diff --git a/config.yml b/config.yml
index 9dcb733..15be3c7 100644
--- a/config.yml
+++ b/config.yml
@@ -16,9 +16,9 @@ domain:
     # renewed.
     #contact_email: REQUIRED if service.http.https_addr is set
 
-  # The domain name which will be used to serve the web interface of Domani. If
-  # service.http.https_addr is enabled then an HTTPS certificate for this domain
-  # will be retrieved automatically.
+  # The domain name which will be used to serve the web interface of Domani over
+  # HTTP(S). If service.http.https_addr is enabled then an HTTPS certificate for
+  # this domain will be retrieved automatically.
   #
   # This can be set to null to disable the web interface entirely.
   #interface_domain: "localhost"
@@ -81,7 +81,7 @@ service:
 
   # Passphrase which must be given by users who are configuring new domains via
   # the web interface.
-  #passphrase: REQUIRED
+  #passphrase: REQUIRED (if HTTP is enabled)
 
   # DNS records which users must add to their domain's DNS so that
   # Domani can serve the domains. All records given must route to this Domani
@@ -103,7 +103,7 @@ service:
   #http:
 
     # The address to listen for HTTP requests on. This must use port 80 if
-    # https_addr is set.
+    # https_addr is set. Set this to null to disable HTTP support.
     #http_addr: "[::]:3080"
 
     # The address to listen for HTTPS requests on. Defaults to not having HTTP
diff --git a/src/main.rs b/src/main.rs
index 6103203..bfa8da6 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -81,10 +81,19 @@ async fn main() {
         return;
     };
 
+    let http_enabled = config.service.http.http_addr.is_some();
     let https_enabled = config.service.http.https_addr.is_some();
     let gemini_enabled = config.service.gemini.gemini_addr.is_some();
     let external_domains_enabled = !config.domain.external_domains.is_empty();
 
+    if https_enabled && !http_enabled {
+        panic!("http is disabled, but is required by https");
+    }
+
+    if external_domains_enabled && !http_enabled {
+        panic!("http is disabled, but is required by external_domains");
+    }
+
     let origin_store = domani::origin::git::Proxy::new();
 
     let domain_checker = domani::domain::checker::DNSChecker::new(
@@ -168,12 +177,14 @@ async fn main() {
         config.domain.clone(),
     );
 
-    let _ = domani::service::http::Service::new(
-        &mut task_stack,
-        domain_manager.clone(),
-        domani::domain::manager::HttpsCertResolver::from(domain_manager.clone()),
-        config.service.clone(),
-    );
+    if http_enabled {
+        let _ = domani::service::http::Service::new(
+            &mut task_stack,
+            domain_manager.clone(),
+            domani::domain::manager::HttpsCertResolver::from(domain_manager.clone()),
+            config.service.clone(),
+        );
+    }
 
     if gemini_enabled {
         let _ = domani::service::gemini::Service::new(
diff --git a/src/service/http.rs b/src/service/http.rs
index f8260fc..b4d81ba 100644
--- a/src/service/http.rs
+++ b/src/service/http.rs
@@ -93,7 +93,9 @@ impl Service {
             config,
         });
 
-        task_stack.push_spawn(|canceller| tasks::listen_http(service.clone(), canceller));
+        task_stack.push_spawn(|canceller| {
+            tasks::listen_http(service.clone(), canceller, service.http_listen_addr())
+        });
 
         if service.https_enabled() {
             task_stack.push_spawn(|canceller| tasks::listen_https(service.clone(), canceller));
@@ -102,6 +104,13 @@ impl Service {
         service
     }
 
+    fn http_listen_addr(&self) -> net::SocketAddr {
+        self.config
+            .http
+            .http_addr
+            .expect("http_addr is required for the http service")
+    }
+
     fn https_enabled(&self) -> bool {
         self.config.http.https_addr.is_some()
     }
diff --git a/src/service/http/config.rs b/src/service/http/config.rs
index 165ae31..6613f0d 100644
--- a/src/service/http/config.rs
+++ b/src/service/http/config.rs
@@ -1,8 +1,8 @@
 use serde::{Deserialize, Serialize};
 use std::net;
 
-fn default_http_addr() -> net::SocketAddr {
-    "[::]:3080".parse().unwrap()
+fn default_http_addr() -> Option<net::SocketAddr> {
+    Some("[::]:3080".parse().unwrap())
 }
 
 #[derive(Deserialize, Serialize, Clone)]
@@ -38,7 +38,7 @@ impl AsRef<hyper::Method> for ConfigFormMethod {
 #[derive(Deserialize, Serialize, Clone)]
 pub struct Config {
     #[serde(default = "default_http_addr")]
-    pub http_addr: net::SocketAddr,
+    pub http_addr: Option<net::SocketAddr>,
     pub https_addr: Option<net::SocketAddr>,
 
     #[serde(default)]
diff --git a/src/service/http/tasks.rs b/src/service/http/tasks.rs
index dfb9d45..7a2b6d2 100644
--- a/src/service/http/tasks.rs
+++ b/src/service/http/tasks.rs
@@ -73,9 +73,9 @@ async fn serve_conn<Conn>(
 pub async fn listen_http(
     service: sync::Arc<service::http::Service>,
     canceller: CancellationToken,
+    addr: net::SocketAddr,
 ) -> unexpected::Result<()> {
     let mut wg = awaitgroup::WaitGroup::new();
-    let addr = service.config.http.http_addr;
     let listener = tokio::net::TcpListener::bind(addr)
         .await
         .map_unexpected_while(|| format!("creating TCP listener on {addr}"))?;