diff --git a/defaults/main.yml b/defaults/main.yml
index ddb2f85222e2d073f31aa7ce7a970f1d0a7b43cc..180921e91b8a03f204636266a7ba39c7e558417e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,3 @@
 default_proxy: ''
 proxy_default_backend: ''
+proxy_blacklist_ips: []
diff --git a/tasks/configure.yml b/tasks/configure.yml
index cb46641b5bb7c17fb51c1b1fe2a7b727ce3ce95f..774c2b714ab49ca067e53dc19e7c154ce13dcc75 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -67,3 +67,12 @@
         hour='*'
         minute='*/1'
         job='/etc/haproxy/update/update.sh >/dev/null 2>&1'
+
+- name: "Proxy | Update blacklist"
+  template: src=blacklist
+            dest=/etc/haproxy/blacklist
+            owner=root
+            group=root
+            mode=644
+  when: scope == 'all'
+  notify: 'Proxy | Restart HAProxy'
diff --git a/templates/blacklist b/templates/blacklist
new file mode 100644
index 0000000000000000000000000000000000000000..ef4547ec71ccb381225c39a021c5efd32e9f7caa
--- /dev/null
+++ b/templates/blacklist
@@ -0,0 +1,3 @@
+{% for line in hostvars[item]['proxy_blacklist_ips'] %}
+{{line}}
+{% endfor %}
diff --git a/templates/haproxy_cfg b/templates/haproxy_cfg
index 2e045f75a1811696886d6777343b3550ba111e85..2bad328f85cde37a6d89eb318d4cf92fb5df5e92 100644
--- a/templates/haproxy_cfg
+++ b/templates/haproxy_cfg
@@ -43,6 +43,8 @@ listen stats 127.0.0.1:7000
 
 frontend http-in
   bind *:80
+  acl blockedip src  -i -f /etc/haproxy/blacklist
+  http-request deny if blockedip
 {% for host in groups['all'] %}
 {% if hostvars[host]['proxy_redirect'] %}
 {% for redirect in hostvars[host]['proxy_redirect'] %}
@@ -67,6 +69,8 @@ frontend http-in
 
 frontend https-in
   bind :443 ssl crt /etc/haproxy/certs/s-verein.de.pem no-sslv3
+  acl blockedip src  -i -f /etc/haproxy/blacklist
+  http-request deny if blockedip
 {% for host in groups['all'] %}
 {% if hostvars[host]['proxy_redirect'] %}
 {% for redirect in hostvars[host]['proxy_redirect'] %}