diff --git a/machine/catacomb/mirror.nix b/machine/catacomb/mirror.nix
index 6d9b161..f37b822 100644
--- a/machine/catacomb/mirror.nix
+++ b/machine/catacomb/mirror.nix
@@ -5,10 +5,18 @@
   services.nginx = {
     enable = true;
     virtualHosts."mirror.catacomb.home" = {
-      listen = [ { addr = "10.22.20.2"; } ];
+      listen = [
+        { addr = "10.22.20.2"; }
+        # Binding to 10.22.20.2:80 here confuses the empyrean revproxy, even when the revproxy
+        # is configured with the same hostname, and it serves from fileserver.nix instead.
+        # This nonstandard port supports the revproxy use case.
+        { addr = "10.22.20.2"; port = 7474; }
+      ];
       root = "/nas/doc/website/mirror";
     };
   };
 
+  networking.firewall.allowedTCPPorts = [ 7474 ];
+
   users.users.nginx.extraGroups = ["nas"];
 }