diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index a43f9bf535..33460a7192 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -29,6 +29,9 @@ tcp_ports: [
 # the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1
 8080,
+ # This is for TOTP
+ 8443,
+
 # For fedmsg websocket server over stunnel
 9939,
 # For fedmsg raw zeromq socket (outbound)
diff --git a/inventory/group_vars/proxies-stg b/inventory/group_vars/proxies-stg
index f5590beff4..6e1cda6e8f 100644
--- a/inventory/group_vars/proxies-stg
+++ b/inventory/group_vars/proxies-stg
@@ -29,6 +29,9 @@ tcp_ports: [
 # the apache reverseproxy at https://admin.fedoraproject.org/haproxy/proxy1
 8080,
+ # This is for TOTP
+ 8443,
+
 # For fedmsg websocket server over stunnel
 9939,
 # For fedmsg raw zeromq socket (outbound)
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index be68fa52f3..129ebd3448 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -383,6 +383,28 @@ backend ipa-backend
 {% endif %}
 option httpchk GET /ipa/ui/
+# This is for TOTPCGI (legacy 2fa). It goes to the Openshift routers, which then passthrough TLS to the totpcgi pods
+frontend totp-frontend
+ mode tcp
+ bind 0.0.0.0:8443
+ default_backend totp-backend
+
+backend totp-backend
+ mode tcp
+ option tcplog
+ balance roundrobin
+ maxconn 16384
+ timeout queue 5000
+ timeout server 86400000
+ timeout connect 86400000
+ server os-node01 os-node01:443 weight 1 maxconn 16384
+ server os-node02 os-node02:443 weight 1 maxconn 16384
+ server os-node03 os-node03:443 weight 1 maxconn 16384
+ server os-node04 os-node04:443 weight 1 maxconn 16384
+{% if env == "production" %}
+ server os-node05 os-node05:443 weight 1 maxconn 16384
+{% endif %}
+
 frontend krb5-frontend
 mode tcp
 bind 0.0.0.0:1088
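Review bot: The new `# This is for TOTP` comment above `8443,` in tcp_ports does not say what listens on the port or why it must be reachable on the proxies, which the neighbouring entries (the apache reverseproxy on 8080, fedmsg over stunnel on 9939) do; since this list presumably drives the proxies' firewall rules, whoever later decides whether the port can be closed again needs that. Suggest `# haproxy TCP passthrough frontend for totpcgi (legacy 2fa) -> OpenShift routers, see roles/haproxy/templates/haproxy.cfg`. The identical hunk in inventory/group_vars/proxies-stg should get the same comment. Both hunks sit inside the tcp_ports list, whose start and end are outside the hunk.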
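Review bot: totp-backend has no health checking — none of the `server os-nodeNN` lines carry `check`, and unlike ipa-backend just above there is no `option httpchk`/`option tcp-check` — so an OpenShift router node that is down or not listening on 443 keeps receiving its round-robin share of new TOTP connections. Because TLS is passed through in `mode tcp`, a layer-4 `check` on each server line is the appropriate fix. `timeout connect 86400000` (24 hours) also undermines failover: a connect that gets no answer should fail within seconds so the next node is tried, and the long value belongs only to `timeout server`, where it keeps long-lived sessions alive (the 5000 ms below is a constructed example, pick the project's usual value). `option tcplog` is a frontend-side log format setting and, as far as I know, is ignored in a backend section, so it belongs in totp-frontend. The template continues outside the hunk (krb5-frontend follows); the rewritten sections are below.
```jinja
frontend totp-frontend
    mode tcp
    option tcplog
    bind 0.0.0.0:8443
    default_backend totp-backend

backend totp-backend
    mode tcp
    balance roundrobin
    maxconn 16384
    timeout queue 5000
    timeout server 86400000
    timeout connect 5000
    server os-node01 os-node01:443 check weight 1 maxconn 16384
    server os-node02 os-node02:443 check weight 1 maxconn 16384
    server os-node03 os-node03:443 check weight 1 maxconn 16384
    server os-node04 os-node04:443 check weight 1 maxconn 16384
{% if env == "production" %}
    server os-node05 os-node05:443 check weight 1 maxconn 16384
{% endif %}
```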