diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go
index 756a6c30..d3be288b 100644
--- a/modules/caddyhttp/caddyhttp.go
+++ b/modules/caddyhttp/caddyhttp.go
@@ -326,6 +326,18 @@ func (app *App) automaticHTTPS() error {
 				continue
 			}
 
+			// if all listeners are on the HTTPS port, make sure
+			// there is at least one TLS connection policy; it
+			// should be obvious that they want to use TLS without
+			// needing to specify one empty policy to enable it
+			if !srv.listenersUseAnyPortOtherThan(app.httpsPort()) && len(srv.TLSConnPolicies) == 0 {
+				app.logger.Info("server is only listening on the HTTPS port but has no TLS connection policies; adding one to enable TLS",
+					zap.String("server_name", srvName),
+					zap.Int("https_port", app.httpsPort()),
+				)
+				srv.TLSConnPolicies = append(srv.TLSConnPolicies, new(caddytls.ConnectionPolicy))
+			}
+
 			// find all qualifying domain names, de-duplicated
 			domainSet := make(map[string]struct{})
 			for routeIdx, route := range srv.Routes {
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 6ce6b9e6..658adb95 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -106,6 +106,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) (*tls.Config, error) {
 }
 
 // ConnectionPolicy specifies the logic for handling a TLS handshake.
+// An empty policy is valid; safe and sensible defaults will be used.
 type ConnectionPolicy struct {
 	// How to match this policy with a TLS ClientHello. If
 	// this policy is the first to match, it will be used.
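Review bot: The new guard in automaticHTTPS may fire for a server that has no listen addresses at all, since `!srv.listenersUseAnyPortOtherThan(app.httpsPort())` is presumably true for an empty listener list (that method's body is not in the hunk) and such a server would then get an implicit TLS policy plus an Info log it never asked for; adding a `len(srv.Listen) > 0 &&` term to the condition would restrict the implicit enablement to servers that really are bound only to the HTTPS port. The policy is also appended before domainSet is computed, so a server on the HTTPS port with no qualifying host matchers ends up serving TLS with no managed names; whether that degrades to a default certificate or a handshake failure is not visible here and deserves a sentence in the comment, e.g. `// note: this enables TLS even when no qualifying domains are found below`. As a point of style, `app.httpsPort()` is called twice in the same condition/log; hoisting it into a local (`httpsPort := app.httpsPort()`) reads better and avoids recomputing it. The enclosing automaticHTTPS function starts and ends outside the hunk.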