fix: HAProxy batch commands and improve routing/subdomain handling

- Fix haproxy_cmd_batch to send each command on separate connection
  (HAProxy Runtime API only processes first command on single connection)
- HTTP frontend now routes to backends instead of redirecting to HTTPS
- Add subdomain detection to avoid duplicate wildcard entries
- Add reload verification with retry logic
- Optimize SSL: TLS 1.3 ciphersuites, extended session lifetime
- Add CPU steal monitoring script

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

haproxy_mcp/tools/domains.py

@@ -159,9 +159,13 @@ def register_domain_tools(mcp):
 
                 # Find available pool (using cached entries)
                 used_pools: set[str] = set()
-                for _, backend in entries:
+                registered_domains: set[str] = set()
+                for entry_domain, backend in entries:
                     if backend.startswith("pool_"):
                         used_pools.add(backend)
+                    # Collect non-wildcard domains for subdomain check
+                    if not entry_domain.startswith("."):
+                        registered_domains.add(entry_domain)
 
                 pool = None
                 for i in range(1, POOL_COUNT + 1):
@@ -172,10 +176,24 @@ def register_domain_tools(mcp):
                 if not pool:
                     return f"Error: All {POOL_COUNT} pool backends are in use"
 
+                # Check if this is a subdomain of an existing domain
+                # e.g., vault.anvil.it.com is subdomain if anvil.it.com exists
+                is_subdomain = False
+                parent_domain = None
+                parts = domain.split(".")
+                for i in range(1, len(parts)):
+                    candidate = ".".join(parts[i:])
+                    if candidate in registered_domains:
+                        is_subdomain = True
+                        parent_domain = candidate
+                        break
+
                 try:
                     # Save to disk first (atomic write for persistence)
                     entries.append((domain, pool))
-                    entries.append((f".{domain}", pool))
+                    # Only add wildcard for root domains, not subdomains
+                    if not is_subdomain:
+                        entries.append((f".{domain}", pool))
                     try:
                         save_map_file(entries)
                     except IOError as e:
@@ -184,7 +202,8 @@ def register_domain_tools(mcp):
                     # Then update HAProxy map via Runtime API
                     try:
                         haproxy_cmd(f"add map {MAP_FILE_CONTAINER} {domain} {pool}")
-                        haproxy_cmd(f"add map {MAP_FILE_CONTAINER} .{domain} {pool}")
+                        if not is_subdomain:
+                            haproxy_cmd(f"add map {MAP_FILE_CONTAINER} .{domain} {pool}")
                     except HaproxyError as e:
                         # Rollback: remove the domain we just added from entries and re-save
                         rollback_entries = [(d, b) for d, b in entries if d != domain and d != f".{domain}"]
@@ -209,8 +228,12 @@ def register_domain_tools(mcp):
                             return f"Domain {domain} added to {pool} but server config failed: {e}"
 
                         result = f"Domain {domain} added to {pool} with server {ip}:{http_port}"
+                        if is_subdomain:
+                            result += f" (subdomain of {parent_domain}, no wildcard)"
                     else:
                         result = f"Domain {domain} added to {pool} (no servers configured)"
+                        if is_subdomain:
+                            result += f" (subdomain of {parent_domain}, no wildcard)"
 
                     # Check certificate coverage
                     cert_covered, cert_info = check_certificate_coverage(domain)