diff --git a/haproxy.cfg b/haproxy.cfg
index 4dbb71c..d1d4a11 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -1,7 +1,7 @@
 global
 lua-load /etc/haproxy/cors/cors.lua
- #log /dev/log local0
- #log /dev/log local1 notice
+ log /dev/log local0
+ log /dev/log local1 notice
 log 127.0.0.1 local2
 log-send-hostname
 chroot /var/lib/haproxy
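Review bot: The two `log /dev/log …` lines enabled here will most likely never deliver anything, because `chroot /var/lib/haproxy` a few lines below means HAProxy resolves that Unix datagram socket path inside the chroot at send time (as far as I recall), and an unreachable datagram socket is dropped without any error. Either have the syslog daemon create the socket inside the chroot (rsyslog: `$AddUnixListenSocket /var/lib/haproxy/dev/log`) and say so next to the directive, `# /dev/log is resolved inside the chroot below; rsyslog must also listen on /var/lib/haproxy/dev/log`, or keep only the existing `log 127.0.0.1 local2` UDP sink. Once all three sinks do work, every event is written three times, which triples the volume of the rate-limit/silent-drop logging this config depends on.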
@@ -13,19 +13,19 @@ global
 group haproxy
 daemon
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
+# Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- #ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- #ssl-default-bind-options no-sslv3
- tune.ssl.default-dh-param 2048
- # intermediate configuration
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ #ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ #ssl-default-bind-options no-sslv3
+ tune.ssl.default-dh-param 2048
+ # intermediate configuration
 ssl-default-bind-curves X25519:prime256v1:secp384r1
 ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
@@ -35,12 +35,6 @@ global
 ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
 ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
- #ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
- #ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-
- #ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
- #ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-
 defaults
 log global
@@ -52,13 +46,16 @@ defaults
 timeout server 600s
 timeout http-request 5s
 option http-buffer-request
-# errorfile 400 /etc/haproxy/errors/400.http
-# errorfile 403 /etc/haproxy/errors/403.http
-# errorfile 408 /etc/haproxy/errors/408.http
-# errorfile 500 /etc/haproxy/errors/500.http
-# errorfile 502 /etc/haproxy/errors/502.http
-# errorfile 503 /etc/haproxy/errors/503.http
-# errorfile 504 /etc/haproxy/errors/504.http
+
+
+http-errors kitties
+ errorfile 400 /etc/haproxy/http-cat-errors/400.http
+ errorfile 403 /etc/haproxy/http-cat-errors/403.http
+ errorfile 408 /etc/haproxy/http-cat-errors/408.http
+ errorfile 500 /etc/haproxy/http-cat-errors/500.http
+ errorfile 502 /etc/haproxy/http-cat-errors/502.http
+ errorfile 503 /etc/haproxy/http-cat-errors/503.http
+ errorfile 504 /etc/haproxy/http-cat-errors/504.http
 userlist admin-ghost
 group is-admin
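Review bot: The new `http-errors kitties` section defines files for 400/403/408/500/502/503/504 only, while the frontend rules added in the next hunk also rewrite 401 and 404 with `default-errorfiles`, so those two statuses fall back to HAProxy's built-in error page instead of the cat page; add `errorfile 401 /etc/haproxy/http-cat-errors/401.http` and `errorfile 404 /etc/haproxy/http-cat-errors/404.http` (the files themselves are not in this diff, so I cannot confirm they exist). A comment on the section header would save the next editor a surprise: `# each .http file must be a complete HTTP/1.x response (status line + headers + body); it is sent verbatim`. Note also that `http-errors` opens a new top-level section, so `defaults` now ends at `option http-buffer-request` and anything meant as a default must stay above this line.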
@@ -94,6 +91,18 @@ frontend https
 http-request set-header X-Forwarded-For %[src]
 http-request track-sc0 src table per_ip_rates
 http-request silent-drop if { sc_http_req_rate(0) gt 100 }
+
+ # config httpcats
+ errorfiles kitties
+ http-response return status 400 default-errorfiles if { status 400 }
+ http-response return status 401 default-errorfiles if { status 401 }
+ http-response return status 403 default-errorfiles if { status 403 }
+ http-response return status 404 default-errorfiles if { status 404 }
+ http-response return status 408 default-errorfiles if { status 408 }
+ http-response return status 500 default-errorfiles if { status 500 }
+ http-response return status 502 default-errorfiles if { status 502 }
+ http-response return status 503 default-errorfiles if { status 503 }
+ http-response return status 504 default-errorfiles if { status 504 }
 ## config antiDDOS
 # Suivi du taux de requêtes par IP
@@ -200,10 +209,6 @@ backend boudoir-backend
 # Deny /ghost/ hors IP white
 http-request deny if ghost_path !is_whitelisted_full
-
- # Auth basique pour /ghost/ (toujours demandée si pas IP white, mais safe)
-# http-request auth realm "Ghost Admin" unless admin_auth if ghost_path
- # Bloque /ghost/ hors votre IP (sécurisé, simple)
 server boudoir 192.168.1.57:2368 check
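Review bot: `http-response return status 401 default-errorfiles if { status 401 }` replaces the backend's whole 401 response, headers included, so a `WWW-Authenticate` challenge never reaches the client and any HTTP auth on a backend stops prompting; the 404 rule likewise turns JSON 404s from the API-driven backends behind this frontend (hass-backend, mattermost, and presumably the Ghost admin API under /ghost/) into an error-page body their clients cannot parse. Because these rules sit in `frontend https` they apply to every backend, not just the browser-facing blog. Consider dropping the 401 rule and gating the others on requests that asked for HTML, e.g. `http-request set-var(txn.accept) req.hdr(accept)` placed before the rules and `http-response return status 404 default-errorfiles if { status 404 } { var(txn.accept) -m sub text/html }` for each status. The frontend section continues beyond this hunk.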
@@ -238,15 +243,30 @@ backend hass-backend
 backend cms
 #server cms 192.168.1.101:80
+ acl ghost_path path_beg /ghost/
+ acl is_whitelisted src 82.67.3.126/32
+ acl is_lan src 192.168.1.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
+ acl is_lan2 src 192.168.2.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
+ acl is_whitelisted_full src 82.67.3.126/32 192.168.1.0/24 192.168.2.0/24 # Combine
+ acl admin_auth http_auth_group(admin-ghost) is-admin
+
+ # Deny /ghost/ hors IP white
+ http-request deny if ghost_path !is_whitelisted_full
 server cms 192.168.1.250:2369
 backend cms2
 #mode http
- server ghost_server 192.168.1.55:2368
- #http-request set-header X-Forwarded-Proto https
- #http-request set-header Host %[hdr(host)]
- #http-request set-header X-Real-IP %[src]
- #http-request set-header X-Forwarded-For %[src]
+ acl ghost_path path_beg /ghost/
+ acl is_whitelisted src 82.67.3.126/32
+ acl is_lan src 192.168.1.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
+ acl is_lan2 src 192.168.2.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
+ acl is_whitelisted_full src 82.67.3.126/32 192.168.1.0/24 192.168.2.0/24 # Combine
+ acl admin_auth http_auth_group(admin-ghost) is-admin
+
+ # Deny /ghost/ hors IP white
+ http-request deny if ghost_path !is_whitelisted_full
+
+ server ghost_server 192.168.1.55:2368
 backend mattermost
 server mattermost 192.168.1.112:8065
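Review bot: The admin whitelist (six `acl` lines plus the `http-request deny`) is now copy-pasted into `cms` and `cms2` on top of `boudoir-backend`, with the public address `82.67.3.126/32` hard-coded twice per backend, so the next address change will silently leave one backend open or another locked out; since the rule is identical everywhere, a single `http-request deny if { path_beg -i /ghost/ } !is_whitelisted_full` in `frontend https` (with `is_whitelisted_full` defined once there) would replace all three copies, and `is_whitelisted`, `is_lan`, `is_lan2` and `admin_auth`, which nothing in this hunk uses, can go. Separately, `path_beg /ghost/` is case-sensitive, while Express (which Ghost is built on) routes case-insensitively by default, so `/Ghost/` may reach the admin untouched — `acl ghost_path path_beg -i /ghost/` closes that, to be confirmed against the upstream. The protection also rests on `src` being the real client address, which holds only if nothing else sits in front of this HAProxy.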