Review of template for HA Proxy security enforcement and DDOS attacks protection

Please review below template and suggest any improvement that could be done in order to protect haproxy host and websites in the backend… Please if possible copy and paste the text as it should be included.

log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See:
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

log global
mode http
option httplog
option dontlognull
timeout connect 3s
timeout client 5s
timeout server 5s
timeout http-request 5s
timeout http-request 10s # Preventing Slowloris like attacks
option http-buffer-request
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend haprx01
mode http
http-request deny if HTTP_1.0
http-request deny if { req.hdr(user-agent) -i -m sub curl phantomjs slimerjs }
http-request deny unless { req.hdr(user-agent) -m found }
http-request deny if { src -f /etc/haproxy/blacklist.acl }
balance roundrobin
default_backend websites

backend websites
stick-table type ip size 1m expire 10s store http_req_rate(10s)
tcp-request inspect-delay 10s
tcp-request content track-sc0 src
http-request deny if { sc_http_req_rate(0) gt 10 }
server web01_v2 check
server web02_v2 check

#the main goal of this ACL is to deny access to backend if the request is not from HAproxy
#ubuntu - HAProxy restrict single backend by ip range - Stack Overflow
acl white_list src
tcp-request content accept if white_list
tcp-request content reject