diff --git a/group_vars/lb.yml b/group_vars/lb.yml
index 64de479..38861eb 100644
--- a/group_vars/lb.yml
+++ b/group_vars/lb.yml
@@ -9,7 +9,12 @@ haproxy:
- 192.168.20.21
- 192.168.20.22
- 192.168.20.23
- tcp: [] # TODO, for ssh-forward
+ tcp:
+ - src: "30022"
+ dst:
+ - 192.168.20.21:30022
+ - 192.168.20.22:30022
+ - 192.168.20.23:30022
letsencrypt:
domains:
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 9d98315..23bc579 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -4,15 +4,14 @@ global
log 127.0.0.1 local0
stats timeout 30s
+ tune.ssl.default-dh-param 2048
+ defaults
timeout connect 5s
timeout client 30s
timeout server 30s
log global
- option forwardfor
- option http-server-close
- default-server init-addr last,none resolvers dns
resolvers dns
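Review bot: The three `dst` entries of the new `tcp` route are three distinct hosts and the `backend tcp_…` that consumes them (later in this diff) sets no `balance`, so HAProxy's default round-robin hands a client's successive connections to different backends; if 30022 carries SSH, as the removed `# TODO, for ssh-forward` suggested, each backend presents its own host key and users get host-key-changed warnings on every reconnect, which trains them to ignore the one warning that protects against MITM. Either keep a client on one backend (`balance source` in the tcp backend) or give the three hosts a shared host key, and record the decision here: `# 30022: SSH forward - backends must share a host key, or the tcp backend must use balance source`. The matching frontend binds `*:30022`, so the port is exposed on every LB interface with no source restriction; presumably the perimeter firewall limits who can reach it, but that is not visible here. The key is named `tcp` while the template iterates `tcp_routing`; presumably a role default maps one to the other, so it is worth confirming the new route actually renders.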
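Review bot: With TLS termination now enabled in the frontend, `global` gains `tune.ssl.default-dh-param 2048` but no minimum protocol version or cipher policy, so the `:443` listener accepts whatever the linked OpenSSL allows by default; unless these are set elsewhere in `global` (its first lines are above this hunk), add `ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets` and an explicit `ssl-default-bind-ciphers` list next to the DH setting (`ssl-min-ver` is available here, since the `prometheus-exporter` service used later in the file already requires HAProxy 2.0+). A one-line comment on why `option forwardfor` and `option http-server-close` left `defaults` would help the next reader, e.g. `# http-only options moved to frontend https_in: defaults now also apply to the mode tcp sections`. The `defaults` section continues below this hunk.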
@@ -36,28 +35,30 @@ frontend http_management
acl prefixed-with-metrics path_beg -i /metrics
use_backend haproxy_metrics if prefixed-with-metrics
-frontend http_in
- bind *:80
- mode http
-
- http-request redirect scheme https code 302
-
+# http frontend
frontend https_in
+ bind *:80
# backend is assumed to be http, perform ssl termination here
- bind *:443 ssl crt /etc/letsencrypt/live/{{ letsencrypt.domains[0] }}/{{ letsencrypt.domains[0] }}.pem
- # mode tcp
+ bind *:443 ssl crt /etc/letsencrypt/live/{{ letsencrypt.domains[0] }}/{{ letsencrypt.domains[0] }}.pem alpn h2,http/1.1
+
+ mode http
+ option forwardfor
+
+ # force https
+ http-request redirect scheme https unless { ssl_fc } # request is ssl
# tcp-request inspect-delay 5s
# tcp-request content accept if { req.ssl_hello_type 1 }
-{% for route in https_routing %}
- # use_backend https_{{ route.src[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in route.src %}{{ src }} {% endfor %}}
- use_backend https_{{ route.src[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in route.src %}{{ src }} {% endfor %}}
+{% for http_route in https_routing %}
+ #use_backend https_{{ http_route.src[0]|replace('.','_') }} if { req.ssl_sni -i {% for src in http_route.src %}{{ src }} {% endfor %}}
+ use_backend https_{{ http_route.src[0]|replace('.','_') }} if { hdr_end(host) -i {% for src in http_route.src %}{{ src }} {% endfor %}}
{% endfor %}
## BACKENDS ##
+# stat backend
backend haproxy_stats
mode http
stats uri /stats
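Review bot: The rewritten `use_backend` line still routes on `hdr_end(host) -i <src>`, a bare suffix match, so a source such as `example.com` also sends `notexample.com` to that backend, while a `Host` carrying a port never matches; whether the `https_routing` sources carry a leading dot is not visible here, so an exact, port-stripped match is the safer default: `use_backend https_{{ http_route.src[0]|replace('.','_') }} if { req.hdr(host),field(1,:) -i -m str {% for src in http_route.src %}{{ src }} {% endfor %}}`. Now that plaintext requests are redirected, add HSTS on the secure side so browsers stop issuing the `:80` request at all: `http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains" if { ssl_fc }`. The kept comment `# backend is assumed to be http, perform ssl termination here` is stale once the backend server lines (next hunk) connect with `ssl` on `:443`; suggest `# TLS is terminated here and re-encrypted to the backends on :443`.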
@@ -65,16 +66,32 @@ backend haproxy_stats
stats refresh 10s
stats auth admin:admin
+# metric backend
backend haproxy_metrics
mode http
http-request use-service prometheus-exporter
-{% for route in https_routing %}
-backend https_{{ route.src[0]|replace('.','_') }}
- # mode tcp
+{% for http_route in https_routing %}
+# backend for {{ http_route.src[0] }}
+backend https_{{ http_route.src[0]|replace('.','_') }}
+ mode http
balance roundrobin
-{% for dst in route.dst %}
- # server {{ dst }} {{ dst }}{% if ':' not in dst %}:443{% endif %} check
- server {{ dst }} {{ dst }}{% if ':' not in dst %}:80{% endif %} check
+{% for dst in http_route.dst %}
+ server {{ dst }} {{ dst }}{% if ':' not in dst %}:443{% endif %} check ssl verify none alpn h2
+ #server {{ dst }} {{ dst }}{% if ':' not in dst %}:80{% endif %} check
+{% endfor %}
+{% endfor %}
+
+## TCP ##
+{% for tcp_route in tcp_routing %}
+frontend tcp_{{ tcp_route.src }}
+ bind *:{{ tcp_route.src }}
+ mode tcp
+ use_backend tcp_{{ tcp_route.src }}
+
+backend tcp_{{ tcp_route.src }}
+ mode tcp
+{% for dst in tcp_route.dst %}
+ server {{ dst }} {{ dst }} check
{% endfor %}
{% endfor %}
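Review bot: `verify none` on the new `server … :443 … ssl` line turns off certificate validation on the LB-to-backend hop, so anyone able to answer for a backend address on the 192.168.20.x segment can impersonate it and read the re-decrypted traffic; re-encryption without verification only defends against passive sniffing. Prefer `verify required ca-file <internal-ca.pem>` (plus `sni str(<backend-name>)` if the backend certificates are name-bound), and if `verify none` is a deliberate interim choice, say so on the line above it: `# TODO: verify none is temporary - backends use self-signed certs; switch to ca-file once the internal CA is rolled out`. The new `backend tcp_…` sets no `balance` and no `stick-table`, so a client's successive TCP connections are spread round-robin across the listed hosts; for SSH on 30022 that means a different host key per connection, and `balance source` keeps a client pinned to one backend. Unrelated to this change, `stats auth admin:admin` in the context above is a default credential on the same management listener that now exposes `prometheus-exporter` metrics.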