Diffstat (limited to 'doc/security')
-rw-r--r-- doc/security/asset_proxy.md | 2
-rw-r--r-- doc/security/passwords_for_integrated_authentication_methods.md | 2
-rw-r--r-- doc/security/project_import_decompressed_archive_size_limits.md | 2
-rw-r--r-- doc/security/rack_attack.md | 2
-rw-r--r-- doc/security/rate_limits.md | 19
-rw-r--r-- doc/security/two_factor_authentication.md | 13
6 files changed, 35 insertions, 5 deletions
diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md index 91a35c2f2a9..fdceecdf386 100644 --- a/doc/security/asset_proxy.md +++ b/doc/security/asset_proxy.md @@ -25,7 +25,7 @@ A Camo server is used to act as the proxy. To install a Camo server as an asset proxy: 1. Deploy a `go-camo` server. Helpful instructions can be found in - [building catus/go-camo](https://github.com/cactus/go-camo#building). + [building cactus/go-camo](https://github.com/cactus/go-camo#building). 1. Make sure your instance of GitLab is running, and that you have created a private API token. Using the API, configure the asset proxy settings on your GitLab instance. For example: diff --git a/doc/security/passwords_for_integrated_authentication_methods.md b/doc/security/passwords_for_integrated_authentication_methods.md index 704af49b2d2..f2597ef1578 100644 --- a/doc/security/passwords_for_integrated_authentication_methods.md +++ b/doc/security/passwords_for_integrated_authentication_methods.md @@ -11,4 +11,4 @@ However, to maintain data consistency, GitLab requires passwords for all user ac For such accounts, we use the [`friendly_token`](https://github.com/heartcombo/devise/blob/f26e05c20079c9acded3c0ee16da0df435a28997/lib/devise.rb#L492) method provided by the Devise gem to generate a random, unique and secure password and sets it as the account password during sign up. -The length of the generated password is the set based on the value of [maximum password length](password_length_limits.md#modify-maximum-password-length-using-configuration-file) as set in the Devise configuation. The default value is 128 characters. +The length of the generated password is the set based on the value of [maximum password length](password_length_limits.md#modify-maximum-password-length-using-configuration-file) as set in the Device configuration. The default value is 128 characters. 
diff --git a/doc/security/project_import_decompressed_archive_size_limits.md b/doc/security/project_import_decompressed_archive_size_limits.md index dd67db23d6b..16821e1f192 100644 --- a/doc/security/project_import_decompressed_archive_size_limits.md +++ b/doc/security/project_import_decompressed_archive_size_limits.md @@ -17,7 +17,7 @@ If you have a project with decompressed size exceeding this limit, it is possible to disable the validation by turning off the `validate_import_decompressed_archive_size` feature flag. -Start a [Rails console](../administration/troubleshooting/debug.md#starting-a-rails-console-session). +Start a [Rails console](../administration/operations/rails_console.md#starting-a-rails-console-session). ```ruby # Disable diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index d3de2222c39..b386917f399 100644 --- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md @@ -4,8 +4,6 @@ type: reference, howto # Rack Attack initializer -## Overview - [Rack Attack](https://github.com/kickstarter/rack-attack), also known as Rack::Attack, is a Ruby gem that is meant to protect GitLab with the ability to customize throttling and to block user IP addresses. diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md index af2c14be2cd..9e754cf1917 100644 --- a/doc/security/rate_limits.md +++ b/doc/security/rate_limits.md 
@@ -28,6 +28,25 @@ similarly mitigated by a rate limit. - [Protected paths](../user/admin_area/settings/protected_paths.md). - [Import/Export rate limits](../user/admin_area/settings/import_export_rate_limits.md). +## Non-configurable limits + +### Repository archives + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25750) in GitLab 12.9. + +There is a rate limit for [downloading repository archives](../api/repositories.md#get-file-archive), +which applies to the project and to the user initiating the download either through the UI or the API. + +The **rate limit** is 5 requests per minute per user. + +### Webhook Testing + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/commit/35bc85c3ca093fee58d60dacdc9ed1fd9a15adec) in GitLab 13.4. + +There is a rate limit for [testing webhooks](../user/project/integrations/webhooks.md#testing-webhooks), which prevents abuse of the webhook functionality. + +The **rate limit** is 5 requests per minute per user. + ## Rack Attack initializer This method of rate limiting is cumbersome, but has some advantages. It allows diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md index 9d49e1d3af2..995dea7809e 100644 --- a/doc/security/two_factor_authentication.md +++ b/doc/security/two_factor_authentication.md 
@@ -65,9 +65,22 @@ The following are important notes about 2FA: 2FA enabled, 2FA is **not** required for those individually added members. - If there are multiple 2FA requirements (for example, group + all users, or multiple groups) the shortest grace period will be used. +- It is possible to disallow subgroups from setting up their own 2FA requirements. + Navigate to the top-level group's **Settings > General > Permissions, LFS, 2FA > Two-factor authentication** and uncheck the **Allow subgroups to set up their own two-factor authentication rule** field. This action will cause all subgroups with 2FA requirements to stop requiring that from their members. ## Disabling 2FA for everyone +CAUTION: **Caution:** +Disabling 2FA for everyone does not disable the [enforce 2FA for all users](#enforcing-2fa-for-all-users) +or [enforce 2FA for all users in a group](#enforcing-2fa-for-all-users-in-a-group) +settings. In addition to the steps in this section, you will need to disable any enforced 2FA +settings so users aren't asked to set up 2FA again, the next time the user signs in to GitLab. +Disabling 2FA for everyone does not disable the [enforce 2FA for all users](#enforcing-2fa-for-all-users) +or [enforce 2FA for all users in a group](#enforcing-2fa-for-all-users-in-a-group) +settings if they have been configured. In addition to the steps in this section, +you will need to disable any enforced 2FA settings so users aren't asked to setup +2FA again when the next login to GitLab. + There may be some special situations where you want to disable 2FA for everyone even when forced 2FA is disabled. There is a Rake task for that: |
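Review bot: the replacement line in the passwords_for_integrated_authentication_methods.md hunk turns `Devise configuation` into `Device configuration`, which fixes the misspelling of "configuration" but introduces a wrong name: the gem is Devise, as the unchanged context line directly above ("provided by the Devise gem") states. Suggest `as set in the Devise configuration`. The same line still reads "is the set based on the value of"; drop the stray "the" while the line is being touched.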
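Review bot: the project_import_decompressed_archive_size_limits.md hunk moves the Rails console link from `../administration/troubleshooting/debug.md` to `../administration/operations/rails_console.md` but keeps the old anchor `#starting-a-rails-console-session`; please confirm that heading exists in the new target, since a renamed heading there would leave a silently broken fragment link in a procedure that tells an administrator how to turn off the `validate_import_decompressed_archive_size` safeguard.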
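Review bot: in the rate_limits.md hunk, the "Repository archives" entry says the limit "applies to the project and to the user initiating the download" but then states it only as "5 requests per minute per user", which leaves it unclear whether the counter is keyed per user, per project, or per user-and-project pair; state the scope of the counter explicitly so administrators can predict what a burst of archive downloads spread across several projects will hit. Two smaller points in the same hunk: the new headings mix cases ("Repository archives" vs "Webhook Testing") while the surrounding headings ("Non-configurable limits", "Disabling 2FA for everyone") use sentence case, so "Webhook testing"; and the webhook "Introduced" note links to a bare commit where the archives entry links to a merge request, so a merge request link would be more consistent and easier to follow.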
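Review bot: the CAUTION block added in the two_factor_authentication.md hunk contains the same paragraph twice: the text beginning "Disabling 2FA for everyone does not disable the [enforce 2FA for all users]" appears first without and then again with "if they have been configured", so the rendered admonition would repeat itself. Keep one copy (the second is more precise about when the settings apply) and fix its wording: "you will need to disable any enforced 2FA settings so users aren't asked to setup 2FA again when the next login to GitLab" should read "you will need to disable any enforced 2FA settings so users aren't asked to set up 2FA again the next time they sign in to GitLab". In the new bullet above the heading, "Allow subgroups to set up their own two-factor authentication rule" is a checkbox, so "uncheck the ... field" reads better as "clear the ... checkbox".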