Diffstat (limited to 'docs/configuration/loadbalancing/reverse-proxy.rst')
-rw-r--r-- | docs/configuration/loadbalancing/reverse-proxy.rst | 78 |
1 files changed, 56 insertions, 22 deletions
diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst index 970e084e..9cb49a7f 100644 --- a/docs/configuration/loadbalancing/reverse-proxy.rst +++ b/docs/configuration/loadbalancing/reverse-proxy.rst @@ -45,6 +45,11 @@ Service Set SSL certificate <name> for service <name> +.. cfgcmd:: set load-balancing reverse-proxy service <name> + http-response-headers <header-name> value <header-value> + + Set custom HTTP headers to be included in all responses + Rules ^^^^^ @@ -113,11 +118,6 @@ Backend Configure backend `<name>` mode TCP or HTTP -.. cfgcmd:: set load-balancing reverse-proxy backend <name> parameters - http-check - - Enable layer 7 HTTP health check - .. cfgcmd:: set load-balancing reverse-proxy backend <name> server <name> address <x.x.x.x> @@ -155,9 +155,40 @@ Backend Configure requests to the backend server to use SSL encryption without validating server certificate +.. cfgcmd:: set load-balancing reverse-proxy backend <name> + http-response-headers <header-name> value <header-value> + + Set custom HTTP headers to be included in all responses using the backend + + +Global +------- + +Global parameters + +.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections + <num> + + Limit maximum number of connections + +.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers + <ciphers> + + Limit allowed cipher algorithms used during SSL/TLS handshake + +.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min + <version> + + Specify the minimum required TLS version 1.2 or 1.3 + + +Health checks +============= + + +HTTP checks +----------- -HTTP health check -^^^^^^^^^^^^^^^^^ For web application providing information about their state HTTP health checks can be used to determine their availability. 
@@ -180,31 +211,32 @@ checks can be used to determine their availability. expect <condition> Sets the expected result condition for considering a server healthy. + Some possible examples are: * ``status 200`` Expecting a 200 response code * ``status 200-399`` Expecting a non-failure response code * ``string success`` Expecting the string `success` in the response body -Global -------- +TCP checks +---------- -Global parameters +Health checks can also be configured for TCP mode backends. You can configure +protocol aware checks for a range of Layer 7 protocols: -.. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections - <num> - - Limit maximum number of connections +.. cfgcmd:: set load-balancing reverse-proxy backend <name> health-check <protocol> -.. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers - <ciphers> + Available health check protocols: + * ``ldap`` LDAP protocol check. + * ``redis`` Redis protocol check. + * ``mysql`` MySQL protocol check. + * ``pgsql`` PostgreSQL protocol check. + * ``smtp`` SMTP protocol check. - Limit allowed cipher algorithms used during SSL/TLS handshake - -.. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min - <version> - - Specify the minimum required TLS version 1.2 or 1.3 +.. note:: If you specify a server to be checked but do not configure a + protocol, a basic TCP health check will be attempted. A server shall be + deemed online if it responses to a connection attempt with a valid + ``SYN/ACK`` packet. Redirect HTTP to HTTPS @@ -291,6 +323,7 @@ HTTPS. The ``https`` service listens on port 443 with backend ``bk-default`` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination. +HSTS header is set with a 1-year expiry, to tell browsers to always use SSL for site. Rule 10 matches requests with the exact URL path ``/.well-known/xxx`` and redirects to location ``/certs/``. 
@@ -313,6 +346,7 @@ connection limit of 4000 and a minimum TLS version of 1.3. set load-balancing reverse-proxy service https mode 'http' set load-balancing reverse-proxy service https port '443' set load-balancing reverse-proxy service https ssl certificate 'cert' + set load-balancing reverse-proxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000' set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx' set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/' |
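Review bot: In the Service hunk (@@ -45,6 +45,11), the description "Set custom HTTP headers to be included in all responses" does not say how this option interacts with the identical backend-level option added later in the same patch. Suggest stating what happens when the same <header-name> is set on a service and on the backend it forwards to (which value is sent, or whether both are), so that a security header configured in both places has a predictable result.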
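Review bot: In the Global block of the @@ -155,9 +155,40 hunk, "ssl-bind-ciphers <ciphers>" gives no indication of the expected value format, and "Specify the minimum required TLS version 1.2 or 1.3" reads ambiguously. Suggest documenting the syntax of <ciphers> with one example value, saying whether the cipher list still has an effect when tls-version-min is set to 1.3, and rewording the last description to "Specify the minimum required TLS version (1.2 or 1.3)".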
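Review bot: In the TCP checks hunk (@@ -180,31 +211,32), the bullet list follows "Available health check protocols:" with no blank line in between, so reStructuredText will not parse it as a list; add an empty line before "* ``ldap``". In the note, "if it responses to a connection attempt" should be "if it responds to a connection attempt". The note could also say that the fallback TCP check only confirms the port accepts connections, not that the service behind it is working, which is the reason to prefer one of the protocol checks. The new cfgcmd line is also not wrapped like the other cfgcmd entries in this file.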
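Review bot: In the @@ -291,6 +323,7 hunk, the added sentence "HSTS header is set with a 1-year expiry, to tell browsers to always use SSL for site." needs a wording pass and is not wrapped like the neighbouring lines. Suggest "An HSTS header is set with a 1-year expiry, telling browsers to always use HTTPS for the site.", wrapped to the file's line length.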
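Review bot: In the example hunk (@@ -313,6 +346,7), the added line sets 'max-age=31536000' with no accompanying caution, and the header name is left unquoted while every other value in the example is quoted. Since browsers remember the policy for the whole max-age, suggest a short remark near the example that a smaller value can be used while testing a deployment, and quote 'Strict-Transport-Security' for consistency with the surrounding commands.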