diff --git a/Dockerfile b/Dockerfile
index 0a6d35e..8d7a62b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,8 @@
 FROM haproxy:1.9-alpine
 
 EXPOSE 2375
-ENV AUTH=0 \
+ENV ALLOW_RESTARTS=0 \
+    AUTH=0 \
     BUILD=0 \
     COMMIT=0 \
     CONFIGS=0 \
diff --git a/haproxy.cfg b/haproxy.cfg
index 3a5c677..fa85fb4 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -42,6 +42,7 @@ backend dockerbackend
 frontend dockerfrontend
     bind :2375
     http-request deny unless METH_GET || { env(POST) -m bool }
+    http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/[^/]+/((stop)|(restart)|(kill)) } ! { env(ALLOW_RESTARTS) -m bool }
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/auth } ! { env(AUTH) -m bool }
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/build } ! { env(BUILD) -m bool }
     http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/commit } ! { env(COMMIT) -m bool }