Rack attack
To prevent abusive clients doing damage GitLab uses rack-attack gem.
If you installed or upgraded GitLab by following the official guides this should be enabled by default.
If you are missing config/initializers/rack_attack.rb
the following steps need to be taken in order to enable protection for your GitLab instance:
-
In config/application.rb find and uncomment the following line:
config.middleware.use Rack::Attack
Rename
config/initializers/rack_attack.rb.example
toconfig/initializers/rack_attack.rb
.Review the
paths_to_be_protected
and add any other path you need protecting.Restart GitLab instance.
By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute. After trying for 6 times, client will have to wait for the next minute to be able to try again. These settings can be found in config/initializers/rack_attack.rb
If you want more restrictive/relaxed throttle rule change the limit
or period
values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to paths_to_be_protected
variable. If you change any of these settings do not forget to restart your GitLab instance.
In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking.
For more information on how to use these options check out rack-attack README.