diff --git a/playbooks/roles/gerrit/templates/gerrit.vhost.j2 b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
index 5d6a4936cf..d80e8e4ca4 100644
--- a/playbooks/roles/gerrit/templates/gerrit.vhost.j2
+++ b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
@@ -61,6 +61,11 @@
   #RewriteCond %{REQUEST_URI} !^/maintenance.html$
   #RewriteRule ^/(.*) /maintenance.html [last,redirect=temporary]
 
+  # We can't disable this plugin, but don't want people using it
+  <Location "/plugins/gitiles">
+    Require all denied
+  </Location>
+
   ProxyPassMatch ^/robots.txt$ !
   ProxyPassMatch ^/server-status !
   # Comment out these two lines if the maintenance message above is in use
diff --git a/testinfra/test_gerrit.py b/testinfra/test_gerrit.py
index 6dbab51e59..0cac716c77 100644
--- a/testinfra/test_gerrit.py
+++ b/testinfra/test_gerrit.py
@@ -65,3 +65,9 @@ def test_openinfra_cla(host):
     assert '200 OK' in cmd.stdout
     assert 'Content-Type: text/html' in cmd.stdout
     assert 'OpenInfra Foundation Individual Contributor License Agreement' in cmd.stdout
+
+def test_gitiles_blocked(host):
+    cmd = host.run('curl --include --insecure '
+                   '--resolve review.opendev.org:443:127.0.0.1 '
+                   'https://review.opendev.org/plugins/gitiles/opendev/system-config/')
+    assert '403 Forbidden' in cmd.stdout