diff --git a/op-service/httputil/server.go b/op-service/httputil/server.go
index 727201bc7cc44..b17d5f8017510 100644
--- a/op-service/httputil/server.go
+++ b/op-service/httputil/server.go
@@ -74,7 +74,7 @@ func (s *HTTPServer) Start() error {
 		},
 	}
 
-	if s.config.tls != nil {
+	if s.config.tls != nil && s.config.tls.CLIConfig.Enabled {
 		srv.TLSConfig = s.config.tls.Config
 	}
 
diff --git a/op-service/rpc/handler.go b/op-service/rpc/handler.go
index 40563a25ad329..361dce26f1d64 100644
--- a/op-service/rpc/handler.go
+++ b/op-service/rpc/handler.go
@@ -148,13 +148,9 @@ func (b *Handler) AddRPC(route string) error {
 
 	// default to 404 not-found
 	handler = http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
-		b.log.Info("oh no!")
 		http.NotFound(writer, request)
 	})
 
-	// Health endpoint is lowest priority.
-	handler = b.newHealthMiddleware(handler)
-
 	// serve RPC on configured RPC path (but not on arbitrary paths)
 	handler = b.newHttpRPCMiddleware(srv, handler)
 
@@ -167,6 +163,10 @@ func (b *Handler) AddRPC(route string) error {
 	for _, middleware := range b.middlewares {
 		handler = middleware(handler)
 	}
+
+	// Health endpoint applies before user middleware
+	handler = b.newHealthMiddleware(handler)
+
 	b.rpcRoutes[route] = srv
 
 	b.mux.Handle(route+"/", http.StripPrefix(route+"/", handler))
diff --git a/op-service/rpc/server_test.go b/op-service/rpc/server_test.go
index 900ebbba26d52..8774f93642283 100644
--- a/op-service/rpc/server_test.go
+++ b/op-service/rpc/server_test.go
@@ -114,6 +114,57 @@ func testServer(t *testing.T, endpoint string, appVersion string, namespace stri
 	})
 }
 
+// TestUserMiddlewareBeforeHealth tests that the health endpoint is always available, in front of user-middleware.
+func TestUserMiddlewareBeforeHealth(t *testing.T) {
+	appVersion := "test"
+	logger := testlog.Logger(t, log.LevelTrace)
+	server := ServerFromConfig(&ServerConfig{
+		HttpOptions: nil,
+		RpcOptions: []Option{
+			WithLogger(logger),
+			WithWebsocketEnabled(),
+			WithMiddleware(func(next http.Handler) http.Handler {
+				return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					w.WriteHeader(http.StatusTeapot)
+				})
+			}),
+		},
+		Host:       "127.0.0.1",
+		Port:       0,
+		AppVersion: appVersion,
+	})
+	server.AddAPI(rpc.API{
+		Namespace: "test",
+		Service:   new(testAPI),
+	})
+	require.NoError(t, server.Start(), "must start")
+
+	t.Cleanup(func() {
+		err := server.Stop()
+		if err != nil {
+			panic(err)
+		}
+	})
+
+	t.Run("does not support other GET /foobar", func(t *testing.T) {
+		res, err := http.Get(server.httpServer.HTTPEndpoint() + "/foobar")
+		require.NoError(t, err)
+		defer res.Body.Close()
+		require.Equal(t, http.StatusTeapot, res.StatusCode)
+	})
+
+	t.Run("supports GET /healthz", func(t *testing.T) {
+		res, err := http.Get(server.httpServer.HTTPEndpoint() + "/healthz")
+		require.NoError(t, err)
+		defer res.Body.Close()
+		require.Equal(t, http.StatusOK, res.StatusCode)
+		body, err := io.ReadAll(res.Body)
+		require.NoError(t, err)
+		require.EqualValues(t, fmt.Sprintf("{\"version\":\"%s\"}\n", appVersion), string(body))
+	})
+
+}
+
 func TestAuthServer(t *testing.T) {
 	secret := [32]byte{0: 4}
 	badSecret := [32]byte{0: 5}