diff --git a/.gitignore b/.gitignore
index f8080f9..49138bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,3 +48,7 @@ vignettes/*.pdf
 # Prerendered shiny content
 index.html
 /index_files/
+
+# Certs
+tls.crt
+tls.key
diff --git a/default.conf.template b/default.conf.template
new file mode 100644
index 0000000..c88a4c2
--- /dev/null
+++ b/default.conf.template
@@ -0,0 +1,48 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+server {
+ listen ${PROXY_PORT} ssl;
+
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ ssl_certificate /etc/ssl/tls.crt;
+ ssl_certificate_key /etc/ssl/tls.key;
+
+ location / {
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://127.0.0.1:${APP_PORT};
+ proxy_read_timeout 20d;
+ proxy_buffering off;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_http_version 1.1;
+
+ proxy_redirect / $scheme://$host/;
+
+ }
+
+}
+
+server {
+ listen 8081;
+
+ location /healthz {
+
+ return 200 '';
+ access_log off;
+ log_not_found off;
+
+ }
+
+}
diff --git a/oc-process.sh b/oc-process.sh
index 32badf5..6b51af1 100755
--- a/oc-process.sh
+++ b/oc-process.sh
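Review bot: The health server hardcodes `listen 8081;` while the nginx container's probes in the template.yml Deployment hunk (`@@ -123,9 +152,54 @@`) read `${{PROXY_HEALTH_PORT}}`, so changing that parameter silently breaks startup, liveness and readiness without touching the listener. Change the line to `listen ${PROXY_HEALTH_PORT};` and add `PROXY_HEALTH_PORT` to that container's `env` next to `PROXY_PORT` and `APP_PORT`; as far as I recall the image's envsubst step only expands variables present in the container environment, so the unbraced nginx variables such as `$host` are unaffected. Separately, `ssl_protocols TLSv1.2;` excludes TLS 1.3 although nginx 1.27 supports it, and `HIGH:!aNULL:!MD5` still admits non-forward-secret RSA key exchange and CBC/SHA-1 suites; `ssl_protocols TLSv1.2 TLSv1.3;` together with `ssl_ciphers HIGH:!aNULL:!MD5:!kRSA:!SHA1;` tightens both while remaining compatible with current browsers.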
@@ -38,38 +38,46 @@ elif [ $i = "config" ]; then ITEM=".items[1]" -elif [ $i = "secrets" ]; then +elif [ $i = "nginx-config" ]; then ITEM=".items[2]" -elif [ $i = "deploy-app" ]; then +elif [ $i = "secrets" ]; then ITEM=".items[3]" -elif [ $i = "deploy-api" ]; then +elif [ $i = "nginx-secrets" ]; then ITEM=".items[4]" -elif [ $i = "deploy-db" ]; then +elif [ $i = "deploy-app" ]; then ITEM=".items[5]" -elif [ $i = "service-app" ]; then +elif [ $i = "deploy-api" ]; then ITEM=".items[6]" -elif [ $i = "service-api" ]; then +elif [ $i = "deploy-db" ]; then ITEM=".items[7]" -elif [ $i = "service-db" ]; then +elif [ $i = "service-app" ]; then ITEM=".items[8]" -elif [ $i = "route" ]; then +elif [ $i = "service-api" ]; then ITEM=".items[9]" +elif [ $i = "service-db" ]; then + + ITEM=".items[10]" + +elif [ $i = "route" ]; then + + ITEM=".items[11]" + elif [ $i = "all" ]; then ITEM="" @@ -82,6 +90,9 @@ else fi DB_PASSWORD=$(echo -n $DB_PASSWORD | base64) +NGINX_TEMPLATE=$(cat default.conf.template) +TLS_CRT=$(cat tls.crt | base64) +TLS_KEY=$(cat tls.key | base64) echo "# $(oc project finbif-dashboard)" @@ -95,4 +106,7 @@ oc process -f $f \ -p ERROR_EMAIL_TO="$ERROR_EMAIL_TO" \ -p ERROR_EMAIL_FROM="$ERROR_EMAIL_FROM" \ -p MEMORY="$MEMORY" \ + -p NGINX_TEMPLATE="$NGINX_TEMPLATE" \ + -p TLS_CRT="$TLS_CRT" \ + -p TLS_KEY="$TLS_KEY" \ | jq $ITEM diff --git a/template.yml b/template.yml index 35076e9..9942a05 100644 --- a/template.yml +++ b/template.yml @@ -24,6 +24,12 @@ parameters: - name: API_PORT required: true value: "8000" + - name: PROXY_PORT + required: true + value: "8080" + - name: PROXY_HEALTH_PORT + required: true + value: "8081" - name: DB required: true value: postgres @@ -46,6 +52,12 @@ parameters: value: /pgdata - name: DB_PASSWORD required: true + - name: NGINX_TEMPLATE + required: true + - name: TLS_CRT + required: true + - name: TLS_KEY + required: true - name: FINBIF_PRIVATE_API required: true - name: HOST 
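Review bot: `TLS_CRT=$(cat tls.crt | base64)` and the `TLS_KEY` line below it depend on the host's default wrapping: GNU coreutils `base64` inserts a newline every 76 characters, so for a certificate or key the parameter value carries embedded newlines. The API server's decoder appears to tolerate that, but the rendered output then differs between hosts and is harder to diff; `TLS_CRT=$(base64 -w0 < tls.crt)` and `TLS_KEY=$(base64 -w0 < tls.key)` (or `base64 | tr -d '\n'` where `-w` is unavailable) give a stable single-line value. The files are also read from the current directory without an existence check, so a missing file renders a Secret with empty `tls.crt`/`tls.key` data rather than failing the script.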
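Review bot: `-p TLS_KEY="$TLS_KEY"` places the private key in the `oc process` argument list, where it is readable by other users on the host through the process table for the duration of the call and is echoed verbatim if the script is ever run with `set -x`. `oc process` accepts `--param-file=FILE`; writing the three new parameters to a temporary file created with mode 0600 and passing that instead keeps the key material out of argv. The `oc process` invocation starts outside the hunk.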
@@ -56,6 +68,9 @@ parameters: - name: API_HEALTH required: true value: /healthz + - name: PROXY_HEALTH + required: true + value: /healthz - name: LIVENESS_PERIOD required: true value: "30" @@ -98,6 +113,12 @@ objects: db_port: ${DB_PORT} app_port: ${APP_PORT} api_port: ${API_PORT} +- kind: ConfigMap + apiVersion: v1 + metadata: + name: nginx-template-${BRANCH} + data: + default.conf.template: ${NGINX_TEMPLATE} - kind: Secret apiVersion: v1 metadata: @@ -105,6 +126,14 @@ objects: type: Opaque data: db_password: ${DB_PASSWORD} +- kind: Secret + apiVersion: v1 + metadata: + name: tls-${BRANCH} + type: kubernetes.io/tls + data: + tls.crt: ${TLS_CRT} + tls.key: ${TLS_KEY} - kind: Deployment apiVersion: apps/v1 metadata: @@ -123,9 +152,54 @@ objects: labels: app: ${APP} branch: ${BRANCH} - port: ${APP_PORT} + port: ${PROXY_PORT} spec: + volumes: + - name: tls-${BRANCH} + secret: + secretName: tls-${BRANCH} + - name: nginx-template-${BRANCH} + configMap: + name: nginx-template-${BRANCH} containers: + - image: nginxinc/nginx-unprivileged:1.27.1 + imagePullPolicy: Always + name: nginx-${BRANCH} + env: + - name: PROXY_PORT + value: ${PROXY_PORT} + - name: APP_PORT + value: ${APP_PORT} + startupProbe: + httpGet: + path: ${PROXY_HEALTH} + port: ${{PROXY_HEALTH_PORT}} + failureThreshold: ${{FAILURE_THRESHOLD}} + periodSeconds: ${{LIVENESS_PERIOD}} + livenessProbe: + httpGet: + path: ${PROXY_HEALTH} + port: ${{PROXY_HEALTH_PORT}} + failureThreshold: ${{FAILURE_THRESHOLD}} + periodSeconds: ${{LIVENESS_PERIOD}} + readinessProbe: + httpGet: + path: ${PROXY_HEALTH} + port: ${{PROXY_HEALTH_PORT}} + periodSeconds: ${{READINESS_PERIOD}} + ports: + - containerPort: ${{PROXY_PORT}} + resources: + limits: + cpu: "500m" + memory: "500Mi" + volumeMounts: + - name: tls-${BRANCH} + mountPath: /etc/ssl + readOnly: true + - name: nginx-template-${BRANCH} + mountPath: /etc/nginx/templates + readOnly: true - image: ghcr.io/luomus/${APP}:${BRANCH} imagePullPolicy: Always name: ${APP}-${BRANCH} 
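Review bot: Mounting the `tls-${BRANCH}` secret at `mountPath: /etc/ssl` replaces that whole directory inside the nginx container, so the image's CA bundle under `/etc/ssl/certs` is no longer present; nothing in the current config needs it (the upstream is plain HTTP on 127.0.0.1), but a later `proxy_ssl_*` or OCSP change would fail for a non-obvious reason. A dedicated path such as `mountPath: /etc/nginx/tls`, with `ssl_certificate`/`ssl_certificate_key` in `default.conf.template` pointed there, avoids the shadowing. `nginxinc/nginx-unprivileged:1.27.1` combined with `imagePullPolicy: Always` is a mutable tag re-resolved on every pod start; pinning the proxy image by digest (`image: nginxinc/nginx-unprivileged:1.27.1@sha256:<digest placeholder>`) makes the deployed image reproducible. The enclosing Deployment spec starts and ends outside the hunk.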
@@ -133,7 +207,7 @@ objects: - '/home/user/render.r' env: - name: DASHBOARD_API - value: ${API}-${BRANCH} + value: http://${API}-${BRANCH}.${APP}.svc.cluster.local:${API_PORT} - name: BRANCH valueFrom: configMapKeyRef: @@ -141,8 +215,6 @@ objects: key: branch - name: HOST value: ${HOST} - ports: - - containerPort: ${{APP_PORT}} startupProbe: httpGet: path: ${APP_HEALTH} @@ -160,10 +232,10 @@ objects: path: ${APP_HEALTH} port: ${{APP_PORT}} periodSeconds: ${{READINESS_PERIOD}} - resources: - limits: - cpu: "2000m" - memory: ${MEMORY} + resources: + limits: + cpu: "2000m" + memory: ${MEMORY} - kind: Deployment apiVersion: apps/v1 metadata: @@ -322,13 +394,13 @@ objects: app: ${APP} spec: ports: - - name: ${APP_PORT} - port: ${{APP_PORT}} - targetPort: ${{APP_PORT}} + - name: ${PROXY_PORT} + port: ${{PROXY_PORT}} + targetPort: ${{PROXY_PORT}} selector: app: ${APP} branch: ${BRANCH} - port: ${APP_PORT} + port: ${PROXY_PORT} - kind: Service apiVersion: v1 metadata: @@ -368,8 +440,9 @@ objects: spec: host: ${HOST} port: - targetPort: ${{APP_PORT}} + targetPort: ${{PROXY_PORT}} tls: + termination: passthrough insecureEdgeTerminationPolicy: Redirect to: kind: Service
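Review bot: The new `DASHBOARD_API` value hardcodes the namespace as `${APP}` in `http://${API}-${BRANCH}.${APP}.svc.cluster.local:${API_PORT}`; if the project the template is processed into (the script selects `finbif-dashboard`) is not equal to `${APP}`, the name does not resolve. The short form `http://${API}-${BRANCH}:${API_PORT}` resolves through the pod's search domain to the same-namespace Service and removes that coupling. The enclosing container spec starts and ends outside the hunk.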
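Review bot: With `termination: passthrough` the router forwards the TLS stream unchanged, so `$remote_addr` inside the new nginx proxy is the router pod's address, and the `X-Real-IP`/`X-Forwarded-For` headers set in `default.conf.template` no longer carry the client IP; any per-client logging or rate limiting in the app collapses to a handful of router addresses. If client attribution matters, `termination: reencrypt` (the router terminates with its own certificate, injects `X-Forwarded-For`, and re-establishes TLS to nginx) preserves the client address in the chain, at the cost of managing the router-side certificate; `insecureEdgeTerminationPolicy: Redirect` remains valid in either mode. The `to:` block continues outside the hunk.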