diff --git a/Dockerfile b/Dockerfile
index ced5636..fa52e88 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,7 @@ RUN true && \
 apt install cloudflare-warp -y && \
 apt clean -y && \
 chmod +x /entrypoint.sh
+COPY haproxy.cfg /etc/haproxy/haproxy.cfg
 EXPOSE 40000/tcp
 ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/entrypoint.sh b/entrypoint.sh
index ab810ad..5755a8d 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -8,8 +8,9 @@ while ! warp-cli register; do
 >&2 echo "Awaiting warp-svc become online..."
 done
 warp-cli set-mode proxy
-warp-cli set-proxyport 40001
+warp-cli set-proxy-port 40001
 warp-cli connect
+haproxy -f /etc/haproxy/haproxy.cfg
 ) &
 exec warp-svc
diff --git a/haproxy.cfg b/haproxy.cfg
new file mode 100644
index 0000000..da6ec70
--- /dev/null
+++ b/haproxy.cfg
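Review bot: Nothing in this hunk installs haproxy — the visible part of the RUN step installs only `cloudflare-warp` — so confirm the package is added in the part of the RUN that lies outside the hunk, otherwise the new `haproxy -f` call in entrypoint.sh fails at start-up. The copied config also points its `errorfile` lines at `/etc/haproxy/errors/*.http`, which presumably come from the distribution package. A build-time check such as `RUN haproxy -c -f /etc/haproxy/haproxy.cfg` after the COPY would catch both problems before the image ships.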
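Review bot: The subshell runs `warp-cli set-proxy-port 40001`, `warp-cli connect` and `haproxy -f /etc/haproxy/haproxy.cfg` without checking any exit status, so a rejected subcommand (this commit itself had to rename `set-proxyport`) still ends with haproxy listening on 40000 in front of a port that was never configured. Stop the sequence on failure, e.g. `warp-cli set-proxy-port 40001 || { >&2 echo "set-proxy-port failed"; exit 1; }`, and do the same for `warp-cli connect`. Because haproxy.cfg sets `daemon`, a haproxy start-up failure is likewise visible only through its exit status, which is discarded here. The subshell opens before the hunk, so whether `set -e` is already in effect cannot be seen from these lines.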
@@ -0,0 +1,40 @@
+global
+ stats timeout 30s
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ ssl-default-bind-options no-sslv3
+
+defaults
+ log global
+ #option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 0
+ timeout server 0
+ timeout tunnel 0
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+frontend warp
+ mode tcp
+ bind :40000
+ use_backend warp
+
+backend warp
+ server warp 127.0.0.1:40001
+
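Review bot: `bind :40000` in `frontend warp` accepts connections on every interface and forwards them to the WARP proxy on 127.0.0.1:40001 with no source restriction, so anyone who can reach the published port can use the tunnel. Add a `tcp-request connection reject` rule for the networks that should be allowed, or document that the port must only be published on loopback. `timeout client 0`, `timeout server 0` and `timeout tunnel 0` in `defaults` turn the idle timeouts off as far as I can tell, so stalled connections are never reaped; finite values are safer. `log global` has no effect because the `global` section defines no `log` target, which leaves no connection record for the proxy; a `log` line in `global` plus `option tcplog` would fix that.

```haproxy
defaults
    # … unchanged: log global, option dontlognull, timeout connect …
    timeout client 1h
    timeout server 1h
    timeout tunnel 1h
    # … unchanged: errorfile lines …

frontend warp
    # … unchanged: mode tcp …
    bind :40000
    # constructed example ranges: replace with the networks allowed to use the proxy
    tcp-request connection reject if !{ src 127.0.0.0/8 172.16.0.0/12 }
    # … unchanged: use_backend warp …
```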