Black Fedora No worries! This config seems to be working well for me. I lowered the inspect-delay to 3s. Thanks for your help and advice.

Oh wow! Thanks Black Fedora for this config guide. I have spent all day playing around with it. I'm in tcp mode so I used tcp-request content deny instead of http-request deny and found out I needed to add tcp-request inspect-delay 5s to make it work. Does that sounds about right?

Nice! How do you do this to block CIDR ranges from a different header? E.g get the IP from the X-Forwarded-For header and compare against a blacklist?