HAProxy to get IP from header and use that to rate limit

I want to rate limit users connecting to wp-login.php with method POST.

The website is behind Cloudflare so, to get the source IP, I need to use hdr(CF-Connecting-IP).

I want to create a stick table that increments connections and denies the request if more than 3 in less than 20 seconds.

```
# create a stick table that monitors for 20 seconds
stick-table type ip size 1m expire 20s store http_req_rate(20s)

# tracks requests using cloudflare connecting ip
http-request track-sc0 hdr(CF-Connecting-IP)

# conditions on where to listen
acl monitored_url path_beg -i /wp-login.php
acl is_post method POST

# increment counter if conditions are met
http-request sc-inc-gpc0(0) if monitored_url is_post

# deny if user has tried to login more than 3 times in last 20 seconds
http-request deny if { sc_get_gpc0(0) gt 3 }
```

Compiles, but doesn’t deny anyone. Can’t find the error.
Any idea? Thanks!

The solution was pretty simple, I just had to dig deeper into the manual.

```
acl is_wp_login path_end -i /wp-login.php /xmlrpc.php /xmrlpc.php
acl is_post method POST
stick-table type ip size 100k expire 1m store http_req_rate(1m)
http-request track-sc0 hdr(CF-Connecting-IP) if is_wp_login is_post
http-request deny if is_wp_login is_post { sc_http_req_rate(0) gt 5 }
```

If you want, there’s some extra details here:
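
An added example, not part of the original posts: the working configuration above, extended so that CF-Connecting-IP is used as the rate-limit key only when the TCP peer is a Cloudflare address, because a client that reaches the origin directly can set that header itself and choose its own key. The frontend and backend names, the bind and server addresses, and the file /etc/haproxy/cloudflare-ips.lst (Cloudflare's published ranges, one CIDR per line) are assumptions.

```haproxy
frontend fe_wordpress                       # hypothetical name
    bind :80                                # assumed listener
    mode http

    # Per-client request rate over a sliding 1-minute window.
    # Only http_req_rate is stored, so the deny rule must read
    # sc_http_req_rate(0). A table that does not store gpc0 has no
    # counter for sc-inc-gpc0 to update, and sc_get_gpc0(0) stays at 0,
    # which is why the first configuration never denied anything.
    stick-table type ip size 100k expire 1m store http_req_rate(1m)

    acl is_wp_login path_end -i /wp-login.php /xmlrpc.php
    acl is_post     method POST

    # Assumed file: Cloudflare's published IP ranges, one CIDR per line.
    acl from_cloudflare src -f /etc/haproxy/cloudflare-ips.lst

    # Trust the header only when the connection really comes from Cloudflare.
    http-request track-sc0 req.hdr_ip(CF-Connecting-IP) if is_wp_login is_post from_cloudflare

    # Anything that bypasses Cloudflare is keyed on its own source address,
    # so a forged CF-Connecting-IP value cannot be used to dodge the limit
    # or to burn another client's budget.
    http-request track-sc0 src if is_wp_login is_post !from_cloudflare

    # More than 5 login POSTs per minute from one key: reject with 429.
    http-request deny deny_status 429 if is_wp_login is_post { sc_http_req_rate(0) gt 5 }

    default_backend be_wordpress            # hypothetical name

backend be_wordpress
    mode http
    server wp1 127.0.0.1:8080               # assumed origin address
```

Validate the file with `haproxy -c -f <config file>` before reloading, and keep the Cloudflare range list current, since a stale list sends legitimate Cloudflare traffic down the `src` branch where every visitor shares the edge server's address.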