diff --git a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
index 6e5b71bf72..ea4e3321ff 100644
--- a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
+++ b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
@@ -16,6 +16,9 @@ frontend {{ service_name }}_front
mode {{ service_mode }}
{% endif %}
{% if service_mode == 'http' %}
+ {% if external|bool %}
+ http-request deny if { path -i -m beg /server-status }
+ {% endif %}
{# Delete any pre-populated XFP header #}
http-request del-header X-Forwarded-Proto
{% for http_option in frontend_http_extra %}
diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2
index b54591e563..d21aea26e3 100644
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
@@ -34,6 +34,10 @@ TraceEnable off
Require all granted
+
+ Require local
+
+
{% if kolla_base_distro in ['debian', 'ubuntu'] and horizon_install_type == 'binary' %}
Alias /static /var/lib/openstack-dashboard/static
{% else %}
diff --git a/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml b/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml
new file mode 100644
index 0000000000..ebf0f8f782
--- /dev/null
+++ b/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml
@@ -0,0 +1,7 @@
+---
+security:
+ - |
+ Restrict the access to the http Openstack services exposed /server-status
+ by default through the HAProxy on the public endpoint. Fixes issue for
+ Ubuntu/Debian installations. RockyLinux/CentOS not affected.
+ `LP#1996913 `__