HAProxy community

HAProxy DDoS protection suggestions

Hi guys, I am looking for some suggestions/tips on an HAProxy config which is used as a load balancer in front of our PHP web app, running behind Apache. So it's HAProxy -> Apache serving the PHP web app.
Recently we have been targeted with DDoS attacks requesting usually one specific path, like /forgetPassword.php etc., from a lot of foreign IPs, and this kills the Apache web server running our app. I have been trying several configs and the one that seemed to work best was something like this:

  # Slowloris protection: the client must send the full request headers within 5s
  timeout http-request 5s
  # Track every source IP in the Abuse stick table (counter slot sc1)
  tcp-request connection track-sc1 src table Abuse
  # Allow clean known IPs to bypass the filter
  tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
  # Don't allow more than 10 concurrent TCP connections OR 10 connections in 3 seconds
  tcp-request connection reject if { src_conn_rate(Abuse) ge 10 }
  tcp-request connection reject if { src_conn_cur(Abuse) ge 10 }

  # ABUSE SECTION: works in http mode, keyed on the source IP. Rejects sources whose
  # gpc0 flag is set; note that nothing in this snippet ever increments gpc0 (that
  # needs an http-request sc-inc-gpc0 rule), so this line does nothing as posted
  tcp-request content reject if { src_get_gpc0(Abuse) gt 0 }

# Abuse table
backend Abuse
  stick-table type ip size 1m expire 30m store conn_rate(3s),conn_cur,gpc0,http_req_rate(10s),http_err_rate(20s)

But when testing from foreign IP addresses not in the whitelist, the app does not load as expected and shows a lot of broken images etc. I guess that's because of the filters and limits I have set, but as the page is also used by foreigners, maybe you guys could suggest the best rate limits or maybe a completely different config? Also I am quite new to HAProxy, so sorry for such questions. Maybe there is something I could also do on the Apache side as well?

Thanks a lot for your time and help.
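As an added example (not the poster's config and not an HAProxy project file), here is one way to lay the same rules out so that ordinary browsers are not tripped by the connection limits: the whitelist is accepted before tracking, the connection thresholds are sized for parallel asset fetches and NAT'd clients, and the rate on the targeted path is counted in its own table so images and scripts on the same page do not inflate it. It assumes HAProxy 1.8 or later, a frontend named web on port 80, a backend named apache on 127.0.0.1:8080, and the thresholds shown, which are starting values to tune after watching the tables (`show table Abuse` on the stats socket).

```haproxy
# Added example config (not the poster's). Assumes HAProxy 1.8+ with a
# frontend "web" on :80 and a backend "apache" on 127.0.0.1:8080.
frontend web
    bind *:80
    mode http
    timeout http-request 5s      # Slowloris: full headers must arrive within 5s

    # Known-good addresses bypass everything; accept them before tracking so
    # they never get a table entry (and so the gpc0 deny below cannot hit them)
    acl whitelisted src -f /etc/haproxy/whitelist.lst
    tcp-request connection accept if whitelisted

    # Per-source connection counters and the abuse flag live in the Abuse table (sc0)
    tcp-request connection track-sc0 src table Abuse

    # Connection limits sized for browsers (6-8 parallel connections per host)
    # and NAT gateways sharing one public IP; a limit of 10 is reached by one page load
    tcp-request connection reject if { sc0_conn_cur gt 50 }
    tcp-request connection reject if { sc0_conn_rate gt 100 }

    # Sources flagged earlier (gpc0 > 0) get a 429 instead of a TCP reset
    http-request deny deny_status 429 if { sc0_get_gpc0 gt 0 }

    # Count only hits on the targeted paths in a second counter (sc1), so the
    # images/css/js of a normal page load do not inflate the rate
    acl sensitive path_beg -i /forgetPassword.php /login.php
    http-request track-sc1 src table AbusePath if sensitive
    # More than 10 such requests in 10s flags the source in Abuse (gpc0) and
    # denies this request; the flag then blocks all of its later requests
    http-request sc-inc-gpc0(0) if sensitive { sc1_http_req_rate gt 10 }
    http-request deny deny_status 429 if sensitive { sc1_http_req_rate gt 10 }

    default_backend apache

backend apache
    mode http
    server app 127.0.0.1:8080 check

# Connection counters plus the gpc0 abuse flag, per source IP, kept 30 minutes
backend Abuse
    stick-table type ip size 1m expire 30m store conn_cur,conn_rate(3s),gpc0

# Request rate on the targeted paths only, per source IP
backend AbusePath
    stick-table type ip size 1m expire 10m store http_req_rate(10s)
```

A flagged address stays flagged until its Abuse entry expires after 30 minutes without any connection from it, so a source that keeps hammering stays blocked; shorten the expire or clear the entry from the stats socket if that is too long.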