HAproxy + HTTP auth + IP SRC

Use HTTP Auth when source IP is not from an allowed source:

userlist TestUsers
    user guest insecure-password secret

backend test-node
    acl network_allowed src 10.0.0.1 192.30.252.0/22
    acl AuthOK http_auth(TempUsers)
    http-request auth realm Test if !network_allowed !AuthOK
    server test test.server.tld:80 maxconn 50 check

To only allow specific range, for example only GitHub:

 acl network_allowed src 192.30.252.0/22 185.199.108.0/22
 http-request deny if !network_allowed

HAproxy + mysql

First setup mysql by creating a HAproxy to do the checks:

USE mysql;
INSERT INTO user (Host,User) values('%', 'haproxy');
FLUSH PRIVILEGES;

In case you are here because you ran out of connections you can do:

mysql> FLUSH HOSTS;

Then you can use something like:

backend rds-mysql
    mode tcp
    balance leastconn
    option tcpka
    option mysql-check user haproxy
    server rds mysql.eu-central-1.rds.amazonaws.com:3306 check

https://www.haproxy.com/doc/aloha/7.0/haproxy/healthchecks.html#checking-a-mysql-service