Add rate limiting, connection limits, and timeout hardening

Activate HAProxy's built-in attack prevention to stop floods that cause
the container to become unresponsive:

- Stick table tracks per-IP: conn_cur, conn_rate, http_req_rate, http_err_rate
- Rate limit rules: deny at 50 req/s, tarpit at 20 req/s, connection
  rate limit at 60/10s, concurrent connection cap at 100, error rate
  tarpit at 20 errors/30s
- Harden timeouts: http-request 300s→30s, connect 120s→10s, client
  10m→5m, keep-alive 120s→30s
- HTTP/2 Rapid Reset protection (CVE-2023-44487): stream and glitch limits
- Stats frontend on localhost:8404 for monitoring
- HEALTHCHECK now validates both port 80 (HAProxy) and 8000 (API)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

templates/hap_header.tpl

@@ -27,6 +27,10 @@ global
     # SSL and Performance
     tune.ssl.default-dh-param 2048
 
+    # HTTP/2 protection against Rapid Reset (CVE-2023-44487) and stream abuse
+    tune.h2.fe.max-total-streams 2000
+    tune.h2.fe.glitches-threshold 50
+
     # Stats persistence for zero-downtime reloads
     stats-file /var/lib/haproxy/stats.dat
 #---------------------------------------------------------------------
@@ -42,12 +46,12 @@ defaults
     option forwardfor       #except 127.0.0.0/8
     option                  redispatch
     retries                 3
-    timeout http-request    300s
+    timeout http-request    30s
     timeout queue           2m
-    timeout connect         120s
-    timeout client          10m
+    timeout connect         10s
+    timeout client          5m
     timeout server          10m
-    timeout http-keep-alive 120s
+    timeout http-keep-alive 30s
     timeout check           10s
     timeout tarpit          10s  # Tarpit delay for low-level scanners (before silent-drop)
     maxconn                 3000