diff --git a/doc/source/user/architecture.rst b/doc/source/user/architecture.rst
index 615282ac0..cb08bf6f9 100644
--- a/doc/source/user/architecture.rst
+++ b/doc/source/user/architecture.rst
@@ -33,6 +33,10 @@ nginx_
     Uses HTTP port 8080 by default (can be changed via the ``file_url_port``
     parameter).
 
+    When TLS is enabled, Nginx serves as a TLS proxy for Ironic and Inspector.
+    It listens on ports 6385 and 5050 and passes requests to the services
+    via unix sockets.
+
 dnsmasq_
     Dnsmasq is used as a DHCP and TFTP server (but not for DNS by default)
     when booting nodes over the network. It can also be used to provide DHCP
@@ -183,6 +187,10 @@ Runtime locations
     TLS certificates that are used to communicate to the ramdisk on the nodes
     when cleaning or deploying.
 
+``/run/ironic``
+    When TLS is enabled, this directory contains unix sockets of Ironic and
+    Inspector, which Nginx uses to pass requests.
+
 .. _ironic: https://docs.openstack.org/ironic/latest/
 .. _bare metal API: https://docs.openstack.org/api-ref/baremetal/
 .. _ironic-inspector: https://docs.openstack.org/ironic-inspector/latest/
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index bfe7fa9fa..da2aaa27d 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@@ -225,6 +225,14 @@
     - "{{ ironic_agent_deploy_logs_local_path | default('') }}"
   when: item | length > 0
 
+- name: "Ensure /run/ironic exists"
+  file:
+    name: "/run/ironic"
+    state: directory
+    owner: "ironic"
+    group: "{{ nginx_user }}"
+    mode: 0750
+
 - name: "Create ironic DB Schema"
   command: ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
   environment: "{{ bifrost_venv_env }}"
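Review bot: The `Ensure /run/ironic exists` task creates the socket directory only while the playbook runs, and on systemd hosts `/run` is normally a tmpfs, so after a reboot the directory is gone and Ironic and Inspector cannot bind `/run/ironic/ironic.socket` and `/run/ironic/ironic-inspector.socket` unless something recreates it; the service units are not part of this change, so I cannot tell whether they carry `RuntimeDirectory=`. A tmpfiles.d entry rendered alongside this task keeps boot-time state consistent with bootstrap, e.g. `d /run/ironic 0750 ironic {{ nginx_user }} -`. Separately, `mode: 0750` is an unquoted YAML scalar; `mode: "0750"` is the form the Ansible file module documentation recommends to avoid octal/decimal ambiguity.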
@@ -486,7 +494,7 @@
 - block:
   - name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
     seport:
-      ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,6388,5050,9999,15050"
+      ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999"
       proto: tcp
       setype: http_port_t
       state: present
diff --git a/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2
index ead65522f..7b0cfb15e 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2
@@ -20,7 +20,10 @@ transport_url = fake://
 {% if enable_tls | bool %}
 # TLS is handled by nginx is proxy mode
 listen_address = 127.0.0.1
-listen_port = 15050
+listen_unix_socket = /run/ironic/ironic-inspector.socket
+# Nginx should be able to write to the socket, access will be further limited
+# by the containing directory.
+listen_unix_socket_mode = 0660
 {% endif %}
 
 [database]
diff --git a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
index 335d9e5f1..b11192408 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
@@ -54,8 +54,11 @@ grub_config_path = EFI/{{ efi_distro }}/grub.cfg
 [api]
 # TLS is handled by nginx is proxy mode
 host_ip = 127.0.0.1
-port = 6388
 public_endpoint = {{ api_protocol }}://{{ internal_ip }}:6385
+unix_socket = /run/ironic/ironic.socket
+# Nginx should be able to write to the socket, access will be further limited
+# by the containing directory.
+unix_socket_mode = 0660
 
 {% if expose_json_rpc | bool %}
 [ssl]
diff --git a/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-ironic.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-ironic.conf.j2
index 704a5ffe9..5ff38aebc 100644
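Review bot: Removing 6388 and 15050 from the `seport` list follows the move off loopback TCP, but the change grants nothing for the replacement path: `http_port_t` labels TCP ports only, and whatever allowed nginx to reach those ports before (the boolean task is outside this hunk, so I cannot see it) does not cover `connectto` on a unix stream socket or `write` on the socket file under `/run/ironic`. On an enforcing host the first proxied request after bootstrap should be checked against the audit log, and if it is denied the sockets and directory need a context the nginx domain may write to, managed by this role rather than fixed by hand. The `- block:` enclosing this task continues past the hunk.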
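Review bot: `listen_unix_socket_mode = 0660` here, and `unix_socket_mode = 0660` in the ironic.conf.j2 hunk, assume the socket's group is the `{{ nginx_user }}` group that bootstrap.yml puts on `/run/ironic`, but a socket is created with the primary group of the process that binds it, which for Ironic and Inspector is the ironic service's group rather than the directory's, unless the directory is setgid or `nginx_user` has been added to that group; neither is visible in this change. If it is not, nginx gets EACCES on connect() and the proxied API answers 502. Creating the directory with `mode: 02750` so new sockets inherit the directory group is the smaller fix, and the two `# Nginx should be able to write to the socket` comments should then name that dependency instead of only the containing directory.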
--- a/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-ironic.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-ironic.conf.j2
@@ -6,7 +6,7 @@ server {
     ssl_certificate_key {{ ironic_private_key_path }};
 
     location / {
-        proxy_pass http://127.0.0.1:6388;
+        proxy_pass http://unix:/run/ironic/ironic.socket:;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
@@ -24,7 +24,7 @@ server {
     ssl_certificate_key {{ ironic_inspector_private_key_path }};
 
     location / {
-        proxy_pass http://127.0.0.1:15050;
+        proxy_pass http://unix:/run/ironic/ironic-inspector.socket:;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
diff --git a/releasenotes/notes/unix-socket-bac1a9e01b1cf7e6.yaml b/releasenotes/notes/unix-socket-bac1a9e01b1cf7e6.yaml
new file mode 100644
index 000000000..f13a08d3d
--- /dev/null
+++ b/releasenotes/notes/unix-socket-bac1a9e01b1cf7e6.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    When TLS is enabled, Ironic and Inspector now serve their API via unix
+    sockets in the ``/run/ironic`` directory instead of private TCP ports on
+    localhost. The public API is served by Nginx.