@gnilchee
Created March 10, 2020 01:32
HAProxy config supporting an active/active setup with shared table used for rate limiting
# tested with HAProxy 2.0 LTS on Debian 9
# Process-wide settings.
global
# Runtime API socket. "level admin" grants full control over the running
# process (server state, table manipulation, etc.), so whoever can connect
# to this socket effectively administers the proxy.
# NOTE(review): /tmp is a world-writable directory; the socket's parent
# directory is therefore not trusted. A dedicated directory such as
# /run/haproxy/ is the usual choice — confirm what this deployment expects.
# "expose-fd listeners" hands the listening sockets to the next process on
# reload (the seamless-reload mechanism).
stats socket /tmp/haproxy_admin.sock mode 660 level admin expose-fd listeners
# Idle timeout for runtime-API connections.
stats timeout 30s
# Drop root privileges to this user/group once sockets are bound.
user haproxy
group haproxy
# Settings inherited by every frontend/backend below unless overridden there.
defaults
mode http
# Per-proxy cap on concurrent connections.
maxconn 500
balance roundrobin
# Timeouts without a unit are in milliseconds.
timeout connect 5000
timeout client 50000
timeout server 50000
# Bounds how long a client may take to send a complete request; this is the
# knob that limits slow-header style resource exhaustion.
timeout http-request 5s
option http-server-close
# Add X-Forwarded-For only when the client did not send one ("if-none"); an
# incoming header is passed through untouched. This matters because the
# frontend below keys its rate-limit counters on that header.
option forwardfor if-none
option redispatch
# NOTE(review): "stats enable" in the defaults section publishes the stats
# page on every frontend, i.e. also on the public *:80 listener, and the
# credential below is committed to the config. Serving the stats page from a
# dedicated, access-restricted listen section and keeping the real password
# out of version control is the usual setup.
stats enable
stats refresh 30s
stats auth haproxy:password
stats uri /haproxy?stats
# Do not advertise the HAProxy version on the stats page.
stats hide-version
# Static responses for the listed status codes.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Peer set that replicates the stick table between both nodes, so an
# active/active pair shares one counter per client.
peers haproxy-peers
# Each node identifies itself by its hostname (or the -L option) and must
# match one of these peer names for replication to start.
peer haproxy-1 172.20.0.100:10000
peer haproxy-2 172.20.0.101:10000
# shared table: string keys up to 64 bytes, up to 1m entries, an entry expires
# 15m after its last update; stores a sliding 5-minute HTTP error rate and
# request rate per key.
# NOTE(review): peer replication on 10000/tcp carries no authentication by
# default; keep it confined to the trusted 172.20.0.0 segment / firewalled.
table ha-shared type string len 64 size 1m expire 15m store http_err_rate(5m),http_req_rate(5m)
# Public listener for this node. Counters are tracked in the peer-shared table
# so the other node sees the same rates.
frontend haproxy-1_fe
bind *:80
mode http
###################
# rate/err limiting
###################
# Wait up to 5s for enough of the request to evaluate the content rule below.
tcp-request inspect-delay 5s
# Key the counters on the last X-Forwarded-For value.
# NOTE(review): this header is client-supplied. A request that omits it is
# not tracked at all (the example output further down shows both rates
# staying at 0 in that case), a varying value gets a fresh counter each time,
# and a forged value lands on another address's counter. Unless a trusted
# proxy in front of both nodes always sets XFF, tracking "src" — or only
# honouring XFF from known proxy addresses — is the safer key.
tcp-request content track-sc0 hdr(x-forwarded-for,-1) table haproxy-peers/ha-shared
# Thresholds over the table's 5-minute windows: 5+ errors -> err_abuse,
# 25+ requests -> rate_abuse.
acl err_abuse hdr(X-Forwarded-For,-1),table_http_err_rate(haproxy-peers/ha-shared) ge 5
acl rate_abuse hdr(X-Forwarded-For,-1),table_http_req_rate(haproxy-peers/ha-shared) ge 25
###################
# err_abuse takes precedence over rate_abuse.
use_backend err_limiter if err_abuse
use_backend rate_limiter if rate_abuse !err_abuse
default_backend default
# Upstream pool for well-behaved clients.
backend default
balance roundrobin
# Health check is a plain TCP connect (see "check port 443" on the server line).
option tcp-check
# Check every 15s; 3 failures mark a server down, 2 successes bring it back.
default-server inter 15s fall 3 rise 2
###################
# stick on xff
###################
# Pin a client (by last XFF value) to the same server on both nodes; the
# server_id is stored in the same shared table as the rate counters.
stick on hdr(X-Forwarded-For,-1) table haproxy-peers/ha-shared
###################
# NOTE(review): "ssl verify none" disables certificate validation toward
# httpbin.org, so the upstream TLS session is encrypted but not authenticated.
# "verify required" with a "ca-file" is the usual setting for a public
# endpoint. "maxconn 100" caps concurrent connections to this server.
server default_httpbin httpbin.org:443 ssl verify none check port 443 maxconn 100
# Terminal backend for rate_abuse: every request is answered with HTTP 429
# (Too Many Requests) instead of being forwarded.
backend rate_limiter
mode http
http-request deny deny_status 429
# Terminal backend for err_abuse: the request is rejected at the connection
# level, without an HTTP response.
backend err_limiter
mode http
http-request reject
You can display the counters in the haproxy-peers/ha-shared table with:
---------------------------------------------------------
echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
Example output:
---------------------------------------------------------
root@haproxy-2:~# echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
# table: haproxy-peers/ha-shared, type: string, size:1048576, used:0
After hitting haproxy-1 with a 404 using no XFF header (note that http_req_rate AND http_err_rate remain 0):
---------------------------------------------------------
root@haproxy-2:~# echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
# table: haproxy-peers/ha-shared, type: string, size:1048576, used:1
0x7f43f801e3d8: key=172.20.0.1 use=0 exp=896691 server_id=1 http_req_rate(300000)=0 http_err_rate(300000)=0 server_name=default_httpbin
After hitting haproxy-1 with a 404 using an XFF header (note that http_req_rate AND http_err_rate increment):
---------------------------------------------------------
root@haproxy-2:~# echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
# table: haproxy-peers/ha-shared, type: string, size:1048576, used:2
0x7f43f801e3d8: key=172.20.0.1 use=0 exp=789090 server_id=1 http_req_rate(300000)=0 http_err_rate(300000)=0 server_name=default_httpbin
0x7f43f801e558: key=192.168.1.50 use=0 exp=894193 server_id=1 http_req_rate(300000)=1 http_err_rate(300000)=1 server_name=default_httpbin