I eventually had to give up with this. I pushed my code to a private repo on GitLab.com and repointed the external services at that, and now I have no problem with blocking, even though the clients are doing exactly the same thing. This tells me that the policies embedded in GitLab-CE are inappropriate, and more critically, are not controllable or visible by admins, so we are stuck with them. I can’t even tell which part of gitlab is doing the blocking, other than that it’s not rack attack, even though that is exactly the component that is meant to be responsible for blocking potentially malicious access attempts. It’s a bug.