diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 1125c7d74a673d49213e2bec7a456b2c34b3251d..c73499057ce321a8e5db9b3f4d7f9035da4d87c4 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -838,3 +838,55 @@ Here is an example configuration for setting-up the mail forwarder:
 smtp_relay_host: mail.example.com
 smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
+
+
+Web Server
+----------
+
+The ``web_server`` role can be used for setting-up a web server on destination
+machine.
+
+The role is supposed very lightweight, providing a basis for deployment of web
+applications.
+
+The role implements the following:
+
+* Installs and configures nginx with a single, default vhost with a small static
+ index page.
+* Deploys the HTTPS TLS private key and certificate (for default vhost).
+* Configures firewall to allow incoming connections to the web server.
+
+
+Parameters
+~~~~~~~~~~
+
+**https_tls_key** (string, mandatory)
+ Path to file on Ansible host that contains the private key used for TLS for
+ HTTPS service. The file will be copied to directory ``/etc/ssl/private/``.
+
+**https_tls_certificate** (string, mandatory)
+ Path to file on Ansible host that contains the X.509 certificate used for TLS
+ for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``.
+
+**web_default_title** (string, mandatory)
+ Title for the default web page shown to users (if no other vhosts were matched).
+
+**web_default_message** (string, mandatory)
+ Message for the default web page shown to users (if no other vhosts were
+ matched).
+
+
+Examples
+~~~~~~~~
+
+Here is an example configuration for setting-up XMPP server using Prosody:
+
+.. code-block:: yaml
+
+ ---
+
+ https_tls_key: "{{ inventory_dir }}/tls/web.example.com_https.key"
+ https_tls_certificate: "{{ inventory_dir }}/tls/web.example.com_https.pem"
+
+ web_default_title: "Welcome to Example Inc."
+ web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
 
diff --git a/roles/web_server/files/ferm_http.conf b/roles/web_server/files/ferm_http.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ebc0604e0236269686b457cabd30fa30c6edfee9
--- /dev/null
+++ b/roles/web_server/files/ferm_http.conf
@@ -0,0 +1,8 @@
+table filter {
+ chain INPUT {
+ # HTTP
+ proto tcp dport 80 ACCEPT;
+ # HTTPS
+ proto tcp dport 443 ACCEPT;
+ }
+}
diff --git a/roles/web_server/handlers/main.yml b/roles/web_server/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..766f63df51e6307cdacb8696c57e38a176c11821
--- /dev/null
+++ b/roles/web_server/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: Restart nginx
+ service: name=nginx state=restarted
\ No newline at end of file
diff --git a/roles/web_server/tasks/main.yml b/roles/web_server/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7b383a6dbe195aa55163c5225230bcc73b36f420
--- /dev/null
+++ b/roles/web_server/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+- name: Install nginx
+ apt: name=nginx state=installed
+
+- name: Allow nginx user to traverse the directory with TLS private keys
+ user: name=www-data append=yes groups=ssl-cert
+ notify:
+ - Restart nginx
+
+- name: Deploy nginx TLS private key
+ copy: dest="/etc/ssl/private/{{ https_tls_key | basename }}" src="{{ https_tls_key }}"
+ mode=640 owner=root group=root
+ notify:
+ - Restart nginx
+
+- name: Deploy nginx TLS certificate
+ copy: dest="/etc/ssl/certs/{{ https_tls_certificate | basename }}" src="{{ https_tls_certificate }}"
+ mode=644 owner=root group=root
+ notify:
+ - Restart nginx
+
+- name: Deploy default vhost configuration
+ template: src="nginx-default.j2" dest="/etc/nginx/sites-available/default"
+ owner=root group=root mode=644
+ notify:
+ - Restart nginx
+
+- name: Deploy firewall configuration for web server
+ copy: src="ferm_http.conf" dest="/etc/ferm/conf.d/30-web.conf" owner=root group=root mode=640
+ notify:
+ - Restart ferm
+
+- name: Remove the default Debian html files
+ file: path="{{ item }}" state=absent
+ with_items:
+ - /var/www/html/index.nginx-debian.html
+ - /var/www/html/
+
+- name: Create directory for storing the default website page
+ file: path="/var/www/default/" state=directory
+ owner=root group=www-data mode=750
+
+- name: Deploy the default index.html
+ template: src="index.html.j2" dest=/var/www/default/index.html
+ owner=root group=www-data mode=640
+
+- name: Enable nginx service
+ service: name=nginx enabled=yes state=started
\ No newline at end of file
diff --git a/roles/web_server/templates/index.html.j2 b/roles/web_server/templates/index.html.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a9a959175980366ca1ac68d441c626eff0ec1068
--- /dev/null
+++ b/roles/web_server/templates/index.html.j2
@@ -0,0 +1,17 @@ + + + +{{ web_default_title}} + + + +
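Review bot: The "Allow nginx user to traverse the directory with TLS private keys" task adds `www-data` to the `ssl-cert` group, yet the key this role deploys is `mode=640 owner=root group=root`, which that membership cannot read anyway; what the membership does change is that the unprivileged worker user can now traverse `/etc/ssl/private/` and read any other key there that is group-readable by `ssl-cert`. If nginx's master process opens the key as root before dropping to the worker user — the usual arrangement, to be confirmed on the target — the task is not needed and can be removed, or its rationale recorded in a comment such as `# www-data only needs ssl-cert if workers, not the root master, open the key`. Separately, the firewall task notifies `Restart ferm`, which this role's handlers/main.yml does not define; it presumably lives in another role in the same play, so that dependency should be stated in the role docs or the handler duplicated here. Minor: `state=installed` on the apt task is a legacy alias for `state=present`.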

{{ web_default_title}}

+

{{ web_default_message }}

+ + 
diff --git a/roles/web_server/templates/nginx-default.j2 b/roles/web_server/templates/nginx-default.j2
new file mode 100644
index 0000000000000000000000000000000000000000..3379e22dab9c7591d0eb61dc98c6fa82e37fa95d
--- /dev/null
+++ b/roles/web_server/templates/nginx-default.j2
@@ -0,0 +1,26 @@
+#
+# Default server (vhost) configuration.
+#
+server {
+ # HTTP (plaintext) configuration.
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # HTTPS (TLS) configuration.
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ ssl_certificate_key /etc/ssl/private/{{ https_tls_key | basename }};
+ ssl_certificate /etc/ssl/certs/{{ https_tls_certificate | basename }};
+
+ # Set-up the serving of default page.
+ root /var/www/default/;
+ index index.html;
+
+ # Set server_name to something that won't be matched (for default server).
+ server_name _;
+
+ location / {
+ # Always point user to the same index page.
+ try_files $uri /index.html;
+ }
+}
diff --git a/testsite/group_vars/web.yml b/testsite/group_vars/web.yml
index 6961703f169b8520095159841dcc6c5d1b1ddd01..4570c87e4d4c4569d824c08c5be82f3e1e8455cd 100644
--- a/testsite/group_vars/web.yml
+++ b/testsite/group_vars/web.yml
@@ -17,3 +17,9 @@ local_mail_aliases:
 smtp_relay_host: mail.example.com
 smtp_relay_truststore: /etc/ssl/certs/example_ca_chain.pem
+
+https_tls_key: "{{ inventory_dir }}/tls/web.example.com_https.key"
+https_tls_certificate: "{{ inventory_dir }}/tls/web.example.com_https.pem"
+
+web_default_title: "Welcome to Example Inc."
+web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
\ No newline at end of file
diff --git a/testsite/playbooks/web.yml b/testsite/playbooks/web.yml
index d303af3915523dc4e95562bd594623433c4d76d1..fb67dc715dd57bca1b97372688930d31c7248a95 100644
--- a/testsite/playbooks/web.yml
+++ b/testsite/playbooks/web.yml
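Review bot: `{{ web_default_title}}` and `{{ web_default_message }}` are interpolated into the HTML without escaping, and Ansible's template module does not enable Jinja autoescaping, so a title or message containing `<`, `&` or quotes is emitted as markup rather than text. The values are operator-controlled inventory variables, so the exposure is small, but `{{ web_default_title | e }}` and `{{ web_default_message | e }}` keep the page literal whatever the variables hold. The missing space before `}}` in `{{ web_default_title}}` should also be normalised to match the other expression. Only the two expressions are legible in this hunk as extracted, so the surrounding markup is not reviewed here.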
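Review bot: The `ssl_certificate` directive points at the copied `https_tls_certificate` file, but neither this template nor the role documentation says that the file must contain the server certificate followed by any intermediate CA certificates, which nginx sends verbatim; a comment such as `# ssl_certificate must hold the full chain: leaf first, then intermediates` would prevent a deployment that works locally and then fails chain validation in clients. The server block also sets no `ssl_protocols` or `ssl_ciphers`, so whatever the installed nginx build defaults to is the effective policy; stating that choice in a comment, or pinning a policy, makes the intended TLS baseline explicit and reviewable. Plaintext port 80 serving the same catch-all page as 443 is consistent with the documented purpose of a default vhost that is reached by IP or a wrong name, so a redirect is not called for here.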
@@ -7,3 +7,4 @@
 - common
 - ldap_client
 - mail_forwarder
+ - web_server
\ No newline at end of file