diff --git a/config-example.toml b/config-example.toml
index d279e50c..319a4a3b 100644
--- a/config-example.toml
+++ b/config-example.toml
@@ -10,6 +10,9 @@
 listen_port = 8080
 listen_port_tls = 8443
 
+# Optional. If you listen on a custom port like 8443 but redirect with firewall to 443
+# tls_redirection_port = 443
+
 # Optional for h2 and http1.1
 tcp_listen_backlog = 1024
 
diff --git a/rpxy-bin/src/config/toml.rs b/rpxy-bin/src/config/toml.rs
index b2a70bb5..5f244757 100644
--- a/rpxy-bin/src/config/toml.rs
+++ b/rpxy-bin/src/config/toml.rs
@@ -13,6 +13,7 @@ pub struct ConfigToml {
   pub listen_port: Option<u16>,
   pub listen_port_tls: Option<u16>,
   pub listen_ipv6: Option<bool>,
+  pub tls_redirection_port: Option<u16>,
   pub tcp_listen_backlog: Option<u32>,
   pub max_concurrent_streams: Option<u32>,
   pub max_clients: Option<u32>,
@@ -107,6 +108,8 @@ impl TryInto<ProxyConfig> for &ConfigToml {
       // listen port and socket
       http_port: self.listen_port,
       https_port: self.listen_port_tls,
+      https_redirection_port: if self.tls_redirection_port.is_some() {
+        self.tls_redirection_port } else { self.listen_port_tls },
       ..Default::default()
     };
     ensure!(
diff --git a/rpxy-lib/src/message_handler/handler_main.rs b/rpxy-lib/src/message_handler/handler_main.rs
index 9ce63f8f..3a443956 100644
--- a/rpxy-lib/src/message_handler/handler_main.rs
+++ b/rpxy-lib/src/message_handler/handler_main.rs
@@ -121,7 +121,7 @@ where
         "Redirect to secure connection: {}",
         <&ServerName as TryInto<String>>::try_into(&backend_app.server_name).unwrap_or_default()
       );
-      return secure_redirection_response(&backend_app.server_name, self.globals.proxy_config.https_port, &req);
+      return secure_redirection_response(&backend_app.server_name, self.globals.proxy_config.https_redirection_port, &req);
     }
 
     // Find reverse proxy for given path and choose one of upstream host