
Add RateLimit-* headers to RackAttack responses

What does this MR do?

Closes gitlab-com/gl-infra/scalability#731 (closed), #296680 (closed), and #20482 (closed).

HAProxy has recently started returning a list of RateLimit-* headers when a request is throttled. These headers are specific to GitLab.com only. Some clients are using these headers for calculation. This creates some problems:

  • The behaviors are different between GitLab.com and self-managed instances.
  • In the future, when the rate limiting function is moved completely out of HAProxy into the application, we will still need to maintain those headers for backward compatibility.

The list of returned headers includes:

{
  'RateLimit-Name'      => 'throttle_unauthenticated',
  'RateLimit-Limit'     => '60',
  'RateLimit-Observed'  => '3700',
  'RateLimit-Remaining' => '0',
  'RateLimit-Reset'     => '1800',
  'RateLimit-ResetTime' => 'Wed, 06 Jan 2021 00:00:00 GMT', # Next day
  'Retry-After'         => '1800'
}

In addition, this MR adds validation to the throttle_* application settings. This saves us from crashes and weird behavior when an admin sets the period to 0.
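As an added worked example (not code from this MR or from GitLab's own implementation), the Ruby below builds the header set listed above from the match data Rack::Attack attaches to a throttled request, and includes a period/limit check of the kind the settings validation described above provides. The keys count/period/limit/epoch_time are Rack::Attack's own match_data keys; the module name, method names and the sample request are assumptions constructed for this example.

```ruby
require 'time'

# Builds RateLimit-* headers from the match data Rack::Attack exposes on a
# throttled request (env['rack.attack.match_data']); the throttle name comes
# from env['rack.attack.matched']. Module and method names are assumed here.
module RateLimitHeaders
  # Returns a Hash of header name => String value.
  def self.build(throttle_name, match_data)
    count  = match_data.fetch(:count)
    period = match_data.fetch(:period).to_i
    limit  = match_data.fetch(:limit)
    now    = match_data.fetch(:epoch_time)

    # Rack::Attack keys its counters by floor(now / period), so the current
    # window closes at the next multiple of the period.
    reset_in   = period - (now % period)
    reset_time = Time.at(now + reset_in).utc

    {
      'RateLimit-Name'      => throttle_name,
      'RateLimit-Limit'     => limit.to_s,
      'RateLimit-Observed'  => count.to_s,
      'RateLimit-Remaining' => [limit - count, 0].max.to_s,
      'RateLimit-Reset'     => reset_in.to_s,
      'RateLimit-ResetTime' => reset_time.httpdate,
      'Retry-After'         => reset_in.to_s
    }
  end

  # Settings check of the kind the MR adds: a period of 0 would make the
  # window arithmetic above divide by zero, so reject it before it reaches
  # Rack::Attack. Returns an Array of error messages (empty when valid).
  def self.validate_throttle(period_in_seconds:, requests_per_period:)
    errors = []
    errors << 'period must be greater than 0' unless period_in_seconds.to_i > 0
    errors << 'requests per period must be greater than 0' unless requests_per_period.to_i > 0
    errors
  end
end

# Constructed sample: the 3700th hit in a 3600 s window, seen at 23:30 UTC.
if __FILE__ == $0
  sample = { count: 3700, period: 3600, limit: 60,
             epoch_time: Time.utc(2021, 1, 5, 23, 30).to_i }
  RateLimitHeaders.build('throttle_unauthenticated', sample).each { |k, v| puts "#{k}: #{v}" }
end
```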

Screenshots (strongly suggested)


Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Edited by Quang-Minh Nguyen
