backend st_src_global
# Per-source-IP counters shared by every request: up to 1m entries, idle
# entries expire after 10 minutes, each entry stores a 10-minute HTTP
# request rate. The table holds only counters; no server is defined here.
stick-table type ip size 1m expire 10m store http_req_rate(10m)
backend st_src_login
# Same layout as st_src_global, but fed only by requests that the frontend
# routes here (see the track-sc1 rule keyed on path_beg /login).
stick-table type ip size 1m expire 10m store http_req_rate(10m)
backend st_src_api
# Same layout as st_src_global, fed only by requests under /api
# (see the track-sc1 rule keyed on path_beg /api).
stick-table type ip size 1m expire 10m store http_req_rate(10m)
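frontend fe_main
bind *:80
# Every request is counted against the per-IP global table via counter 0.
http-request track-sc0 src table st_src_global
# Login and API traffic are additionally counted in their own tables via
# counter 1. A path cannot start with both /login and /api, so the two
# track-sc1 rules never apply to the same request. (The second rule was
# split across two lines by the page rendering; it is rejoined here so
# the 'if' is followed by its condition.)
http-request track-sc1 src table st_src_login if { path_beg /login }
http-request track-sc1 src table st_src_api if { path_beg /api }
# NOTE(review): only tracking is configured here - no default_backend and
# no deny rule reading the http_req_rate counters is visible; presumably
# this is an excerpt and the rest lives elsewhere.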
frontend fe_main
# Plain HTTP listener on port 80 (':80' binds all addresses, same as '*:80').
bind :80
# NOTE(review): a second proxy named fe_main appears earlier on this page;
# HAProxy does not accept two frontends with the same name in one
# configuration, so this is presumably a separate snippet/file.
default_backend be_main
backend be_main
# Single local upstream with health checking enabled.
balance roundrobin
server srv1 127.0.0.1:8080 check
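global
log /dev/log local0
# NOTE(review): 'debug' dumps all exchanges to stdout and keeps HAProxy in
# the foreground; it is a development setting, not one to ship.
debug
# Server cipher preference. NOTE(review): the RSA+AESGCM:RSA+AES suites use
# RSA key exchange and give no forward secrecy; consider removing them once
# legacy clients no longer need them.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# Minimum protocol version raised from TLSv1.1 to TLSv1.2: TLS 1.0 and 1.1
# are deprecated (RFC 8996), and TLS 1.1 offers no suite that is not also
# available in 1.2.
ssl-default-bind-options ssl-min-ver TLSv1.2
# Drop privileges after start-up: confine to a chroot, run as haproxy.
chroot /var/lib/haproxy
user haproxy
group haproxy
# JWT verification script plus the environment it presumably reads
# (public key for the signature check, expected issuer, expected audience)
# - confirm the variable names against jwtverify.lua.
lua-load /usr/local/share/lua/5.3/jwtverify.lua
setenv OAUTH_PUBKEY_PATH /usr/local/etc/haproxy/pem/pubkey.pem
setenv OAUTH_ISSUER https://nickram44.auth0.com/
setenv OAUTH_AUDIENCE https://api.mywebsite.com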
defaults
# Inherit the global log target; all proxies below are HTTP proxies.
log global
mode http
option httplog
timeout connect 10s
timeout client 30s
timeout server 30s
# Wait for the complete request body before running http-request rules,
# so Lua and ACLs see the whole request.
option http-buffer-request
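frontend api_gateway
bind :443 ssl crt /usr/local/etc/haproxy/pem/test.com.pem alpn h2,http1.1
default_backend apiservers
# Reject requests with no Authorization header before spending time in Lua.
http-request deny if { req.hdr_cnt(authorization) le 0 }
# jwtverify.lua validates the bearer token. NOTE(review): presumably it sets
# req.authorized (1 on success) and req.oauth_scopes (the token's scope
# claim) - confirm against the script.
http-request lua.jwtverify
http-request deny if ! { var(req.authorized) eq 1 }
# Scope checks for /api/hamsters. The original used '-m sub', a plain
# substring test, so any scope merely containing 'read:hamsters' (e.g. a
# longer or differently prefixed scope name) would have passed. The regex
# requires the scope to be a whole token, delimited by start/end of string,
# a space (the RFC 6749 scope separator) or a comma. Single quotes are
# strong quoting in HAProxy, so '$' is not expanded.
http-request deny if { path_beg /api/hamsters } { method GET } ! { var(req.oauth_scopes) -m reg '(^|[ ,])read:hamsters([ ,]|$)' }
http-request deny if { path_beg /api/hamsters } { method POST PUT DELETE } ! { var(req.oauth_scopes) -m reg '(^|[ ,])write:hamsters([ ,]|$)' }
# NOTE(review): any path other than /api/hamsters is allowed to every
# holder of a valid token regardless of scope; confirm that is intended.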
backend apiservers
# Single local upstream. Unlike be_main above, this server line has no
# 'check', so a dead upstream is not detected by health checks.
balance roundrobin
server server1 127.0.0.1:8080