diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 66db401..5932b85 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -41,8 +41,8 @@ frontend http
 	tcp-request inspect-delay 3s
 	acl letsencrypt path_beg /.well-known/acme-challenge
 	redirect scheme https code 301 if !letsencrypt
-{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) %}
-{% for hostname in hostvars[server]['web_hostname'] %}
+{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
+{% for hostname in hostvars[server]['web_hostname'] | sort %}
 	## {{ hostname }} configuration
 	acl host_{{ hostname }} hdr(host) -i {{ hostname }}
 	use_backend http_{{ server }} if letsencrypt host_{{ hostname }}
@@ -56,8 +56,8 @@ frontend https
 	bind *:443 name frontend-https
 	tcp-request inspect-delay 3s
 	tcp-request content accept if { req.ssl_hello_type 1 }
-{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) %}
-{% for hostname in hostvars[server]['web_hostname'] %}
+{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
+{% for hostname in hostvars[server]['web_hostname'] | sort %}
 	## {{ hostname }} configuration
 	acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
 	use_backend https_{{ server }} if host_{{ hostname }}
@@ -65,7 +65,7 @@ frontend https
 {% endfor %}
 {% endfor %}
 
-{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) %}
+{% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
 ## {{ server }} configuration
 backend http_{{ server }}
 	mode http