diff --git a/docker-compose.yml b/docker-compose.yml
index 69d4706..57f053a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,7 +27,8 @@ services:
 - HAPROXY_CONTINENT=OC
 - HCAPTCHA_SITEKEY=20000000-ffff-ffff-ffff-000000000002
 - HCAPTCHA_SECRET=0x0000000000000000000000000000000000000000
- # - VERIFY_BACKEND_SSL=1
+ - VERIFY_BACKEND_SSL_VERIFYNONE=1
+ - VERIFY_BACKEND_SSL=1
 #- RECAPTCHA_SECRET=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
 #- RECAPTCHA_SITEKEY=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
 - CAPTCHA_COOKIE_SECRET=changeme
diff --git a/haproxy/Dockerfile b/haproxy/Dockerfile
index ba04825..414905a 100644
--- a/haproxy/Dockerfile
+++ b/haproxy/Dockerfile
@@ -5,7 +5,7 @@
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
-FROM debian:buster-slim
+FROM debian:bookworm-slim

 # roughly, https://salsa.debian.org/haproxy-team/haproxy/-/blob/732b97ae286906dea19ab5744cf9cf97c364ac1d/debian/haproxy.postinst#L5-6
 RUN set -eux; \
@@ -25,11 +25,11 @@ ENV DATAPLANEAPI_URL https://github.com/haproxytech/dataplaneapi/releases/downlo
 RUN set -eux; \
 \
 savedAptMark="$(apt-mark showmanual)"; \
- apt-get update && apt-get install -y --no-install-recommends \
+ apt update -yq && apt-get install -y --no-install-recommends \
 ca-certificates \
 gcc \
 libc6-dev \
- liblua5.3-dev \
+ liblua5.4-dev \
 libpcre2-dev \
 libssl-dev \
 make \
@@ -37,7 +37,9 @@ RUN set -eux; \
 zlib1g-dev \
 luarocks \
 ; \
+ update-ca-certificates; \
 rm -rf /var/lib/apt/lists/*; \
+ chmod 777 /etc/ssl/certs/ca-certificates.crt; \
 # \
 # wget -O dataplaneapi_Linux_x86_64.tar.gz "$DATAPLANEAPI_URL"; \
 # tar -zxvf dataplaneapi_Linux_x86_64.tar.gz; \
@@ -53,7 +55,7 @@ RUN set -eux; \
 makeOpts=' \
 TARGET=linux-glibc \
 USE_GETADDRINFO=1 \
- USE_LUA=1 LUA_INC=/usr/include/lua5.3 \
+ USE_LUA=1 LUA_INC=/usr/include/lua5.4 \
 USE_OPENSSL=1 \
 USE_PCRE2=1 USE_PCRE2_JIT=1 \
 USE_ZLIB=1 \
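Review bot: `VERIFY_BACKEND_SSL_VERIFYNONE=1` is now part of the committed default environment, which makes the `VERIFY_BACKEND_SSL=1` added next to it ineffective: register-servers.lua takes the `verify none` branch whenever that variable is present, so backend certificates are never checked for anyone who runs this compose file as shipped. The line it replaces was commented out, and the development-only switch should stay opt-in the same way, e.g. `# - VERIFY_BACKEND_SSL_VERIFYNONE=1  # dev only: skips backend certificate verification`. Leaving `- VERIFY_BACKEND_SSL=1` active on its own then gives the verified default that the Lua change appears to intend.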
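Review bot: In the hunk at line 25, `apt update -yq` replaces `apt-get update`; `apt` itself warns that it has no stable command-line interface for scripts (hadolint DL3027), and `-y` does nothing for `update`, so the original `apt-get update && apt-get install -y --no-install-recommends \` should be kept. The Lua 5.3 to 5.4 change in the same hunk is fine as long as the `LUA_INC` update in the hunk at line 53 lands with it, which it does. The enclosing RUN starts and ends outside the hunk.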
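Review bot: In the hunk at line 37, `chmod 777 /etc/ssl/certs/ca-certificates.crt` makes the system CA bundle world-writable, so any process running in the container can add a certificate that the `verify required` path introduced in haproxy.cfg and register-servers.lua will then trust. The ca-certificates package installs that bundle world-readable, so haproxy can already read it; if the motivation was a path or lookup problem, point `ca-file` at the absolute path or copy the bundle under /etc/haproxy rather than loosening permissions. `update-ca-certificates` is normally run by the package's postinst during install, so the added call is redundant here; both lines are repeated as standalone RUNs in the hunk at line 94, where the same applies. The enclosing RUN starts and ends outside the hunk.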
@@ -82,7 +84,7 @@ RUN set -eux; \
 | sort -u \
 | xargs -r apt-mark manual \
 ; \
- apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ # apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 \
 # smoke test
 haproxy -v
@@ -92,13 +94,19 @@ RUN set -eux; \
 # "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
 # "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
 STOPSIGNAL SIGUSR1
-
+RUN update-ca-certificates
+RUN chmod 777 /etc/ssl/certs/ca-certificates.crt
 ADD haproxy/dataplaneapi.yml /etc/haproxy/dataplaneapi.yml
 ADD haproxy/docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-RUN apt update && apt install -y git lua5.3 liblua5.3-dev argon2 libargon2-dev luarocks
+RUN lua -v
+RUN apt update && apt install -y git lua5.4 liblua5.4-dev argon2 libargon2-dev luarocks
 RUN git config --global url."https://".insteadOf git://
 RUN luarocks install argon2
+RUN luarocks install --lua-version 5.4 argon2
+RUN luarocks install --lua-version 5.4 argon2 ARGON2_DIR=/usr ARGON2_LIBDIR=/usr/lib/x86_64-linux-gnu
+
+

 ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 # no USER for backwards compatibility (to try to avoid breaking existing users)
diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
index edab3b5..47a0d11 100644
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -169,6 +169,7 @@ backend haproxy-to-varnish-cache

 backend servers
 balance roundrobin
+ default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)
 use-server %[lua.get_server_names] if TRUE

 backend bot_check_post_throttle
diff --git a/haproxy/map/hosts.map b/haproxy/map/hosts.map
index bd2fd3f..e69de29 100644
--- a/haproxy/map/hosts.map
+++ b/haproxy/map/hosts.map
@@ -1,2 +0,0 @@
-localhost 127.0.0.1:1082|XX
-localhost 127.0.0.1:1083|XX
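Review bot: Commenting out `apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false` keeps gcc, libc6-dev, make and the other `-dev` packages from the install step in the final image, and turns the `apt-mark showmanual` / `apt-mark manual` bookkeeping just above it into dead code. If the purge was disabled because it removed something the later steps need (possibly ca-certificates or the Lua libraries — not determinable from the hunk), the fix is to add that package to the `apt-mark manual` list or install it after the purge, not to retain the whole toolchain in a runtime image that has no `USER`. The enclosing RUN starts and ends outside the hunk.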
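Review bot: In the hunk at line 94, the argon2 rock is installed three times in a row: the context line `RUN luarocks install argon2`, then `RUN luarocks install --lua-version 5.4 argon2`, then the same command again with `ARGON2_DIR=/usr ARGON2_LIBDIR=/usr/lib/x86_64-linux-gnu`. Keep only the invocation that is known to build (presumably the last one, given the explicit library paths) and drop `RUN lua -v`, which is a build-time probe that only adds a layer. The rewritten `RUN apt update && apt install -y git lua5.4 ...` also pins no versions, pulls in recommends and leaves `/var/lib/apt/lists` in the layer; the `apt-get ... --no-install-recommends ... && rm -rf /var/lib/apt/lists/*` form used earlier in this file fits here too.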
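Review bot: The new `default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)` applies to every server in `backend servers`, including the ones register-servers.lua adds at runtime with a plain `add server %s %s;` when `VERIFY_BACKEND_SSL` is unset; as far as I recall, servers added through the runtime API inherit the backend's `default-server` settings, so that plain-HTTP path would now attempt TLS to the backend. Either drop this line and keep the per-server `ssl verify ...` arguments the Lua script already emits, or move the decision entirely into the config and remove it from the script; having the policy in both places makes the effective behaviour depend on which one wins. Note that a relative `ca-file` is resolved against `ca-base` when that directive is set; confirming that it resolves to `/etc/ssl/certs/ca-certificates.crt` in this image would also show whether the permission change in the Dockerfile is needed at all.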
diff --git a/src/lua/scripts/register-servers.lua b/src/lua/scripts/register-servers.lua
index b1ecc1e..266ef0f 100644
--- a/src/lua/scripts/register-servers.lua
+++ b/src/lua/scripts/register-servers.lua
@@ -19,6 +19,7 @@ function setup_servers()
 local handle = io.open("/etc/haproxy/map/hosts.map", "r")
 local line = handle:read("*line")
 local verify_backend_ssl = os.getenv("VERIFY_BACKEND_SSL")
+ local verify_none = os.getenv("VERIFY_BACKEND_SSL_VERIFYNONE")
 local counter = 1
 -- NOTE: using tcp socket to interact with runtime API because lua can't add servers
 local tcp = core.tcp();
@@ -40,9 +41,15 @@ function setup_servers()
 local server_name = "servers/websrv" .. counter
 --NOTE: if you have a proper CA setup,
 if verify_backend_ssl ~= nil then
- tcp:send(string.format(
- "add server %s %s check ssl verify required ca-file ca-certificates.crt sni req.hdr(Host);",
- server_name, backend_host))
+ if verify_none ~= nil then -- for development use only
+ tcp:send(string.format(
+ "add server %s %s check ssl verify none ca-file ca-certificates.crt sni req.hdr(Host);",
+ server_name, backend_host))
+ else
+ tcp:send(string.format(
+ "add server %s %s check ssl verify required ca-file ca-certificates.crt sni req.hdr(Host);",
+ server_name, backend_host))
+ end
 else
 tcp:send(string.format("add server %s %s;", server_name, backend_host))
 end
diff --git a/src/lua/scripts/templates.lua b/src/lua/scripts/templates.lua
index 9e2c8d5..79487a9 100644
--- a/src/lua/scripts/templates.lua
+++ b/src/lua/scripts/templates.lua
@@ -49,7 +49,7 @@ _M.body = string.format([[
 %%s
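Review bot: In the hunk at line 41 the development switch is tested with `verify_none ~= nil`, so `VERIFY_BACKEND_SSL_VERIFYNONE=0` or an empty value also disables certificate verification, and nothing is logged when that happens. Compare against an explicit value, `if verify_none == "1" then -- development only: backend certificates are NOT verified`, and emit `core.Warning("VERIFY_BACKEND_SSL_VERIFYNONE is set: backend TLS certificates are not verified")` so the insecure mode is visible in the haproxy log; `ca-file` has no effect together with `verify none` and can be dropped from that command string. The same `~= nil` test is used for `verify_backend_ssl` on the context line above, so it is worth aligning both checks. setup_servers() starts and ends outside the hunk.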
- +