diff --git a/CHANGELOG.md b/CHANGELOG.md index d9e6c849..5dd40682 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,8 @@ The **patch** part changes incrementally at each release. ### Added +* haproxy: dedicated internal address/binding (without SSL) + ### Changed ### Fixed diff --git a/haproxy/defaults/main.yml b/haproxy/defaults/main.yml index c69f48d3..3e3ec047 100644 --- a/haproxy/defaults/main.yml +++ b/haproxy/defaults/main.yml 
@@ -1,34 +1,36 @@ --- + +haproxy_ssl_dir: "/etc/haproxy/ssl/" + # backward compatibility with a previously used variable +haproxy_stats_enable: False haproxy_stats_ssl: True haproxy_stats_host: "*" haproxy_stats_port: "8080" haproxy_stats_path: "/" haproxy_stats_bind_directive: "{{ haproxy_stats_host }}:{{ haproxy_stats_port }} {% if haproxy_stats_ssl %}ssl crt {{ haproxy_ssl_dir }}{% endif %}" -haproxy_stats_internal_url: "{% if haproxy_stats_ssl %}https:{% else %}http:{% endif %}//{% if haproxy_stats_host == '*' or haproxy_stats_host == '0.0.0.0' %}127.0.0.1{% else %}{{ haproxy_stats_host }}{% endif %}:{{ haproxy_stats_port }}{{ haproxy_stats_path }}" +haproxy_stats_internal_enable: True +haproxy_stats_internal_host: "127.0.0.1" +haproxy_stats_internal_port: "8081" + haproxy_stats_external_url: "{% if haproxy_stats_ssl %}https:{% else %}http:{% endif %}//{{ ansible_fqdn }}:{{ haproxy_stats_port }}{{ haproxy_stats_path }}" -haproxy_backports: "{{ haproxy_jessie_backports | default(false, true) }}" -haproxy_update_config: True -haproxy_force_config: True - -haproxy_socket: /run/haproxy/admin.sock -haproxy_chroot: /var/lib/haproxy - haproxy_stats_access_ips: [] haproxy_stats_admin_ips: [] haproxy_stats_users: [] ## use crypt(8) password encryption # haproxy_stats_users: # - { login: "", password: "" } + +haproxy_backports: "{{ haproxy_jessie_backports | default(false, true) }}" +haproxy_update_config: True +haproxy_force_config: True + +haproxy_socket: /run/haproxy/admin.sock +haproxy_chroot: /var/lib/haproxy haproxy_maintenance_ips: [] haproxy_deny_ips: [] -haproxy_ssl_dir: "/etc/haproxy/ssl/" - -haproxy_stats_enable: False -haproxy_stats_bind: "*:8080 ssl crt /etc/haproxy/ssl/" - haproxy_backports_packages_stretch: haproxy libssl1.0.0 haproxy_backports_packages_buster: haproxy diff --git a/haproxy/templates/haproxy.default.cfg.j2 b/haproxy/templates/haproxy.default.cfg.j2 index 1e6f8be1..e33d111a 100644 --- a/haproxy/templates/haproxy.default.cfg.j2 
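Review bot: The three new `haproxy_stats_internal_*` defaults carry no comment saying that this listener is cleartext, and `haproxy_stats_internal_enable` defaults to `True`, so hosts applying the role get the extra bind without opting in wherever the stats section is rendered. I would add above them `# cleartext listener for local consumers such as munin; keep haproxy_stats_internal_host on a loopback address`. The same hunk removes `haproxy_stats_internal_url` and `haproxy_stats_bind`. Any inventory or template outside this diff that still references them will fail on an undefined variable, so the removal deserves a line under "Changed" in the changelog or a compatibility default.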
+++ b/haproxy/templates/haproxy.default.cfg.j2 @@ -45,6 +45,9 @@ userlist stats_users listen stats mode http bind {{ haproxy_stats_bind_directive }} +{% if haproxy_stats_internal_enable %} + bind {{ haproxy_stats_internal_host }}:{{ haproxy_stats_internal_port }} +{% endif %} acl stats_access_ips src -f /etc/haproxy/stats_access_ips acl stats_admin_ips src -f /etc/haproxy/stats_admin_ips diff --git a/haproxy/templates/munin.conf.j2 b/haproxy/templates/munin.conf.j2 index 7a423600..24042f66 100644 --- a/haproxy/templates/munin.conf.j2 +++ b/haproxy/templates/munin.conf.j2 @@ -1,2 +1,4 @@ [haproxy_*] -env.url {{ haproxy_stats_internal_url }};csv;norefresh +{% if haproxy_stats_internal_enable %} +env.url http://{{ haproxy_stats_internal_host }}:{{ haproxy_stats_internal_port }}/;csv;norefresh +{% endif %}
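Review bot: The cleartext `bind` is added inside the existing `listen stats` section, so it shares the `stats_access_ips` / `stats_admin_ips` ACLs and presumably the same auth and admin rules as the TLS listener; the rest of the section is outside this hunk. Nothing restricts `haproxy_stats_internal_host` to loopback, so a value such as `*` would serve the stats page, and any basic-auth credentials sent to it, without TLS. Consider tagging the internal listener with `acl stats_internal dst_port {{ haproxy_stats_internal_port }}` and excluding it from whatever rule grants admin access, so the plaintext port stays read-only. A comment above the new bind, `# cleartext, meant for loopback-only consumers (munin)`, would record the intent.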
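Review bot: The new `env.url` hard-codes `/` as the path, whereas the removed `haproxy_stats_internal_url` appended `{{ haproxy_stats_path }}`, so a role user who overrides `haproxy_stats_path` will have munin polling the wrong URI. I would keep the variable: `env.url http://{{ haproxy_stats_internal_host }}:{{ haproxy_stats_internal_port }}{{ haproxy_stats_path }};csv;norefresh`. When `haproxy_stats_internal_enable` is false the template now renders a bare `[haproxy_*]` section with no URL. The plugin then falls back to whatever its built-in default is, so an `{% else %}` branch or a comment stating that munin monitoring requires the internal listener would make the failure mode explicit.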