haproxy_ex_apps.cfg.template

# SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
# SPDX-License-Identifier: AGPL-3.0-or-later

frontend ex_apps
    mode http
    BIND_ADDRESS_PLACEHOLDER

    stick-table type ip size 100k expire 144m store gpc0,http_req_rate(5m)

    # Perform Basic Auth
    acl valid_credentials http_auth(app_api_credentials)

    # Increase counter on failed authentication
    http-request track-sc0 src if ! valid_credentials
    http-request sc-inc-gpc0(0) if ! valid_credentials

    # Check if the client IP has more than 5 failed attempts in the last 5 minutes
    acl too_many_auth_failures sc0_http_req_rate gt 5

    # Use 'silent-drop' to drop the connection without a response
    http-request silent-drop if too_many_auth_failures

    http-request auth realm AppAPI unless valid_credentials

    # Replace the Authorization header if there is X-Original-Authorization header of the original request
    http-request set-header Authorization %[req.hdr(X-Original-Authorization)] if { req.hdr(X-Original-Authorization) -m found }

    # We allow anything for ExApps
    http-request allow
    use_backend bk_ex_apps

backend bk_ex_apps
    mode http
    server ex_apps EX_APPS_NET_PLACEHOLDER