From 54ffaf1f50ef8bcded156b55f631e336851fb3c4 Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Tue, 30 Sep 2025 00:55:35 +0000
Subject: [PATCH 1/2] Add support for configurable SSL curves in HAProxy configuration
---
 images/router/haproxy/conf/haproxy-config.template | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
index cccce291f..813ecea7d 100644
--- a/images/router/haproxy/conf/haproxy-config.template
+++ b/images/router/haproxy/conf/haproxy-config.template
@@ -131,6 +131,15 @@ global
 {{- end }}
 {{- end }}
 
+ # The user can provide a set of default supported groups using the ROUTER_CURVES variable.
+ # By default when a ROUTER_CURVES is not defined X25519, P-256, and P-521 are used.
+ {{- if (env "ROUTER_CURVES") }}
+ ssl-default-bind-curves {{ env "ROUTER_CURVES" }}
+ {{- else }}
+ # Default to modern secure curves if not set
+ ssl-default-bind-curves X25519:P-256:P-384:P-521
+ {{- end }}
+
 defaults
 {{- with $value := env "ROUTER_MAX_CONNECTIONS" "50000" }}
 {{- if isInteger $value }}
From f033f21f7651b6f99ff4c920c75123bc49421240 Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Thu, 2 Oct 2025 18:02:59 +0000
Subject: [PATCH 2/2] Update HAProxy configuration to use built-in default TLS curves when ROUTER_CURVES is not defined
---
 images/router/haproxy/conf/haproxy-config.template | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
index 813ecea7d..02eeb1c93 100644
--- a/images/router/haproxy/conf/haproxy-config.template
+++ b/images/router/haproxy/conf/haproxy-config.template
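Review bot: In the `@@ -131,6 +131,15 @@` hunk of patch 1/2, `ssl-default-bind-curves {{ env "ROUTER_CURVES" }}` writes the environment value into the `global` section with no validation, unlike `ROUTER_MAX_CONNECTIONS` in the context lines just below it, which is gated by `isInteger`. A value containing whitespace or a line break would render as extra tokens or extra directives in the generated config, and a malformed list would presumably surface only when HAProxy rejects the file at reload. Binding the value once and checking it against a colon-separated name pattern before emitting the directive would close that, e.g. `{{- with $curves := env "ROUTER_CURVES" }}` followed by `{{- if matchPattern "[A-Za-z0-9_-]+(:[A-Za-z0-9_-]+)*" $curves }}`, assuming the `matchPattern` helper is available in this template. Patch 2/2 keeps this line unchanged, and the `global` section starts outside the hunk.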
@@ -132,12 +132,10 @@ global
 {{- end }}
 
 # The user can provide a set of default supported groups using the ROUTER_CURVES variable.
- # By default when a ROUTER_CURVES is not defined X25519, P-256, and P-521 are used.
+ # By default when a ROUTER_CURVES is not defined HAProxy
+ # will use its built-in default supported groups for TLS key exchange.
 {{- if (env "ROUTER_CURVES") }}
 ssl-default-bind-curves {{ env "ROUTER_CURVES" }}
- {{- else }}
- # Default to modern secure curves if not set
- ssl-default-bind-curves X25519:P-256:P-384:P-521
 {{- end }}
 
 defaults
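Review bot: With the `{{- else }}` branch removed, an unset ROUTER_CURVES emits no `ssl-default-bind-curves` line at all, so the key-exchange groups the router offers are decided by the HAProxy and TLS library build in the image and may change on an image upgrade with no change to the rendered config. The new comment says "built-in default" but not that consequence; I would word it as `# When ROUTER_CURVES is unset no ssl-default-bind-curves line is emitted; the groups offered then depend on the HAProxy/TLS library build. Set ROUTER_CURVES to pin them.` Deployments that have to hold a fixed group list, for a compliance profile for instance, need to know that setting the variable is now the only way to get one. The `global` section begins outside the hunk.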