgstr "" msgstr ""
...@@ -36734,7 +36728,7 @@ msgstr "" ...@@ -36734,7 +36728,7 @@ msgstr ""
msgid "User Settings" msgid "User Settings"
msgstr "" msgstr ""
msgid "User and IP Rate Limits" msgid "User and IP rate limits"
msgstr "" msgstr ""
msgid "User does not have a pending request" msgid "User does not have a pending request"
......
...@@ -551,22 +551,22 @@ RSpec.describe 'Admin updates settings' do ...@@ -551,22 +551,22 @@ RSpec.describe 'Admin updates settings' do
page.within('.as-ip-limits') do page.within('.as-ip-limits') do
check 'Enable unauthenticated API request rate limit' check 'Enable unauthenticated API request rate limit'
fill_in 'Max unauthenticated API requests per period per IP', with: 100 fill_in 'Maximum unauthenticated API requests per rate limit period per IP', with: 100
fill_in 'Unauthenticated API rate limit period in seconds', with: 200 fill_in 'Unauthenticated API rate limit period in seconds', with: 200
check 'Enable unauthenticated web request rate limit' check 'Enable unauthenticated web request rate limit'
fill_in 'Max unauthenticated web requests per period per IP', with: 300 fill_in 'Maximum unauthenticated web requests per rate limit period per IP', with: 300
fill_in 'Unauthenticated web rate limit period in seconds', with: 400 fill_in 'Unauthenticated web rate limit period in seconds', with: 400
check 'Enable authenticated API request rate limit' check 'Enable authenticated API request rate limit'
fill_in 'Max authenticated API requests per period per user', with: 500 fill_in 'Maximum authenticated API requests per rate limit period per user', with: 500
fill_in 'Authenticated API rate limit period in seconds', with: 600 fill_in 'Authenticated API rate limit period in seconds', with: 600
check 'Enable authenticated web request rate limit' check 'Enable authenticated web request rate limit'
fill_in 'Max authenticated web requests per period per user', with: 700 fill_in 'Maximum authenticated web requests per rate limit period per user', with: 700
fill_in 'Authenticated web rate limit period in seconds', with: 800 fill_in 'Authenticated web rate limit period in seconds', with: 800
fill_in 'A plain-text response to show to clients that hit the rate limit.', with: 'Custom message' fill_in 'Plain-text response to send to clients that hit a rate limit', with: 'Custom message'
click_button 'Save changes' click_button 'Save changes'
end end
......