diff --git a/src/service/http.rs b/src/service/http.rs
index 607f8b2..a96f9e8 100644
--- a/src/service/http.rs
+++ b/src/service/http.rs
@@ -504,6 +504,32 @@ impl Service {
             }
         }
 
+        // If HTTPS is enabled then only .well-known endpoints are allowed over HTTP (because they
+        // require it). Otherwise we redirect all HTTP requests to HTTPS.
+        if self.config.http.https_addr.is_some() && !req_is_https {
+            let https_addr = self.config.http.https_addr.unwrap();
+
+            let mut uri_parts = http::uri::Parts::default();
+            uri_parts.scheme = Some(http::uri::Scheme::HTTPS);
+            uri_parts.authority = Some(
+                http::uri::Authority::from_maybe_shared(format!(
+                    "{}:{}",
+                    &domain,
+                    https_addr.port()
+                ))
+                .unwrap(),
+            );
+            uri_parts.path_and_query = req.uri().path_and_query().cloned();
+
+            let uri: http::uri::Uri = uri_parts.try_into().unwrap();
+
+            return Response::builder()
+                .status(http::status::StatusCode::PERMANENT_REDIRECT)
+                .header("Location", uri.to_string())
+                .body(Body::empty())
+                .unwrap();
+        }
+
         if let Some(config) = self.proxied_domains.get(&domain) {
             if let Some(ref http_url) = config.http_url {
                 return service::http::proxy::serve_http_request(