diff --git a/playbooks/host_vars/review-dev01.openstack.org.yaml b/playbooks/host_vars/review-dev01.openstack.org.yaml
index 0ee38440ed..6059aa27fd 100644
--- a/playbooks/host_vars/review-dev01.openstack.org.yaml
+++ b/playbooks/host_vars/review-dev01.openstack.org.yaml
@@ -1 +1,4 @@
 gerrit_storyboard_url: https://storyboard-dev.openstack.org
+gerrit_vhost_name: review-dev.openstack.org
+gerrit_ssl_cert_file: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+gerrit_ssl_key_file: '/etc/ssl/private/ssl-cert-snakeoil.key'
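Review bot: The snakeoil paths added for `gerrit_ssl_cert_file` and `gerrit_ssl_key_file` have no comment marking them as a placeholder, while the zuul test template in this same change carries `# TODO(mordred) Replace this with LE certs`. With these values review-dev serves a self-signed certificate that clients cannot validate, so a comment such as `# TODO: self-signed snakeoil cert; replace with a CA-issued certificate` above the two lines would make the intent explicit. The files come from the `ssl-cert` package, which the role's `Install apache2` task does not list. It is probably pulled in as an apache2 recommendation, but that is worth confirming.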
diff --git a/playbooks/host_vars/review01.opendev.org.yaml b/playbooks/host_vars/review01.opendev.org.yaml
index 5475f8386c..8c781e4863 100644
--- a/playbooks/host_vars/review01.opendev.org.yaml
+++ b/playbooks/host_vars/review01.opendev.org.yaml
@@ -71,3 +71,4 @@ gerrit_replication:
     threads: '4'
     mirror: true
 gerrit_storyboard_url: https://storyboard.openstack.org
+gerrit_vhost_name: review.opendev.org
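Review bot: This hunk sets `gerrit_vhost_name` for the production host but not `gerrit_ssl_cert_file` or `gerrit_ssl_key_file`, which gerrit.vhost.j2 uses without a default in `SSLCertificateFile` and `SSLCertificateKeyFile`. If those values are not supplied from host vars outside this diff, the `Copy apache config` task will fail on an undefined variable. A short comment next to `gerrit_vhost_name` naming where the certificate paths are defined would save the next reader the search. The rest of this file is outside the hunk, so they may already be set above.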
diff --git a/playbooks/roles/gerrit/files/robots.txt b/playbooks/roles/gerrit/files/static/robots.txt
similarity index 100%
rename from playbooks/roles/gerrit/files/robots.txt
rename to playbooks/roles/gerrit/files/static/robots.txt
diff --git a/playbooks/roles/gerrit/handlers/main.yaml b/playbooks/roles/gerrit/handlers/main.yaml
new file mode 100644
index 0000000000..189721bb4f
--- /dev/null
+++ b/playbooks/roles/gerrit/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: gerrit Reload apache2
+  service:
+    name: apache2
+    state: reloaded
diff --git a/playbooks/roles/gerrit/tasks/main.yaml b/playbooks/roles/gerrit/tasks/main.yaml
index 5c567d96f2..fc036c4d98 100644
--- a/playbooks/roles/gerrit/tasks/main.yaml
+++ b/playbooks/roles/gerrit/tasks/main.yaml
@@ -229,6 +229,33 @@
     - static
     - etc
 
+- name: Install apache2
+  apt:
+    name:
+      - apache2
+      - apache2-utils
+    state: present
+
+- name: Apache modules
+  apache2_module:
+    state: present
+    name: "{{ item }}"
+  loop:
+    - rewrite
+    - proxy
+    - proxy_http
+    - ssl
+    - headers
+
+- name: Copy apache config
+  template:
+    src: gerrit.vhost.j2
+    dest: /etc/apache2/sites-enabled/000-default.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify: gerrit Reload apache2
+
 - name: Install podman-compose
   pip:
     name: podman-compose
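Review bot: The `Apache modules` task has no `notify`, so a run that enables a module without also changing the vhost template never reloads Apache. Adding `notify: gerrit Reload apache2` to it closes that gap, though a newly enabled module may need a full restart rather than a reload, which is worth confirming. This matters because the HTTPS vhost in gerrit.vhost.j2 sits inside `<IfModule mod_ssl.c>`, so without mod_ssl loaded it is silently skipped while port 80 keeps redirecting to it. In `Copy apache config`, quote the mode as `mode: '0644'` so it is passed as a string rather than read as a YAML integer.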
diff --git a/playbooks/roles/gerrit/templates/gerrit.config b/playbooks/roles/gerrit/templates/gerrit.config
index 564f376cbd..f8ada444d9 100644
--- a/playbooks/roles/gerrit/templates/gerrit.config
+++ b/playbooks/roles/gerrit/templates/gerrit.config
@@ -3,11 +3,11 @@
 
 [gerrit]
 	basePath = git
-	canonicalWebUrl = https://review.opendev.org/
+	canonicalWebUrl = https://{{ gerrit_vhost_name }}/
 	changeScreen = OLD_UI
 	reportBugText = Get Help
 	reportBugUrl = https://docs.openstack.org/infra/system-config/project.html#contributing
-	gitHttpUrl = https://review.opendev.org/
+	gitHttpUrl = https://{{ gerrit_vhost_name }}/
 [database]
 {% if gerrit_database_type == 'MYSQL' %}
 	type = MYSQL
diff --git a/playbooks/roles/gerrit/templates/gerrit.vhost.j2 b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
new file mode 100644
index 0000000000..608927374b
--- /dev/null
+++ b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
@@ -0,0 +1,92 @@
+<VirtualHost *:80>
+  ServerName {{ gerrit_vhost_name }}
+  ServerAdmin webmaster@openstack.org
+
+  ErrorLog ${APACHE_LOG_DIR}/gerrit-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/gerrit-access.log combined
+
+  Redirect / https://{{ gerrit_vhost_name }}/
+
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+  ServerName {{ gerrit_vhost_name }}
+  ServerAdmin webmaster@openstack.org
+
+  AllowEncodedSlashes On
+
+  ErrorLog ${APACHE_LOG_DIR}/gerrit-ssl-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/gerrit-ssl-access.log combined
+
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  SSLCertificateFile      {{ gerrit_ssl_cert_file }}
+  SSLCertificateKeyFile   {{ gerrit_ssl_key_file }}
+{% if gerrit_ssl_chain_file is defined %}
+  SSLCertificateChainFile {{ gerrit_ssl_chain_file }}
+{% endif %}
+
+  <FilesMatch "\.(cgi|shtml|phtml|php)$">
+      SSLOptions +StdEnvVars
+  </FilesMatch>
+  <Directory /usr/lib/cgi-bin>
+      SSLOptions +StdEnvVars
+  </Directory>
+
+  BrowserMatch "MSIE [2-6]" \
+      nokeepalive ssl-unclean-shutdown \
+      downgrade-1.0 force-response-1.0
+  # MSIE 7 and newer should be able to use keepalive
+  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+  RewriteEngine on
+
+  ProxyRequests off
+  ProxyVia off
+  ProxyPreserveHost on
+  ProxyStatus On
+
+  ProxyPassMatch ^/p/ !
+  ProxyPassMatch ^/robots.txt$ !
+  ProxyPassMatch ^/server-status !
+  ProxyPass / http://localhost:8081/ nocanon
+  ProxyPassReverse / http://localhost:8081/
+
+  Alias /robots.txt /home/gerrit2/review_site/static/robots.txt
+
+  SetEnv GIT_PROJECT_ROOT /opt/lib/git
+  SetEnv GIT_HTTP_EXPORT_ALL
+
+  AliasMatch ^/p/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /opt/lib/git/$1
+  AliasMatch ^/p/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /opt/lib/git/$1
+  ScriptAlias /p/ /usr/lib/git-core/git-http-backend/
+
+  <Directory /home/gerrit2/review_site/git/>
+    Require all granted
+    Order allow,deny
+    Allow from all
+  </Directory>
+  <Directory /usr/lib/git-core>
+    Require all granted
+    Allow from all
+    Satisfy Any
+  </Directory>
+  <Directory /home/gerrit2/review_site/static/>
+    Require all granted
+    Allow from all
+    Satisfy Any
+  </Directory>
+
+</VirtualHost>
+</IfModule>
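Review bot: `SSLProtocol All -SSLv2 -SSLv3` in the 443 vhost still leaves TLS 1.0 and TLS 1.1 enabled; unless old clients must be supported, `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` is the tighter setting. In the `SSLCipherSuite` line the `!AES256` exclusion removes every AES-256 suite, so the `ECDH+AES256` and `DH+AES256` entries before it never apply; either drop the exclusion or make the comment above it say that only AES-128 suites remain. The `<Directory>` blocks mix `Require all granted` with the 2.2-era `Order`/`Allow`/`Satisfy` directives, which the Apache 2.4 documentation discourages, and `Require all granted` alone is enough. The port-80 vhost redirects to HTTPS but no `Strict-Transport-Security` header is set, even though the role enables the `headers` module.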
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index 3a8d553619..7e3884fa6f 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -92,6 +92,7 @@
         - host_vars/mirror-update01.opendev.org.yaml
         - host_vars/backup-test01.opendev.org.yaml
         - host_vars/backup-test02.opendev.org.yaml
+        - host_vars/review01.opendev.org.yaml
     - name: Display group membership
       command: ansible localhost -m debug -a 'var=groups'
     - name: Run base.yaml
diff --git a/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2 b/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2
new file mode 100644
index 0000000000..c6441fb8bf
--- /dev/null
+++ b/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2
@@ -0,0 +1,3 @@
+# TODO(mordred) Replace this with LE certs
+gerrit_ssl_cert_file: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+gerrit_ssl_key_file: '/etc/ssl/private/ssl-cert-snakeoil.key'