diff --git a/states/haproxy/defaults.yaml b/states/haproxy/defaults.yaml
index 9f70fea..0d35cab 100644
--- a/states/haproxy/defaults.yaml
+++ b/states/haproxy/defaults.yaml
@@ -14,6 +14,7 @@ haproxy:
 lib: false
 maps:
 - access
+ - domains
 - redirects
 - vhosts
 config:
@@ -80,5 +81,6 @@ haproxy:
 ddos:
 timeperiod: 10s
 maxrequests: 200
+ domains: {}
 vhosts: {}
 services: {}
diff --git a/states/haproxy/templates/haproxy.cfg.j2 b/states/haproxy/templates/haproxy.cfg.j2
index ec92b70..06b7b0b 100644
--- a/states/haproxy/templates/haproxy.cfg.j2
+++ b/states/haproxy/templates/haproxy.cfg.j2
@@ -121,6 +121,7 @@ frontend https
 mode http
 option httplog
 acl internal src -f {{ haproxy.config.dir }}/maps/access
+ acl domains req.hdr(Host),map_dom({{ haproxy.config.dir }}/maps/domains) -m found
 acl robots_txt path /robots.txt
 acl path_host path /host
 acl path_date path /date
@@ -141,6 +142,7 @@ frontend https
 http-request set-header X-Proto https if { ssl_fc }
 log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
 http-request redirect location %[req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects)] code 301 if { req.hdr(host),map_dom({{ haproxy.config.dir }}/maps/redirects) -m found }
+ http-request deny deny_status 404 unless domains
 use_backend %[req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/vhosts,nginx)]
 default_backend nginx
@@ -188,7 +190,7 @@ listen {{ name }}
 mode tcp
 option tcplog
 {%- if values.type == "postgres" %}
- option pgsql-check user postgres
+ option pgsql-check user repmgr
 option tcpka
 {%- endif %}
 default-server inter 3s fall 3
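Review bot: In the `frontend https` hunk at -121 of haproxy.cfg.j2, the new `acl domains` is looser than an exact allow-list. As far as I know, `map_dom` reports a match when any dot-delimited portion of the Host value equals a map key, so a key such as `example.com` (constructed example) would also be found for `example.com.other.test`. The lookup also has no `lower` converter, unlike the `use_backend` line in the next hunk, so a mixed-case Host for a listed domain would presumably get the 404. If exact host names are intended, consider `acl domains req.hdr(Host),lower,map({{ haproxy.config.dir }}/maps/domains) -m found`; if covering subdomains is the intent, add a comment above the ACL saying so. The frontend section starts and ends outside the hunk.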
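Review bot: In the `frontend https` hunk at -141 of haproxy.cfg.j2, the added `http-request deny deny_status 404 unless domains` fails closed while defaults.yaml in this same commit ships `domains: {}`. A deployment that has not populated the map would therefore answer 404 to every request the redirect rule above it does not catch, including requests from `internal` sources. Either render the rule only when the map has entries (`{%- if haproxy.domains %}` … `{%- endif %}`, assuming that is how the pillar key is exposed to the template) or add a comment next to `domains: {}` stating that it must be filled before rollout. If placing the deny after the redirect is deliberate, so that redirect-only hosts need not be listed, a one-line comment such as `# deny runs after redirects on purpose: redirect-only hosts are not in maps/domains` would record that.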
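Review bot: In the `listen {{ name }}` hunk at -188 of haproxy.cfg.j2, the health-check role is hard-coded, so `option pgsql-check user repmgr` ties every `postgres`-type listener to a role that exists only where repmgr is deployed. That role is often a privileged one. Consider taking the name from the service definition, e.g. `option pgsql-check user {{ values.check_user | default("repmgr") }}` (`check_user` is a proposed key, not one visible in this diff). Ideally point it at a dedicated low-privilege role that pg_hba.conf admits only from the balancer address. The `listen` block begins and ends outside the hunk.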