diff --git a/roles/wsgi_website/templates/nginx_site.j2 b/roles/wsgi_website/templates/nginx_site.j2
index 1457d2cd8562ff92ccd5241ae13c1df6e910a260..48d99e5e05db269d5554a50abd7116c2c79e6170 100644
--- a/roles/wsgi_website/templates/nginx_site.j2
+++ b/roles/wsgi_website/templates/nginx_site.j2
@@ -1,11 +1,24 @@
+{% if enforce_https -%}
+server {
+    # HTTP (plaintext) configuration.
+    listen 80;
+    server_name {{ fqdn }};
+
+    # Redirect plaintext connections to HTTPS
+    return 301 https://$host$request_uri;
+}
+
+{% endif -%}
 server {
     # Base settings.
     root {{ home }}/htdocs/;
     server_name {{ fqdn }};
+{% if not enforce_https %}
 
     # HTTP (plaintext) configuration.
     listen 80;
 
+{% endif %}
     # HTTPS (TLS) configuration.
     listen 443 ssl;
     listen [::]:443 ssl;