diff --git a/group_vars/lb.yml b/group_vars/lb.yml
index 38861eb..e9c9b11 100644
--- a/group_vars/lb.yml
+++ b/group_vars/lb.yml
@@ -6,9 +6,21 @@ haproxy:
 - code.badjware.dev
 - drone.badjware.dev
 dst:
+ - 192.168.20.20
 - 192.168.20.21
 - 192.168.20.22
 - 192.168.20.23
+ # - src:
+ # - kubernetes-dashboard.badjnet.home
+ # - traefik.badjnet.home
+ # - longhorn.badjnet.home
+ # - grafana.badjnet.home
+ # - prometheus.badjnet.home
+ # dst:
+ # - 192.168.20.20
+ # - 192.168.20.21
+ # - 192.168.20.22
+ # - 192.168.20.23
 tcp:
 - src: "30022"
 dst:
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 23bc579..e197002 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -8,8 +8,8 @@ global
 defaults
 timeout connect 5s
- timeout client 30s
- timeout server 30s
+ timeout client 120s
+ timeout server 120s
 log global
 default-server init-addr last,none
 resolvers dns
@@ -47,6 +47,9 @@ frontend https_in
 # force https
 http-request redirect scheme https unless { ssl_fc }
 
+ # set HSTS
+ http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains;"
+
 # request is ssl
 # tcp-request inspect-delay 5s
 # tcp-request content accept if { req.ssl_hello_type 1 }
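Review bot: The eleven commented-out lines added after the `dst:` list in group_vars/lb.yml are dead configuration with nothing saying why they are disabled, so a later reader cannot tell whether the badjnet.home routes are planned, abandoned, or blocked on something. Either drop them (git history keeps them) or head the block with one comment that states the reason, e.g. `# disabled: badjnet.home hosts are not routed through haproxy yet — TODO(<owner>): enable when <condition>`. Note that the commented `dst:` list repeats the same four addresses as the live one directly above, which suggests an anchor/alias or a shared variable would be the cleaner way to express it if the block is ever enabled. The enclosing `haproxy:` mapping begins before this hunk and continues after it (`tcp:`).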
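Review bot: Raising `timeout client` and `timeout server` to 120s in the `defaults` section applies to every frontend and backend in the file, including the raw TCP listener that group_vars/lb.yml defines on port "30022", not only whichever HTTP backend motivated the change (the hunk does not say which). A client timeout four times longer also means each idle or slow connection holds a session slot four times longer, which is the resource a slow-client flood consumes; from a hardening standpoint it is better to keep the global value tight and override it per backend, and to keep the HTTP header phase bounded with `timeout http-request 10s` in `defaults` regardless of the client timeout. A one-line comment above the new values naming the service that needs 120s would also help the next person who wants to lower them again. The `defaults` section starts in this hunk and continues past it.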
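Review bot: The new `http-response set-header Strict-Transport-Security` line is unconditional, but two lines above it this same frontend redirects plaintext requests with `unless { ssl_fc }`, so the frontend evidently serves both schemes; RFC 6797 requires user agents to ignore HSTS received over a non-TLS connection, and sending it there only adds noise, so condition it on the TLS match the redirect already uses: `http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains" if { ssl_fc }` (the trailing `;` after `includeSubDomains` is tolerated but unnecessary). Whether the redirect's internally generated 30x response passes through `http-response` rules at all depends on the HAProxy version, which the hunk does not show. Separately, `includeSubDomains` with a 180-day `max-age` commits every subdomain of each served host to HTTPS for six months in any browser that sees it, and a bad rollout cannot be undone quickly, so the comment should record that the policy was checked against all subdomains, e.g. `# HSTS: 180 days, covers subdomains — all *.badjware.dev hosts must stay HTTPS-only`. The `frontend https_in` section begins before this hunk and continues after it.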