diff --git a/.gitignore b/.gitignore
index 79fba10..f99018a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,6 +19,7 @@ data/
 *.db
 *.db-wal
 *.db-shm
+conf/cdn-ips.lst
 # Python
 __pycache__/
diff --git a/conf/haproxy.cfg b/conf/haproxy.cfg
index 69b4af1..386de6c 100644
--- a/conf/haproxy.cfg
+++ b/conf/haproxy.cfg
@@ -1,6 +1,4 @@
 global
- # Enable experimental features (HTTP/3 backend)
- expose-experimental-directives
 log stdout format raw local0
 maxconn 100000
@@ -62,10 +60,14 @@ frontend http_front
 # Set real client IP (CF-Connecting-IP if via Cloudflare, otherwise direct client IP)
 http-request set-var(txn.real_ip) req.hdr(CF-Connecting-IP) if { req.hdr(CF-Connecting-IP) -m found }
+ http-request set-var(txn.real_ip) req.hdr(X-Forwarded-For),word(1,\,) if !{ var(txn.real_ip) -m found } { req.hdr(X-Forwarded-For) -m found }
 http-request set-var(txn.real_ip) src unless { var(txn.real_ip) -m found }
 http-request set-header X-Real-IP %[var(txn.real_ip)]
 log-format "%[var(txn.real_ip)]:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq \"%r\""
+ # Per-IP concurrent connection limit (slowloris protection)
+ # Note: http_front and https_front have separate stick-tables, so the same
+ # IP is counted independently in each frontend (HTTP vs HTTPS).
 # Per-IP concurrent connection limit (slowloris protection)
 # Note: http_front and https_front have separate stick-tables, so the same
 # IP is counted independently in each frontend (HTTP vs HTTPS).
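Review bot: The added X-Forwarded-For fallback in the `@@ -62,10 +60,14 @@` hunk honours a client-controlled header from any source, so whenever CF-Connecting-IP is absent a direct client chooses the value of txn.real_ip, and with it the X-Real-IP header the backends receive, the address written by the log-format line, and — if the per-IP stick-table further down keys on txn.real_ip rather than src (it is outside the hunk, so I cannot confirm) — the identity the slowloris limit counts. Restrict the fallback to connections that arrive from a proxy or CDN range you trust, e.g. `http-request set-var(txn.real_ip) req.hdr(X-Forwarded-For),word(1,\,) if !{ var(txn.real_ip) -m found } { req.hdr(X-Forwarded-For) -m found } { src -f <path-to-cdn-ips.lst> }`; the .gitignore hunk in this commit introduces `conf/cdn-ips.lst`, which looks like the intended source for that list, and the same consideration applies to the pre-existing CF-Connecting-IP line above it. Note also that `word(1,\,)` takes the leftmost entry, which is the one furthest from your proxy and the easiest to supply; the entry appended by the nearest trusted proxy is the rightmost one. The identical line is added to https_front in the `@@ -97,6 +99,7 @@` hunk and needs the same guard; both frontend blocks start and end outside their hunks. Separately, the three `# Per-IP concurrent connection limit` comment lines are inserted directly above an identical existing copy, so the new file carries that comment block twice.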
@@ -97,6 +99,7 @@ frontend https_front
 # Set real client IP (CF-Connecting-IP if via Cloudflare, otherwise direct client IP)
 http-request set-var(txn.real_ip) req.hdr(CF-Connecting-IP) if { req.hdr(CF-Connecting-IP) -m found }
+ http-request set-var(txn.real_ip) req.hdr(X-Forwarded-For),word(1,\,) if !{ var(txn.real_ip) -m found } { req.hdr(X-Forwarded-For) -m found }
 http-request set-var(txn.real_ip) src unless { var(txn.real_ip) -m found }
 http-request set-header X-Real-IP %[var(txn.real_ip)]
 log-format "%[var(txn.real_ip)]:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq \"%r\""
@@ -112,7 +115,7 @@ frontend https_front
 # -- End shared security config --
 # MCP authentication (Bearer Token or Tailscale)
- acl is_mcp hdr(host) -i mcp.inouter.com
+ acl is_mcp hdr(host) -i haproxy.inouter.com
 acl valid_token req.hdr(Authorization) -m str "Bearer dcb7963ab3ef705f6b780818f78942a100efa3b55e3d2f99c4560b65da64c426"
 acl is_tailscale src 100.64.0.0/10
 http-request deny deny_status 401 if is_mcp !valid_token !is_tailscale
diff --git a/conf/wildcards.map b/conf/wildcards.map
index 30c3680..f9996d5 100644
--- a/conf/wildcards.map
+++ b/conf/wildcards.map
@@ -4,7 +4,5 @@
 .actions.it.com pool_3
 .anvil.it.com pool_9
-.bench.inouter.com pool_5
-.mcp.inouter.com pool_2
 .nas.inouter.com pool_1
-.ssh.inouter.com pool_11
+.nocodb.inouter.com pool_5
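Review bot: The `acl valid_token` line immediately below the renamed host in the `@@ -112,7 +115,7 @@` hunk carries the complete Bearer token as a literal in a config file this diff shows is tracked in git, so the secret is in repository history whatever later edits do. Keep the value out of the tree: HAProxy expands `${NAME}` from the process environment inside double-quoted strings, so `acl valid_token req.hdr(Authorization) -m str "Bearer ${MCP_TOKEN}"` with the token supplied at startup (or a file that is gitignored, as `conf/cdn-ips.lst` now is) removes it from the config, and the current value should be rotated since it is already exposed. The rename moves the 401 gate to haproxy.inouter.com while the `is_tailscale` bypass still keys on `src`, which is the right choice given the new X-Forwarded-For handling above. The https_front block continues outside the hunk.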
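Review bot: `.mcp.inouter.com` is dropped from the map while the haproxy.cfg hunk at `@@ -112,7 +115,7 @@` repoints the `is_mcp` ACL to haproxy.inouter.com, and no `.haproxy.inouter.com` line is added in exchange. If the map is kept sorted, that entry would sit between the `.anvil.it.com` and `.nas.inouter.com` context lines, which are adjacent here, so the new host appears to have no pool mapping and requests that clear the 401 gate would fall through to whatever the map's consumer does on a miss (the map lookup itself is outside these hunks, so this is an inference). Either add `.haproxy.inouter.com <pool>` here or confirm the host is routed by another rule.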