Router: Block private services at the HAProxy level.

HAProxy is used to inspect the SNI and route to the correct backend
without needing the SSL certificates and keys. Because it opens a new
TCP connection, the source IP at the other side is always the router's
internal IP so we can't filter there based on the source IP.