We have gitlab-ce running behind a load balancer. When a flood of failed login attempts come in, rack-attack blacklists the IP of the load balancer, so all users and all traffic gets blocked with 403 forbidden.
We are able to temporarily clear the issue by following "Remove blocked IPs from Rack Attack via Redis" (https://docs.gitlab.com/ee/security/rack_attack.html#remove-blocked-ips-from-rack-attack-via-redis) We have nginx['proxy_set_headers'] and nginx['log_format'] set to support X-Forwarded-For and proxy_add_x_forwarded_for, so nginx logs the real client IP, but I don't see any way to make gitlab_rails['rack_attack_git_basic_auth'] honor the X-Forwarded-For header. We'd like to avoid blocking the entire LB and all users. We'd also like to avoid completely disabling rack-attack. If possible to configure rack-attack to honor the X-Forwarded-For, and selectively blacklist client IP's that flood the server, that's what we'd like to do. Can it be done? Thanks -- You received this message because you are subscribed to the Google Groups "GitLab" group. To unsubscribe from this group and stop receiving emails from it, send an email to gitlabhq+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/gitlabhq/BN3PR04MB22098102AA1BAB571AEDF97BA38B0%40BN3PR04MB2209.namprd04.prod.outlook.com. For more options, visit https://groups.google.com/d/optout.
