SSH
HAproxy can sit in front of an SSH server and using the TCP feature, Knocknoc can work together to allow access to a bastion host easily.
You may want to rebind your SSH server to different port in sshd_config, and then configure HAproxy to listen on port 22, and only proxy connections to the new port once the ACL condition from Knocknoc is met.
Or you may want to have an external HAproxy server with knocknoc-agent, proxy to internal SSH bastions in another DMZ.