Let’s say I have a stick table defined like this:
    backend st_one_second
        stick-table type string size 1m expire 1s store http_req_cnt,http_req_rate(1s)
In the frontend section, I then set a rate-limiting rule (based on the authenticated username (txn.auth_user)):
    frontend
        ...
        acl one_abuse var(txn.auth_user),table_http_req_rate(st_one_second) ge 1
        http-request deny deny_status 429 if one_abuse
        http-response track-sc1 var(txn.auth_user) table st_one_second if { status 200 }
        use_backend main_backend
I want only one request per second and per user to be passed through to the backend.
It works for non-concurrent requests (sending 10 non-concurrent requests in 1 second will only pass the first request), but with concurrency more requests reach the backend (if I send 10 concurrent requests, I get 10 requests at the backend).
I know about maxconn, but, if I understood correctly, it cannot be set on a per user/ip/… basis.
Is there a way to limit concurrent requests per user (per key in a stick table)?
Thanks for any help!
Edit:
I have also tried limiting based on the following ACLs:
    acl one_abuse_conn var(txn.auth_user),table_http_conn_rate(st_one_second) ge 1
    acl one_abuse_cnt var(txn.auth_user),table_http_req_cnt(st_one_second) ge 1
but the result is the same…
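
Added example (not part of the original post, and a model rather than HAProxy code): it replays the rule ordering in the configuration above, where the deny check runs when a request arrives but the table entry is only updated by the http-response track-sc1 rule, so requests that are in flight together never see each other's count. The "request" mode (count first, then check), the timings, and all names are assumptions made for illustration; note that in that mode denied requests are counted too.

```python
import heapq

WINDOW = 1.0  # seconds; mirrors http_req_rate(1s) in the question


def forwarded(arrivals, track_on, latency=0.2):
    """Count requests that reach the backend for one user.

    arrivals: request arrival times in seconds.
    track_on: "response" = check at arrival, count only when the 200 response
              comes back (the ordering in the question);
              "request"  = count at arrival, then check (assumed alternative).
    latency:  constructed backend response time in seconds.
    """
    hits = []                                    # samples held in the table entry
    events = [(t, 1, "req") for t in arrivals]   # 1: requests sort after
    heapq.heapify(events)                        # responses at the same time
    passed = 0
    while events:
        now, _, kind = heapq.heappop(events)
        hits = [t for t in hits if now - t < WINDOW]   # expire old samples
        if kind == "resp":
            hits.append(now)       # http-response track-sc1 ... if status 200
            continue
        if track_on == "request":
            hits.append(now)       # counter updated before the deny check
            if len(hits) > 1:
                continue           # 429
        elif len(hits) >= 1:       # acl one_abuse ... ge 1
            continue               # 429
        passed += 1
        if track_on == "response":
            heapq.heappush(events, (now + latency, 0, "resp"))
    return passed


# Constructed traffic: ten requests from one user inside one second.
SEQUENTIAL = [i * 0.09 for i in range(10)]   # each finishes before the next
CONCURRENT = [0.0] * 10                      # all in flight together

if __name__ == "__main__":
    for name, arrivals, lat in (("sequential", SEQUENTIAL, 0.01),
                                ("concurrent", CONCURRENT, 0.2)):
        for mode in ("response", "request"):
            print(name, mode, forwarded(arrivals, mode, lat))
```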