diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index f73b42ca0ad3f84dc38b2f04c65a503c42fa2f70..54f8d45880fd7ae8fd1d78a9b041cf0e612d803a 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -18,6 +18,7 @@ haproxy_name: "dsoclab-haproxy"
 haproxy_version: "2.2"
 haproxy_img: "{{repo}}/haproxy:{{version}}{{suffix}}"
 HAPROXY_PROCESSES: "2"
+HAPROXY_STATS_PASS: "eiph2Eepaizicheelah3tei+bae3ohgh"
 
 temp_root: "/tmp/centosbuild"
 
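Review bot: The stats password added as `HAPROXY_STATS_PASS` is the same literal that this commit removes from haproxy.cfg.j2, so the credential is moved rather than protected and still sits in plaintext in group_vars/all/main.yml. Keeping the value in an ansible-vault encrypted vars file and referencing it here, e.g. `HAPROXY_STATS_PASS: "{{ vault_haproxy_stats_pass }}"` (variable name is illustrative), would keep it out of the repository. Because the value is already in the history of both files, it should be rotated when it is moved to the vault.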
diff --git a/roles/ca/tasks/main.yml b/roles/ca/tasks/main.yml
index b721654d3516717d249fe7a9bfc4ebfec88469b5..2fb66663ab49ee90faf2877b18dfd2e76b8394ca 100644
--- a/roles/ca/tasks/main.yml
+++ b/roles/ca/tasks/main.yml
@@ -43,6 +43,7 @@
     - "{{ groups['odfeescontainers'] }}"
     - "{{ groups['odfekibanacontainers'] }}"
     - "{{ groups['keycloakcontainers'] }}"
+    - "{{ groups['haproxy'] }}"
   environment:
     EASYRSA_BATCH: 1
     EASYRSA_PKI: roles/ca/files/CA
@@ -59,6 +60,7 @@
     - "{{ groups['odfeescontainers'] }}"
     - "{{ groups['odfekibanacontainers'] }}"
     - "{{ groups['keycloakcontainers'] }}"
+    - "{{ groups['haproxy'] }}"
   environment:
     EASYRSA_BATCH: 1
     EASYRSA_PKI: roles/ca/files/CA
@@ -130,6 +132,20 @@
   with_items:
     - "{{ groups['odfekibanacontainers'] }}"
 
+- name: Copy haproxy host cert to haproxy role
+  copy:
+    src: roles/ca/files/CA/issued/{{item}}.crt
+    dest: roles/haproxy/files/{{item}}.crt
+  with_items:
+    - "{{ groups['haproxy'] }}"
+
+- name: Copy haproxy host key to haproxy role
+  copy:
+    src: roles/ca/files/CA/private/{{item}}.key
+    dest: roles/haproxy/files/{{item}}.key
+  with_items:
+    - "{{ groups['haproxy'] }}"
+
 - name: Copy keycloak host certs to keycloak role
   copy:
     src: roles/ca/files/CA/issued/{{item}}.crt
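Review bot: The "Copy haproxy host key to haproxy role" task writes the private key to roles/haproxy/files/{{item}}.key without a `mode:`, so the file's permissions are whatever the controller's umask yields and the key may end up group- or world-readable. Adding `mode: "0600"` to that task pins it. The destination is inside the role tree, so it is also worth confirming that `*.key` under roles/haproxy/files is excluded from version control; no ignore rule is visible here. The keycloak task that follows continues outside the hunk.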
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 910599ee3e4e6697b726d6c51e720b19644f3528..d8bcefb127b59568b20742ec123ca25130438ee6 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -8,6 +8,55 @@
   tags:
     - start
 
+- name: Create required directories
+  file:
+   path: "{{ item }}"
+   state: directory
+   mode: 0755
+   owner: root
+   group: root
+  with_items:
+  - /opt/haproxy
+  - /etc/ssl/haproxy
+  tags:
+    - start
+
+- name: Generate dhparam file for haproxy
+  shell: "openssl dhparam -out /usr/local/etc/haproxy/dhparam.pem 2048"
+  tags:
+    - start
+
+- name: Copy haproxy certificates
+  copy:
+    src:  "{{ item }}"
+    dest: "/opt/haproxy/{{ item }}"
+    mode: 0600
+  with_items:
+    - "{{ inventory_hostname }}.crt"
+    - "{{ inventory_hostname }}.key"
+  tags:
+    - start
+
+- name: Combine crt and key for haproxy
+  assemble:
+    src: /opt/haproxy
+    dest: /etc/ssl/haproxy/{{ inventory_hostname }}.crt
+    owner: root
+    mode: 0600
+  tags:
+    - start
+
+- name: Delete temporary files and directory
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /opt/haproxy/{{ inventory_hostname }}.crt
+    - /opt/haproxy/{{ inventory_hostname }}.key
+    - /opt/haproxy
+  tags:
+    - start
+
 - name: Start haproxy
   shell: "daemonize -c / -p /haproxy.pid /usr/local/sbin/haproxy -f /usr/local/etc/haproxy/haproxy.cfg"
   tags:
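Review bot: The host private key is staged in /opt/haproxy and removed only by the separate "Delete temporary files and directory" task, so a failure in the copy or assemble step leaves the key file behind. Wrapping the three tasks in a `block:` with the delete under `always:` would guarantee cleanup. `assemble` with `src: /opt/haproxy` concatenates every file in that directory, so a leftover from an earlier failed run would be merged into the PEM; a `regexp:` restricted to the two `{{ inventory_hostname }}` files would pin the input. Separately, the `openssl dhparam` task reruns on every play tagged start, which `args:` with `creates: /usr/local/etc/haproxy/dhparam.pem` would avoid; the "Start haproxy" task continues outside the hunk.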
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index c4df6537c22ed9fd429e415863cbc13b006ff2af..9583375fc1cb52b10f9957e53a54fd03ce321724 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -2,6 +2,11 @@ global
   #quiet
   log stdout format raw local0
   nbproc {{ HAPROXY_PROCESSES }}
+  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+  ssl-dh-param-file /usr/local/etc/haproxy/dhparam.pem
 
 defaults
   mode http
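Review bot: The same eight-cipher string is written out twice, on `ssl-default-bind-ciphers` and `ssl-default-server-ciphers`, so the two lists can drift apart on the next edit. A single template variable, for example one defined in group_vars next to HAPROXY_PROCESSES, rendered on both lines would keep them in step. With haproxy_version set to "2.2" in group_vars, the `no-sslv3 no-tlsv10 no-tlsv11` flags can be written as `ssl-min-ver TLSv1.2`, which states the protocol floor directly. The `ssl-dh-param-file` path only exists once the dhparam task in roles/haproxy/tasks/main.yml has run, so a short comment above it naming that dependency would help.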
@@ -17,22 +22,22 @@ listen stats
         stats hide-version
         stats uri     /
         stats realm   HAProxy Statistics
-        stats auth    haproxy:eiph2Eepaizicheelah3tei+bae3ohgh
+        stats auth    haproxy:{{ HAPROXY_STATS_PASS }}
 
 listen nifiserv
-	bind *:9443
-	mode tcp
+	bind *:9443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+	mode http
 	maxconn 5000
 	fullconn 5000
 	balance source
 	option tcpka
 {% for nifihost in groups['nificontainers'] %}
-	server {{nifihost}} {{nifihost}}:9443 check
+	server {{nifihost}} {{nifihost}}:9443 ssl check verify none
 {% endfor %}
 
 listen odfeserv
         bind *:9200
-        mode tcp
+        mode http
         maxconn 5000
         fullconn 5000
         balance source
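Review bot: `verify none` on the re-encrypted NiFi line (`server {{nifihost}} {{nifihost}}:9443 ssl check verify none`) makes HAProxy accept any certificate from the backend, so the proxy-to-NiFi leg is encrypted but not authenticated. The ca role touched in this same commit already issues host certificates, so once the CA certificate is deployed to the haproxy host the line could read `ssl check verify required ca-file <CA_CERT_PATH>` (placeholder path). Also, odfeserv switches to `mode http` while its `bind *:9200` stays without `ssl`. Its server lines are outside the hunk, so confirm that the clients and backends on that listener really speak plain HTTP.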
@@ -42,7 +47,7 @@ listen odfeserv
 {% endfor %}
 	
 listen keycloakserv
-        bind *:10443
+        bind *:10443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
         mode http
         maxconn 5000
         fullconn 5000