diff --git a/Dockerfile b/Dockerfile
index 1a13d209d57212ab643ac8c1333307b55ad3e4da..afdc46f7d39e6cfe87a483aac8fb3ac92072b80c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,8 @@ FROM haproxy:2.2-alpine
 
 EXPOSE 2375
 ENV ALLOW_RESTARTS=0 \
+    ALLOW_STOP=0 \
+    ALLOW_START=0 \
     AUTH=0 \
     BUILD=0 \
     COMMIT=0 \
diff --git a/README.md b/README.md
index e2a5cb9f586ee10816ff6d6efe12cd79eaec7276..a9de927f021f2c21903d5848386f57b5645f5f3f 100644
--- a/README.md
+++ b/README.md
@@ -125,6 +125,9 @@ extremely critical but can expose some information that your service does not ne
 -   `COMMIT`
 -   `CONFIGS`
 -   `CONTAINERS`
+-   `ALLOW_START` (containers/`id`/`start`)
+-   `ALLOW_STOP` (containers/`id`/`stop`)
+-   `ALLOW_RESTARTS` (containers/`id`/`stop`|`restart`|`kill`)
 -   `DISTRIBUTION`
 -   `EXEC`
 -   `GRPC`
diff --git a/haproxy.cfg b/haproxy.cfg
index 0fff4bb57372e46ee63bb5643d9495ffcc459553..bfa961f2de75d0152f4b365c668784b1e16f5b6d 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -47,6 +47,8 @@ frontend dockerfrontend
     bind :2375
     http-request deny unless METH_GET || { env(POST) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start } { env(ALLOW_START) -m bool }
+    http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/stop } { env(ALLOW_STOP) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } { env(AUTH) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } { env(BUILD) -m bool }
     http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } { env(COMMIT) -m bool }
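Review bot: The path patterns on the new `ALLOW_START` and `ALLOW_STOP` rules have no end anchor, so each allows any path that merely begins with `/containers/<id>/start` or `/containers/<id>/stop`, not only those two endpoints. Because `path` excludes the query string, ending each pattern with `$` (for example `^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start$`) should keep the allow-list exact; the existing `ALLOW_RESTARTS` rule has the same shape. Both new rules sit below `http-request deny unless METH_GET || { env(POST) -m bool }`, so as far as this hunk shows they do nothing unless `POST` is also enabled, which deserves a comment above them such as `# start/stop are POST requests: these rules only take effect when POST=1`. `ALLOW_STOP=0` also does not block stop when `ALLOW_RESTARTS` is set, because that rule already matches `stop`. The frontend section continues outside the hunk, so the default action after these rules is not visible here.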