Rate limiting is a common technique used to improve the security and durability of a web application. For more details, see Rate limits.
The following limits can be enforced in Admin Area > Settings > Network > User and IP rate limits:
- Unauthenticated requests
- Authenticated API requests
- Authenticated web requests
These limits are disabled by default.
Introduced in GitLab 13.6.
Depending on the needs of your organization, you may want to enable rate limiting but have some requests bypass the rate limiter.
You can do this by marking requests that should bypass the rate limiter with a custom header. You must do this somewhere in a load balancer or reverse proxy in front of GitLab. For example:
- Pick a name for your bypass header. For example,
- Configure your load balancer to set
Gitlab-Bypass-Rate-Limiting: 1on requests that should bypass GitLab rate limiting.
- Configure your load balancer to either:
Gitlab-Bypass-Rate-Limitingto a value other than
1on all requests that should be affected by rate limiting.
- Set the environment variable
- For Omnibus,
'GITLAB_THROTTLE_BYPASS_HEADER' => 'Gitlab-Bypass-Rate-Limiting'in
- For source installations, set
- For Omnibus, set
It is important that your load balancer erases or overwrites the bypass header on all incoming traffic, because otherwise you must trust your users to not set that header and bypass the GitLab rate limiter.
Note that the bypass only works if the header is set to
Requests that bypassed the rate limiter because of the bypass header
are marked with
To disable the bypass mechanism, make sure the environment variable
GITLAB_THROTTLE_BYPASS_HEADER is unset or empty.