diff --git a/elements/haproxy/README.md b/elements/haproxy/README.md
new file mode 100644
index 000000000..e7fcd3905
--- /dev/null
+++ b/elements/haproxy/README.md
@@ -0,0 +1,31 @@
+Element to install haproxy. This element proxies services listed in
+haproxy.services and additionally enables ports in firewall.
+
+Configuration
+-------------
+
+haproxy:
+ nodes:
+ - name: notcompute
+ ip: 192.0.2.5
+ - name: notcomputeSlave0
+ ip: 192.0.2.6
+ services:
+ - name: dashboard_cluster
+ proxy_port: 444
+ port: 443
+ - name: glance_api_cluster
+ proxy_port: 9293
+ port:9292
+
+You can override set of nodes for a service by setting its own set of
+haproxy.nodes inside a service definition:
+
+ services:
+ - name: dashboard_cluster
+ proxy_port: 444
+ port: 443
+ haproxy:
+ nodes:
+ - name: foo0
+ ip: 10.0.0.1
diff --git a/elements/haproxy/install.d/76-haproxy b/elements/haproxy/install.d/76-haproxy
new file mode 100755
index 000000000..e0261e322
--- /dev/null
+++ b/elements/haproxy/install.d/76-haproxy
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -eux
+
+install-packages haproxy
+
+if [ "$DIB_INIT_SYSTEM" == "systemd" ] ; then
+ systemctl enable haproxy.service
+fi
+
+# haproxy service has to be explicitly enabled in /etc/default/haproxy on ubuntu/debian systems
+[ -f /etc/default/haproxy ] && sed -i -e 's/ENABLED=0/ENABLED=1/' /etc/default/haproxy
diff --git a/elements/haproxy/os-config-applier/etc/haproxy/haproxy.cfg b/elements/haproxy/os-config-applier/etc/haproxy/haproxy.cfg
new file mode 100644
index 000000000..3075de753
--- /dev/null
+++ b/elements/haproxy/os-config-applier/etc/haproxy/haproxy.cfg
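Review bot: The last line of install.d/76-haproxy, `[ -f /etc/default/haproxy ] && sed -i -e 's/ENABLED=0/ENABLED=1/' /etc/default/haproxy`, makes the whole hook exit with status 1 on any image that has no /etc/default/haproxy (the Fedora/RHEL case the iptables hook in this same change caters for): a script's exit status is that of its last command, and `set -e` does not rescue a failed left-hand side of `&&`, so the test's non-zero status becomes the hook's. If install.d hooks abort the build on failure, as is usual, this breaks non-Debian images. Write it as a conditional instead: `if [ -f /etc/default/haproxy ]; then sed -i -e 's/ENABLED=0/ENABLED=1/' /etc/default/haproxy; fi`. Note also that with `set -u` the `"$DIB_INIT_SYSTEM"` test aborts the hook if that variable can ever be unset in the build environment; a `"${DIB_INIT_SYSTEM:-}"` default would make that explicit.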
@@ -0,0 +1,31 @@
+global
+ chroot /var/lib/haproxy
+ daemon
+ group haproxy
+ maxconn 4000
+ pidfile /var/run/haproxy.pid
+ user haproxy
+
+defaults
+ log global
+ maxconn 8000
+ retries 3
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 1m
+ timeout server 1m
+ timeout check 10s
+
+{{#haproxy.services}}
+listen {{name}}
+ bind *:{{proxy_port}}
+ mode tcp
+ balance source
+ option tcpka
+ option tcplog
+ {{#haproxy.nodes}}
+ server {{name}} {{ip}}:{{port}} check inter 2000 rise 2 fall 5
+ {{/haproxy.nodes}}
+
+{{/haproxy.services}}
diff --git a/elements/haproxy/os-refresh-config/post-configure.d/20-haproxy b/elements/haproxy/os-refresh-config/post-configure.d/20-haproxy
new file mode 100755
index 000000000..9bff41f3f
--- /dev/null
+++ b/elements/haproxy/os-refresh-config/post-configure.d/20-haproxy
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -eux
+
+service haproxy restart
diff --git a/elements/haproxy/os-refresh-config/pre-configure.d/98-haproxy-iptables b/elements/haproxy/os-refresh-config/pre-configure.d/98-haproxy-iptables
new file mode 100755
index 000000000..fef40738b
--- /dev/null
+++ b/elements/haproxy/os-refresh-config/pre-configure.d/98-haproxy-iptables
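Review bot: The `defaults` section says `log global` and every listener sets `option tcplog`, but the `global` section declares no `log` target, so haproxy emits no connection log at all — this proxy fronts the dashboard and API endpoints, and having no record of who connected to them is a gap for incident response. Add a target under `global`, e.g. `log 127.0.0.1 local0`; because the process is chrooted to /var/lib/haproxy, a unix-socket target such as /dev/log would have to exist inside the chroot, which a UDP syslog target avoids. Separately, `bind *:{{proxy_port}}` listens on every address of the node for each service; if the deployment has a separate management network (the change does not show the topology), templating the bind address would keep the listeners off interfaces that do not need them.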
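Review bot: `service haproxy restart` in post-configure.d/20-haproxy runs on every os-refresh-config pass and drops every established TCP session through the proxy, and it does so without validating the freshly rendered /etc/haproxy/haproxy.cfg — a bad metadata value (a service entry without `port`, say) leaves haproxy down instead of on its previous configuration. Check the file first and prefer a reload so existing connections survive: `haproxy -c -q -f /etc/haproxy/haproxy.cfg` followed by `service haproxy reload`, falling back to `restart` only when the service is not yet running (whether the platform's init script implements reload is not visible in the change).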
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -eu
+
+DISTRO=`lsb_release -si` || true
+
+if [[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]; then
+
+ # Check if the iptables service is active
+ if systemctl is-active iptables.service ; then
+ IPT_FILE=/etc/sysconfig/iptables
+ if [ -f $IPT_FILE ]; then
+ iptables-restore < $IPT_FILE
+ fi
+
+ CONF=`os-apply-config --key haproxy.services --type raw | sed "s/u'/'/g"|sed "s/'/\"/g"`
+ [ -z "$CONF" ] && exit 0
+
+ # parses metadata hash and returns lines in "port-proxy_port" format:
+ LINES=`echo "$CONF" | python -c 'import json,sys;obj=json.load(sys.stdin);print "\n".join(["%d-%d" % (x["port"], x["proxy_port"]) for x in obj])'`
+ [ -z "$LINES" ] && exit 0
+
+ for LINE in $LINES; do
+ PORT=${LINE%-*}
+ PROXY_PORT=${LINE#*-}
+ # keystone is the only exception where ports are twisted - real
+ # service listens on non-standard port if haproxy is used so
+ # PORT instead of PROXY_PORT should be enabled
+ if [ $PROXY_PORT = "5000" -o $PROXY_PORT = "35357" ];then
+ FW_PORT=$PORT
+ else
+ FW_PORT=$PROXY_PORT
+ fi
+ RULE="INPUT -p tcp --dport $FW_PORT -j ACCEPT"
+ iptables -C $RULE 2>/dev/null || iptables -I $RULE
+ done
+
+ iptables-save > $IPT_FILE
+ fi
+
+fi
diff --git a/elements/keystone/os-config-applier/etc/keystone/keystone.conf b/elements/keystone/os-config-applier/etc/keystone/keystone.conf
index 2a72d4259..09112d62d 100644
--- a/elements/keystone/os-config-applier/etc/keystone/keystone.conf
+++ b/elements/keystone/os-config-applier/etc/keystone/keystone.conf
@@ -11,6 +11,15 @@ verbose={{keystone.verbose}}
 debug={{keystone.debug}}
 {{/keystone.debug}}
+{{#haproxy}}
+# if haproxy is used, run real keystone on no-default port,
+# haproxy will listen on the default port.
+# For other openstack services haproxy can listen on different ports and
+# endpoints in keystone will just point to this no-default ports
+public_port = 5010
+admin_port = 35367
+{{/haproxy}}
+
 [sql]
 connection = {{keystone.db}}
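Review bot: The distro guard `[[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]` has its operands reversed — it tests whether `$DISTRO` occurs inside the literal — so an empty `DISTRO` (the `|| true` path when lsb_release is absent) matches everything, as would any fragment such as `Cent`. Use an exact match instead: `case "$DISTRO" in RedHatEnterpriseServer|CentOS|Fedora) ;; *) exit 0 ;; esac`. The rule `INPUT -p tcp --dport $FW_PORT -j ACCEPT` carries no source restriction, so on the keystone branch the non-default port the real service listens on is opened to any source rather than only to the haproxy front ends; `haproxy.nodes` already holds those front-end IPs, so a per-node `-s <ip>` qualifier would narrow the exposure if they are the only intended clients. The `sed "s/u'/'/g"|sed "s/'/\"/g"` rewrite of a Python repr into JSON breaks on any value containing a quote and only holds up here because the Python side forces `%d`; if os-apply-config offers a JSON output type, reading that directly would be more robust.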
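Review bot: `public_port = 5010` and `admin_port = 35367` are literals that must agree with two other places in this change — the `port` given for keystone under `haproxy.services` and the `5000`/`35357` special case in the iptables hook — and nothing ties them together, so editing any one of them silently breaks either the proxying or the firewall opening. Sourcing them from the same metadata, e.g. `public_port = {{keystone.public_port}}`, would give a single point of truth, if the keystone metadata keys allow it (the change does not show them). The block is also keyed on `{{#haproxy}}` alone, so keystone moves to the non-default ports whenever any haproxy metadata is present, even if keystone is not among the proxied services; that deserves a comment or a more specific condition. Finally, "no-default" in the comment should read "non-default" (both occurrences).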