diff --git a/manifests/init.pp b/manifests/init.pp
index 00ea9a6..6ebaa12 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -48,6 +48,9 @@ class zuul (
 $swift_default_container = '',
 $swift_default_logserver_prefix = '',
 $swift_default_expiry = 7200,
+ $proxy_ssl_cert_file_contents = '',
+ $proxy_ssl_key_file_contents = '',
+ $proxy_ssl_chain_file_contents = '',
 ) {
 include apache
 include pip
@@ -320,10 +323,58 @@ class zuul (
 source => 'puppet:///modules/zuul/zuul-merger.init',
 }
 
+ if $proxy_ssl_cert_file_contents == '' {
+ $ssl = false
+ } else {
+ $ssl = true
+ file { '/etc/ssl/certs':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+ file { '/etc/ssl/private':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0700',
+ }
+ file { "/etc/ssl/certs/${vhost_name}.pem":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $proxy_ssl_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => Apache::Vhost[$vhost_name],
+ }
+ file { "/etc/ssl/private/${vhost_name}.key":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $proxy_ssl_key_file_contents,
+ require => File['/etc/ssl/private'],
+ before => Apache::Vhost[$vhost_name],
+ }
+ if $proxy_ssl_chain_file_contents != '' {
+ file { "/etc/ssl/certs/${vhost_name}_intermediate.pem":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $proxy_ssl_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+ }
+
 apache::vhost { $vhost_name:
- port => 443,
+ port => 443, # Is required despite not being used.
 docroot => 'MEANINGLESS ARGUMENT',
 priority => '50',
+ ssl => $ssl,
 template => 'zuul/zuul.vhost.erb',
 }
 if ! defined(A2mod['rewrite']) {
diff --git a/templates/zuul.vhost.erb b/templates/zuul.vhost.erb
index fc36b4a..b011487 100644
--- a/templates/zuul.vhost.erb
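Review bot: The intermediate chain file in the `$proxy_ssl_chain_file_contents != ''` branch of the @@ -320 hunk is written with `content => $proxy_ssl_cert_file_contents`, so `/etc/ssl/certs/${vhost_name}_intermediate.pem` receives the leaf certificate instead of the chain and the `SSLCertificateChainFile` the template points at serves a wrong chain; the line should read `content => $proxy_ssl_chain_file_contents,`. The `$ssl` decision is keyed only on the certificate contents, so a deployment that sets `proxy_ssl_cert_file_contents` but leaves `proxy_ssl_key_file_contents` empty still enables SSL and writes an empty `0600` key file, which Apache would presumably refuse to load; requiring both values to be non-empty, or failing the catalog when only one is given, would surface that misconfiguration at apply time rather than at service start. The enclosing `class zuul` starts and ends outside the hunk.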
+++ b/templates/zuul.vhost.erb
@@ -1,6 +1,6 @@
- ServerName <%= scope.lookupvar("::zuul::vhost_name") %>
- ServerAdmin <%= scope.lookupvar("::zuul::serveradmin") %>
+ ServerName <%= @vhost_name %>
+ ServerAdmin <%= @serveradmin %>
 DocumentRoot /var/lib/zuul/www
@@ -12,11 +12,11 @@
 Satisfy Any
- ErrorLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("::zuul::vhost_name") %>-error.log
+ ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
 LogLevel warn
- CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("::zuul::vhost_name") %>-access.log combined
+ CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined
 RewriteEngine on
 RewriteRule ^/status.json$ http://127.0.0.1:8001/status.json [P]
@@ -47,5 +47,66 @@
 CacheRoot /var/cache/apache2/mod_cache_disk
-
+
+<% if @proxy_ssl_cert_file_contents != '' %>
+
+
+ ServerName <%= @vhost_name %>
+ ServerAdmin <%= @serveradmin %>
+ DocumentRoot /var/lib/zuul/www
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
+ SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
+<% if @proxy_ssl_chain_file_contents != '' %>
+ SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
+<% end %>
+
+
+ Allow from all
+ Satisfy Any
+
+
+ Allow from all
+ Satisfy Any
+
+
+ ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
+
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined
+
+ RewriteEngine on
+ RewriteRule ^/status.json$ http://127.0.0.1:8001/status.json [P]
+
+ AddOutputFilterByType DEFLATE application/json
+
+ SetEnv GIT_PROJECT_ROOT /var/lib/zuul/git/
+ SetEnv GIT_HTTP_EXPORT_ALL
+
+ AliasMatch ^/p/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/lib/zuul/git/$1
+ AliasMatch ^/p/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/lib/zuul/git/$1
+ ScriptAlias /p/ /usr/lib/git-core/git-http-backend/
+
+
+ CacheDefaultExpire 5
+
+ CacheEnable mem /status.json
+ # 12MByte total cache size.
+ MCacheSize 12288
+ MCacheMaxObjectCount 10
+ MCacheMinObjectSize 1
+ # 8MByte max size per cache entry
+ MCacheMaxObjectSize 8388608
+ MCacheMaxStreamingBuffer 8388608
+
+
+ CacheEnable disk /status.json
+ CacheRoot /var/cache/apache2/mod_cache_disk
+
+
+
+<% end %>
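Review bot: The `<% if @proxy_ssl_cert_file_contents != '' %>` guard, and the nested `@proxy_ssl_chain_file_contents` one, read `class zuul` parameters, yet the same commit switches the template to `@vhost_name`/`@serveradmin`, which only resolve if `apache::vhost` renders it in its own scope; in that scope `proxy_ssl_cert_file_contents` is presumably nil, `nil != ''` is true in Ruby, and the 443 vhost would be emitted unconditionally with an `SSLCertificateChainFile` pointing at a file the manifest may never have written. Since the manifest now passes `ssl => $ssl`, which is a parameter of `apache::vhost`, `<% if @ssl %>` is the guard that is actually in scope, and the chain check would need the explicit `scope.lookupvar("::zuul::proxy_ssl_chain_file_contents")` form the old template used for `vhost_name`. `SSLProtocol All -SSLv2 -SSLv3` is set but no `SSLCipherSuite`, so cipher selection is left to the distribution's Apache default; a comment stating that this is intentional, or an explicit suite, would make the policy reviewable. The block also duplicates the whole plain-HTTP vhost body, so every future directive change has to be made twice; factoring the shared directives into a partial would avoid drift between the two.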