diff --git a/README.md b/README.md
index 3c60598..a88c26b 100644
--- a/README.md
+++ b/README.md
@@ -55,8 +55,9 @@ The SSL protocols and cipher suites that are used/allowed when clients make secu
     apache_mods_enabled:
       - rewrite.load
       - ssl.load
+    apache_mods_disabled: []
 
-(Debian/Ubuntu ONLY) Which Apache mods to enable (these will be symlinked into the apporopriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` by default) for all the available mods.
+(Debian/Ubuntu ONLY) Which Apache mods to enable or disable (these will be symlinked into the appropriate location). See the `mods-available` directory inside the apache configuration directory (`/etc/apache2/mods-available` by default) for all the available mods.
 
     apache_packages:
       - [platform-specific]
diff --git a/defaults/main.yml b/defaults/main.yml
index 105245c..36a4334 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -25,6 +25,8 @@ apache_vhosts_ssl: []
 apache_ssl_protocol: "All -SSLv2 -SSLv3"
 apache_ssl_cipher_suite: "AES256+EECDH:AES256+EDH"
 
+# Only used on Debian/Ubuntu.
 apache_mods_enabled:
   - rewrite.load
   - ssl.load
+apache_mods_disabled: []
diff --git a/tasks/configure-Debian.yml b/tasks/configure-Debian.yml
index f653e8c..6ed3a4a 100644
--- a/tasks/configure-Debian.yml
+++ b/tasks/configure-Debian.yml
@@ -16,6 +16,13 @@
   with_items: apache_mods_enabled
   notify: restart apache
 
+- name: Disable Apache mods.
+  file:
+    path: "{{ apache_server_root }}/mods-enabled/{{ item }}"
+    state: absent
+  with_items: apache_mods_disabled
+  notify: restart apache
+
 - name: Add apache vhosts configuration.
   template:
     src: "vhosts-{{ apache_vhosts_version }}.conf.j2"