Wrap with haproxy rate limiting

Author: pimterry

Dockerfile

@@ -1,16 +1,22 @@
 FROM node:24-alpine
 
+RUN apk update && apk add --no-cache haproxy bash
+
 WORKDIR /usr/src/app
 
 RUN mkdir /usr/src/app/cert_dir
 ENV CERT_CACHE_DIR=/usr/src/app/cert_dir
 
 COPY package.json package-lock.json ./
-
 RUN npm ci --omit=dev
 
 COPY src/ src/
 
+COPY haproxy.cfg /etc/haproxy/haproxy.cfg
+COPY start.sh ./
+RUN chmod +x start.sh
+
 ARG GIT_HASH
 ENV VERSION_HASH=${GIT_HASH}
-CMD ["npm", "start"]
+
+CMD ["./start.sh"]

fly.toml

@@ -7,7 +7,7 @@ primary_region = 'cdg'
   image = 'httptoolkit/testserver:latest'
 
 [env]
-  PORTS = '8080'
+  PORTS = '3000'
   CERT_CACHE_DIR = '/usr/src/app/cert_dir'
 
   # If deploying a separate instance and wanting real certificates, customize these:
@@ -23,11 +23,14 @@ primary_region = 'cdg'
 
   [[services.ports]]
     port = "80"
+    handlers = ["proxy_proto"]
   [[services.ports]]
     port = "443"
+    handlers = ["proxy_proto"]
   [[services.ports]]
     start_port = 8000
     end_port = 10000
+    handlers = ["proxy_proto"]
 
   # Continually check /echo can return a valid HTTPS response
   [[services.http_checks]]

haproxy.cfg

@@ -0,0 +1,25 @@
+global
+    log stdout format raw local0
+
+defaults
+    mode tcp
+    log global
+    timeout client 10m
+    timeout server 10m
+    timeout connect 5s
+
+frontend public_shield
+    bind *:8080 accept-proxy
+
+    # Track IP connection rate (100k IP storage, expires in 30s)
+    stick-table type ip size 100k expire 30s store conn_rate(5s)
+    tcp-request connection track-sc0 src
+
+    # Block if >100 connections in 5 seconds
+    tcp-request connection reject if { sc0_conn_rate gt 100 }
+
+    default_backend node_app
+
+backend node_app
+    # Forward to Node on localhost
+    server local_node 127.0.0.1:3000

start.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+npm start &
+NODE_PID=$!
+
+haproxy -f /etc/haproxy/haproxy.cfg &
+HAPROXY_PID=$!
+
+wait -n
+exit $?