config/haproxy.cfg

global
    log stdout local0 debug

    stats socket /tmp/api.sock user haproxy group haproxy mode 600 level admin expose-fd listeners
    stats timeout 30s

    # Find a good resources for setting maxconn below:
    # https://www.haproxy.com/blog/protect-servers-with-haproxy-connection-limits-and-queues/
    maxconn 1024

    # st_global limits
    set-var proc.vv_global_conn_cur_limit str("vv_global_conn_cur_limit"),map_str(/usr/local/etc/haproxy/maps/config.map,30)
    set-var proc.vv_global_conn_rate_limit str("vv_global_conn_rate_limit"),map_str(/usr/local/etc/haproxy/maps/config.map,31)
    set-var proc.vv_global_http_rate_limit str("vv_global_http_rate_limit"),map_str(/usr/local/etc/haproxy/maps/config.map,32)

    # st_path limits
    set-var proc.vv_path_default_http_rate_limit str("vv_path_default_http_rate_limit"),map_str(/usr/local/etc/haproxy/maps/config.map,33)
    set-var proc.vv_path_static_http_rate_limit str("vv_path_static_http_rate_limit"),map_str(/usr/local/etc/haproxy/maps/config.map,34)
    set-var proc.vv_path_api_http_rate_limit str("vv_path_api_http_rate_limit"),map_str(/usr/local/etc/haproxy/maps/config.map,35)


defaults
    log    global

    mode   http
    option httplog
    option dontlognull

    timeout connect 5000
    timeout client  50000
    timeout server  50000

    errorfile 429 /usr/local/etc/haproxy/errors/vv-error-html-429.http


frontend fe_metrics
    bind "${VV_HAPROXY_FE_METRICS_LISTEN_ADDR-:8901}"
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /stats
    stats refresh 10s


http-errors http_errors_html
    errorfile 429 /usr/local/etc/haproxy/errors/vv-error-html-429.http


http-errors http_errors_json
    errorfile 429 /usr/local/etc/haproxy/errors/vv-error-json-429.http


frontend fe_http
    bind "${VV_HAPROXY_FE_HTTP_LISTEN_ADDR-:8900}"

    tcp-request inspect-delay 5s
    tcp-request connection track-sc0 src table st_global

    # IP Blacklist
    acl is_blacklisted src -f /usr/local/etc/haproxy/lists/blacklist.lst

    # Since acls are ran once evaluated, you can use short circuiting to
    # conditionally exec an acl like a function, here I inc a counter.
    acl do_inc_gpc0 sc0_inc_gpc0(st_global) gt 0

    # Reject request and inc gpc0 if blacklisted
    tcp-request connection reject if is_blacklisted do_inc_gpc0
    tcp-request connection reject if { sc0_get_gpc0 gt 0 }

    # Path acls
    acl is_path_v1 path_beg -i /v1
    acl is_static_content path_end .js .css .png .jpeg .svg .gif .ttf .ico
    acl is_static_content path_beg -i /static/

    # Set current conns, conn rate & global requests rate
    http-request set-var(txn.vv_global_conn_cur_current) src,table_conn_cur(st_global)
    http-request set-var(txn.vv_global_conn_rate_current) src,table_conn_rate(st_global)
    http-request set-var(txn.vv_global_http_rate_current) src,table_http_req_rate(st_global)

    # Create acls for current conns, conn rate & global requests rate
    acl is_global_conn_cur_limited var(proc.vv_global_conn_cur_limit),sub(txn.vv_global_conn_cur_current) lt 0
    acl is_global_conn_rate_limited var(proc.vv_global_conn_rate_limit),sub(txn.vv_global_conn_rate_current) lt 0
    acl is_global_http_rate_limited var(proc.vv_global_http_rate_limit),sub(txn.vv_global_http_rate_current) lt 0

    # Global conn checks - also inc gpc0
    http-request deny deny_status 429 errorfiles http_errors_json if is_path_v1 is_global_conn_cur_limited do_inc_gpc0
    http-request deny deny_status 429 errorfiles http_errors_html if is_global_conn_cur_limited do_inc_gpc0
    http-request deny deny_status 429 errorfiles http_errors_json if is_path_v1 is_global_conn_rate_limited do_inc_gpc0
    http-request deny deny_status 429 errorfiles http_errors_html if is_global_conn_rate_limited do_inc_gpc0

    # Global http rate check
    http-request deny deny_status 429 errorfiles http_errors_json if is_path_v1 is_global_http_rate_limited
    http-request deny deny_status 429 errorfiles http_errors_html if is_global_http_rate_limited

    # Set current rates for this path by looking them up in st_paths
    http-request set-var(txn.vv_path_http_rate_current) base32+src,table_http_req_rate(st_paths)

    # Set rate limit for this path from the rates-by-ip.map if it
    # exists, otherwise leave it unset.
    http-request set-var(txn.vv_path_http_rate_limit) src,map_ip(/usr/local/etc/haproxy/maps/rates-by-ip.map)

    # Set rate limit for this path from the rates-by-url.map if it
    # exists, otherwise leave it unset.
    http-request set-var(txn.vv_path_http_rate_limit,ifnotset) path,map_beg(/usr/local/etc/haproxy/maps/rates-by-url.map)

    # If no rate was set yet, check if this is an API request and use that
    # for the default.
    http-request set-var(txn.vv_path_http_rate_limit,ifnotset) var(proc.vv_path_api_http_rate_limit) if is_path_v1

    # If no rate was set yet, check if this is a static request and use that
    # for the default.
    http-request set-var(txn.vv_path_http_rate_limit,ifnotset) var(proc.vv_path_static_http_rate_limit) if is_static_content

    # If no rate was set yet, use the default rate limit
    http-request set-var(txn.vv_path_http_rate_limit,ifnotset) var(proc.vv_path_default_http_rate_limit)

    # Create acl for http path rates
    acl is_path_http_rate_limited var(txn.vv_path_http_rate_limit),sub(txn.vv_path_http_rate_current) lt 0

    # Track sc1 for path (if not rate limited)
    http-request track-sc1 base32+src table st_paths if !is_path_http_rate_limited
 
    # If the env var VV_HAPROXY_DEBUG exists we enable a special route
    # with useful information.
    #
    # Note on whitespace and string literals:
    #
    #   INVALID: streq("${VV_HAPROXY_DEBUG}", "true")  # matches: ' "true"'
    #   INVALID: streq("${VV_HAPROXY_DEBUG}", true)    # matches: ' true'
    #   CORRECT: streq("${VV_HAPROXY_DEBUG}",true)     # matches: 'true'
    #
    # This also applies for other things, such as:
    #
    #   http-request set-var(txn.vv_path_http_rate_limit, ifnotset)  # Fails
    #   http-request set-var(txn.vv_path_http_rate_limit,ifnotset)   # Works
    #
    .if streq("${VV_HAPROXY_DEBUG}",true)
        .notice "debug route at /haproxy enabled (${VV_HAPROXY_DEBUG}=true)"

        # This is a simple pattern for printing the current values of acls
        http-request set-var(txn.vv_acl_str_is_global_conn_cur_limited) str("is_global_conn_cur_limited: true") if is_global_conn_cur_limited
        http-request set-var(txn.vv_acl_str_is_global_conn_cur_limited) str("is_global_conn_cur_limited: false") if !is_global_conn_cur_limited

        http-request set-var(txn.vv_acl_str_is_global_conn_rate_limited) str("is_global_conn_rate_limited: true") if is_global_conn_rate_limited
        http-request set-var(txn.vv_acl_str_is_global_conn_rate_limited) str("is_global_conn_rate_limited: false") if !is_global_conn_rate_limited

        http-request set-var(txn.vv_acl_str_is_global_http_rate_limited) str("is_global_http_rate_limited: true") if is_global_http_rate_limited
        http-request set-var(txn.vv_acl_str_is_global_http_rate_limited) str("is_global_http_rate_limited: false") if !is_global_http_rate_limited
        
        http-request set-var(txn.vv_acl_str_is_path_http_rate_limited) str("is_path_http_rate_limited: true") if is_path_http_rate_limited
        http-request set-var(txn.vv_acl_str_is_path_http_rate_limited) str("is_path_http_rate_limited: false") if !is_path_http_rate_limited
        
        # Check to see if we are using a special debugging path.
        acl is_haproxy_debug path_beg -i /haproxy
        acl is_haproxy_debug path_beg -i /v1/haproxy
        
        # Use backend if it's a debug path.
        use_backend be_debug if is_haproxy_debug

    .endif

    # Check http rate limiting.
    use_backend be_tarpit_json if is_path_http_rate_limited is_path_v1
    use_backend be_tarpit_html if is_path_http_rate_limited

    # Some simple backend selection acls for testing
    acl is_host_localhost hdr_dom(Host) -i localhost
    acl is_host_svc01.example.test hdr_dom(Host) -i svc01.example.test
    acl is_host_svc02.example.test hdr_dom(Host) -i svc02.example.test

    # Select a backend based on acl
    use_backend be_localhost_ui if is_host_localhost
    use_backend be_example_svc01 if is_host_svc01.example.test 
    use_backend be_example_svc02 if is_host_svc01.example.test 

    # Dynamic backend selection from hosts.map
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/maps/hosts.map,be_errors_json)] if !is_path_v1
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/maps/hosts.map,be_errors_html)]


# Debug
backend be_debug
    http-request return status 200 content-type text/html lf-file /usr/local/etc/haproxy/debug.html


# Stick Table - ipv6 - rate limiting by src ip
# https://docs.haproxy.org/2.7/configuration.html#4.2-stick-table%20type
backend st_global

    # For local testing I have this set to 1k, tweak to 100k-1m for prod
    # depending on your systems memory.
    stick-table  type ipv6  size 1k  expire 10s  store gpc0,conn_cur,conn_rate(10s),http_req_rate(10s)


# Stick Table - binary - rate limiting by (src + host + path)
# https://docs.haproxy.org/2.7/configuration.html#7.3.6-base
backend st_paths

    # This has much more entries in it, so setting it to be st_global * N
    # is a good idea, where N is something factoring the total src+host+path
    # combinations you want to track.
    stick-table  type binary  len 32  size 10k  expire 10s  store gpc0,conn_rate(10s),http_req_rate(10s)


# Tarpit - ui
backend be_tarpit_html
    errorfiles http_errors_html
    timeout tarpit 2s
    http-request tarpit deny_status 429


# Tarpit - api
backend be_tarpit_json
    errorfiles http_errors_json
    timeout tarpit 2s
    http-request tarpit deny_status 429


# Errors - ui
backend be_errors_html
    mode http
    errorfiles http_errors_html


# Errors - api
backend be_errors_json
    mode http
    errorfiles http_errors_json


backend be_localhost_ui
    mode http
    errorfiles http_errors_html
    http-request return status 200 content-type text/plain lf-string "backend: be_localhost_ui"


backend be_example_ui
    mode http
    errorfiles http_errors_html
    http-request return status 200 content-type text/plain lf-string "backend: be_example_ui"


backend be_example_api
    mode http
    errorfiles http_errors_json
    http-request return status 200 content-type text/plain lf-string "backend: be_example_api"


backend be_example_docs
    mode http
    errorfiles http_errors_html
    http-request return status 200 content-type text/plain lf-string "backend: be_example_docs"


backend be_example_svc01
    mode http
    errorfiles http_errors_json
    http-request return status 200 content-type text/plain lf-string "backend: backend be_example_svc01"


backend be_example_svc02
    mode http
    errorfiles http_errors_json
    http-request return status 200 content-type text/plain lf-string "backend: backend be_example_svc02"