global
   ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
   ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
   tune.ssl.default-dh-param 2048

frontend http-in
      mode http
      option httplog
      option forwardfor
      option http-server-close
      option httpclose
      bind $YOUR_IP:80
      redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    option httplog
    option forwardfor
    option http-server-close
    option httpclose
    http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
    http-response add-header X-Frame-Options DENY
    bind $YOUR_IP:443 ssl crt /etc/haproxy/haproxy.pem curves X25519:secp521r1:secp384r1:prime256v1 ciphers EECDH+AESGCM:EDH+AESGCM no-sslv3 no-tlsv10 no-tlsv11