diff --git a/inventory/group_vars/mirrorlist2 b/inventory/group_vars/mirrorlist2 index 0884e9ed94..8b5854536d 100644 --- a/inventory/group_vars/mirrorlist2 +++ b/inventory/group_vars/mirrorlist2 @@ -5,7 +5,19 @@ num_cpus: 4 # for systems that do not match the above - specify the same parameter in # the host_vars/$hostname file -custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 80 -j ACCEPT' ] +custom_rules: [ '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 80 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 192.168.0.0/16 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 80 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 67.219.144.68/32 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 5.175.150.50/32 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 152.19.134.142/32 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 140.211.169.196/32 --dport 443 -j ACCEPT', ] + +custom6_rules: [ '-A INPUT -p tcp -m tcp -s 2610:28:3090:3001:dead:beef:cafe:fed3 --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 2604:1580:fe00:0:5054:ff:feae:702c --dport 443 -j ACCEPT', + '-A INPUT -p tcp -m tcp -s 2a00:d1a0:1::131 --dport 443 -j ACCEPT', ] + collectd_apache: true fas_client_groups: sysadmin-noc,fi-apprentice nrpe_procs_warn: 500 diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index 2982caa44c..6c41747b7f 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -10,7 +10,7 @@ - haproxy - name: install haproxy/cfg in prod - copy: src={{ item.file }} + template: src={{ item.file }} dest={{ item.dest }} owner=root group=root mode=0600 with_items: @@ -22,7 +22,7 @@ - haproxy - name: install haproxy.cfg in stg - copy: src={{ item.file }} + template: src={{ item.file }} dest={{ item.dest }} owner=root group=root mode=0600 with_items: 
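Review bot: The per-host sources added to `custom_rules` and `custom6_rules` (for example `67.219.144.68/32`) give no indication of which machine each one belongs to, so a later reader cannot tell when an entry is stale and should be dropped from the allow list. A comment above each list would cover it, e.g. `# hosts allowed to reach mirrorlist on 443: <hostname> = <address>`. There are four IPv4 /32 sources but only three IPv6 ones, so one of those hosts presumably has no IPv6 rule; worth confirming that is intended.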
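Review bot: Both tasks switched to `template:` (prod in this hunk, stg in the next) install the rendered haproxy.cfg without checking it, and now that the file depends on `datacenter`, a bad render would replace the live config as-is. Adding `validate='haproxy -c -f %s'` to the module arguments makes Ansible refuse a file haproxy cannot parse before it is moved into place. The `with_items:` list of both tasks continues outside the hunks, so the file names being rendered are not visible here.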
diff --git a/roles/haproxy/files/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
similarity index 76%
rename from roles/haproxy/files/haproxy.cfg
rename to roles/haproxy/templates/haproxy.cfg
index 7a4b6cd147..c3d415990a 100644
--- a/roles/haproxy/files/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -42,11 +42,43 @@ listen fp-wiki 0.0.0.0:10001 listen mirror-lists 0.0.0.0:10002 balance hdr(appserver) timeout connect 30s - server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 - server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 - server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 - server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 +{% if datacenter == 'dedicatedsolutions' %} + server mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions.fedoraproject.org:443 check inter 5s rise 2 fall 3 + server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup +{% elif datacenter == 'host1plus' %} + server mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-host1plus mirrorlist-host1plus.fedoraproject.org:443 check inter 5s rise 2 fall 3 + server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup +{% elif datacenter == 'ibiblio' %} + server mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-ibiblio mirrorlist-ibiblio.fedoraproject.org:443 check inter 5s rise 2 fall 3 + server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup +{% elif datacenter == 'osuosl' %} + server 
mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-osuosl mirrorlist-osuosl.fedoraproject.org:443 check inter 5s rise 2 fall 3 + server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 backup +{% elif datacenter == 'phx2' %} + server mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 backup + server mirrorlist-phx2 mirrorlist-phx2.fedoraproject.org:443 check inter 5s rise 2 fall 3 +{% else %} server mirrorlist-dedicatedsolutions mirrorlist-dedicatedsolutions:80 check inter 5s rise 2 fall 3 + server mirrorlist-host1plus mirrorlist-host1plus:80 check inter 5s rise 2 fall 3 + server mirrorlist-ibiblio mirrorlist-ibiblio:80 check inter 5s rise 2 fall 3 + server mirrorlist-osuosl mirrorlist-osuosl:80 check inter 5s rise 2 fall 3 + server mirrorlist-phx2 mirrorlist-phx2:80 check inter 5s rise 2 fall 3 +{% endif %} option httpchk GET /mirrorlist option allbackups diff --git a/roles/haproxy/files/haproxy.cfg.stg b/roles/haproxy/templates/haproxy.cfg.stg similarity index 98% rename from roles/haproxy/files/haproxy.cfg.stg rename to roles/haproxy/templates/haproxy.cfg.stg index 6acc0fd3e7..9a5887da53 100644 --- a/roles/haproxy/files/haproxy.cfg.stg +++ b/roles/haproxy/templates/haproxy.cfg.stg 
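Review bot: The local-datacenter `server` lines now target port 443 (`mirrorlist-dedicatedsolutions.fedoraproject.org:443` and the four like it) but carry no `ssl` keyword. Unless that port is not actually TLS on these hosts, haproxy would send plain HTTP to it, including the `option httpchk GET /mirrorlist` probe. If TLS to the backend is intended, the line needs `ssl verify required ca-file <path-to-ca-bundle>` (server options from HAProxy 1.5 on; the deployed version is not visible here). Without `verify required` the backend certificate is never checked, leaving the firewall source rules as the only control on who the proxy is talking to. It is also worth confirming that every host receiving this template defines `datacenter`, since an undefined variable fails the render instead of reaching `{% else %}`. The `listen mirror-lists` block starts above the hunk.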
@@ -41,7 +41,7 @@ listen fp-wiki 0.0.0.0:10001 listen mirror-lists 0.0.0.0:10002 balance hdr(appserver) timeout connect 30s - server mirrorlist-phx2 mirrorlist-phx2:80 check inter 10s rise 2 fall 3 + server mirrorlist-phx2 mirrorlist-phx2.stg.fedoraproject.org:80 check inter 10s rise 2 fall 3 option httpchk GET /mirrorlist listen pkgdb 0.0.0.0:10003 diff --git a/roles/hosts/files/proxy01.phx2.fedoraproject.org-hosts b/roles/hosts/files/proxy01.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..02cf5fa67f --- /dev/null +++ b/roles/hosts/files/proxy01.phx2.fedoraproject.org-hosts @@ -0,0 +1,4 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.50 mirrorlist-phx2.fedoraproject.org diff --git a/roles/hosts/files/proxy10.phx2.fedoraproject.org-hosts b/roles/hosts/files/proxy10.phx2.fedoraproject.org-hosts new file mode 100644 index 0000000000..02cf5fa67f --- /dev/null +++ b/roles/hosts/files/proxy10.phx2.fedoraproject.org-hosts @@ -0,0 +1,4 @@ +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 +10.5.126.23 infrastructure.fedoraproject.org +10.5.126.50 mirrorlist-phx2.fedoraproject.org
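Review bot: The new hosts files for proxy01 and proxy10 are byte-identical (same blob `02cf5fa67f`) and pin `mirrorlist-phx2.fedoraproject.org` to `10.5.126.50` with nothing recording why. Presumably the pin exists so haproxy on the phx2 proxies reaches the mirrorlist backend on its internal address. hosts files accept `#` comments, so a line such as `# pinned for the haproxy mirror-lists backend; update if mirrorlist-phx2 is renumbered` would keep the entry from silently outliving the address. Because this pin decides where the proxy connects, a stale entry would send mirrorlist traffic to whatever host holds that address next.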