diff --git a/haproxy/compose.yaml b/haproxy/compose.yaml
index e8192e6..5e661bc 100644
--- a/haproxy/compose.yaml
+++ b/haproxy/compose.yaml
@@ -5,11 +5,11 @@ services:
 restart: always
 ports:
 # - 80:80 # 80 is for caddy
- - 443:443
+ - 10.0.64.22:443:443
 # - 8404:8404
 volumes:
 # - /docker/data/haproxy/etc:/usr/local/etc/haproxy:ro
- - /docker/data/haproxy/etc/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+ - ./config/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
 networks:
 - default
 networks:
diff --git a/haproxy/config/haproxy.cfg b/haproxy/config/haproxy.cfg
new file mode 100644
index 0000000..cd44fbb
--- /dev/null
+++ b/haproxy/config/haproxy.cfg
@@ -0,0 +1,32 @@
+global
+ log /dev/log local0
+ maxconn 10000
+ daemon
+
+defaults
+ log global
+ mode tcp
+ option tcplog
+ timeout connect 5s
+ timeout client 60s
+ timeout server 60s
+
+frontend https_in
+ bind 0.0.0.0:443
+ mode tcp
+
+ # Inspect TLS ClientHello
+ tcp-request inspect-delay 5s
+ tcp-request content accept if { req_ssl_hello_type 1 }
+
+ # Routing by SNI
+ use_backend reality_backend if { req.ssl_sni -i www.wikipedia.org }
+ default_backend caddy_backend
+
+backend caddy_backend
+ mode tcp
+ server caddy caddy:443
+
+backend reality_backend
+ mode tcp
+ server xray 10.0.64.6:443
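Review bot: The new port mapping `10.0.64.22:443:443` hard-codes a host address with no comment saying which interface it belongs to, and it is left unquoted. Limiting the publish to one address is a sound reduction of exposure, but if that address is not configured on the host when the container starts, the bind will presumably fail. A comment above it such as `# publish 443 only on the <interface name> address` and the quoted form `- "10.0.64.22:443:443"` would make the intent and the dependency visible. The service definition starts above the hunk, so the service name and image are not visible here.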
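Review bot: `log /dev/log local0` in the `global` section points at a syslog socket that the compose file in this commit does not mount into the container; its only active volume is haproxy.cfg. Unless the image runs its own syslog daemon, the `option tcplog` records are likely dropped. Neither `server` line enables the PROXY protocol, so caddy and xray will see the proxy's address rather than the client's, which leaves this log as the only record of who connected and which backend was chosen. Consider `log stdout format raw local0` so the entries reach the container log, where the host's log driver can collect them.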