Protected paths

GitLab protects the following paths with Rack Attack by default:

'/users/password',
'/users/sign_in',
'/api/#{API::API.version}/session.json',
'/api/#{API::API.version}/session',
'/users',
'/users/confirmation',
'/unsubscribes/',
'/import/github/personal_access_token'

GitLab responds with HTTP status code 429 to POST requests at protected paths that exceed 10 requests per minute per IP address.

This header is included in responses to blocked requests:

Retry-After: 60

For example, the following are limited to a maximum of 10 requests per minute:

  • User sign-in
  • User sign-up (if enabled)
  • User password reset

After 10 requests, the client must wait 60 seconds before it can try again.
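
The throttle described above, modelled as a small Ruby class. This is an added example, not GitLab's or Rack Attack's own code; it assumes fixed 60-second counting windows and prefix matching on the request path, and the IP addresses and timestamps are constructed.

```ruby
# Simplified model of the protected-paths throttle (assumptions: fixed
# time windows and prefix matching on the request path).
PROTECTED_PATHS = ['/users/password', '/users/sign_in', '/users'].freeze # subset of the list above
LIMIT  = 10 # requests allowed per period (default stated on this page)
PERIOD = 60 # seconds (default stated on this page)

class ProtectedPathThrottle
  def initialize(paths: PROTECTED_PATHS, limit: LIMIT, period: PERIOD)
    @paths = paths
    @limit = limit
    @period = period
    @counts = Hash.new(0) # [ip, window index] => POSTs seen in that window
  end

  # Returns [status, headers] for one request arriving at `now` (epoch seconds).
  def call(method:, path:, ip:, now:)
    # Only POST requests to protected paths are counted.
    return [200, {}] unless method == 'POST' && protected?(path)

    key = [ip, now.to_i / @period] # one counter per IP per window
    @counts[key] += 1
    return [200, {}] if @counts[key] <= @limit

    [429, { 'Retry-After' => @period.to_s }]
  end

  private

  def protected?(path)
    @paths.any? { |prefix| path.start_with?(prefix) }
  end
end

# Constructed traffic: 12 sign-in POSTs from one address inside a single window,
# then a second address, a GET, and a POST after the window has rolled over.
def demo
  throttle = ProtectedPathThrottle.new
  t0 = 1_200 # constructed timestamp, aligned to the start of a window
  post = ->(ip, now) { throttle.call(method: 'POST', path: '/users/sign_in', ip: ip, now: now).first }
  statuses = (0...12).map { |i| post.call('203.0.113.7', t0 + i) }
  other_ip = post.call('203.0.113.8', t0 + 12)
  get_req  = throttle.call(method: 'GET', path: '/users/sign_in', ip: '203.0.113.7', now: t0 + 13).first
  later    = post.call('203.0.113.7', t0 + PERIOD)
  { statuses: statuses, other_ip: other_ip, get: get_req, later: later }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Requests 11 and 12 from the first address receive 429, while the second address, the GET request, and the POST in the next window are all served.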

Configure using GitLab UI

Introduced in GitLab 12.4.

Throttling of protected paths is enabled by default and can be disabled or customized in Admin > Network > Protected Paths, along with these options:

  • Maximum number of requests per period per user.
  • Rate limit period in seconds.
  • Paths to be protected.

Requests over the rate limit are logged into auth.log.

Migrate settings from GitLab 12.3 and earlier

The Omnibus GitLab protected paths throttle is deprecated and is scheduled for removal in GitLab 13.0. Please see the GitLab issue and the Omnibus GitLab issue for more information.

Note: If Omnibus settings are present, application settings are automatically ignored to avoid generating multiple request blocks.

To migrate from Omnibus GitLab 12.3 and earlier settings:

  1. Disable the Protected Paths throttle from Omnibus by changing the rack_attack_enabled value to false in rack_attack.rb.erb:

    rack_attack_enabled = false
    
  2. Customize and enable your protected paths settings by following the Configure using GitLab UI section.

  3. Restart GitLab:

    sudo gitlab-ctl restart
    

That’s it. The protected paths throttle is now managed by GitLab admin settings.