diff --git a/defaults/main.yml b/defaults/main.yml
index b28694a7..99f6026c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -172,17 +172,26 @@ keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"
 ## Set this value to override the "public_endpoint" keystone.conf variable
 #keystone_public_endpoint: "{{ keystone_service_publicuri }}"
+# This is the web server that will handle all requests and will act as a
+# reverse proxy to uWSGI. If internal TLS/SSL certificates are configured,
+# they are implemented in this web server's configuration. Using a web server
+# for endpoints is far better for scale and allows the use of additional
+# modules to improve performance or security, leaving uWSGI to only have
+# to be used for running the service.
+#
+# Note:
+# The default is nginx, but apache will be used if Keystone is configured
+# as a Federated Service provider.
+# TODO (odyssey4me): Convert the SP implementation to use nginx instead
+# so that we do not have to be concerned with multiple web servers.
+#
+keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"
+
 ## Apache setup
-keystone_apache_enabled: true
-keystone_mod_wsgi_enabled: true
 keystone_apache_log_level: info
 keystone_apache_custom_log_format: combined
 keystone_apache_servertokens: "Prod"
 keystone_apache_serversignature: "Off"
-keystone_wsgi_threads: 1
-## Cap the maximun number of processes when a user value is unspecified.
-keystone_wsgi_processes_max: 16
-keystone_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
 ## Apache MPM tunables
 keystone_httpd_mpm_backend: event
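Review bot: The new comment block never states which values `keystone_web_server` accepts, yet every consumer in this change branches on two literals only: handlers/main.yml and vars/main.yml test `== 'apache'`, tasks/keystone_install.yml tests `== 'nginx'`, and tasks/main.yml includes `keystone_{{ keystone_web_server }}.yml`. Because the two comparisons are mirror images, an operator who overrides the variable with any other spelling gets the apache branch in one file and the nginx branch in another before the include fails on a missing file. I would add, directly above the variable, `# Valid values are 'apache' and 'nginx'; the role branches on these two literals only.` and note that an explicit override replaces the federation-based default shown here.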
@@ -204,6 +213,10 @@ keystone_nginx_extra_conf:
 - keepalive_timeout 70;
 ## uWSGI setup
+keystone_wsgi_threads: 1
+## Cap the maximun number of processes when a user value is unspecified.
+keystone_wsgi_processes_max: 16
+keystone_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, keystone_wsgi_processes_max] | min }}"
 keystone_wsgi_public_program_name: keystone-wsgi-public
 keystone_wsgi_admin_program_name: keystone-wsgi-admin
 keystone_wsgi_program_names:
diff --git a/handlers/main.yml b/handlers/main.yml
index 64752414..489bd008 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -15,7 +15,7 @@
 - name: Restart web server
 service:
- name: "{{ (keystone_apache_enabled | bool) | ternary(keystone_system_service_name, 'nginx') }}"
+ name: "{{ (keystone_web_server == 'apache') | ternary(keystone_system_service_name, 'nginx') }}"
 enabled: yes
 state: restarted
 daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
@@ -47,8 +47,6 @@
 retries: 5
 delay: 2
 with_items: "{{ keystone_wsgi_program_names }}"
- when:
- - not keystone_mod_wsgi_enabled | bool
 listen: "Restart uWSGI"
 # Note (odyssey4me):
@@ -80,8 +78,6 @@
 retries: 5
 delay: 2
 with_items: "{{ keystone_wsgi_program_names }}"
- when:
- - not keystone_mod_wsgi_enabled | bool
 listen: "Restart uWSGI"
 - name: Wait for uWSGI socket to be ready
@@ -92,8 +88,6 @@
 with_items:
 - "{{ keystone_uwsgi_ports['keystone-wsgi-admin']['socket'] }}"
 - "{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}"
- when:
- - not keystone_mod_wsgi_enabled | bool
 register: _wait_check
 until: _wait_check | success
 retries: 5
diff --git a/releasenotes/notes/keystone-nginx-default-e9d91affd646f379.yaml b/releasenotes/notes/keystone-nginx-default-e9d91affd646f379.yaml
new file mode 100644
index 00000000..d12ce1c5
--- /dev/null
+++ b/releasenotes/notes/keystone-nginx-default-e9d91affd646f379.yaml
@@ -0,0 +1,10 @@ +--- +upgrade: + - Keystone now uses uWSGI exclusively (instead of Apache with mod_wsgi) + and has the web server acting as a reverse proxy. The default web + server is now set to Nginx instead of Apache, but Apache will + automatically used if federation is configured. +deprecations: + - The variables ``keystone_apache_enabled`` and ``keystone_mod_wsgi_enabled`` + have been removed and replaced with a single variable ``keystone_web_server`` + to optionally set the web server used for keystone. diff --git a/tasks/keystone_apache.yml b/tasks/keystone_apache.yml index ba7ff6ac..3cb493a2 100644 --- a/tasks/keystone_apache.yml +++ b/tasks/keystone_apache.yml @@ -49,7 +49,7 @@ - name: "shib2" state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}" - name: "proxy_http" - state: "{{ (keystone_mod_wsgi_enabled | bool) | ternary('absent', 'present') }}" + state: "present" when: - ansible_pkg_mgr == 'apt' notify: @@ -61,7 +61,7 @@ lineinfile: dest: '/etc/httpd/conf.modules.d/00-proxy.conf' line: 'LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so' - state: "{{ (keystone_mod_wsgi_enabled | bool) | ternary('absent', 'present') }}" + state: "present" when: - ansible_pkg_mgr == 'yum' notify: diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml index fd1c81fa..1bf1e080 100644 --- a/tasks/keystone_install.yml +++ b/tasks/keystone_install.yml 
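Review bot: `proxy_http` is now enabled unconditionally in the apt module list in tasks/keystone_apache.yml, but the rendered template only uses `ProxyPass ... uwsgi://...` targets, which are handled by `proxy_uwsgi` rather than `proxy_http`; unless something outside this hunk relies on HTTP proxying, the entry could stay `state: "absent"` so the loaded module set is no larger than the configuration needs. The apt task's module list begins before the hunk, so whether `proxy_uwsgi` is also enabled there cannot be confirmed from this view; if it is not, the yum branch's explicit `LoadModule proxy_uwsgi_module` line has no apt counterpart and the `uwsgi://` ProxyPass directives would fail at config test time. A comment on the `proxy_http` entry stating why it is required would settle the question for the next reader.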
@@ -49,6 +49,22 @@
 - ansible_pkg_mgr == 'yum'
 - keystone_sp != {}
+# If the web server being removed was never installed, this task will fail when trying
+# to stop/disable it. The task is therefore set to never fail.
+- name: Ensure other web server is not running/enabled
+ service:
+ name: "{{ (keystone_web_server == 'nginx') | ternary(keystone_system_service_name, 'nginx') }}"
+ enabled: no
+ state: stopped
+ daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
+ failed_when: false
+
+- name: Remove other web server distro packages and mod_wsgi
+ package:
+ name: "{{ ((keystone_web_server == 'nginx') | ternary(keystone_apache_distro_packages, keystone_nginx_distro_packages)) + keystone_mod_wsgi_distro_packages }}"
+ state: absent
+ autoremove: "{{ (ansible_pkg_mgr == 'apt') | ternary('yes', omit) }}"
+
 - name: Install distro packages
 package:
 name: "{{ keystone_package_list }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 015fa9fa..07687336 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -21,15 +21,6 @@
 tags:
 - always
-- name: Fail if incompatible configuration detected
- fail:
- msg: "keystone_apache_enabled must be True when keystone_mod_wsgi_enabled."
- when:
- - not keystone_apache_enabled | bool
- - keystone_mod_wsgi_enabled | bool
- tags:
- - always
-
 - name: Gather variables for each operating system
 include_vars: "{{ item }}"
 with_first_found:
@@ -110,13 +101,11 @@
 tags:
 - keystone-config
-- include: "keystone_{{ (keystone_apache_enabled | bool) | ternary('apache', 'nginx') }}.yml"
+- include: "keystone_{{ keystone_web_server }}.yml"
 tags:
 - keystone-config
 - include: keystone_uwsgi.yml
- static: no
- when: not keystone_mod_wsgi_enabled | bool
 tags:
 - keystone-config
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 9bd29c9a..53383480 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
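Review bot: `failed_when: false` on the new "Ensure other web server is not running/enabled" task suppresses every error, not only the "service was never installed" case the comment describes, so a web server that genuinely fails to stop is silently left running and holding the ports the new server must bind; register the result and fail on anything other than a missing service, e.g. `register: _ws_stop` and `failed_when: (_ws_stop | failed) and ('not find' not in (_ws_stop.msg | default('')))`, with the matched text confirmed against the service module's message on the target platforms. The branch is also the inverse of the other consumers: here any value other than `nginx` is treated as apache, while handlers/main.yml and vars/main.yml treat any value other than `apache` as nginx, so a mistyped `keystone_web_server` removes one server's packages and installs the other's; validating the value once in tasks/main.yml would resolve that. Minor: `enabled: no` should be the canonical `enabled: false`, and apt `autoremove` purges every package on the host left without a reverse dependency, which is broader than the listed web server packages and deserves a comment if that is intended.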
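Review bot: The "Fail if incompatible configuration detected" task is removed without a replacement check, and the second hunk in this file now includes `keystone_{{ keystone_web_server }}.yml` straight from the variable, so an unsupported value only surfaces as a missing-file error after the install tasks have already stopped and removed a web server based on it. I would put an assertion in its place, kept under the `always` tag like the task it replaces, so the run stops before any package or service changes.
```yaml
- name: Fail if unsupported web server is configured
  assert:
    that:
      - keystone_web_server in ['apache', 'nginx']
    msg: "keystone_web_server must be 'apache' or 'nginx'."
  tags:
    - always
```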
@@ -2,14 +2,6 @@ Listen {{ keystone_service_port }} -{% if keystone_mod_wsgi_enabled | bool -%} - WSGIDaemonProcess keystone-service user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP} python-path={{ keystone_bin | dirname }}/lib/python2.7/site-packages - - WSGIProcessGroup keystone-service - WSGIScriptAlias / /var/www/cgi-bin/keystone/main - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - WSGIScriptReloading Off = 2.4> ErrorLogFormat "%{cu}t %M" @@ -66,21 +58,13 @@ Listen {{ keystone_service_port }} Order allow,deny allow from all -{% else %} + ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/ -{% endif %} + Listen {{ keystone_admin_port }} -{% if keystone_mod_wsgi_enabled | bool -%} - WSGIDaemonProcess keystone-admin user={{ keystone_system_user_name }} group={{ keystone_system_group_name }} processes={{ keystone_wsgi_processes }} threads={{ keystone_wsgi_threads }} display-name=%{GROUP} python-path={{ keystone_bin | dirname }}/lib/python2.7/site-packages - - WSGIProcessGroup keystone-admin - WSGIScriptAlias / /var/www/cgi-bin/keystone/admin - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - WSGIScriptReloading Off = 2.4> ErrorLogFormat "%{cu}t %M" @@ -111,11 +95,10 @@ Listen {{ keystone_admin_port }} Order allow,deny allow from all -{% else -%} + ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-admin']["socket"] }}/ -{% endif %} + -{% if not keystone_mod_wsgi_enabled | bool -%} + ProxyPass /identity uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/ ProxyPass /identity_admin uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['socket'] }}/ -{% endif %} diff --git a/tox.ini b/tox.ini index 00444f2b..2012a714 100644 --- a/tox.ini +++ b/tox.ini 
@@ -120,7 +120,7 @@ deps =
 {[testenv:ansible]deps}
 setenv =
 {[testenv]setenv}
- ANSIBLE_PARAMETERS=-vvv -e keystone_mod_wsgi_enabled=False
+ ANSIBLE_PARAMETERS=-vvv -e keystone_web_server=apache
 commands =
 bash -c "{toxinidir}/tests/tests-repo-clone.sh"
 bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
@@ -131,7 +131,6 @@ deps =
 {[testenv:ansible]deps}
 setenv =
 {[testenv]setenv}
- ANSIBLE_PARAMETERS=-vvv -e keystone_apache_enabled=False -e keystone_mod_wsgi_enabled=False
 commands =
 bash -c "{toxinidir}/tests/tests-repo-clone.sh"
 bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
diff --git a/vars/main.yml b/vars/main.yml
index baf467b0..801cf84d 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -20,7 +20,7 @@
 #
 keystone_package_list: |-
 {% set packages = keystone_distro_packages %}
- {% if keystone_apache_enabled | bool %}
+ {% if keystone_web_server == 'apache' %}
 {% set _ = packages.extend(keystone_apache_distro_packages) %}
 {% if keystone_idp != {} %}
 {% set _ = packages.extend(keystone_idp_distro_packages) %}
@@ -31,11 +31,6 @@ keystone_package_list: |-
 {% else %}
 {% set _ = packages.extend(keystone_nginx_distro_packages) %}
 {% endif %}
- {% if keystone_mod_wsgi_enabled | bool %}
- {% set _ = packages.extend(keystone_mod_wsgi_distro_packages) %}
- {% else %}
- {% set _ = packages.extend(keystone_mod_proxy_uwsgi_distro_packages) %}
- {% endif %}
 {% if keystone_developer_mode | bool %}
 {% set _ = packages.extend(keystone_developer_mode_distro_packages) %}
 {% endif %}
diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml
index 8251e4df..b656e778 100644
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
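Review bot: The second tox.ini hunk drops the `ANSIBLE_PARAMETERS` line entirely instead of pinning the nginx case, so that environment now tests whatever `keystone_web_server` happens to default to; since the default in defaults/main.yml flips to apache whenever `keystone_sp` is non-empty, a federation setting in the test variables would silently make both environments exercise apache and leave the nginx path untested. Keep the override explicit so the intent survives future changes to the default: `ANSIBLE_PARAMETERS=-vvv -e keystone_web_server=nginx`.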
@@ -33,13 +33,15 @@ keystone_apache_distro_packages:
 - httpd
 - httpd-tools
 - mod_ssl
+ - mod_proxy_uwsgi
+# TODO(odyssey4me):
+# We can remove this in R because we only need this to
+# handle upgrades from O->P in order to remove the
+# package when switching to the new configuration.
 keystone_mod_wsgi_distro_packages:
 - mod_wsgi
-keystone_mod_proxy_uwsgi_distro_packages:
- - mod_proxy_uwsgi
-
 keystone_nginx_distro_packages:
 - nginx
diff --git a/vars/ubuntu-16.04.yml b/vars/ubuntu-16.04.yml
index 8361832e..73edc33d 100644
--- a/vars/ubuntu-16.04.yml
+++ b/vars/ubuntu-16.04.yml
@@ -32,13 +32,15 @@ keystone_distro_packages:
 keystone_apache_distro_packages:
 - apache2
 - apache2-utils
+ - libapache2-mod-proxy-uwsgi
+# TODO(odyssey4me):
+# We can remove this in R because we only need this to
+# handle upgrades from O->P in order to remove the
+# package when switching to the new configuration.
 keystone_mod_wsgi_distro_packages:
 - libapache2-mod-wsgi
-keystone_mod_proxy_uwsgi_distro_packages:
- - libapache2-mod-proxy-uwsgi
-
 keystone_nginx_distro_packages:
 - nginx-full