User and IP rate limits (CORE ONLY)
Rate limiting is a common technique used to improve the security and durability of a web application. For more details, see Rate limits.
The following limits can be enforced in Admin Area > Settings > Network > User and IP rate limits:
- Unauthenticated requests
- Authenticated API requests
- Authenticated web requests
These limits are disabled by default.
Use an HTTP header to bypass rate limiting
Introduced in GitLab 13.6.
Depending on the needs of your organization, you may want to enable rate limiting but have some requests bypass the rate limiter.
You can do this by marking requests that should bypass the rate limiter with a custom header. You must do this somewhere in a load balancer or reverse proxy in front of GitLab. For example:
- Pick a name for your bypass header. For example,
Gitlab-Bypass-Rate-Limiting. - Configure your load balancer to set
Gitlab-Bypass-Rate-Limiting: 1on requests that should bypass GitLab rate limiting. - Configure your load balancer to either:
- Erase
Gitlab-Bypass-Rate-Limiting. - Set
Gitlab-Bypass-Rate-Limitingto a value other than1on all requests that should be affected by rate limiting.
- Erase
- Set the environment variable
GITLAB_THROTTLE_BYPASS_HEADER.- For Omnibus,
set
'GITLAB_THROTTLE_BYPASS_HEADER' => 'Gitlab-Bypass-Rate-Limiting'ingitlab_rails['env']. - For source installations, set
export GITLAB_THROTTLE_BYPASS_HEADER=Gitlab-Bypass-Rate-Limitingin/etc/default/gitlab.
- For Omnibus,
set
It is important that your load balancer erases or overwrites the bypass header on all incoming traffic, because otherwise you must trust your users to not set that header and bypass the GitLab rate limiter.
Note that the bypass only works if the header is set to 1.
Requests that bypassed the rate limiter because of the bypass header
are marked with "throttle_safelist":"throttle_bypass_header" in
production_json.log.
To disable the bypass mechanism, make sure the environment variable
GITLAB_THROTTLE_BYPASS_HEADER is unset or empty.
Allowing specific users to bypass authenticated request rate limiting
Similarly to the bypass header described above, it is possible to allow a certain set of users to bypass the rate limiter. This only applies to authenticated requests: with unauthenticated requests, by definition GitLab does not know who the user is.
The allowlist is configured as a comma-separated list of user IDs in
the GITLAB_THROTTLE_USER_ALLOWLIST environment variable. If you want
users 1, 53 and 217 to bypass the authenticated request rate limiter,
the allowlist configuration would be 1,53,217.
- For Omnibus,
set
'GITLAB_THROTTLE_USER_ALLOWLIST' => '1,53,217'ingitlab_rails['env']. - For source installations, set
export GITLAB_THROTTLE_USER_ALLOWLIST=1,53,217in/etc/default/gitlab.
Requests that bypassed the rate limiter because of the user allowlist
are marked with "throttle_safelist":"throttle_user_allowlist" in
production_json.log.
At application startup, the allowlist is logged in auth.log.
Trying out throttling settings before enforcing them
Introduced in GitLab 13.6.
Trying out throttling settings can be done by setting the
GITLAB_THROTTLE_DRY_RUN environment variable to a comma-separated
list of throttle names.
The possible names are:
throttle_unauthenticatedthrottle_authenticated_apithrottle_authenticated_webthrottle_unauthenticated_protected_pathsthrottle_authenticated_protected_paths_apithrottle_authenticated_protected_paths_web
For example: trying out throttles for all authenticated requests to
non-protected paths could be done by setting
GITLAB_THROTTLE_DRY_RUN='throttle_authenticated_web,throttle_authenticated_api'.
To enable the dry-run mode for all throttles, the variable can be set
to *.
Setting a throttle to dry-run mode will log a message to the
auth.log when it would
hit the limit, while letting the request continue as normal. The log
message will contain an env field set to track. The matched
field will contain the name of throttle that was hit.
It is important to set the environment variable before enabling the rate limiting in the settings. The settings in the admin panel take effect immediately, while setting the environment variable requires a restart of all the Puma processes.