feat: apply sliding window rate limiting

pillar/base/haproxy.sls

@@ -17,6 +17,7 @@ haproxy:
         - docs.python.org
         - doc.python.org
       check: "HEAD /_check HTTP/1.1\\r\\nHost:\\ docs.python.org"
+      rate_limit: 100
 
     downloads:
       domains:
@@ -75,6 +76,7 @@ haproxy:
         - {{ config.server_name }}
       verify_host: bugs.psf.io
       check: "HEAD / HTTP/1.1\\r\\nHost:\\ {{ config.server_name }}"
+      rate_limit: {{ config.get('rate_limit', 10) }}
     {% endfor %}
 
     moin:

salt/haproxy/config/haproxy.cfg.jinja

@@ -52,7 +52,6 @@ global
     # Lower the amount of space we reserve for header rewriting
     tune.maxrewrite 1024
 
-
 defaults
     log     global
 
@@ -117,6 +116,22 @@ frontend main
     bind :::80
     bind 127.0.0.1:19001  # This is our TLS socket.
 
+    # Apply rate limits per srvice
+    {% for service, config in haproxy.services.items() %}
+    {% if config.get('rate_limit') and loop.index <= 2 %}
+    stick-table type ip size 100k expire 30s store http_req_rate(1s)
+    {% endif %}
+    {% endfor %}
+
+    # Apply rate limits
+    {% for service, config in haproxy.services.items() %}
+    {% if config.get('rate_limit') and loop.index <= 2 %}
+    acl is_{{ service }} hdr(host) -i {% for domain in config.domains %}{{ domain }} {% endfor %}
+    http-request track-sc{{ loop.index }} src if is_{{ service }}
+    http-request deny deny_status 429 if is_{{ service }} { sc{{ loop.index }}_http_req_rate() gt {{ config.rate_limit }} }
+    {% endif %}
+    {% endfor %}
+
     # Custom logging format, this is the same as the normal "httplog" in
     # HAProxy except information about the TLS connection is included.
     log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %sslv/%sslc\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r