diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml index 94c57028c..196da4983 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml @@ -17,6 +17,12 @@ info + + haproxy.general.tuning.chroot + + checkbox +
NOTE: Enabling chroot will deactivate logging to localhost, because the local syslogd is running in secure mode and does not accept network connections (and it's log socket is not accessible from the chroot directory). You'll need to log to a remote host when enabling the chroot feature.
]]>
+
haproxy.general.tuning.nbproc diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 74ae5cbbe..d5aad8fe6 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -10,6 +10,10 @@ Y + + 0 + Y + 1 500000 @@ -132,7 +136,7 @@ daemon ftp kern - local0 + local0 [default] local1 local2 local3 diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh index b8c57f0f0..12cde91c0 100755 --- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh +++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh @@ -1,6 +1,6 @@ #!/bin/sh -HAPROXY_DIRS="/var/log/haproxy /var/run/haproxy /var/etc/haproxy/ssl /var/etc/haproxy/lua /var/etc/haproxy/errorfiles" +HAPROXY_DIRS="/var/run/haproxy /var/etc/haproxy/ssl /var/etc/haproxy/lua /var/etc/haproxy/errorfiles" for directory in ${HAPROXY_DIRS}; do mkdir -p ${directory} diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS index 6e4c913d2..82cf9aac2 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS @@ -1,2 +1,3 @@ haproxy.conf:/usr/local/etc/haproxy.conf +haproxy.inc:/usr/local/etc/inc/plugins.inc.d/haproxy.inc rc.conf.d:/etc/rc.conf.d/haproxy diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index ebb6657ec..51b6f4a12 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf 
@@ -443,7 +443,11 @@
 global
 uid 80
 gid 80
+{% if OPNsense.HAProxy.general.tuning.chroot == "1" %}
+ # NOTE: chroot prevents (most) local logging, you need to enable remote
+ # logging when using it (because syslogd is running in secure mode).
 chroot /var/run/haproxy
+{% endif %}
 daemon
 stats socket /var/run/haproxy.socket level admin
 nbproc {{OPNsense.HAProxy.general.tuning.nbproc}}
@@ -465,12 +469,18 @@ global
 {% if OPNsense.HAProxy.general.tuning.luaMaxMem|default("") != "" %}
 tune.lua.maxmem {{OPNsense.HAProxy.general.tuning.luaMaxMem}}
 {% endif %}
-{# # logging configuration #}
-{% set logging = [] %}
-{% do logging.append(OPNsense.HAProxy.general.logging.host) %}
-{% do logging.append('len ' ~ OPNsense.HAProxy.general.logging.length) if OPNsense.HAProxy.general.logging.length|default("") != "" %}
-{% do logging.append(OPNsense.HAProxy.general.logging.facility) %}
-{% do logging.append(OPNsense.HAProxy.general.logging.level) if OPNsense.HAProxy.general.logging.level|default("") != "" %}
+{# # logging configuration #}
+{% set logging = [] %}
+{% if OPNsense.HAProxy.general.logging.host != '127.0.0.1' %}
+{% do logging.append(OPNsense.HAProxy.general.logging.host) %}
+{% else %}
+{# # NOTE: syslogd is running is secure mode and thus does not accept network #}
+{# # connections. That's why we need to use the log socket instead. #}
+{% do logging.append('/var/run/log') %}
+{% endif %}
+{% do logging.append('len ' ~ OPNsense.HAProxy.general.logging.length) if OPNsense.HAProxy.general.logging.length|default("") != "" %}
+{% do logging.append(OPNsense.HAProxy.general.logging.facility) %}
+{% do logging.append(OPNsense.HAProxy.general.logging.level) if OPNsense.HAProxy.general.logging.level|default("") != "" %}
 log {{logging|join(' ')}}
 {% if OPNsense.HAProxy.luas.lua is defined %}
 # lua scripts
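Review bot: Wrapping `chroot /var/run/haproxy` in `{% if OPNsense.HAProxy.general.tuning.chroot == "1" %}` turns a confinement that used to be unconditional into an opt-in. The model hunk in this commit appears to default the new field to 0, so existing installs would presumably lose the chroot on their next config render. The process still runs as uid/gid 80, but it would no longer be restricted to an empty directory if the proxy is compromised. Consider defaulting the option to enabled, or at least adding an `{% else %}` branch that emits `# chroot disabled via tuning option; process is not filesystem-confined` so the generated config records the weaker posture. The global section continues outside the hunk.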
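Review bot: The loopback test `logging.host != '127.0.0.1'` matches only that literal, so if the host field accepts `localhost` or `::1` those are still written as network targets, which the secure-mode syslogd drops without any error. Comparing against a list would cover them: `{% if OPNsense.HAProxy.general.logging.host not in ['127.0.0.1', 'localhost', '::1'] %}`. In addition, when the chroot option is on, the substituted `/var/run/log` is by the commit's own note not reachable from inside `/var/run/haproxy`, so the proxy runs with no logs and nothing in the rendered config says so. Silent loss of proxy logs is a detection gap. In the loopback branch, when `tuning.chroot == "1"`, emit a comment such as `# WARNING: chroot is enabled; the local log socket is unreachable, configure a remote log host`.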
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.inc b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.inc
new file mode 100644
index 000000000..fd9af8723
--- /dev/null
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.inc
@@ -0,0 +1,65 @@
+
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ * register legacy syslog facilities
+ * @return array
+ */
+function haproxy_syslog()
+{
+ $syslogconf = array();
+ $syslogconf['haproxy'] = array("facility" => array('haproxy'), "remote" => "haproxy");
+ return $syslogconf;
+}
+
+/**
+ * register legacy service
+ * @return array
+ */
+function haproxy_services()
+{
+ global $config;
+ $services = array();
+
+ if (isset($config['OPNsense']['HAProxy']['general']['enabled']) && $config['OPNsense']['HAProxy']['general']['enabled'] == 1) {
+ $services[] = array(
+ 'description' => gettext('HAProxy load balancer'),
+ 'configd' => array(
+ 'restart' => array('haproxy restart'),
+ 'start' => array('haproxy start'),
+ 'stop' => array('haproxy stop'),
+ ),
+ 'name' => 'haproxy',
+ );
+ }
+
+ return $services;
+}
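Review bot: This file is static PHP, yet the +TARGETS hunk routes it through the template engine into `/usr/local/etc/inc/plugins.inc.d/haproxy.inc`, a directory whose files are presumably loaded by the GUI as code. Generating executable PHP from a template leaves a standing hazard: any later `{{ ... }}` interpolation of a config value in this file would land in PHP source unescaped. It also means the service and syslog registration exist only after the templates have been rendered. Installing it as a plain packaged file rather than a template target avoids both problems. If it has to stay a template, add a header comment such as `// rendered by the template engine: never interpolate config values into this file`.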