Fix HAProxy 3.0.11 compatibility issues
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m54s
Major syntax and configuration updates for HAProxy 3.0.11:

Configuration Fixes:
- Remove conflicting stick-table declarations in frontend
- Move security tables to separate backend sections
- Fix ACL syntax errors (missing_browser_headers → separate ACLs)
- Remove unsupported add-var() syntax
- Simplify threat scoring to use flags instead of cumulative values

Security Table Architecture:
- security_blacklist: 24h persistent offender tracking
- wp_403_track: WordPress authentication failure monitoring
- Separated from main frontend table to avoid conflicts

Simplified Threat Detection:
- low_threat: Rate abuse, suspicious methods, missing headers
- medium_threat: SQL injection, directory traversal, WordPress brute force
- high_threat: Bot scanners, admin scans, shell attempts
- critical_threat: Blacklisted IPs, auto-blacklist candidates

Response System:
- Low threat: Warning headers only
- Medium threat: Tarpit delays
- High threat: Immediate deny (403)
- Critical threat: Blacklist and deny

Enhanced Compatibility:
- Removed HAProxy 2.6-specific syntax
- Updated to HAProxy 3.0.11 requirements
- Maintained security effectiveness with simpler logic
- Added security tables template integration

The system maintains comprehensive protection while being compatible with HAProxy 3.0.11's stricter parsing and syntax requirements.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
6
templates/hap_security_tables.tpl
Normal file
@@ -0,0 +1,6 @@
|
||||
# Security stick tables for multi-table tracking
|
||||
backend security_blacklist
|
||||
stick-table type ip size 20k expire 24h store gpc0,gpc1
|
||||
|
||||
backend wp_403_track
|
||||
stick-table type ip size 50k expire 15m store http_err_rate(10s)
|
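Review bot: In the `wp_403_track` backend, `store http_err_rate(10s)` is not specific to 403s. HAProxy's `http_err_rate` counts client-side errors in general (4xx responses as well as denied or tarpitted requests), so 404s and the tarpit and deny responses described in the commit message can feed the counter that the table name attributes to WordPress authentication failures. If the intent is to count only 403s, store a general-purpose counter instead, for example `store gpc0,gpc0_rate(10s)`, and increment it from a rule that matches the 403 status. Two smaller points on `security_blacklist`: nothing documents what `gpc0` and `gpc1` each represent, so a one-line comment per counter would help; and the `stick-table` line has no `peers` argument, so the entries live only in process memory and the 24h blacklist starts empty after a reload or restart.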