gitlab-org/gitlab
Rate limiting
Centralized Redis-based throttle for protecting GitLab from abuse and overload.
Source
| Concern | Location |
|---|---|
| Core API | lib/gitlab/application_rate_limiter.rb (~22K LoC) |
| Per-action configs | lib/gitlab/application_rate_limiter/ |
| Rack middleware | Gitlab::RackAttack (lib/gitlab/rack_attack.rb), config/initializers/rack_attack.rb |
| Abusive request throttle | Gitlab::RackAttack::RequestRateLimiter |
| Repository archive limiter | lib/gitlab/repository_archive_rate_limiter.rb |
| Resource usage limiter | lib/gitlab/resource_usage_limiter.rb |
Two layers
- Rack-level throttling via rack-attack — coarse rate limits applied as middleware. Configured in config/initializers/rack_attack.rb. Catches login attacks, API floods, etc.
- Application-level throttling via Gitlab::ApplicationRateLimiter — per-action throttles applied inside services and controllers. Catches "creating too many issues per minute".
Application rate limiter
A throttle is declared with a key, threshold, and interval:
```ruby
# Inside a service / controller
return error if Gitlab::ApplicationRateLimiter.throttled?(
  :issue_creation,
  scope: [current_user, project]
)
```

The matching definition lives in the rate limiter's per-key registry. Each key declares:
- threshold — number of allowed actions.
- interval — seconds.
- scope — what to key on (user, project, IP, etc.).
Keys are documented at https://docs.gitlab.com/ee/security/rate_limits.html.
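To make the key / threshold / interval / scope semantics concrete, here is an added, self-contained illustration (not GitLab's own ApplicationRateLimiter code): a fixed-window throttle backed by an in-memory hash standing in for Redis INCR + EXPIRE, with an injectable clock so the window rollover can be exercised; the `ToyRateLimiter` class, its `RATE_LIMITS` registry and the sample limit values are all constructed for this example.

```ruby
# Added illustration, not GitLab's implementation: a fixed-window throttle
# shaped like the key / threshold / interval / scope contract described above.
class ToyRateLimiter
  # Hypothetical per-key registry; values are constructed sample limits.
  RATE_LIMITS = {
    issue_creation: { threshold: 3, interval: 60 } # 3 actions per 60 seconds
  }.freeze

  # clock: returns the current time in whole seconds (injectable for tests).
  def initialize(clock: -> { Time.now.to_i })
    @clock = clock
    @store = {} # cache_key => [count, window_expires_at]  (stands in for Redis)
  end

  # Counts one attempt for key+scope and returns true once the number of
  # attempts in the current interval exceeds the configured threshold.
  def throttled?(key, scope:)
    limit = RATE_LIMITS.fetch(key)
    cache_key = build_key(key, scope)
    now = @clock.call
    count, expires_at = @store[cache_key]

    if count.nil? || now >= expires_at
      # First hit in a fresh window: counter and TTL are set together, which
      # is what an atomic INCR + EXPIRE on a new Redis key achieves.
      @store[cache_key] = [1, now + limit[:interval]]
      return false
    end

    count += 1
    @store[cache_key][0] = count
    count > limit[:threshold]
  end

  private

  # Every scope element becomes part of the bucket name, so two users (or two
  # projects) never share a counter. Objects with an id are keyed by that id.
  def build_key(key, scope)
    parts = Array(scope).map { |s| s.respond_to?(:id) ? s.id.to_s : s.to_s }
    "throttle:#{key}:#{parts.join(':')}"
  end
end
```

The fourth call within the same window for the same user/project pair is the first one reported as throttled; a different scope or a new window starts from zero.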
Rack-attack rules
config/initializers/rack_attack.rb defines:
- Authenticated API throttle.
- Unauthenticated API throttle.
- Web throttle.
- Protected paths throttle (login, password reset).
- Plus per-IP and per-user buckets.
These are configurable via Admin area settings (ApplicationSetting) and feature flags.
Customizing
Self-managed admins can tune limits per instance via:
- Admin Area → Settings → Network → Rate limits.
- API: PUT /api/v4/application/settings.
GitLab.com's limits are shown in the docs.
Special-purpose limiters
- RepositoryArchiveRateLimiter (lib/gitlab/repository_archive_rate_limiter.rb) — guards /-/archive/... endpoints.
- ResourceUsageLimiter (lib/gitlab/resource_usage_limiter.rb) — coarse-grained CPU/memory backpressure.
- Sidekiq concurrency limits (app/workers/concurrency_limit/) — see Sidekiq jobs.
Telemetry
Every throttle increment publishes a Prometheus counter and an internal event. Dashboards and alerts watch for spike behavior (see Metrics).
Related
- Authentication — login throttle protections.
- Architecture — middleware stack.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.