Diffstat (limited to 'doc/administration/pages')
-rw-r--r-- doc/administration/pages/index.md | 39
-rw-r--r-- doc/administration/pages/source.md | 29
2 files changed, 58 insertions, 10 deletions
diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md index 8a0d3f552bf..163eb5388b6 100644 --- a/doc/administration/pages/index.md +++ b/doc/administration/pages/index.md @@ -237,6 +237,7 @@ control over how the Pages daemon runs and serves content in your environment. | `log_verbose` | Verbose logging, true/false. | | `propagate_correlation_id` | Set to true (false by default) to re-use existing Correlation ID from the incoming request header `X-Request-ID` if present. If a reverse proxy sets this header, the value is propagated in the request chain. | | `max_connections` | Limit on the number of concurrent connections to the HTTP, HTTPS or proxy listeners. | +| `max_uri_length` | The maximum length of URIs accepted by GitLab Pages. Set to 0 for unlimited length. [Introduced](https://gitlab.com/gitlab-org/gitlab-pages/-/issues/659) in GitLab 14.5. | `metrics_address` | The address to listen on for metrics requests. | | `redirect_http` | Redirect pages from HTTP to HTTPS, true/false. | | `sentry_dsn` | The address for sending Sentry crash reporting to. | 
@@ -258,8 +259,8 @@ control over how the Pages daemon runs and serves content in your environment. | `FF_ENABLE_REDIRECTS` | Feature flag to enable/disable redirects (enabled by default). Read the [redirects documentation](../../user/project/pages/redirects.md#feature-flag-for-redirects) for more information. | | `FF_ENABLE_PLACEHOLDERS` | Feature flag to enable/disable rewrites (disabled by default). Read the [redirects documentation](../../user/project/pages/redirects.md#feature-flag-for-rewrites) for more information. | | `use_legacy_storage` | Temporarily-introduced parameter allowing to use legacy domain configuration source and storage. [Removed in 14.3](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/6166). | - ---- +| `rate_limit_source_ip` | Rate limit per source IP in number of requests per second. Set to `0` to disable this feature. | +| `rate_limit_source_ip_burst` | Rate limit per source IP maximum burst allowed per second. | ## Advanced configuration @@ -647,7 +648,7 @@ To override the global maximum pages size for a specific group: ## Running GitLab Pages on a separate server You can run the GitLab Pages daemon on a separate server to decrease the load on -your main application server. +your main application server. This configuration does not support mutual TLS (mTLS). See the [corresponding feature proposal](https://gitlab.com/gitlab-org/gitlab-pages/-/issues/548) for more information. To configure GitLab Pages on a separate server: 
@@ -1031,6 +1032,38 @@ GitLab Pages are part of the [regular backup](../../raketasks/backup_restore.md) You should strongly consider running GitLab Pages under a different hostname than GitLab to prevent XSS attacks. +### Rate limits + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-pages/-/issues/631) in GitLab 14.5. + +You can enforce source-IP rate limits to help minimize the risk of a Denial of Service (DoS) attack. GitLab Pages +uses a [token bucket algorithm](https://en.wikipedia.org/wiki/Token_bucket) to enforce rate limiting. By default, +requests that exceed the specified limits are reported but not rejected. + +Source-IP rate limits are enforced using the following: + +- `rate_limit_source_ip`: Set the maximum threshold in number of requests per second. Set to 0 to disable this feature. +- `rate_limit_source_ip_burst`: Sets the maximum threshold of number of requests allowed in an initial outburst of requests. + For example, when you load a web page that loads a number of resources at the same time. + +#### Enable source-IP rate limits + +1. Set rate limits in `/etc/gitlab/gitlab.rb`: + + ```ruby + gitlab_pages['rate_limit_source_ip'] = 20.0 + gitlab_pages['rate_limit_source_ip_burst'] = 600 + ``` + +1. To reject requests that exceed the specified limits, enable the `FF_ENABLE_RATE_LIMITER` feature flag in + `/etc/gitlab/gitlab.rb`: + + ```ruby + gitlab_pages['env'] = {'FF_ENABLE_RATE_LIMITER' => 'true'} + ``` + +1. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure). + <!-- ## Troubleshooting Include any troubleshooting steps that you can foresee. If you know beforehand what issues diff --git a/doc/administration/pages/source.md b/doc/administration/pages/source.md index 278d792052a..3a277204d21 100644 --- a/doc/administration/pages/source.md +++ b/doc/administration/pages/source.md 
@@ -132,11 +132,11 @@ The Pages daemon doesn't listen to the outside world. https: false artifacts_server: false external_http: ["127.0.0.1:8090"] - secret_file: /home/git/gitlab/gitlab-pages/gitlab-pages-secret + secret_file: /home/git/gitlab/gitlab-pages-secret ``` 1. Add the following configuration file to - `/home/git/gitlab/gitlab-pages/gitlab-pages.conf`, and be sure to change + `/home/git/gitlab-pages/gitlab-pages.conf`, and be sure to change `example.io` to the FQDN from which you want to serve GitLab Pages and `gitlab.example.com` to the URL of your GitLab instance: @@ -159,12 +159,27 @@ The Pages daemon doesn't listen to the outside world. sudo -u git -H openssl rand -base64 32 > /home/git/gitlab/gitlab-pages-secret ``` -1. Edit `/etc/default/gitlab` and set `gitlab_pages_enabled` to `true` in - order to enable the pages daemon: +1. To enable the pages daemon: - ```ini - gitlab_pages_enabled=true - ``` + - If your system uses systemd as init, run: + + ```shell + sudo systemctl edit gitlab.target + ``` + + In the editor that opens, add the following and save the file: + + ```plaintext + [Unit] + Wants=gitlab-pages.service + ``` + + - If your system uses SysV init instead, edit `/etc/default/gitlab` and set + `gitlab_pages_enabled` to `true`: + + ```ini + gitlab_pages_enabled=true + ``` 1. Copy the `gitlab-pages` NGINX configuration file: |