diff --git a/hooks/keystone_utils.py b/hooks/keystone_utils.py
index edd69e4e..54249d7c 100644
--- a/hooks/keystone_utils.py
+++ b/hooks/keystone_utils.py
@@ -207,6 +207,7 @@ else:
 
 
 HAPROXY_CONF = '/etc/haproxy/haproxy.cfg'
+APACHE_PORTS_CONF = '/etc/apache2/ports.conf'
 APACHE_CONF = '/etc/apache2/sites-available/openstack_https_frontend'
 APACHE_24_CONF = '/etc/apache2/sites-available/openstack_https_frontend.conf'
 MEMCACHED_CONF = '/etc/memcached.conf'
@@ -295,6 +296,10 @@ BASE_RESOURCE_MAP = OrderedDict([
                      context.SyslogContext()],
         'services': [],
     }),
+    (APACHE_PORTS_CONF, {
+        'contexts': [],
+        'services': ['apache2'],
+    }),
 ])
 
 valid_services = {
diff --git a/templates/ports.conf b/templates/ports.conf
new file mode 100644
index 00000000..103f3e05
--- /dev/null
+++ b/templates/ports.conf
@@ -0,0 +1,4 @@
+# File written by Juju: don't open default ports on SSL environments (see LP 1845665).
+<IfModule !ssl_module>
+    Listen 80
+</IfModule>