diff --git a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 index 0da0a511c8..c795ce267d 100644 --- a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 +++ b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 @@ -16,6 +16,9 @@ frontend {{ service_name }}_front mode {{ service_mode }} {% endif %} {% if service_mode == 'http' %} + {% if external|bool %} + http-request deny if { path -i -m beg /server-status } + {% endif %} {# Delete any pre-populated XFP header #} http-request del-header X-Forwarded-Proto {% for http_option in frontend_http_extra %} diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2 index 953d070b54..0c6cc0eb25 100644 --- a/ansible/roles/horizon/templates/horizon.conf.j2 +++ b/ansible/roles/horizon/templates/horizon.conf.j2 @@ -30,6 +30,10 @@ TraceEnable off Require all granted + + Require local + + Alias /static {{ python_path }}/static SetHandler None diff --git a/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml b/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml new file mode 100644 index 0000000000..ebf0f8f782 --- /dev/null +++ b/releasenotes/notes/http-services-deny-server-status-39d0259664053e59.yaml @@ -0,0 +1,7 @@ +--- +security: + - | + Restrict the access to the http Openstack services exposed /server-status + by default through the HAProxy on the public endpoint. Fixes issue for + Ubuntu/Debian installations. RockyLinux/CentOS not affected. + `LP#1996913 `__
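Review bot: The added `http-request deny if { path -i -m beg /server-status }` matches the request path as HAProxy received it, so it protects a backend only as long as that backend maps exactly the same set of paths to its status handler. I would treat it as defence in depth and keep an access restriction on the status location in each backend's own web-server config, as this commit does for Horizon. The rule is also limited to `external|bool` frontends, so the status page stays reachable through the internal frontend; that looks intentional but is not stated anywhere in the template. A comment in the style of the following line would record the intent, e.g. `{# Deny the web server status page on the public endpoint #}`. The frontend block starts and continues outside this hunk.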
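Review bot: `Require local` in the added block may not keep proxied requests out, because Apache also treats a connection as local when its client and server addresses are the same. That is the case if HAProxy runs on the same host and connects to Horizon on that host's own address. The enclosing directive's tags did not survive on this page, so I am assuming the block scopes the status location. If co-location is possible, the HAProxy deny rule is the only thing closing the public endpoint, and the internal endpoint stays open to whatever can reach it. Either document that with `# Requests proxied by a co-located HAProxy also satisfy "Require local"`, or narrow the rule to loopback with `Require ip 127.0.0.0/8 ::1` after checking that nothing polls the status page over the host address.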