diff --git a/Dockerfile b/Dockerfile
index 0a6d35e95813fabad4ba19b437764d1619fbbffa..8d7a62b22b7837ecbbbe4688ae0c419be9c96d99 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,8 @@
 FROM haproxy:1.9-alpine
 
 EXPOSE 2375
-ENV AUTH=0 \
+ENV ALLOW_RESTARTS=0 \
+    AUTH=0 \
     BUILD=0 \
     COMMIT=0 \
     CONFIGS=0 \
diff --git a/haproxy.cfg b/haproxy.cfg
index 3a5c67758b049c61e35b2d442dc28b8116aa2303..fa85fb47b71d60960b0b8519981e98cff4a21166 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -42,6 +42,7 @@ backend dockerbackend
 frontend dockerfrontend
     bind :2375
     http-request deny unless METH_GET || { env(POST) -m bool }
+    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[^/]+/((stop)|(restart)|(kill)) } ! { env(ALLOW_RESTARTS) -m bool }
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } ! { env(AUTH) -m bool }
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } ! { env(BUILD) -m bool }
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } ! { env(COMMIT) -m bool }
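Review bot: The added stop/restart/kill rule sits after `http-request deny unless METH_GET || { env(POST) -m bool }`, so `ALLOW_RESTARTS=1` grants nothing by itself: these Docker Engine endpoints are POST requests and are already rejected when POST is unset. What the line does change is the `POST=1` case, where stop, restart and kill are now denied unless the new flag is set. Because the Dockerfile hunk defaults the flag to 0, deployments that rely on `POST=1` for these calls will lose them on upgrade. That is the safer default, but it should be stated where operators read it, for example above the rule: `# stop/restart/kill are POST endpoints: only effective with POST=1; denied unless ALLOW_RESTARTS=1`. The flag name suggests restart only while the regex also gates stop and kill, and the frontend block continues outside the hunk, so later rules may restrict these paths further.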