haproxy.cfg

global
    log stdout format raw local0 info 

    # Runtime API
    stats socket :9999 level admin expose-fd listeners

    # Load JWT library
    lua-load /usr/local/share/lua/5.3/jwtverify.lua

    # Configure JWT library
    setenv OAUTH_ISSUER http://localhost/auth/realms/weather-services
    setenv OAUTH_AUDIENCE http://localhost/api/weather-services
    setenv OAUTH_PUBKEY_PATH /etc/haproxy/pem/pubkey.pem

defaults
    # standard default settings...
    log global
    mode http
    timeout client 5s
    timeout server 5s
    timeout connect 5s
    option httplog

frontend fe_api
    bind :80

    # a stick table stores the count of requests each clients makes
    stick-table  type ip  size 100k  expire 1m  store http_req_cnt

    # allow 'auth' request to go straight through to Keycloak
    http-request allow if { path_beg /auth/ }
    use_backend keycloak if { path_beg /auth/ }

    # deny requests that don't send an access token
    http-request deny unless { req.hdr(authorization) -m found }

    # verify access tokens
    http-request lua.jwtverify
    http-request deny unless { var(txn.authorized) -m bool }    

    # add the client's subscription level to the access logs: bronze, silver, gold
    http-request capture var(txn.oauth_scopes) len 10
    
    # deny requests after the client exceeds their allowed requests per minute
    http-request deny deny_status 429 if { var(txn.oauth_scopes) -m sub bronze } { src,table_http_req_cnt gt 10 }
    http-request deny deny_status 429 if { var(txn.oauth_scopes) -m sub silver } { src,table_http_req_cnt gt 100 }
    http-request deny deny_status 429 if { var(txn.oauth_scopes) -m sub gold }   { src,table_http_req_cnt gt 1000 }

    # track clients' request counts. This line will not be called
    # once the client is denied above, which prevents them from perpetually
    # locking themselves out.
    http-request track-sc0 src

    default_backend be_api

backend be_api
    server s1 172.25.0.12:8080 check
    server s2 172.25.0.13:8080 check
    server s3 172.25.0.14:8080 check

backend keycloak
    server keycloak 172.25.0.15:8080

frontend stats
   bind :8404
   http-request use-service prometheus-exporter if { path /metrics }
   stats enable
   stats uri /
   stats refresh 10s
   no log