diff --git a/manifests/site.pp b/manifests/site.pp
index 0b1a275a7a..1752da6aed 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -646,7 +646,7 @@ node /^mirror\..*\.openstack\.org$/ {
   $group = "mirror"
 
   class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80],
+    iptables_public_tcp_ports => [22, 80, 8080],
     sysadmins                 => hiera('sysadmins', []),
     afs                       => true,
     afs_cache_size            => 50000000,  # 50GB
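Review bot: The literal 8080 added to `iptables_public_tcp_ports` is repeated in mirror.vhost.erb (`Listen 8080`, `NameVirtualHost`, `<VirtualHost ...:8080>` and `ServerName`), and nothing ties the copies together. A later change to one of them would leave either a publicly open port with no listener or a listener behind a closed port. A class parameter passed to both the firewall list and the template would keep them in step. At minimum, add a comment above this line such as `# 8080: caching reverse-proxy vhost, see mirror.vhost.erb`. The node block continues outside the hunk.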
diff --git a/modules/openstack_project/manifests/mirror.pp b/modules/openstack_project/manifests/mirror.pp
index 867ef6df5c..3aaf653e53 100644
--- a/modules/openstack_project/manifests/mirror.pp
+++ b/modules/openstack_project/manifests/mirror.pp
@@ -240,6 +240,12 @@ class openstack_project::mirror (
     }
   }
 
+  if ! defined(Httpd::Mod['proxy_http']) {
+    httpd::mod { 'proxy_http':
+      ensure => present,
+    }
+  }
+
   ::httpd::vhost { $vhost_name:
     port     => 80,
     priority => '50',
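Review bot: Only `proxy_http` is ensured here, but the template change in this commit adds `SSLProxyEngine on`, which is a mod_ssl directive. If the ssl module is not enabled elsewhere in the class (not visible in this hunk), Apache will reject the configuration on reload. I would add a matching guard, `if ! defined(Httpd::Mod['ssl']) { httpd::mod { 'ssl': ensure => present } }`. The new resource is also written `httpd::mod` while the next resource uses `::httpd::vhost`; the leading `::` would keep it consistent.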
diff --git a/modules/openstack_project/templates/mirror.vhost.erb b/modules/openstack_project/templates/mirror.vhost.erb
index ccbd83870a..625ffca9ed 100644
--- a/modules/openstack_project/templates/mirror.vhost.erb
+++ b/modules/openstack_project/templates/mirror.vhost.erb
@@ -3,6 +3,11 @@
 # ************************************
 
 NameVirtualHost <%= @vhost_name %>:<%= @port %>
+
+# Dedicated port for proxy caching, as not to affect afs mirrors.
+Listen 8080
+NameVirtualHost <%= @vhost_name %>:8080
+
 <VirtualHost <%= @vhost_name %>:<%= @port %>>
     ServerName <%= @srvname %>
     <% if @serveraliases.is_a? Array -%>
@@ -81,6 +86,23 @@ NameVirtualHost <%= @vhost_name %>:<%= @port %>
     LogLevel warn
     CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
     ServerSignature Off
+</VirtualHost>
+
+<VirtualHost <%= @vhost_name %>:8080>
+    ServerName <%= @srvname %>:8080
+
+    # Disable directory listing by default.
+    <Directory />
+      Order Deny,Allow
+      Deny from all
+      Options None
+      AllowOverride None
+    </Directory>
+
+    ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_proxy_error.log
+    LogLevel warn
+    CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_proxy_access.log combined
+    ServerSignature Off
 
     # Caching reverse proxy for things that don't make sense in AFS
     #
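Review bot: The comment `# Disable directory listing by default.` on the new `<Directory />` block understates it, and the block does not limit the proxy. `Deny from all` there blocks all filesystem-served content for this vhost, but proxied requests are not matched by `<Directory>` sections, so any client the firewall lets reach 8080 can use the cache. I would reword the comment to `# This vhost serves no local files; deny filesystem access.` and state `ProxyRequests Off` explicitly inside the vhost so it cannot act as a forward proxy. The proxy rules sit below the hunk, so whether they already scope access cannot be seen from here. `Order`/`Deny` is 2.2 syntax and needs mod_access_compat on Apache 2.4.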
@@ -88,6 +110,8 @@ NameVirtualHost <%= @vhost_name %>:<%= @port %>
     CacheRoot "/opt/apache_cache"
     CacheDirLevels 5
     CacheDirLength 3
+    # SSL support
+    SSLProxyEngine on
     # Prevent thundering herds.
     CacheLock on
     CacheLockPath "/tmp/mod_cache-lock"
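Review bot: `SSLProxyEngine on` is added without any upstream certificate verification settings, and `SSLProxyVerify` defaults to `none`. Unless verification is configured elsewhere in the file, the proxy will accept any certificate from the HTTPS origin, and whatever it fetches is then cached and served to every client of the mirror. I would add `SSLProxyVerify require` and `SSLProxyCACertificatePath <CA_DIR>` (placeholder for the distro's CA directory) next to it. The comment could also say more than `# SSL support`, for example `# Allow https:// backends; upstream certificates are verified below.`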