Rate-limiting for concurent requests

Let’s say I have a stick table defined like this:

backend st_one_second
  stick-table type string size 1m expire 1s store http_req_cnt,http_req_rate(1s)

In the frontend section, I then set rate-limiting rule (based on the authenticated username (txn.auth_user)):

  acl one_abuse var(txn.auth_user),table_http_req_rate(st_one_second) ge 1
  http-request deny deny_status 429 if one_abuse
  http-response track-sc1 var(txn.auth_user) table st_one_second if { status 200 }
  use_backend main_backend

I want only one request per second and per user to be passed through to the backend.
It works for non-concurrent requests (sending 10 non-concurrent requests in 1 second will only pass the first request), but with concurrency I get more requests reach backend (if I send 10 concurrent requests, I get 10 requests at the backend).

I know about maxconn, but, if I understood correctly, it cannot be set on a per user/ip/… basis.
Is there a way to limit concurrent requests per user (per key in a stick table)?

Thanks for any help! :slight_smile:

I have also tried limiting based on the following ACLs:

  acl one_abuse_conn var(txn.auth_user),table_http_conn_rate(st_one_second) ge 1
  acl one_abuse_cnt var(txn.auth_user),table_http_req_cnt(st_one_second) ge 1

but the result is the same…