diff --git a/Haproxy-Configuration.md b/Haproxy-Configuration.md
new file mode 100644
index 0000000..8f92012
--- /dev/null
+++ b/Haproxy-Configuration.md
@@ -0,0 +1,182 @@
+# Setting up haproxy
+
+We need a few configuration files for haproxy. All these files go in the haproxy directory `/srv/docker/clrghouz/haproxy`). Make adjustments as appropriate.
+
+This is `10-default.cfg`
+```cfg
+global
+ log stdout format raw local0
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+ user haproxy
+ group haproxy
+
+defaults
+ mode tcp
+ timeout connect 5s
+ timeout client 10m
+ timeout server 10m
+
+# email-alert mailers mailers
+# email-alert from me@example.com
+# email-alert to me@example.com
+
+ option tcplog
+ log global
+
+#mailers mailers
+# mailer smtp [YOUR MAIL SERVER]:25
+
+#resolvers dns
+# nameserver dns1 [YOUR DNS SERVER]:53
+
+frontend stats
+ bind :::8080
+ mode http
+ stats uri /
+ stats enable
+ stats refresh 10s
+```
+
+This is `20-clrghouz.cfg`
+```cfg
+# EMSI
+frontend fe-clrg-emsi
+ bind :::60179 v4v6
+ default_backend be-clrg-emsi
+ maxconn 4
+
+ # Track the backend state - and reject any attempts if its down
+ acl be-emsi-dead nbsrv(be-clrg-emsi) lt 1
+ tcp-request connection reject if be-emsi-dead
+
+ # stick table definition for storing rates
+ stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s)
+
+ ## Allow clean known IPs to bypass the filter
+ tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst }
+ # Only allow 1 connections per IP opened
+ tcp-request connection reject if { src_conn_cur ge 1 }
+ # Only allow 1 connections per 60s
+ tcp-request connection reject if { src_conn_rate ge 3 }
+ tcp-request connection track-sc1 src
+
+backend be-clrg-emsi
+ balance roundrobin
+ server clrghouz clrghouz-web-1:60179 send-proxy-v2
+
+# BINKP
+frontend fe-clrg-binkp
+ bind :::24554 v4v6
+ default_backend be-clrg-binkp
+ maxconn 10
+
+ stick-table type ipv6 size 500k expire 30m store conn_cur,conn_rate(60s)
+
+ ## Allow clean known IPs to bypass the filter
+ tcp-request connection accept if { src -f /usr/local/etc/haproxy/config/whitelist.lst }
+ # Only allow 1 connections per IP opened
+ tcp-request connection reject if { src_conn_cur ge 1 }
+ # Only allow 1 connections per 60s
+ tcp-request connection reject if { src_conn_rate ge 3 }
+ tcp-request connection track-sc1 src
+
+# BINKPS
+frontend fe-clrg-binkps
+ bind :::24553 v4v6 tfo ssl crt /usr/local/etc/haproxy/config/binkps.pem
+ default_backend be-clrg-binkp
+ maxconn 10
+
+backend be-clrg-binkp
+ balance roundrobin
+ server clrghouz clrghouz-web-1:24554 send-proxy-v2
+```
+
+This is `20-https.cfg`
+```cfg
+frontend fe-http
+ mode http
+ bind :::80
+ bind :::443 ssl crt-list /usr/local/etc/haproxy/config/crt-list.conf
+ http-request add-header X-Forwarded-Proto https
+ http-request redirect scheme https unless { ssl_fc }
+ use_backend be-http-clrghouz if { ssl_fc_sni -i clrghouz.bbs.dege.au }
+# default_backend be-http-docker
+
+backend be-http-clrghouz
+ mode http
+ balance leastconn
+ server clrghouz clrghouz-web-1:80
+
+#backend be-http-docker
+# mode http
+# balance leastconn
+# server docker [YOUR WEBSERVER]:80
+```
+
+This is `binkps.pem`:
+```ssl
+-----BEGIN CERTIFICATE-----
+MIIEKjCCAxKgAwIBAgIJALsoV61BAIR7MA0GCSqGSIb3DQEBCwUAMGAxCzAJBgNV
+BAYTAkFVMQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UE
+ChMEQUNNRTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTgw
+NjE5MjAxNTE5WhcNMjgwNjE2MjAxNTE5WjBgMQswCQYDVQQGEwJBVTEMMAoGA1UE
+CBMDVklDMRIwEAYDVQQHEwlNZWxib3VybmUxDTALBgNVBAoTBEFDTUUxDDAKBgNV
+BAsTA1dlYjESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAv0hEQONbM1iz6nwTWwFuByY0sBK8hXlgyOTJftnQr+ffhKXn
+f30WovFmy1FBTUDa42T5Fsa6aihw+QAuLFtnMogZRIqp8Ow9ovGLv7Wo6KRoQ6Db
+JJ0FofUBiMVQy79/alUlgEYwuPlgjWwl7+pPZobXjaytAfK7WcGxMKiy6cBpFHMD
+LOGNsnjSyFDZtRSMyOd07SZDhS1J5IV25v76URsyYQU+kriqZK8AkC2emz/hkcVF
+10nlli2R6JsidiwN4JAPG1zKA3p0Ki0R6uG//1dQ9MuCIiCZkJklmg3ZmhjpBCY0
+n+nB+F3XSDsyYR7MWZvfRHyx3w/WVpGdVymmrwIDAQABo4HmMIHjMBEGCWCGSAGG
++EIBAQQEAwIGQDAdBgNVHQ4EFgQUV31E9ULcEQkSmlgq1uQ0WiyR/DswgZIGA1Ud
+IwSBijCBh4AUV31E9ULcEQkSmlgq1uQ0WiyR/DuhZKRiMGAxCzAJBgNVBAYTAkFV
+MQwwCgYDVQQIEwNWSUMxEjAQBgNVBAcTCU1lbGJvdXJuZTENMAsGA1UEChMEQUNN
+RTEMMAoGA1UECxMDV2ViMRIwEAYDVQQDEwlsb2NhbGhvc3SCCQC7KFetQQCEezAa
+BgNVHREEEzARhwR/AAABgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAAZL
+WWeY7sbVX6noNjiQWe9jzBKG994f5/Q5dpqT6ZHpLsSU2AQ85QfUXma3rAPwSj0+
+C4V7IRlrwlFXXqe8LxWxEJo0DlHOqDZTxQpHvmwATRxTBHDOS4kMjbj5oAwq0yXz
+dNxxOI5Pv9j6VIMMIgW6dFnh/GRG5w5lndtWisCU8ydG/PkeMkvi3OTQDTq64qgp
+lt0OTDkTyoWmpq46k3NDR2n6ar7DwEmamMWPkR9rNLjOde2AlKMuNZ4wUMVAYasr
+xDMmMCe/matHd6Ry2kvBkBRFkFaJyR2+D2vpYSbT8fSFOKv6w+5qJI8pOQ1Yn+Di
+3+EttBcVhrZfxoL8jYw=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/SERA41szWLPq
+fBNbAW4HJjSwEryFeWDI5Ml+2dCv59+Eped/fRai8WbLUUFNQNrjZPkWxrpqKHD5
+AC4sW2cyiBlEiqnw7D2i8Yu/tajopGhDoNsknQWh9QGIxVDLv39qVSWARjC4+WCN
+bCXv6k9mhteNrK0B8rtZwbEwqLLpwGkUcwMs4Y2yeNLIUNm1FIzI53TtJkOFLUnk
+hXbm/vpRGzJhBT6SuKpkrwCQLZ6bP+GRxUXXSeWWLZHomyJ2LA3gkA8bXMoDenQq
+LRHq4b//V1D0y4IiIJmQmSWaDdmaGOkEJjSf6cH4XddIOzJhHsxZm99EfLHfD9ZW
+kZ1XKaavAgMBAAECggEAaJje4dCxZVGDCJ0ShHgyr2wf8Yw9VIt79j7NRDVdXWNh
+IYsLHPbM8wsoV9O17sWhLClh4CeJdlVo+XA0z4Kn2sT7dDSTGzBDwB9veMSgeZ61
+eQ2z58CJfPeaAC1NsiykQwQOfqdjKzMKrirOT/QDuR/RLSKYdHFEK5+0AdSuCQ2A
+PV68FX6BnKfR/LDt6auN43ISdrnXRFna5Helyel2l3Jv/ooz9FeeTbXUa9cQcrXM
+tMvd8GMr4oLnhKROcec0bTOy/3ZymbEvjjQvgxukivLLOUbQiwp2lfQWcFna4cOL
+apGeameOHQceF4iIibnbDo073jS3m02WBH0ScRsj2QKBgQDxRWZWSGuJkFQOoW/b
+uuwu26RAFdXLsxr2G9XMIZR+rpmhq5EoM4CL/YI5syChgYgxAj8UfwYg93wuGkN8
+5VPhuytH5MIDsXq9Ci2b+WQrF5sxDK3MA3FieFZByVX80JNXtVUudzqQ6wJ1OEsY
+wB+h2Uu9zssNZVugPh3wb5BsLQKBgQDK9aN97C3JtLW+xOoEYW1iCputwoDWIIqk
+i6fi0mTQiQ+YbliaXWS/F7tJrUHvFFgJLZcpDKaEaN5WFjFHU+1zUDtotEiJ7bTQ
+fuoyWY/8VpWn6RKwukL+mfIm2n7ZT6FC8YBU6lRPEmuGwrvuUstmIcKaAJ2bPvRt
+vhRRY3u7ywKBgDIjPOADTq2Ym48qxyb/UiNuq1RR9UrOXnT0VdqEw+oLeIubLqAP
+C9CLjutUqRxG4bllgRxORUTGiTy/YnTq5yKKlbTr+dFwqVPtcIrwKXu2/R4VR2yU
+7pQK88naAA94fJYGbbwpNLd2ztzzJM/w5OHqWQ4JkjKndIH5Rpl3ZajFAoGABWqa
+y2CDNE/bTdUJfcZv2d74mqGHOK+zo4KKn3YH9LzDqsi/GpeFecgTWnsCOHQtiUkr
+MJBC3WPDEz8SX5nwy1QH0dqF2RB789h/PYrAWfahldKVihveb9cB7GGGYxxJ7HRv
+fVSnnVibgAQwacLR5M7f16ZOjncWpNsexbFG+xMCgYEAj1V64k9Lz554EDCNZMQS
+mzgqYg6ck+GYL/W6hdE/N3zc+KJKF4ztM/c987BbFgpJQp+uYF43jRmOcv1Oab43
+mpuvZ2rDSPqrqM+fdHIx2oLPNBdBc9abTX7sQtK4WSTp16gs+MqfMWRklxWsMwWE
+fO6SmAU27aAzfOccuvx3glQ=
+-----END PRIVATE KEY-----
+```
+
+This is `crt-list.cfg`
+```cfg
+/usr/local/etc/haproxy/ssl/cert.pem *.[YOUR DOMAIN]
+```
+
+This is `whitelist.cfg`
+```cfg
+#[IP6_PREFIX]::/MASK
+```
\ No newline at end of file