diff --git a/Dockerfile b/Dockerfile
index 1a13d20..afdc46f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,8 @@ FROM haproxy:2.2-alpine
 EXPOSE 2375
 ENV ALLOW_RESTARTS=0 \
+ ALLOW_STOP=0 \
+ ALLOW_START=0 \
 AUTH=0 \
 BUILD=0 \
 COMMIT=0 \
diff --git a/README.md b/README.md
index e2a5cb9..a9de927 100644
--- a/README.md
+++ b/README.md
@@ -125,6 +125,9 @@ extremely critical but can expose some information that your service does not ne
 - `COMMIT`
 - `CONFIGS`
 - `CONTAINERS`
+- `ALLOW_START` (containers/`id`/`start`)
+- `ALLOW_STOP` (containers/`id`/`stop`)
+- `ALLOW_RESTARTS` (containers/`id`/`stop`|`restart`|`kill`)
 - `DISTRIBUTION`
 - `EXEC`
 - `GRPC`
diff --git a/haproxy.cfg b/haproxy.cfg
index 73ad6aa..34c7b00 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg
@@ -44,9 +44,11 @@ backend docker-events
 timeout server 0
 frontend dockerfrontend
- bind :2375
+ bind :::2375 v4v6
 http-request deny unless METH_GET || { env(POST) -m bool }
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?(/\w+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) } { env(ALLOW_RESTARTS) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?(/\w+)?/containers/[a-zA-Z0-9_.-]+/start } { env(ALLOW_START) -m bool }
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?(/\w+)?/containers/[a-zA-Z0-9_.-]+/stop } { env(ALLOW_STOP)
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?(/\w+)?/auth } { env(AUTH) -m bool }
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?(/\w+)?/build } { env(BUILD) -m bool }
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?(/\w+)?/commit } { env(COMMIT) -m bool }
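Review bot: The new `ALLOW_STOP` rule in the haproxy.cfg hunk ends at `{ env(ALLOW_STOP)` with no `-m bool }` closing the second ACL, unlike every neighbouring rule; if that is not a transcription artefact of this listing, HAProxy will reject the configuration at startup, and the line should read `http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?(/\w+)?/containers/[a-zA-Z0-9_.-]+/stop } { env(ALLOW_STOP) -m bool }`. Because the pre-existing `ALLOW_RESTARTS` rule already matches `/stop`, setting `ALLOW_STOP=0` does not block stop requests while `ALLOW_RESTARTS=1`; the README lists the overlap, but a comment above the two rules such as `# ALLOW_RESTARTS is a superset of ALLOW_STOP (stop|restart|kill)` would make the precedence obvious to operators reading only the config. The `bind :::2375 v4v6` change makes this unauthenticated frontend listen on IPv6 as well as IPv4, so whatever network-level restriction guards the socket (firewall rules, Docker network scoping) now has to cover both address families. The new regexes, like the existing ones, are anchored only at the start (`/start` rather than `/start$`), which is consistent with the file but worth keeping in mind since this allow-list is the only access control in front of the Docker socket.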