Review of template for HA Proxy security enforcement and DDOS attacks protection

Please review below template and suggest any improvement that could be done in order to protect haproxy host and websites in the backend… Please if possible copy and paste the text as it should be included.


global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 3s
timeout client 5s
timeout server 5s
timeout http-request 5s
timeout http-request 10s # Preventing Slowloris like attacks
option http-buffer-request
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend haprx01
bind 192.168.1.6:80
bind 192.168.1.6:443
mode http
http-request deny if HTTP_1.0
http-request deny if { req.hdr(user-agent) -i -m sub curl phantomjs slimerjs }
http-request deny unless { req.hdr(user-agent) -m found }
http-request deny if { src -f /etc/haproxy/blacklist.acl }
balance roundrobin
default_backend websites

backend websites
stick-table type ip size 1m expire 10s store http_req_rate(10s)
tcp-request inspect-delay 10s
tcp-request content track-sc0 src
http-request deny if { sc_http_req_rate(0) gt 10 }
server web01_v2 192.168.1.4:443 check
server web02_v2 192.168.1.5:443 check

#the main goal of this ACL is to deny access to backend if the request is not from HAproxy 192.168.1.0/24
#ubuntu - HAProxy restrict single backend by ip range - Stack Overflow
acl white_list src 192.168.1.0/24
tcp-request content accept if white_list
tcp-request content reject