diff --git a/ansible/haproxy/haproxy.cfg.j2 b/ansible/haproxy/haproxy.cfg.j2
index 3607002..161175c 100644
--- a/ansible/haproxy/haproxy.cfg.j2
+++ b/ansible/haproxy/haproxy.cfg.j2
@@ -9,6 +9,7 @@ global
 log /dev/log local0
 log /dev/log local1 notice
 stats timeout 30s
+ maxconn 4096
 # Ubuntu systemd service handles user/group and daemonization
 # Default SSL material locations
@@ -30,17 +31,25 @@ defaults
 timeout connect 5s
 timeout client 50s
 timeout server 50s
+ # Slowloris protection: cap time to receive the full request/keep-alive idle
+ timeout http-request 10s
+ timeout http-keep-alive 10s
 # Stats page with Prometheus metrics
 listen stats
 bind *:{{ haproxy_stats_port }}
 mode http
+ # Restrict to the Ouranos LAN + localhost (Alloy scrapes via localhost).
+ # Belt-and-suspenders alongside host-level firewalling.
+ acl from_internal src 10.10.0.0/16 127.0.0.0/8
+ http-request deny unless from_internal
 stats enable
 stats uri /metrics
 stats refresh 15s
 stats show-legends
 stats show-node
-
+ stats hide-version
+ # Prometheus metrics endpoint
 http-request use-service prometheus-exporter if { path /metrics }
diff --git a/terraform/versions.tf b/terraform/versions.tf
index 37f72c4..6ebbcda 100644
--- a/terraform/versions.tf
+++ b/terraform/versions.tf
@@ -4,6 +4,7 @@ terraform {
 required_providers {
 incus = {
 source = "lxc/incus"
+ version = "~> 1.0"
 }
 }
 }
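Review bot: The new global `maxconn 4096` is a process-wide cap that the `listen stats` section shares with every application frontend, and nothing in this hunk gives the application frontend its own limit, so a frontend that reaches the global cap on its own makes the metrics endpoint unreachable exactly when it is most useful. Consider an explicit `maxconn` on the main application frontend somewhat below 4096 so the stats listener keeps headroom for the Alloy scrape. The default for a frontend without its own `maxconn` has changed across HAProxy releases (historically a fixed 2000, the global value in recent ones), so verify against the deployed version before relying on it. The `global` section continues outside the hunk.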
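Review bot: `http-request deny unless from_internal` only rejects after the TCP connection has been accepted and the request headers parsed, so an off-LAN client can still open connections to the stats port and hold each one for the full `timeout http-request 10s` while it counts against the new global `maxconn`. Because `src` is a layer-4 criterion, the same ACL can be enforced at accept time with `tcp-request connection reject unless from_internal` placed above the `http-request deny` line (keeping the latter as the layer-7 backstop), or the listener can bind only to 127.0.0.1 and the LAN address rather than `*:{{ haproxy_stats_port }}`. The ACL lists IPv4 ranges only, which matches the IPv4-only `*` bind, but if the bind is ever changed to a dual-stack socket `::1` would need adding for the localhost scrape to keep working. The `listen stats` section appears complete in the hunk; the `defaults` block preceding it starts outside the hunk.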