From a96942ac837026cb515b40a1bce5b3d022701551 Mon Sep 17 00:00:00 2001
From: Daria Anton
Date: Mon, 20 Apr 2026 17:11:08 +0200
Subject: [PATCH 1/2] Rate limiting via socket
---
 jobs/haproxy/templates/haproxy.config.erb | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb
index 07c14cf5..e9452560 100644
--- a/jobs/haproxy/templates/haproxy.config.erb
+++ b/jobs/haproxy/templates/haproxy.config.erb
@@ -319,6 +319,14 @@ global
 <%- if backend_match_http_protocol && backends.length == 2 -%>
 set-var proc.h2_alpn_tag str(h2)
 <%- end -%>
+ <%- if_p("ha_proxy.connections_rate_limit.table_size", "ha_proxy.connections_rate_limit.window_size") do -%>
+ <%- if_p("ha_proxy.connections_rate_limit.connections") do |connections| -%>
+ set-var proc.conn_rate_limit int(<%= connections %>)
+ <%- end -%>
+ <%- if_p("ha_proxy.connections_rate_limit.block") do |block| -%>
+ set-var proc.conn_rate_limit_enabled bool(<%= block ? 1 : 0 %>)
+ <%- end -%>
+ <%- end -%>
 <%- if p("ha_proxy.always_allow_body_http10") %>
 h1-accept-payload-with-any-method
 <%- end %>
@@ -432,10 +440,8 @@ frontend http-in
 tcp-request connection reject if layer4_block
 <%- if_p("ha_proxy.connections_rate_limit.table_size", "ha_proxy.connections_rate_limit.window_size") do -%>
 tcp-request connection track-sc0 src table st_tcp_conn_rate
- <%- if_p("ha_proxy.connections_rate_limit.block", "ha_proxy.connections_rate_limit.connections") do |block, connections| -%>
- <%-if block -%>
- tcp-request connection reject if { sc_conn_rate(0) gt <%= connections %> }
- <%- end -%>
+ <%- if_p("ha_proxy.connections_rate_limit.connections") do -%>
+ tcp-request connection reject if { var(proc.conn_rate_limit_enabled) -m bool } { sc_conn_rate(0),sub(proc.conn_rate_limit) gt 0 }
 <%- end -%>
 <%- end -%>
 <%- if_p("ha_proxy.requests_rate_limit.table_size", "ha_proxy.requests_rate_limit.window_size") do -%>
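Review bot: With the limit and the enable flag now held in `proc.conn_rate_limit` and `proc.conn_rate_limit_enabled`, whoever can write process variables over the HAProxy runtime socket can raise the threshold or switch connection rejection off without a redeploy, and nothing in this block says so. I would add an ERB comment above the outer `if_p`, e.g. `<%# proc.conn_rate_limit and proc.conn_rate_limit_enabled are seeded from the manifest and may be overridden over the runtime socket; restrict socket access accordingly -%>`. A runtime override presumably lasts only until the next reload re-applies the manifest values, which is worth stating for operators as well. It is also worth confirming that the socket's configured access level and file permissions are no broader than the set of people allowed to disable this control. The `global` section starts and ends outside this hunk.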
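Review bot: The reject rule in `frontend http-in` is rendered whenever `connections` is set, but `proc.conn_rate_limit_enabled` is only initialised in the `global` hunk when `block` has a value, so the two guards no longer match. If `block` can be absent, the `var(proc.conn_rate_limit_enabled) -m bool` condition would read a variable that was never set and the rule would most likely never match, leaving the limit silently off. Seeding the flag unconditionally inside the outer `if_p`, for example `set-var proc.conn_rate_limit_enabled bool(<%= p("ha_proxy.connections_rate_limit.block", false) ? 1 : 0 %>)`, would make the default explicit and keep the variable defined for later runtime changes. The same rule is added to `frontend https-in` in patch 2/2, and both frontends continue outside their hunks.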
From 9f592171652c0945d2b595e0d2a4e9eac06b0378 Mon Sep 17 00:00:00 2001
From: Daria Anton
Date: Mon, 20 Apr 2026 17:25:44 +0200
Subject: [PATCH 2/2] Rate limiting via socket
---
 jobs/haproxy/templates/haproxy.config.erb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb
index e9452560..54d42a93 100644
--- a/jobs/haproxy/templates/haproxy.config.erb
+++ b/jobs/haproxy/templates/haproxy.config.erb
@@ -572,10 +572,8 @@ frontend https-in
 tcp-request connection reject if layer4_block
 <%- if_p("ha_proxy.connections_rate_limit.table_size", "ha_proxy.connections_rate_limit.window_size") do -%>
 tcp-request connection track-sc0 src table st_tcp_conn_rate
- <%- if_p("ha_proxy.connections_rate_limit.block", "ha_proxy.connections_rate_limit.connections") do |block, connections| -%>
- <%-if block -%>
- tcp-request connection reject if { sc_conn_rate(0) gt <%= connections %> }
- <%- end -%>
+ <%- if_p("ha_proxy.connections_rate_limit.connections") do -%>
+ tcp-request connection reject if { var(proc.conn_rate_limit_enabled) -m bool } { sc_conn_rate(0),sub(proc.conn_rate_limit) gt 0 }
 <%- end -%>
 <%- end -%>
 <%- if_p("ha_proxy.requests_rate_limit.table_size", "ha_proxy.requests_rate_limit.window_size") do -%>
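Review bot: The new reject rule in `frontend https-in` has no accompanying documentation or test, since both patches in the series touch only `haproxy.config.erb`. The descriptions of the `connections` and `block` properties, wherever the job documents them, presumably still describe a limit fixed at deploy time; I would update them to say the values now only seed `proc.conn_rate_limit` and `proc.conn_rate_limit_enabled`. A rendering test covering `block` true, false and unset for this frontend would pin the intended default, and any existing test asserting the old `sc_conn_rate(0) gt <n>` line will need updating. The `https-in` frontend starts and ends outside this hunk.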