diff --git a/CHANGELOG.md b/CHANGELOG.md index dc08a807..bd0dd90f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ The **patch** part changes incrementally at each release. ### Added +* haproxy: enable stats frontend with access lists * lxc-php: Install php-sqlite by default * lxc-php: Don't disable putenv() by default in PHP settings * mysql: activate binary logs by specifying log_bin path diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index a0f4f259..6096567a 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml @@ -7,3 +7,10 @@ haproxy_force_config: True haproxy_socket: /run/haproxy/admin.sock haproxy_chroot: /var/lib/haproxy + +haproxy_stats_access_ips: [] +haproxy_stats_admin_ips: [] +haproxy_maintenance_ips: [] + +haproxy_stats_enable: False +haproxy_stats_bind: "*:8080 ssl crt /etc/haproxy/ssl/" diff --git a/haproxy/tasks/main.yml b/haproxy/tasks/main.yml index 8e3094fb..f17d14bc 100644 --- a/haproxy/tasks/main.yml +++ b/haproxy/tasks/main.yml @@ -35,4 +35,40 @@ - haproxy - config +- name: HAProxy stats_access_ips are present + blockinfile: + dest: /etc/haproxy/stats_access_ips + create: yes + block: | + {% for ip in haproxy_stats_access_ips | default([]) %} + {{ ip }} + {% endfor %} + notify: reload haproxy + tags: + - haproxy + - config + +- name: HAProxy stats_admin_ips are present + blockinfile: + dest: /etc/haproxy/stats_admin_ips + create: yes + block: | + {% for ip in haproxy_stats_admin_ips | default([]) %} + {{ ip }} + {% endfor %} + notify: reload haproxy + tags: + - haproxy + - config + +- name: HAProxy maintenance_ips are present + blockinfile: + dest: /etc/haproxy/maintenance_ips + create: yes + block: | + {% for ip in haproxy_maintenance_ips | default([]) %} + {{ ip }} + {% endfor %} + notify: reload haproxy + - include: munin.yml diff --git a/haproxy/templates/haproxy.default.cfg.j2 b/haproxy/templates/haproxy.default.cfg.j2 index 583cb347..09e0e3ff 100644 
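Review bot: `haproxy_stats_bind` defaults to the wildcard `*:8080`, so as soon as `haproxy_stats_enable` is turned on the stats listener is exposed on every interface and the `src` ACL files are the only control in front of it. The empty list defaults do fail closed (the template denies any source not listed in `stats_access_ips`), which is worth stating next to the variables, e.g. `# Sources allowed to view the stats page; empty list = nobody` and `# Sources allowed to use stats admin actions; must also be in haproxy_stats_access_ips`. A comment above `haproxy_stats_bind` should say that it is meant to be narrowed to a management address where one exists. `haproxy_maintenance_ips` is written to disk by the tasks but is not referenced by the template hunk in this commit, so a comment saying where it is consumed would help.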
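Review bot: The three list files are written with `blockinfile`, which only owns the text between its markers, so an address added by hand outside the block keeps its stats or admin access after the variable is changed and the play is rerun. For files that act as allow-lists, a `copy` with `content` makes the variable the single source of truth, and an explicit owner and mode stops the result depending on the umask. The same rewrite applies to the `stats_access_ips` and `maintenance_ips` tasks, and the `maintenance_ips` task is also missing the `tags` the other two carry.

```yaml
- name: HAProxy stats_admin_ips are present
  copy:
    dest: /etc/haproxy/stats_admin_ips
    # Whole file is rendered from the variable, so stale or hand-added entries are dropped.
    content: "{{ haproxy_stats_admin_ips | default([]) | join('\n') }}\n"
    owner: root
    group: root
    mode: "0644"
  notify: reload haproxy
  # … unchanged: tags …
```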
--- a/haproxy/templates/haproxy.default.cfg.j2 +++ b/haproxy/templates/haproxy.default.cfg.j2 @@ -37,3 +37,23 @@ defaults errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http + +{% if haproxy_stats_enable %} +listen stats + mode http + bind {{ haproxy_stats_bind }} + + stats enable + stats refresh 10s + stats uri / + stats show-legends + stats show-node + + acl stats_access_ips src -f /etc/haproxy/stats_access_ips + http-request deny if !stats_access_ips + + acl stats_admin_ips src -f /etc/haproxy/stats_admin_ips + stats admin if stats_admin_ips + + http-request set-log-level silent +{% endif %}
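Review bot: `http-request set-log-level silent` at the end of the `listen stats` block also applies to requests that pass the `stats admin if stats_admin_ips` rule, so a server disabled or drained through the page would presumably leave no request log entry carrying the source address. Limiting the silence to reads keeps an audit trail for state changes: `http-request set-log-level silent unless METH_POST`. Admin rights are also granted on source address alone; if the listener can be reached through NAT or another proxy, every client behind it shares that address, so a `stats auth` credential on top of the ACL is worth considering.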