diff --git a/core/haproxy/haproxy.cfg b/core/haproxy/haproxy.cfg
index 2218351..65ed703 100644
--- a/core/haproxy/haproxy.cfg
+++ b/core/haproxy/haproxy.cfg
@@ -8,9 +8,9 @@ global
 group haproxy
 ulimit-n 9000
 ssl-default-bind-options no-sslv3 no-tls-tickets
- ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AESGCM:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AESGCM:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
 ssl-default-server-options no-sslv3 no-tls-tickets
- ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AESGCM:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AESGCM:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
 stats socket 127.0.0.1:14567
 stats socket /var/lib/haproxy/haproxy.stats mode 660 level admin user haproxy group haproxy expose-fd listeners
 server-state-file /var/lib/haproxy/state
@@ -46,9 +46,12 @@ resolvers docker
 hold obsolete 10s
 frontend fe_web
- bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.pem no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
+ bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.pem no-sslv3 no-tlsv10 no-tlsv11 alpn h2,http/1.1 transparent
 bind *:80
- http-request set-header X-Forwarded-Proto https
+
+ http-request redirect scheme https code 301 if !{ ssl_fc }
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+ use_backend stat if { path -i /haproxy }
 use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/backends.map)]
diff --git a/stepup/docker-compose.yml b/stepup/docker-compose.yml
index ad4539b..b044fb4 100644
--- a/stepup/docker-compose.yml
+++ b/stepup/docker-compose.yml
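Review bot: The new `http-request redirect scheme https code 301 if !{ ssl_fc }` in `frontend fe_web` still leaves the first request of every visit in plaintext, and nothing in this frontend tells browsers to skip that request next time; a matching `http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }` would close that gap, but only once every host listed in backends.map is confirmed to work over TLS, since browsers cache HSTS per host and it is slow to undo. The conditional `http-request set-header X-Forwarded-Proto https if { ssl_fc }` is correct because plaintext requests are redirected on the line above and never reach a backend; that reasoning is worth a comment such as `# plaintext requests are redirected above, so backends only ever see this header when the client really used TLS` so it is not later "simplified" back to an unconditional set-header. The earlier hunk in the same file appears to touch only whitespace on the cipher lines, and `frontend fe_web` continues past the end of this hunk, so any default_backend or further ACLs are not visible here.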
@@ -2,12 +2,14 @@ services:
 haproxy:
- image: ghcr.io/openconext/openconext-basecontainers/haproxy26:latest
+ image: ghcr.io/openconext/openconext-basecontainers/haproxy28:latest
 ports:
 - 80:80
 - 443:443
 volumes:
 - ../core/haproxy/haproxy.pem:/usr/local/etc/haproxy/haproxy.pem
+ - ../core/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+ - ../core/haproxy/backends.map:/usr/local/etc/haproxy/backends.map:ro
 networks:
 openconextdev:
 aliases:
diff --git a/stepup/haproxy/Readme.txt b/stepup/haproxy/Readme.txt
index f3d012f..63dac01 100644
--- a/stepup/haproxy/Readme.txt
+++ b/stepup/haproxy/Readme.txt
@@ -1,2 +1,4 @@
-The haproxy,.crt file here is a copy of the ../../core/haproxy/haproxy.crt. It is mounted in the containers to be added
-to the CA trust store. It cannot be a symlink, because that would break the file in the container.
+The haproxy.crt file here is a copy of the ../../core/haproxy/haproxy.crt. It is mounted in the containers to be added
+to the CA trust store. It cannot be a symlink, because that would break the file in the container.
+
+The HAProxy configuration (haproxy.cfg) is shared with core and mounted from ../../core/haproxy/haproxy.cfg.
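Review bot: The two new volume entries are mounted `:ro`, but the existing `../core/haproxy/haproxy.pem` mount directly above them is not, so the file that presumably carries the TLS private key is the only one of the three the container can still modify; make it `- ../core/haproxy/haproxy.pem:/usr/local/etc/haproxy/haproxy.pem:ro` so all three mounts are consistent. The image line moves to `haproxy28:latest`, which is an unpinned moving tag; pinning to a digest or an explicit version tag taken from the registry keeps the proxy build reproducible and makes future image changes show up in review. Whether the `haproxy28` image actually reads its config from `/usr/local/etc/haproxy/haproxy.cfg` is not visible in this hunk and should be confirmed against the image's entrypoint, since a mismatched path would silently fall back to whatever config ships in the image.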