gitlab forbidden 解决办法(gitlab的rack::attack机制)

版本：GitLab Community Edition 10.8.7

现象：小部分用户web访问gitlab显示403 forbidden。

原因：gitlab有rack::attack模块，来防治恶意ip刷机，其详细文档：https://docs.gitlab.com/ee/security/rack_attack.html

确定是否是这个原因：

1、查日志
# cd /var/log/gitlab/gitlab-rails/
# grep 'Rack_Attack' production.log|more
Rack_Attack: blacklist 192.130.160.212 GET /xxx
Rack_Attack: blacklist 192.130.160.212 GET /xxxxxx
Rack_Attack: blacklist 192.130.160.212 GET /xxxxxxxx
确认这个ip是否是访问者的ip
2、进入redis：
# /opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket
redis /var/opt/gitlab/redis/redis.socket> keys *rack::attack*
1) "cache:gitlab:rack::attack:26176509:allow2ban:count:192.130.160.212"
2) "cache:gitlab:rack::attack:allow2ban:ban:192.130.160.212"

通过两步即可确认，就是这个原因。在redis里清除该条即可：
del cache:gitlab:rack::attack:allow2ban:ban:192.130.160.212

总结：从11版本开始，官方默认不开启这个功能：
Note: Starting with GitLab 11.2, Rack Attack is disabled by default. If your instance is not exposed to the public internet, it is recommended that you leave Rack Attack disabled.