diff --git a/templates/haproxy_cfg b/templates/haproxy_cfg
index bb42b3c6c147fda37229097ec63bfab1a7b1fe81..0077d4287fe57e8a8934d1544a4133ced6249600 100644
--- a/templates/haproxy_cfg
+++ b/templates/haproxy_cfg
@@ -56,13 +56,13 @@ frontend http_in
   http-request deny if blockedip
 {% for host in groups['all'] %}
 {% for redirect in hostvars[host].proxy_redirect|default([]) %}
-  redirect prefix http://{{redirect.to}} if { hdr(host) -i -n {{redirect.from}} }
+  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{redirect.from}} }
 {% endfor %}
 {% if proxy_redirect_aliase %}
 {% for drupal in hostvars[host].drupal_settings|default([]) %}
 {% for domain in drupal.domains|default([]) %}
 {% for alias in domain.aliases|default([]) %}
-  redirect prefix http://{{domain.domain}} if { hdr(host) -i -n {{alias}} }
+  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
 {% endfor %}
 {% endfor %}
 {% endfor %}
@@ -94,13 +94,13 @@ frontend https_in_{{ cert.ip }}
   http-request deny if blockedip
 {% for host in groups['all'] %}
 {% for redirect in hostvars[host].proxy_redirect|default([]) %}
-  redirect prefix http://{{redirect.to}} if { hdr(host) -i -n {{redirect.from}} }
+  redirect prefix {{ redirect.protocol|default('https') }}://{{redirect.to}} code 301 if { hdr(host) -i -n {{redirect.from}} }
 {% endfor %}
 {% if proxy_redirect_aliase %}
 {% for drupal in hostvars[host].drupal_settings|default([]) %}
 {% for domain in drupal.domains|default([]) %}
 {% for alias in domain.aliases|default([]) %}
-  redirect prefix https://{{domain.domain}} if { hdr(host) -i -n {{alias}} }
+  redirect prefix {{ domain.protocol|default('https') }}://{{domain.domain}} code 301 if { hdr(host) -i -n {{alias}} }
 {% endfor %}
 {% endfor %}
 {% endfor %}
@@ -116,7 +116,7 @@ frontend https_in_{{ cert.ip }}
 {% endif %}
 {% for host in groups['all'] %}
   acl ssl_domain_in_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.ssl.list
-  use_backend backend_{{host}} if ssl_domain_in_{{host}}
+  use_backend backend_{{host}}_https if ssl_domain_in_{{host}}
   acl redirect_{{host}} hdr(host) -i -n -f /etc/haproxy/{{host}}.list
   use_backend backend_redirect if redirect_{{host}}
 {% if hostvars[host].proxy_crm_domains is defined %}
@@ -133,6 +133,14 @@ backend backend_{{host}}
 {% else %}
   server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
 {% endif %}
+
+backend backend_{{host}}_https
+{% if host == inventory_hostname %}
+  http-response deny
+{% else %}
+  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+  server server_{{host}} {{hostvars[host]['static_ipv4']|default(hostvars[host]['ansible_default_ipv4']['address'])}}:80 maxconn 100
+{% endif %}
 {% endfor %}
 {% if varnish_host|default(false) %}