Added configurable MQTT rate limiting

Author: richturner

README.md

@@ -26,6 +26,7 @@ requested (this is a multi-value alternative to DOMAINNAME)
 * `LE_EXTRA_ARGS` - Can be used to add additional arguments to the certbot command (default `none`)
 * `SISH_HOST` - Defines the destination hostname for forwarding requests that begin with `gw-` used in combination with `SISH_PORT`
 * `SISH_PORT` - Defined the destination port for forwarding requests tha begin with `gw-` used in combination with `SISH_HOST`
+* `MQTT_RATE_LIMIT` - Enable rate limiting for MQTT connections (connections/s)
 
 ## Custom certificate format
 Any custom certificate volume mapped into `/etc/haproxy/certs` should be in PEM format and must include the full certificate chain and the private key, i.e.:

haproxy.cfg

@@ -125,6 +125,13 @@ frontend https
 listen mqtt
     bind *:8883 ssl crt /etc/haproxy/certs crt "${CERT_DIR}" no-tls-tickets
     mode tcp
+
+    .if defined(MQTT_RATE_LIMIT)
+       # Rate limiting
+       acl too_fast fe_sess_rate ge ${MQTT_RATE_LIMIT}
+       tcp-request connection reject if too_fast
+    .endif
+
     #Use this to avoid the connection loss when client subscribed for a topic and its idle for sometime
     option clitcpka # For TCP keep-alive
     timeout client 3h #By default TCP keep-alive interval is 2hours in OS kernal, 'cat /proc/sys/net/ipv4/tcp_keepalive_time'