Block specific Pages domains through HAProxy
GitLab Pages is not fronted by Cloudflare, so this HAProxy-based blocking is the right tool for blocking abusive *.gitlab.io (or custom) Pages domains. For blocking traffic on any service that is behind Cloudflare, see the Cloudflare blocking and managing traffic runbook — Cloudflare is the preferred first option for blocking HTTP/S traffic elsewhere.
If the Pages service is saturated, you can view which Pages domain is getting the most traffic and place a block for that domain through HAProxy.
See what domains are currently blocked
- Add the domain as a new line in deny-403-pages-domains.lst.
- Refresh the mirror on ops by opening the mirroring repositories section and clicking the refresh button.
- Run chef-client on the Pages front-end nodes with:
  knife ssh -C 2 "roles:gprd-base-lb-pages" "sudo chef-client"
- You can verify that the configuration is applied by checking /etc/haproxy/front-end-security/deny-403-pages-domains.lst on an HAProxy node.
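A check for the add and verify steps above, as an added example that is not part of the runbook: it rejects entries that are not bare hostnames (a pasted URL, port or wildcard) and tests for an exact, whole-line match in the list. The function names are hypothetical, and it assumes one hostname per line, with blank lines and lines starting with `#` ignored and hostnames compared case-insensitively.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; the default path is the one
# the runbook gives. Assumes one hostname per line, '#' lines are comments.
LIST=${LIST:-/etc/haproxy/front-end-security/deny-403-pages-domains.lst}

normalize_domain() {
    # Lowercase, trim surrounding whitespace, drop one trailing dot.
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//'
}

is_bare_hostname() {
    # Dot-separated labels only: no scheme, path, port or wildcard.
    printf '%s\n' "$1" | grep -Eq \
        '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

domain_is_blocked() {
    # Usage: domain_is_blocked DOMAIN [LIST_FILE]
    # Returns 0 = listed, 1 = not listed, 2 = invalid entry or unreadable list.
    d=$(normalize_domain "$1")
    f=${2:-$LIST}
    is_bare_hostname "$d" || return 2
    [ -r "$f" ] || return 2
    # Whole-line fixed-string match, so one.gitlab.io does not match
    # abuse-one.gitlab.io.
    grep -v '^[[:space:]]*#' "$f" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -Fxq -- "$d"
}

# When run as a script with arguments, report the result and exit with it.
if [ "$#" -ge 1 ]; then
    rc=0
    domain_is_blocked "$@" || rc=$?
    case $rc in
        0) echo "listed" ;;
        1) echo "not listed" ;;
        *) echo "invalid entry or unreadable list" ;;
    esac
    exit "$rc"
fi
```

Run it against a checkout of the list before committing, and on an HAProxy node after the chef-client run, where the default path applies.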
You can observe the rate at which HAProxy denies front-end requests in Thanos.
You can also block individual IPs or apply net blocks.