HAProxy + RDS Farm

haproxy.cfg
global
    # Background the process and confine/de-privilege it.
    daemon
    user        haproxy
    group       haproxy
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    # Process-wide ceiling on concurrent connections.
    maxconn     16000
    # Admin-level runtime socket; mode 600 limits it to the owning user.
    stats socket /var/run/haproxy.stat mode 600 level admin
    # NOTE(review): this turns off certificate verification for every
    # ssl-enabled server in the whole configuration. No server in this listing
    # uses ssl, so the line is either dead weight or a trap for later
    # additions; the default (required) with per-server "verify none" where
    # genuinely needed is the safer shape — confirm against any included files.
    ssl-server-verify none

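# RDP / TSE configuration
frontend ft_rdp
  bind 10.1.1.2:3389 name rdp
  mode tcp
  timeout client 1h
  option tcplog
  # TCP keepalives on the client side so idle RDP sessions survive NAT/firewall timeouts.
  option tcpka
  # Protection 1 - wait up to 5s for the mstshash cookie, and reject the client if none
  tcp-request inspect-delay 5s
  tcp-request content accept if RDP_COOKIE
  # HAProxy's default action when no "tcp-request content" rule matches is
  # accept, so without the explicit reject below a client that never presents
  # the cookie is still let through once the 5s inspect delay expires. The
  # catch-all reject makes the protection described above actually happen; it
  # is only reached after the accept rule has failed, i.e. after the delay.
  tcp-request content reject
  default_backend bk_rdp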

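backend bk_rdp
  mode tcp
  balance roundrobin
  timeout server 1h
  timeout connect 4s
  option redispatch
  option tcpka
  option tcplog
  # Stick table keyed on the mstshash RDP cookie (the user name). It backs the
  # "stick on" rule and the per-user counters used by protections 2 and 3.
  # With the table commented out, "stick on" has no table to use and the
  # sc1_* fetches below never count anything, so both protections are inert.
  # "len 32" bounds the key; longer cookie values are truncated to that length.
  stick-table type string len 32 size 10k expire 1d store conn_cur,conn_rate(1m)
  stick on rdp_cookie(mstshash)
  # Track this connection's RDP cookie in sticky counter 1 so that
  # sc1_conn_cur / sc1_conn_rate refer to this user's entry in the table above.
  tcp-request content track-sc1 rdp_cookie(mstshash)
  # Protection 2 - Each user is supposed to get a single active connection at a time, block the second one
  tcp-request content reject if { sc1_conn_cur ge 2 }
  # Protection 3 - if a user tried to get connected at least 10 times over the last minute, it could be a brute force
  tcp-request content reject if { sc1_conn_rate ge 10 }
  # RDS farm
  server ts202 10.11.11.202:3389 weight 10 check inter 2s rise 2 fall 3
  server ts203 10.11.11.203:3389 weight 10 check inter 2s rise 2 fall 3
  server ts204 10.11.11.204:3389 weight 10 check inter 2s rise 2 fall 3
  server ts205 10.11.11.205:3389 weight 10 check inter 2s rise 2 fall 3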

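listen stats
    # NOTE(review): plain HTTP on every interface. The basic-auth credential
    # below therefore crosses the network in clear; bind to a management
    # address (or front it with TLS) before exposing this.
    bind 0.0.0.0:7777
    stats enable
    stats uri /stats
    # NOTE(review): the password here looks mangled by the page extraction
    # ("[email protected]" is an obfuscation artifact, not the original value);
    # set a real secret before use.
    stats auth admin:[email protected]
    stats realm Haproxy\ Statistics
    stats show-legends
    stats refresh 5s
    mode http
    # This listing has no "defaults" section, so the listener had no client
    # timeout at all (HAProxy warns about missing timeouts and idle clients
    # would never be reaped). Mirror the server timeout already set here.
    timeout client 1h
    timeout server 1h
    timeout connect 4s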
haproxy.cfg
global
 daemon
 # Process-wide limits: connection ceiling and the matching descriptor limit.
 maxconn 40000
 ulimit-n 81000
 tune.maxrewrite 1024
 # Admin runtime socket, owner-only permissions.
 stats socket /var/run/haproxy.stat mode 600 level admin
 # NOTE(review): no user/group/chroot in this section, so unless they are set
 # elsewhere the process keeps root privileges after startup — confirm.

defaults
 # Section-wide defaults; the RDP frontend/backend below override mode to tcp.
 mode http
 # Same timeouts as before, written with explicit units (bare numbers are ms).
 timeout connect 4s
 timeout client 42s
 timeout server 43s

listen stats :7777
 # NOTE(review): there is no "stats auth" and no ACL in this section, so the
 # statistics page is reachable unauthenticated on every interface; it shows
 # backend server names, health states and traffic counters. Restrict the bind
 # address or add stats auth / a source ACL before exposing it.
 stats enable
 stats uri /
 # Keep the HAProxy version off the page.
 stats hide-version
 option httpclose

frontend F1
 mode tcp
 option tcplog
 # Accept RDP on every local address.
 bind *:3389
 # NOTE(review): equal to the global maxconn (40000), so the global limit is
 # reached first; HAProxy's guidance is a frontend value below the global one —
 # confirm the intended sizing.
 maxconn 40000
 default_backend B1

backend B1
 mode tcp
 # TCP keepalives towards the RDS hosts so idle sessions are not dropped by
 # intermediate devices.
 option tcpka
 balance leastconn
 # Wait up to 5s for the RDP cookie so the "stick on" rule below can see it.
 # No reject rule follows, so a client that never sends a cookie is accepted
 # when the delay expires and is balanced by leastconn without stickiness.
 tcp-request inspect-delay 5s
 tcp-request content accept if RDP_COOKIE
 # Routes on the server address carried in the RDP cookie (default cookie
 # name "msts" — confirm this is what the session broker emits).
 persist rdp-cookie
 # Table for the user-name (mstshash) stickiness; no "store" clause, so only
 # the server mapping is kept. Default key length applies (no "len").
 stick-table type string size 204800 expire 120m
 stick on rdp_cookie(mstshash)
 # Health-checked RDS hosts; "shutdown-sessions" cuts live sessions when a
 # host is marked down, which ends users' RDP sessions on that host.
 server ts1 10.10.10.11:3389 weight 1 check port 3389 inter 2000 rise 2 fall 3 on-marked-down shutdown-sessions
 server ts2 10.10.10.12:3389 weight 1 check port 3389 inter 2000 rise 2 fall 3 on-marked-down shutdown-sessions
 server ts3 10.10.10.13:3389 weight 1 check port 3389 inter 2000 rise 2 fall 3 on-marked-down shutdown-sessions
 server ts4 10.10.10.14:3389 weight 1 check port 3389 inter 2000 rise 2 fall 3 on-marked-down shutdown-sessions
 option redispatch
 option abortonclose