diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index bd49c1cbec982db95b7d6e20d3a1c2267e04b832..3c2eb2c371cc29eac2a57017213c92e492c80cb3 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1,6 +1,11 @@
 ---
 dhparam_bits: 2048
 
+# Ports that NGINX should bind to. Only change if you are setting
+# up transparent proxies or other network-level trickery on frontends.
+nginx_http_port: 80
+nginx_https_port: 443
+
 # How much memory to use for key caching in the proxy_cache.
 nginx_cache_keys_mem: "64m"
 
diff --git a/roles/nginx/templates/config/sites-available/default b/roles/nginx/templates/config/sites-available/default
index 0fe9aa8d5a7a2b96ed4392fc097836ee64331cd8..a53bb7f743ed3f2bca2ddf77d2fecc6e8f6362ba 100644
--- a/roles/nginx/templates/config/sites-available/default
+++ b/roles/nginx/templates/config/sites-available/default
@@ -9,7 +9,7 @@ map $http_host $top_level_domain_redirect {
 }
 
 server {
-        listen [::]:80 default_server ipv6only=off;
+        listen [::]:{{ nginx_http_port }} default_server ipv6only=off;
         server_name _;
 
 {# Only enable this if the 'acme' service is defined,
@@ -33,7 +33,7 @@ server {
 }
 
 server {
-        listen [::]:443 http2 default_server ipv6only=off;
+        listen [::]:{{ nginx_https_port }} http2 default_server ipv6only=off;
         server_name _;
         ssl on;
 
diff --git a/roles/nginx/templates/nginx-vhost.j2 b/roles/nginx/templates/nginx-vhost.j2
index 9ed9014a1858d472735eaee86993a3c06455a8d9..74c1245153f3b523da4369a590b5d204067dd483 100644
--- a/roles/nginx/templates/nginx-vhost.j2
+++ b/roles/nginx/templates/nginx-vhost.j2
@@ -23,7 +23,7 @@
 
 {% macro config_vhost(endpoint, shard=None) %}
 server {
-        listen [::]:443 http2;
+        listen [::]:{{ nginx_https_port }} http2;
 {% if endpoint.domains %}
         server_name {{ endpoint.domains | join(' ') }};
 {% else %}