diff --git a/data/etc/apache2/sites-available/plinth-ssl.conf b/data/etc/apache2/sites-available/plinth-ssl.conf
index 4b6f23ed1..267289dac 100644
--- a/data/etc/apache2/sites-available/plinth-ssl.conf
+++ b/data/etc/apache2/sites-available/plinth-ssl.conf
@@ -1,46 +1,12 @@
-
-
- ## Enable SSL
- SSLEngine on
- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-
- ## Use HTTP Strict Transport Security to force client to use secure
- ## connections only
- Header always set Strict-Transport-Security "max-age=31536000"
-
- ## Shared options.
- DocumentRoot /usr/share/plinth
-
- ## Use this rule to hang plinth off of plinth.(servername)
- # ServerName plinth
- # ServerAlias plinth.*
- # ProxyPass / http://localhost:8000/
- # ProxyPassReverse / http://localhost:8000/
- #
- # Order Deny,Allow
- # Deny from All
- # Allow from 10.0.0.0/8
- # Allow from 172.16.0.0/12
- # Allow from 192.168.0.0/16
- #
-
- ## Use this rule to hang plinth off a subdir.
- ## Make sure to provide plinth with a default directory: /plinth
-
- ProxyPass http://localhost:8000/plinth
- RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
-
- Order Deny,Allow
- Deny from All
- Allow from 127.0.0.0/8 # IPv4 local addresses
- Allow from 169.254.0.0/16 # IPv4 link local addresses
- Allow from 10.0.0.0/8 # IPv4 class A private addresses
- Allow from 172.16.0.0/12 # IPv4 class B private addresses
- Allow from 192.168.0.0/16 # IPv4 class C private addresses
- Allow from ::1 # IPv6 local address
- Allow from fe80::/10 # IPv6 link local addresses
- Allow from fc00::/7 # IPv6 private addresses
-
-
-
+##
+## When enabled allows only SSL traffic onto Plinth
+##
+## Requires the following Apache modules to be enabled:
+## mod_rewrite
+## mod_ssl
+##
+
+ RewriteEngine on
+ ReWriteCond %{HTTPS} !=on
+ RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
+
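Review bot: The rewritten plinth-ssl.conf no longer sends `Header always set Strict-Transport-Security "max-age=31536000"`, and nothing else in this diff re-adds it, so HTTPS is enforced only by the redirect and a client's first plain-HTTP request stays open to interception or downgrade. Unless another site file already sets the header, keep that line in whichever HTTPS virtual host now serves /plinth. The `SSLEngine` and certificate directives are removed as well, so TLS presumably comes from a different site, but no `a2ensite` for one is visible in the 86_plinth hunk; this is worth confirming. A short comment above the rule noting that `%{HTTP_HOST}` is taken from the request and that `[R,L]` issues a temporary redirect would help the next reader.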
diff --git a/data/etc/apache2/sites-available/plinth.conf b/data/etc/apache2/sites-available/plinth.conf
index d7af857e8..a8ce66c3d 100644
--- a/data/etc/apache2/sites-available/plinth.conf
+++ b/data/etc/apache2/sites-available/plinth.conf
@@ -1,16 +1,26 @@
-
+##
+## On all sites, provide Plinth on a default path: /plinth
+##
+## Requires the following Apache modules to be enabled:
+## mod_headers
+## mod_proxy
+## mod_proxy_http
+##
+
+ ProxyPass http://localhost:8000/plinth
+ ## Send the scheme from user's request to enable Plinth to redirect
+ ## URLs, set cookies, set absolute URLs (if any) properly.
+ RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
- ## Force SSL
- RewriteEngine on
- ReWriteCond %{SERVER_PORT} !^443$
- ReWriteCond %{REQUEST_URI} ^/plinth
- RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
-
- ## Shared options.
- DocumentRoot /dev/null
-
- ## Use this rule to hang plinth off of plinth.(servername)
- # ServerName plinth
- # ServerAlias plinth.*
-
-
+ ## Allow traffic only from private networks
+ Order Deny,Allow
+ Deny from All
+ Allow from 127.0.0.0/8 # IPv4 local addresses
+ Allow from 169.254.0.0/16 # IPv4 link local addresses
+ Allow from 10.0.0.0/8 # IPv4 class A private addresses
+ Allow from 172.16.0.0/12 # IPv4 class B private addresses
+ Allow from 192.168.0.0/16 # IPv4 class C private addresses
+ Allow from ::1 # IPv6 local address
+ Allow from fe80::/10 # IPv6 link local addresses
+ Allow from fc00::/7 # IPv6 private addresses
+
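Review bot: The trailing `# …` text on the `Allow from` lines is not a comment to Apache, which does not accept comments on the same line as a directive. As far as I can tell each word is read as an additional host specification, so the allow list is wider than the private ranges it names and requests may incur reverse-DNS lookups. Move each description to its own line, e.g. `## IPv4 local addresses` followed by `Allow from 127.0.0.0/8`. Separately, `RequestHeader set X-Forwarded-Proto 'https' env=HTTPS` acts only on HTTPS requests, so on plain HTTP a client-supplied X-Forwarded-Proto reaches Plinth unchanged; adding `RequestHeader unset X-Forwarded-Proto` before it would close that. The header comment lists mod_headers as required, but the `a2enmod` lines visible in 86_plinth cover only proxy, proxy_http, rewrite and ssl, so confirm it is enabled earlier in that script.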
diff --git a/data/usr/lib/freedombox/setup.d/86_plinth b/data/usr/lib/freedombox/setup.d/86_plinth
index a1e40f659..154cf11c0 100755
--- a/data/usr/lib/freedombox/setup.d/86_plinth
+++ b/data/usr/lib/freedombox/setup.d/86_plinth
@@ -26,7 +26,6 @@ a2enmod proxy
a2enmod proxy_http
a2enmod rewrite
a2enmod ssl
-a2dissite default
a2ensite plinth.conf
a2ensite plinth-ssl.conf