diff --git a/.includes/nginx.sh b/.includes/nginx.sh
index 82568a1..6a618c8 100644
--- a/.includes/nginx.sh
+++ b/.includes/nginx.sh
@@ -36,14 +36,72 @@ ensure_ufw() {
 return 0
 }
-install_nginx() {
+enable_nginx_service() {
+ # `sudoFlags` is initialized by the main launcher before sourcing this file.
+ # shellcheck disable=SC2154
+ if ! sudo "${sudoFlags[@]}" systemctl enable --now nginx; then
+ msgbox "nginx was configured, but the service failed to enable or start."
+ return 1
+ fi
+
+ return 0
+}
+
+web_ports_open() {
+ local statusLine=""
+ local hasHttp="No"
+ local hasHttps="No"
+
+ if ! ufw_installed; then
+ return 1
+ fi
+
+ while IFS= read -r statusLine; do
+ if [[ "$statusLine" =~ ^[[:space:]]*80/tcp[[:space:]]+ALLOW[[:space:]]+Anywhere([[:space:]]*\(v6\))?[[:space:]]*$ ]]; then
+ hasHttp="Yes"
+ elif [[ "$statusLine" =~ ^[[:space:]]*443/tcp[[:space:]]+ALLOW[[:space:]]+Anywhere([[:space:]]*\(v6\))?[[:space:]]*$ ]]; then
+ hasHttps="Yes"
+ fi
+ done < <(
+ # `sudoFlags` is initialized by the main launcher before sourcing this file.
+ # shellcheck disable=SC2154
+ sudo "${sudoFlags[@]}" ufw status 2>&1
+ )
+
+ [[ "$hasHttp" == "Yes" && "$hasHttps" == "Yes" ]]
+}
+
+offer_open_web_ports() {
+ if ! ufw_installed; then
+ return 0
+ fi
+
+ if web_ports_open; then
+ return 0
+ fi
+
+ if [[ "$(yesno "ufw is installed. Open 80/tcp and 443/tcp for nginx now?")" != "Yes" ]]; then
+ return 0
+ fi
+
+ open_web_ports
+}
+
+ensure_nginx() {
 local clacksHeader=""
- if ! nginx_installed; then
- if ! install_package nginx; then
- msgbox "Failed to install nginx."
- return 1
- fi
+ if nginx_installed; then
+ return 0
+ fi
+
+ if [[ "$(yesno "nginx is not installed. Install it now and continue?")" != "Yes" ]]; then
+ msgbox "nginx action cancelled."
+ return 1
+ fi
+
+ if ! install_package nginx; then
+ msgbox "Failed to install nginx."
+ return 1
 fi
 clacksHeader="$(prompt_clacks_header || true)"
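Review bot: `web_ports_open` counts a port as open only when a `ufw status` row matches `80/tcp ALLOW Anywhere` (or the 443 equivalent) exactly, so rules limited to a source address, written without `/tcp`, or added through an application profile are read as closed. `offer_open_web_ports` then proposes opening the ports, which, assuming `open_web_ports` (body not in this diff) adds plain allow rules for 80/tcp and 443/tcp, would widen a firewall that someone deliberately restricted. The prompt should say what it does, e.g. `"ufw is installed. Allow 80/tcp and 443/tcp from any address for nginx now?"`, and the loop should carry a comment such as `# Matches only exact "<port>/tcp ALLOW Anywhere" rows; restricted or profile-based rules read as closed.` Either the IPv4 row or the `(v6)` row alone sets the flag, and `2>&1` feeds sudo/ufw error text into the same parser, so a failed status call cannot be told apart from "ports closed".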
@@ -52,13 +110,11 @@ install_nginx() {
 return 1
 fi
- # `sudoFlags` is initialized by the main launcher before sourcing this file.
- # shellcheck disable=SC2154
- if ! sudo "${sudoFlags[@]}" systemctl enable --now nginx; then
- msgbox "nginx was configured, but the service failed to enable or start."
+ if ! enable_nginx_service; then
 return 1
 fi
+ offer_open_web_ports || return 1
 msgbox "nginx is installed and running."
 return 0
 }
@@ -256,10 +312,7 @@ create_site() {
 local siteConfigFile=""
 local defaultIndexFile=""
- if ! nginx_installed; then
- msgbox "Install nginx first."
- return 1
- fi
+ ensure_nginx || return 1
 siteName="$(inputbox "Enter a short site name for the config file, for example example.com.")" || return 1
 if [[ -z "$siteName" || ! "$siteName" =~ ^[A-Za-z0-9._-]+$ ]]; then
@@ -353,10 +406,7 @@ select_site_file() {
 enable_site() {
 local siteName=""
- if ! nginx_installed; then
- msgbox "Install nginx first."
- return 1
- fi
+ ensure_nginx || return 1
 siteName="$(select_site_file "$nginxSitesAvailable" f)" || {
 msgbox "No available site configs were found."
@@ -377,10 +427,7 @@ enable_site() {
 disable_site() {
 local siteName=""
- if ! nginx_installed; then
- msgbox "Install nginx first."
- return 1
- fi
+ ensure_nginx || return 1
 siteName="$(select_site_file "$nginxSitesEnabled" l)" || {
 msgbox "No enabled sites were found."
@@ -403,10 +450,7 @@ test_nginx_config() {
 local status=0
 local statusText=""
- if ! nginx_installed; then
- msgbox "Install nginx first."
- return 1
- fi
+ ensure_nginx || return 1
 tempFile="$(mktemp)"
 # `sudoFlags` is initialized by the main launcher before sourcing this file.
@@ -420,10 +464,7 @@ test_nginx_config() {
 }
 reload_nginx() {
- if ! nginx_installed; then
- msgbox "Install nginx first."
- return 1
- fi
+ ensure_nginx || return 1
 if ! test_nginx_config; then
 msgbox "nginx was not reloaded because the config test failed."
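Review bot: `offer_open_web_ports || return 1` makes a firewall failure fail the whole of `ensure_nginx` after the package is already installed and the service enabled, and it skips the "nginx is installed and running." message. The caller then aborts its own action through `ensure_nginx || return 1` even though nginx is usable. If the firewall step is optional, as its yes/no prompt suggests, do not propagate its status: `offer_open_web_ports || true`, leaving `open_web_ports` to report its own error (its body is outside this diff, so confirm that it does). The start of `ensure_nginx` is in the previous hunk.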
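Review bot: Replacing the "Install nginx first." guard with `ensure_nginx || return 1` in `create_site`, and identically in the `enable_site`, `disable_site`, `test_nginx_config` and `reload_nginx` hunks that follow, means each of these menu actions can now install a package, start a listening service through `systemctl enable --now`, and offer to open firewall ports. The yes/no prompt gates that, but `disable_site`, `test_nginx_config` and `reload_nginx` have nothing to act on when nginx is absent, so a read-only guard fits them better: `nginx_installed || { msgbox "nginx is not installed."; return 1; }`. `reload_nginx` also calls `test_nginx_config`, so `ensure_nginx` runs twice on that path; this looks harmless but deserves a short comment. Each of these function bodies continues outside its hunk.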
@@ -461,21 +502,46 @@ open_web_ports() {
 return 0
 }
+close_web_ports() {
+ ensure_ufw || return 1
+
+ # `sudoFlags` is initialized by the main launcher before sourcing this file.
+ # shellcheck disable=SC2154
+ if ! sudo "${sudoFlags[@]}" ufw delete allow 80/tcp; then
+ msgbox "Failed to close 80/tcp."
+ return 1
+ fi
+
+ # shellcheck disable=SC2154
+ if ! sudo "${sudoFlags[@]}" ufw delete allow 443/tcp; then
+ msgbox "Failed to close 443/tcp."
+ return 1
+ fi
+
+ msgbox "Web ports 80/tcp and 443/tcp were removed."
+ return 0
+}
+
+web_ports_menu_label() {
+ if web_ports_open; then
+ printf '%s\n' "Close web ports"
+ else
+ printf '%s\n' "Open web ports"
+ fi
+}
+
 while true; do
+ webPortsChoice="$(web_ports_menu_label)"
 nginxChoice="$(menulist \
- "Install nginx" \
 "Create site" \
 "Enable site" \
 "Disable site" \
 "Test config" \
 "Reload nginx" \
- "Open web ports" \
+ "$webPortsChoice" \
 "Back")" || break
 case "$nginxChoice" in
- "Install nginx")
- install_nginx
- ;;
 "Create site")
 create_site
 ;;
@@ -494,6 +560,9 @@ while true; do
 "Open web ports")
 open_web_ports
 ;;
+ "Close web ports")
+ close_web_ports
+ ;;
 "Back")
 break
 ;;
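Review bot: `web_ports_menu_label` offers "Close web ports" only when `web_ports_open` finds both the 80/tcp and the 443/tcp rows, so a host with just one of the two ports allowed is shown "Open web ports" and has no menu path to close the open one. The label is also recomputed on every pass of the `while true` loop, which puts a `sudo ... ufw status` call in front of each menu redraw. Listing both entries statically, `"Open web ports" \` followed by `"Close web ports" \`, removes both problems; the `case` arms for both labels already exist after this commit. Separately, `close_web_ports` returns at the first failed `ufw delete`, so a failure on 80/tcp leaves 443/tcp allowed; attempting both deletes and reporting afterwards would close whatever can be closed.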