
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'doc/security')
-rw-r--r-- doc/security/asset_proxy.md 6
-rw-r--r-- doc/security/rate_limits.md 20
-rw-r--r-- doc/security/ssh_keys_restrictions.md 2
-rw-r--r-- doc/security/unlock_user.md 2
-rw-r--r-- doc/security/webhooks.md 2
5 files changed, 26 insertions, 6 deletions
diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md
index e4849b1b658..1ccc9bfd9be 100644
--- a/doc/security/asset_proxy.md
+++ b/doc/security/asset_proxy.md
@@ -48,11 +48,11 @@ To install a Camo server as an asset proxy:
| Attribute | Description |
|:-------------------------|:-------------------------------------------------------------------------------------------------------------------------------------|
- | `asset_proxy_enabled` | Enable proxying of assets. If enabled, requires: `asset_proxy_url`). |
+ | `asset_proxy_enabled` | Enable proxying of assets. If enabled, requires: `asset_proxy_url`. |
| `asset_proxy_secret_key` | Shared secret with the asset proxy server. |
| `asset_proxy_url` | URL of the asset proxy server. |
- | `asset_proxy_whitelist` | (Deprecated: Use `asset_proxy_allowlist` instead) Assets that match these domain(s) are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically allowed. |
- | `asset_proxy_allowlist` | Assets that match these domain(s) are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically allowed. |
+ | `asset_proxy_whitelist` | (Deprecated: Use `asset_proxy_allowlist` instead) Assets that match these domains are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically allowed. |
+ | `asset_proxy_allowlist` | Assets that match these domains are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically allowed. |
1. Restart the server for the changes to take effect. Each time you change any values for the asset
proxy, you need to restart the server.
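Review bot: In the `asset_proxy_enabled` row, the colon kept in "requires: `asset_proxy_url`." reads as a dangling list introduction now that the stray parenthesis is gone; "requires `asset_proxy_url`." would be cleaner. In the two allowlist rows, "Wildcards allowed" gives no pattern form, and since matching domains are NOT proxied, an administrator needs to know how much a wildcard covers before setting it, so an example value would help. The deprecated `asset_proxy_whitelist` row also repeats the full description of `asset_proxy_allowlist`; it could keep only the deprecation pointer so the two cannot drift apart.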
diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md
index cdf99e8377d..ac532ee491a 100644
--- a/doc/security/rate_limits.md
+++ b/doc/security/rate_limits.md
@@ -70,6 +70,26 @@ For configuration information, see
## Non-configurable limits
+### Git operations using SSH
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78373) in GitLab 14.7.
+> - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79419) in GitLab 14.8.
+
+GitLab rate limits Git operations using SSH by user account and project. If a request from a user for a Git operation
+on a project exceeds the rate limit, GitLab drops further connection requests from that user for the project.
+
+The rate limit applies at the Git command ([plumbing](https://git-scm.com/book/en/v2/Git-Internals-Plumbing-and-Porcelain)) level.
+Each command has a rate limit of 600 per minute. For example:
+
+- `git push` has a rate limit of 600 per minute.
+- `git pull` has its own rate limit of 600 per minute.
+
+Because the same commands are shared by `git-upload-pack`, `git pull`, and `git clone`, they share a rate limit.
+
+The requests/minute threshold for this rate limit is not configurable. Self-managed customers can disable this
+rate limit by [disabling the feature flag](../administration/feature_flags.md#enable-or-disable-the-feature)
+with `Feature.disable(:rate_limit_gitlab_shell)`.
+
### Repository archives
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25750) in GitLab 12.9.
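Review bot: The sentence "Because the same commands are shared by `git-upload-pack`, `git pull`, and `git clone`, they share a rate limit" lists `git-upload-pack` as a peer of the two porcelain commands, although the paragraph above says the limit applies at the plumbing level. Suggest rewording so that `git pull` and `git clone` share a limit because both run `git-upload-pack`, and naming the plumbing command in each bullet instead of `git push` and `git pull`. "GitLab drops further connection requests" does not say what the user sees or when requests are accepted again, which matters to anyone triaging failed SSH operations. The last paragraph documents `Feature.disable(:rate_limit_gitlab_shell)` without stating what protection is lost when the flag is off.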
diff --git a/doc/security/ssh_keys_restrictions.md b/doc/security/ssh_keys_restrictions.md
index 03bc0207cf5..272d840ef13 100644
--- a/doc/security/ssh_keys_restrictions.md
+++ b/doc/security/ssh_keys_restrictions.md
@@ -24,7 +24,7 @@ the minimum key length for each technology:
1. On the left sidebar, select **Settings > General** (`/admin/application_settings/general`).
1. Expand the **Visibility and access controls** section:
- ![SSH keys restriction admin settings](img/ssh_keys_restrictions_settings.png)
+ ![SSH keys restriction Admin Area settings](img/ssh_keys_restrictions_settings.png)
If a restriction is imposed on any key type, users cannot upload new SSH keys that don't meet the
requirement. Any existing keys that don't meet it are disabled but not removed and users cannot
diff --git a/doc/security/unlock_user.md b/doc/security/unlock_user.md
index f2ad6696b9a..efe9c5784ad 100644
--- a/doc/security/unlock_user.md
+++ b/doc/security/unlock_user.md
@@ -10,7 +10,7 @@ type: howto
Users are locked after ten failed sign-in attempts. These users remain locked:
- For 10 minutes, after which time they are automatically unlocked.
-- Until an admin unlocks them from the [Admin Area](../user/admin_area/index.md) or the command line in under 10 minutes.
+- Until an administrator unlocks them from the [Admin Area](../user/admin_area/index.md) or the command line in under 10 minutes.
## Unlock a user from the Admin Area
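Review bot: The changed bullet still ends with "in under 10 minutes", so the list reads as "remain locked until an administrator unlocks them in under 10 minutes", which is hard to parse next to the first bullet. Suggest presenting the two bullets as alternatives, for example "For 10 minutes, or until an administrator unlocks them, whichever comes first". The context line also writes "ten failed sign-in attempts" while the bullets use "10"; pick one numeral style.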
diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md
index 07b35ccebe8..c3d445103c4 100644
--- a/doc/security/webhooks.md
+++ b/doc/security/webhooks.md
@@ -49,7 +49,7 @@ This behavior can be overridden:
1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Settings > Network**.
1. Expand the **Outbound requests** section:
- ![Outbound requests admin settings](img/outbound_requests_section_v12_2.png)
+ ![Outbound requests Admin Area settings](img/outbound_requests_section_v12_2.png)
1. Select **Allow requests to the local network from web hooks and services**.
NOTE:
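Review bot: The alt text on the changed line is updated, but the image it describes is still `outbound_requests_section_v12_2.png`, while the steps above use the "**Menu > Admin**" top bar navigation. Please confirm the 12.2 screenshot still matches the current **Outbound requests** section, since this step leads into enabling "Allow requests to the local network from web hooks and services" and a stale image there can lead an administrator to the wrong checkbox. The alt text could also say what the screenshot shows (the outbound request checkboxes) rather than only where the setting lives.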