diff --git a/README.md b/README.md
index a194b46..7990446 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,185 @@ networks:
     external: true
 ```
 
-ON first run you need to:
+On first run you need to:
 
 `docker network create phoenix-network`
+
+
+## HAProxy setup
+
+... in docker-compose.yml ...
+
+```
+  default-backend:
+    container_name: 'default-backend'
+    image: nginx:1.22.0-alpine
+    volumes:
+      - /docker-volumes/haproxy-config/core/nginx/html:/usr/share/nginx/html
+    restart: always
+    networks:
+      - phoenix-network
+
+  rsyslog:
+    container_name: 'rsyslog'
+    hostname: 'rsyslog'
+    image: alpine-rsyslog
+    build:
+      context: ./alpine-rsyslog
+    volumes:
+      - $PWD/haproxy-config/core/haproxy.conf:/etc/rsyslog.d/haproxy.conf
+      - $PWD/haproxy-config/log:/var/log
+      - $PWD/haproxy-config/spool:/var/spool
+      - $PWD/rsyslog/rsyslog.conf:/etc/rsyslog.conf
+    ports:
+      - '127.0.0.1:514:514'
+    networks:
+      - phoenix-network
+
+
+  haproxy:
+    container_name: 'haproxy'
+    hostname: 'haproxy'
+    image: haproxytech/haproxy-alpine:latest
+    ports:
+      - 443:443
+      - 80:80
+    depends_on:
+      - default-backend
+      - rsyslog
+    volumes:
+      - $PWD/haproxy-config/log:/var/log
+      - $PWD/haproxy-config/certs:/usr/local/etc/haproxy/certs:ro
+      - $PWD/haproxy-config/core:/usr/local/etc/haproxy/core:ro
+      - $PWD/haproxy-config/maps:/usr/local/etc/haproxy/maps:ro
+      - $PWD/haproxy-config/sites:/usr/local/etc/haproxy/sites:ro
+    command: "haproxy -f /usr/local/etc/haproxy/core/haproxy.cfg -f /usr/local/etc/haproxy/sites/"
+    networks:
+      - phoenix-network
+
+```
+
+in `haproxy-config/core/haproxy.conf`:
+
+```
+$UDPServerAddress 127.0.0.1
+$UDPServerRun 514
+local0.*    /var/log/haproxy.log
+& ~
+```
+
+in `haproxy-config/core/haproxy.cfg`:
+
+```
+global
+  tune.ssl.default-dh-param 2048
+  log rsyslog:514 local0
+  maxconn 4096
+
+defaults
+  option httplog
+  option forwardfor except 127.0.0.1
+  option forwardfor header X-Real-IP
+  option http-no-delay
+  log global
+  mode http
+
+  retries 10
+  option  redispatch
+  timeout connect 4000
+  timeout client  600000
+  timeout server  600000
+  timeout queue 10s
+
+frontend default_frontend
+  mode http
+
+  bind *:80
+  bind *:443 ssl crt /usr/local/etc/haproxy/certs alpn h2,http/1.1
+
+# redirect non-www
+
+  # http-request redirect prefix https://%[hdr(Host),regsub(^www\.,,i)] code 301 if { hdr_beg(host) -i www. }
+
+# Make a rule that the server cannot be directly accessed by IP address
+
+  acl   has_domain hdr(Host),map_str(/usr/local/etc/haproxy/maps/domains.map) -m found
+  http-request deny if !has_domain
+
+# ACME challenge rule?
+
+  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+  redirect code 301 scheme https if !{ ssl_fc && letsencrypt-acl }
+  compression algo gzip
+  compression type text/css text/html text/javascript application/javascript text/plain text/xml application/json image/svg+xml
+  acl is_content_type_html res.hdr(Content-Type) -i text/html
+  http-response set-header Content-Type text/html;\ charset=UTF-8 if is_content_type_html
+  http-response set-header Cache-Control no-cache,\ max-age=31536000
+  http-response set-header Expires %[date(3600),http_date]
+  http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+  http-response set-header X-XSS-Protection "1; mode=block"
+  http-response set-header X-Content-Type-Options "nosniff"
+  http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
+  use_backend %[base,lower,regsub(^www\.,,i),map_beg(/usr/local/etc/haproxy/maps/sites.map,default_backend)]
+
+
+listen stats
+  bind *:9999
+  mode http
+  log global
+  stats enable
+  stats realm Haproxy\ Statistics
+  stats uri /haproxy_stats
+  stats hide-version
+
+
+backend haproxy_stats_backend
+  http-request auth realm haproxy-stats unless { http_auth_group(basic-auth-list) is-haproxy-stats }
+  mode http
+  compression algo gzip
+  compression offload
+  server server_nginx localhost:9999
+
+
+userlist basic-auth-list
+  group is-guest
+  group is-haproxy-stats
+
+  user guest password $5$N7CpS0mo$FyJtlwQOwzAi5HnCISumyBKWyPu6DhBO7eGzUUyWoJ7 groups is-guest
+```
+
+... in `haproxy-config/sites/web-push.anomalistlabs.com.cfg` ...
+
+define an HAProxy backend and map it to the Docker host and port
+NOTE:  this also turned off CORS origin rule
+```
+backend web_push_backend
+  mode http
+  compression algo gzip
+  compression offload
+  http-response set-header Access-Control-Allow-Origin "*"
+  server server_nginx endorser-push-server:3000
+```
+
+... in `haproxy-config/maps/domains.map` ...
+
+add a domain that will be used as a base
+
+```
+timesafari.anomalistlabs.com
+```
+
+
+... in `haproxy-config/maps/sites.map` ...
+
+map the `/web-push` path to the `web_push_backend`
+NOTE: `timesafari-pwa.anomalistlabs.com` PWA sits on the root
+
+```
+timesafari-pwa.anomalistlabs.com/web-push/ web_push_backend
+```
+
+## The rest ..
+
+`docker-compose up -d` should just work :-)
+