diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml
index bac2bbb098..bb7cec7651 100644
--- a/group_vars/all/security.yml
+++ b/group_vars/all/security.yml
@@ -2,7 +2,7 @@ ferm_input_list:
- type: dport_accept
- dport: [http, https]
+ dport: [http]
filename: nginx_accept
- type: dport_accept
dport: [ssh]
diff --git a/roles/ferm/defaults/main.yml b/roles/ferm/defaults/main.yml
index 17f623b5d0..fe3a3ac40f 100644
--- a/roles/ferm/defaults/main.yml
+++ b/roles/ferm/defaults/main.yml
@@ -11,3 +11,5 @@ ferm_default_policy_forward: DROP
ferm_input_list: []
ferm_input_group_list: []
ferm_input_host_list: []
+
+sites_using_ssl: "[{% for name, site in wordpress_sites.items() | list if site.ssl.enabled %}'{{ name }}',{% endfor %}]"
diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml
index ce779972d1..174ea5ab05 100644
--- a/roles/ferm/tasks/main.yml
+++ b/roles/ferm/tasks/main.yml
@@ -24,6 +24,16 @@
- /etc/ferm/ferm.d
- /etc/ferm/filter-input.d
+- name: allow inbound HTTPS
+ set_fact:
+ ferm_input_list: "{{ ferm_input_list + [ ferm_dport_nginx_https] }}"
+ when: sites_using_ssl | count
+ vars:
+ ferm_dport_nginx_https:
+ type: dport_accept
+ dport: [https]
+ filename: nginx_accept_https
+
- name: ensure firewall is configured
template:
src: "{{ item }}.j2"
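Review bot: Removing `https` from the default `nginx_accept` rule leaves no trace in group_vars/all/security.yml of where port 443 is now opened, so an operator auditing this file will read it as HTTPS being closed for every host. A comment above the rule keeps the intent visible: `# https is appended by roles/ferm only when a wordpress_sites entry has ssl.enabled`. The remainder of `ferm_input_list` continues outside the hunk.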
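Review bot: `sites_using_ssl` builds a list by string concatenation — a Jinja loop emitting `'name',` between literal brackets — and then depends on Ansible re-evaluating that string as a Python literal, so a site name containing a quote breaks the literal and the value is only a list if that evaluation step runs. If the Ansible version in use has `dict2items`, the same selection can be expressed as a real list: `sites_using_ssl: "{{ wordpress_sites | dict2items | selectattr('value.ssl.enabled') | map(attribute='key') | list }}"`. In either form `site.ssl.enabled` raises an undefined-variable error for a site whose `ssl` mapping is absent; whether a default `ssl` key is guaranteed elsewhere is not visible here and is worth confirming. The default is templated lazily, so an inventory without `wordpress_sites` only fails at the `when:` in roles/ferm/tasks/main.yml that reads it.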
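Review bot: `when: sites_using_ssl | count` opens port 443 unconditionally if `sites_using_ssl` arrives as a string rather than a list, because `"[]" | count` is 2. The default in roles/ferm/defaults/main.yml is a string literal wrapping a Jinja loop, and whether Ansible converts it back into a list depends on its result evaluation, so the firewall decision is only as safe as that step; defining `sites_using_ssl` as a real list and testing `when: sites_using_ssl | length > 0` makes the condition explicit. Separately, `set_fact` facts persist for the host into later plays, so if this role is applied to a host more than once in a run the https entry is appended to `ferm_input_list` again each time; adding `and ferm_dport_nginx_https not in ferm_input_list` to the condition avoids the duplicate rule. The `[ ferm_dport_nginx_https]` spacing is also inconsistent with the flow lists elsewhere in the file.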