diff --git a/Gemfile.lock b/Gemfile.lock
index 1cc280a3d..a2814bee7 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -26,6 +26,7 @@ GEM
 
 PLATFORMS
   arm64-darwin-21
+  x86_64-linux
 
 DEPENDENCIES
   rubocop
diff --git a/docs/docs/administer/upgrade.md b/docs/docs/administer/upgrade.md
index bfe587519..66e0d306f 100644
--- a/docs/docs/administer/upgrade.md
+++ b/docs/docs/administer/upgrade.md
@@ -22,6 +22,33 @@ issue](https://github.com/firezone/firezone/issues/new/choose).
 
 ## Upgrading from < 0.5.0 to >= 0.5.0
 
+0.5.0 introduces a few breaking changes and configuration updates that will need
+to be addressed. Read more below.
+
+### Bundled Nginx non_ssl_port (HTTP) requests removed
+
+0.5.0 and above removes the `force_ssl` and `non_ssl_port` settings for
+Nginx. SSL is required for Firezone to function; if you're using (or would like
+to use) your own reverse proxy, we recommend disabling the bundle Nginx service
+by setting `default['firezone']['nginx']['enabled'] = false` and pointing your
+reverse proxy directly to the Phoenix app on port 13000 (by default).
+
+Read more about setting up a custom reverse proxy
+[here](../deploy/reverse-proxies).
+
+### ACME protocol support
+
+0.5.0 introduces ACME protocol support for automatically renewing SSL
+certificates with the bundled Nginx service. To enable,
+
+- Make sure `default['firezone']['external_url']` contains a valid FQDN that
+  resolves to your server's public IP address.
+
+- Ensure port `80/tcp` is reachable
+
+- Enable ACME protocol support with
+  `default['firezone']['ssl']['acme']['enabled'] = true` in your config file.
+
 ### Overlapping egress rule destinations
 
 Firezone 0.5.0 removes the ability to add rules with overlapping destinations.
diff --git a/docs/docs/reference/configuration-file.md b/docs/docs/reference/configuration-file.md
index 700b2fc3c..63ebef1b8 100644
--- a/docs/docs/reference/configuration-file.md
+++ b/docs/docs/reference/configuration-file.md
@@ -34,7 +34,6 @@ Shown below is a complete listing of the configuration options available in
 | `default['firezone']['authentication']['disable_vpn_on_oidc_error']` | Disable a user's VPN if an error is detected trying to refresh their OIDC token. | `false` |
 | `default['firezone']['authentication']['oidc']` | OpenID Connect config, in the format of `{"provider" => [config...]}` - See [OpenIDConnect documentation](https://hexdocs.pm/openid_connect/readme.html) for config examples. | `{}` |
 | `default['firezone']['nginx']['enabled']` | Enable or disable the bundled nginx server. | `true` |
-| `default['firezone']['nginx']['non_ssl_port']` | HTTP listen port. | `80` |
 | `default['firezone']['nginx']['ssl_port']` | HTTPS listen port. | `443` |
 | `default['firezone']['nginx']['directory']` | Directory to store Firezone-related nginx virtual host configuration. | `"#{node['firezone']['var_directory']}/nginx/etc"` |
 | `default['firezone']['nginx']['log_directory']` | Directory to store Firezone-related nginx log files. | `"#{node['firezone']['log_directory']}/nginx"` |
diff --git a/omnibus/cookbooks/firezone/attributes/default.rb b/omnibus/cookbooks/firezone/attributes/default.rb
index 516a42f48..ed36fe624 100644
--- a/omnibus/cookbooks/firezone/attributes/default.rb
+++ b/omnibus/cookbooks/firezone/attributes/default.rb
@@ -164,7 +164,6 @@ default['firezone']['phoenix']['private_clients'] = []
 # These attributes control Firezone-specific portions of the Nginx
 # configuration and the virtual host for the Firezone Phoenix app.
 default['firezone']['nginx']['enabled'] = true
-default['firezone']['nginx']['non_ssl_port'] = 80
 default['firezone']['nginx']['ssl_port'] = 443
 default['firezone']['nginx']['directory'] = "#{node['firezone']['var_directory']}/nginx/etc"
 default['firezone']['nginx']['log_directory'] = "#{node['firezone']['log_directory']}/nginx"
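Review bot: Deleting `default['firezone']['nginx']['non_ssl_port']` with no replacement means a deployment whose config file still sets it is accepted silently, while the bundled redirect server now binds port 80 unconditionally; an operator who had moved plain HTTP off port 80 may hit a bind conflict or a silently changed listener at upgrade time with nothing in the Chef run pointing at the cause. Consider leaving a comment at this spot, such as `# non_ssl_port was removed in 0.5.0: the bundled Nginx always listens on 80 for ACME challenges`, and having the recipe log a warning when `node['firezone']['nginx']['non_ssl_port']` is still present in the merged attributes. The attribute file continues outside this hunk.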
@@ -419,7 +418,6 @@ default['firezone']['ssl']['email_address'] = nil
 # 1. default['firezone']['external_url'] includes a valid FQDN
 # 2. Port 80/tcp is accessible; this is used for domain validation.
 # 3. default['firezone']['ssl']['email_address'] is set properly. This will be used for renewal notices.
-# 4. default['firezone']['nginx']['non_ssl_port'] is set to 80
 default['firezone']['ssl']['acme']['enabled'] = false
 
 # Set the ACME server directory for ACME protocol SSL certificate issuance
diff --git a/omnibus/cookbooks/firezone/recipes/nginx.rb b/omnibus/cookbooks/firezone/recipes/nginx.rb
index 8f4d534b7..0f938fb68 100644
--- a/omnibus/cookbooks/firezone/recipes/nginx.rb
+++ b/omnibus/cookbooks/firezone/recipes/nginx.rb
@@ -63,7 +63,6 @@ template 'redirect.conf' do
   variables(
     server_name: URI.parse(node['firezone']['external_url']).host,
     acme_www_root: "#{node['firezone']['var_directory']}/nginx/acme_root",
-    non_ssl_port: node['firezone']['nginx']['non_ssl_port'],
     rate_limiting_zone_name: node['firezone']['nginx']['rate_limiting_zone_name'],
     ipv6: node['firezone']['nginx']['ipv6']
   )
diff --git a/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb b/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb
index 50798f207..211782672 100644
--- a/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb
+++ b/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb
@@ -45,7 +45,7 @@ server {
     }
 
     if ($redirect_to_canonical = H) {
-      return 301 http<%= @ssl['enabled'] ? 's' : '' %>://<%= @fqdn %>$request_uri;
+      return 301 https://<%= @fqdn %>$request_uri;
     }
 
 <% end -%>
diff --git a/omnibus/cookbooks/firezone/templates/redirect.conf.erb b/omnibus/cookbooks/firezone/templates/redirect.conf.erb
index 7a4cfa998..94934a609 100644
--- a/omnibus/cookbooks/firezone/templates/redirect.conf.erb
+++ b/omnibus/cookbooks/firezone/templates/redirect.conf.erb
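Review bot: `rate_limiting_zone_name:` is still handed to the `redirect.conf` template here, but the second hunk of `redirect.conf.erb` in this same commit deletes the `limit_req zone=<%= @rate_limiting_zone_name %>` line that was, as far as the shown hunks go, its only use, so the variable is now dead on the template side. Either drop it from `variables(` together with `non_ssl_port`, or keep a rate-limited `location /` in the template so the zone is still applied to the port-80 listener. The `template 'redirect.conf' do` block starts before this hunk, so I cannot see whether `enable_rate_limiting` is passed at all.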
@@ -1,7 +1,7 @@
 server {
-  listen <%= @non_ssl_port %> default_server;
+  listen 80 default_server;
   <% if @ipv6 -%>
-  listen [::]:<%= @non_ssl_port %> default_server;
+  listen [::]:80 default_server;
   <% end -%>
 
   server_name <%= @server_name %>;
@@ -9,13 +9,4 @@ server {
   location /.well-known/acme-challenge/ {
     alias <%= @acme_www_root %>/.well-known/acme-challenge/;
   }
-
-  location / {
-    <% if @enable_rate_limiting -%>
-    limit_req zone=<%= @rate_limiting_zone_name %>;
-    <% end -%>
-    if ($http_x_forwarded_proto != 'https') {
-      return 301 https://$server_name$request_uri;
-    }
-  }
 }
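Review bot: With the `location /` block deleted in the second hunk, the port-80 `server {}` no longer handles anything except `/.well-known/acme-challenge/`; every other plain-HTTP request falls through to nginx's implicit default location and is served from the compiled-in default root instead of being sent to HTTPS, so a user who types the bare hostname now gets the stock nginx page or a 404 rather than landing on the TLS endpoint. The upgrade note says SSL is required, which argues for keeping the redirect rather than removing it: restore a catch-all such as `location / { return 301 https://$server_name$request_uri; }`, or use `return 444;` if the intent really is to serve nothing over HTTP. Dropping the `$http_x_forwarded_proto` condition is reasonable because this block only listens on 80, but the 301 itself should stay.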