Sample haproxy.cfg for whitelist

I’ve tried this:

frontend web
    bind *:443
    mode tcp
    acl whitelist src 173.169.95.246/32
    tcp-request connection reject unless whitelist

but I’m getting this error message:

3/31/2017 1:02:32 AMtime="2017-03-31T05:02:32Z" level=info msg=" -- reloading haproxy config with the new config changes\n * Reloading haproxy haproxy\n[WARNING] 089/050232 (717) : config : 'option forwardfor' ignored for frontend 'web' as it requires HTTP mode.\n[WARNING] 089/050232 (717) : config : 'option forwardfor' ignored for proxy 'default' as it requires HTTP mode.\n[WARNING] 089/050232 (717) : config : 'option forwardfor' ignored for frontend '80' as it requires HTTP mode.\n[WARNING] 089/050232 (717) : config : 'option forwardfor' ignored for frontend '443' as it requires HTTP mode.\n[WARNING] 089/050232 (717) : parsing [/etc/haproxy/haproxy.cfg:57] : HTTP log/header format not usable with backend '80_' (needs 'mode http').\n[WARNING] 089/050232 (717) : config : 'option forwardfor' ignored for backend '80_' as it requires HTTP mode.\n[WARNING] 089/050232 (717) : parsing [/etc/haproxy/haproxy.cfg:67] : HTTP log/header format not usable with backend '443_' (needs 'mode http').\n[WARNING] 089/050232 (717) : config : 'option forwardfor' ignored for backend '443_' as it requires HTTP mode.\n[WARNING] 089/050232 (719) : config : 'option forwardfor' ignored for frontend 'web' as it requires HTTP mode.\n[WARNING] 089/050232 (719) : config : 'option forwardfor' ignored for proxy 'default' as it requires HTTP mode.\n[WARNING] 089/050232 (719) : config : 'option forwardfor' ignored for frontend '80' as it requires HTTP mode.\n[WARNING] 089/050232 (719) : config : 'option forwardfor' ignored for frontend '443' as it requires HTTP mode.\n[WARNING] 089/050232 (719) : parsing [/etc/haproxy/haproxy.cfg:57] : HTTP log/header format not usable with backend '80_' (needs 'mode http').\n[WARNING] 089/050232 (719) : config : 'option forwardfor' ignored for backend '80_' as it requires HTTP mode.\n[WARNING] 089/050232 (719) : parsing [/etc/haproxy/haproxy.cfg:67] : HTTP log/header format not usable with backend '443_' (needs 'mode http').\n[WARNING] 089/050232 (719) : config : 
'option forwardfor' ignored for backend '443_' as it requires HTTP mode.\n ...done.\n"

I must use TCP rather than HTTP termination. Wondering if there are any people out there who have set this up properly.
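
A TCP-mode configuration built around the same allow-list rule, as an added example that is not part of the original post. The proxy names `web_tls` and `app_tls`, the backend address, the log target and the timeouts are assumptions. It keeps `option forwardfor` out of the TCP-mode sections, which is the directive the `[WARNING]` lines above report as ignored.

```haproxy
# Added example (not from the original post). web_tls, app_tls, 10.0.0.10,
# the log target and the timeouts are assumed values.
global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    # TCP-mode log format. 'option httplog' and 'option forwardfor' both
    # require 'mode http', so they are left out of every TCP-mode section.
    option  tcplog
    timeout connect 5s
    timeout client  50s
    timeout server  50s

frontend web_tls
    bind *:443
    # Layer-4 allow list: 'src' is the peer address of the TCP connection,
    # and the rule is evaluated on accept, before any TLS bytes are read.
    # If another proxy or load balancer sits in front, 'src' is that device's
    # address, not the end client's.
    acl whitelist src 173.169.95.246/32
    tcp-request connection reject unless whitelist
    default_backend app_tls

backend app_tls
    # TLS passes through unmodified, so no X-Forwarded-For header can be
    # inserted here. To hand the client address to the server in TCP mode,
    # add 'send-proxy' to the server line, but only if the server accepts
    # the PROXY protocol.
    server app1 10.0.0.10:443 check
```

The file can be syntax-checked before a reload with `haproxy -c -f /etc/haproxy/haproxy.cfg`.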