From 8997b3d9ed3262e911ef353f984794665c4c6955 Mon Sep 17 00:00:00 2001
From: richardsonnick
Date: Fri, 27 Mar 2026 19:02:11 +0000
Subject: [PATCH] Add support for configurable SSL curves in HAProxy configuration

Introduces the ROUTER_CURVES environment variable which maps directly to HAProxy's ssl-default-bind-curves directive, allowing operators to configure the TLS key exchange groups used by the router. When ROUTER_CURVES is not set, no directive is emitted and HAProxy uses its built-in defaults.
---
 images/router/haproxy/conf/haproxy-config.template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
index b101b5ca0..4d418fc37 100644
--- a/images/router/haproxy/conf/haproxy-config.template
+++ b/images/router/haproxy/conf/haproxy-config.template
@@ -131,6 +131,12 @@ global
 {{- end }}
 {{- end }}
 
+ # By default when a ROUTER_CURVES is not defined HAProxy
+ # will use its built-in default supported groups for TLS key exchange.
+ {{- with (env "ROUTER_CURVES") }}
+ ssl-default-bind-curves {{ . }}
+ {{- end }}
+
 defaults
 {{- with $value := env "ROUTER_MAX_CONNECTIONS" "50000" }}
 {{- if isInteger $value }}
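Review bot: The value of ROUTER_CURVES is written unchecked into the `global` section (which starts above this hunk) at `ssl-default-bind-curves {{ . }}`, so whitespace or a line break in the variable would become extra arguments or an extra directive line in the generated config. A malformed list would presumably only surface when HAProxy rejects the file on reload. The ROUTER_MAX_CONNECTIONS context line just below gates its value with `isInteger`; a comparable guard fits here, for example `{{- with $curves := env "ROUTER_CURVES" }}` followed by `{{- if matchPattern "[A-Za-z0-9_.-]+(:[A-Za-z0-9_.-]+)*" $curves }}` around the directive, assuming the router template's `matchPattern` helper is usable at this point. The comment could also state the expected format, e.g. `# ROUTER_CURVES is a colon-separated list of curve/group names; when unset, HAProxy uses its built-in defaults.`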