haproxy limits, blocklist, trustlist

docker/haproxy/config/blocklist.txt

@@ -0,0 +1,3 @@
+# Blocked subnets and IPs. Use CIDR or IP by one per line
+5.136.0.0/13
+217.199.254.1

docker/haproxy/config/haproxy.cfg

@@ -41,6 +41,15 @@ listen stats
 listen mqtt-in
  bind *:${MQTT_PORT}
  mode tcp
+
+ stick-table type ip size 60k expire 60s store conn_cur
+
+ acl trustlist src -f /config/trustlist.txt
+ acl blocklist src -f /config/blocklist.txt
+ tcp-request connection accept if trustlist
+ tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
+ tcp-request connection track-sc1 src
+
  option clitcpka # For TCP keep-alive
  timeout client 3h
  timeout server 3h
@@ -52,6 +61,15 @@ listen mqtt-in
 listen edges-rpc-in
  bind *:${EDGES_RPC_PORT}
  mode tcp
+
+ stick-table type ip size 60k expire 60s store conn_cur
+
+ acl trustlist src -f /config/trustlist.txt
+ acl blocklist src -f /config/blocklist.txt
+ tcp-request connection accept if trustlist
+ tcp-request connection reject if blocklist or { src_conn_cur ge 5 }
+ tcp-request connection track-sc1 src
+
  option clitcpka # For TCP keep-alive
  timeout client 3h
  timeout server 3h
@@ -63,18 +81,28 @@ listen edges-rpc-in
 frontend http-in
  bind *:${HTTP_PORT} alpn h2,http/1.1
 
+ stick-table type ip size 60k expire 60s store conn_cur
+
+ acl trustlist src -f /config/trustlist.txt
+ acl blocklist src -f /config/blocklist.txt
+ tcp-request connection accept if trustlist
+ tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
+ tcp-request connection track-sc1 src
+
  option forwardfor
 
  http-request add-header "X-Forwarded-Proto" "http"
 
  acl transport_http_acl path_beg /api/v1/
  acl letsencrypt_http_acl path_beg /.well-known/acme-challenge/
+ acl tb_images_api_acl path_beg /api/images/
  acl tb_api_acl path_beg /api/ /swagger /webjars /v2/ /v3/ /static/rulenode/ /oauth2/ /login/oauth2/ /static/widgets/
 
  redirect scheme https if !letsencrypt_http_acl !transport_http_acl { env(FORCE_HTTPS_REDIRECT) -m str true }
 
  use_backend letsencrypt_http if letsencrypt_http_acl
  use_backend tb-http-backend if transport_http_acl
+ use_backend tb-images-api-backend if tb_images_api_acl
  use_backend tb-api-backend if tb_api_acl
 
  default_backend tb-web-backend
@@ -82,14 +110,24 @@ frontend http-in
 frontend https_in
   bind *:${HTTPS_PORT} ssl crt /usr/local/etc/haproxy/default.pem crt /usr/local/etc/haproxy/certs.d ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM alpn h2,http/1.1
 
+  stick-table type ip size 60k expire 60s store conn_cur
+
+  acl trustlist src -f /config/trustlist.txt
+  acl blocklist src -f /config/blocklist.txt
+  tcp-request connection accept if trustlist
+  tcp-request connection reject if blocklist or { src_conn_cur ge 50 }
+  tcp-request connection track-sc1 src
+
   option forwardfor
 
   http-request add-header "X-Forwarded-Proto" "https"
 
   acl transport_http_acl path_beg /api/v1/
+  acl tb_images_api_acl path_beg /api/images/
   acl tb_api_acl path_beg /api/ /swagger /webjars /v2/ /v3/ /static/rulenode/ /oauth2/ /login/oauth2/ /static/widgets/
 
   use_backend tb-http-backend if transport_http_acl
+  use_backend tb-images-api-backend if tb_images_api_acl
   use_backend tb-api-backend if tb_api_acl
 
   default_backend tb-web-backend
@@ -98,24 +136,76 @@ backend letsencrypt_http
   server letsencrypt_http_srv 127.0.0.1:8080
 
 backend tb-web-backend
+  timeout queue 60s
   balance leastconn
   option tcp-check
   option log-health-checks
-  server tbWeb1 tb-web-ui1:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4
+  server tbWeb1 tb-web-ui1:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
-  server tbWeb2 tb-web-ui2:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4
+  server tbWeb2 tb-web-ui2:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
   http-request set-header X-Forwarded-Port %[dst_port]
 
 backend tb-http-backend
+  timeout queue 60s
   balance leastconn
   option tcp-check
   option log-health-checks
-  server tbHttp1 tb-http-transport1:8081 check inter 5s resolvers docker_resolver resolve-prefer ipv4
+  server tbHttp1 tb-http-transport1:8081 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
-  server tbHttp2 tb-http-transport2:8081 check inter 5s resolvers docker_resolver resolve-prefer ipv4
+  server tbHttp2 tb-http-transport2:8081 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
+
+# Dummy backends for a stick-table purpose only.
+# There is only one stick-table per proxy. At the moment of writing this doc,
+# it does not seem useful to have multiple tables per proxy. If this happens
+# to be required, simply create a dummy backend with a stick-table in it and
+# reference it
+# https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#stick-table
+backend st_src_rate10s
+    stick-table type ip size 60k expire 10s store http_req_rate(10s)
+
+backend st_src_rate1m
+    stick-table type ip size 60k expire 1m store http_req_rate(1m)
 
 backend tb-api-backend
+  timeout queue 60s
   balance source
   option tcp-check
   option log-health-checks
-  server tbApi1 tb-core1:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4
+
-  server tbApi2 tb-core2:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4
+  http-request track-sc0 src table st_src_rate10s
+  http-request track-sc1 src table st_src_rate1m
+
+  acl trustlist src -f /config/trustlist.txt
+  http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 } !trustlist
+  http-request deny deny_status 429 if { sc_http_req_rate(1) gt 300 } !trustlist
+
   http-request set-header X-Forwarded-Port %[dst_port]
+  server tbApi1 tb-core1:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
+  server tbApi2 tb-core2:8080 check inter 5s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
+
+# Dummy backends for a stick-table purpose only.
+# There is only one stick-table per proxy. At the moment of writing this doc,
+# it does not seem useful to have multiple tables per proxy. If this happens
+# to be required, simply create a dummy backend with a stick-table in it and
+# reference it
+# https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#stick-table
+backend st_images_src_rate10s
+    stick-table type ip size 60k expire 10s store http_req_rate(10s)
+
+backend st_images_src_rate1m
+    stick-table type ip size 60k expire 1m store http_req_rate(1m)
+
+backend tb-images-api-backend
+  timeout queue 60s
+  balance source
+  option tcp-check
+  option log-health-checks
+
+  http-request track-sc0 src table st_images_src_rate10s
+  http-request track-sc1 src table st_images_src_rate1m
+
+  acl trustlist src -f /config/trustlist.txt
+  http-request deny deny_status 429 if { sc_http_req_rate(0) gt 1000 } !trustlist
+  http-request deny deny_status 429 if { sc_http_req_rate(1) gt 3000 } !trustlist
+
+  http-request set-header X-Forwarded-Port %[dst_port]
+  server tbImagesApi1 tb-core1:8080 check inter 10s resolvers docker_resolver resolve-prefer ipv4 maxconn 50
+  server tbImagesApi2 tb-core2:8080 check inter 10s resolvers docker_resolver resolve-prefer ipv4 maxconn 50

docker/haproxy/config/trustlist.txt

@@ -0,0 +1,12 @@
+# Trusted list is intended to do not apply any limitations for trustees
+#
+# Private subnet example
+# 10.0.0.0/8
+# Docker-compose subnet
+172.16.0.0/12
+# Local network subnet
+192.168.0.0/16
+# Allow loopback interface
+127.0.0.1
+::1
+# Allow trusted IPs or CIDRs below