diff --git a/dev/bitwarden.yml b/dev/bitwarden.yml
index 7925204..911a8ef 100644
--- a/dev/bitwarden.yml
+++ b/dev/bitwarden.yml
@@ -5,6 +5,7 @@
 - host_vars/bitwarden.yml
 roles:
 - base
+ - nginx
 - docker
 - traefik
 - bitwarden
diff --git a/dev/host_vars/bitwarden.yml b/dev/host_vars/bitwarden.yml
index c14f96b..628303b 100644
--- a/dev/host_vars/bitwarden.yml
+++ b/dev/host_vars/bitwarden.yml
@@ -2,6 +2,9 @@
 allow_reboot: false
 manage_network: false
 
+# nginx proxy
+proxy: helloworld
+
 # docker
 docker_users:
 - vagrant
@@ -13,6 +16,9 @@ traefik_domain: traefik.vm.krislamo.org
 traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
 #traefik_acme_email: realemail@example.com # Let's Encrypt settings
 #traefik_production: true
+traefik_ports:
+ - "8000:80"
+ - "4430:443"
 
 # bitwarden
 # Get Installation ID & Key at https://bitwarden.com/host/
diff --git a/roles/nginx/tasks/proxy.yml b/roles/nginx/tasks/proxy.yml
index e69de29..75ea13a 100644
--- a/roles/nginx/tasks/proxy.yml
+++ b/roles/nginx/tasks/proxy.yml
@@ -0,0 +1,17 @@
+- name: Install nginx
+ apt:
+ name: nginx
+ state: present
+
+- name: Install nginx configuration
+ template:
+ src: nginx.conf.j2
+ dest: /etc/nginx/nginx.conf
+ mode: '0644'
+ register: nginx_conf
+
+- name: Reload nginx
+ service:
+ name: nginx
+ state: reloaded
+ enabled: true
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
new file mode 100644
index 0000000..e2bb7c2
--- /dev/null
+++ b/roles/nginx/templates/nginx.conf.j2
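Review bot: `proxy: helloworld` in dev/host_vars/bitwarden.yml reads as a placeholder: nothing else in this commit consumes a `proxy` variable (roles/nginx/tasks/proxy.yml does not reference it and nginx.conf.j2 contains no Jinja expressions), so the value has no effect on the rendered config. If it is meant to select a vhost or upstream, wire it into the template; otherwise drop it or document its intent, e.g. `# nginx proxy (not yet used by roles/nginx)`.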
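Review bot: In roles/nginx/tasks/proxy.yml `register: nginx_conf` is never used, and `Reload nginx` runs on every play regardless of whether the template changed; the reload also follows an unvalidated write, so a bad render is only discovered when nginx refuses to reload. Validate the rendered file before it replaces /etc/nginx/nginx.conf and reload only on change: add `validate: 'nginx -t -c %s'` under `template:` and `when: nginx_conf.changed` on the reload task (or make the reload a handler and `notify` it from the template task). Whether this file is included from the role's main task list is not visible in the diff.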
@@ -0,0 +1,45 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+ sendfile on;
+ #tcp_nopush on;
+ keepalive_timeout 65;
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
+
+## tcp LB and SSL passthrough for backend ##
+stream {
+ upstream traefik {
+ server 127.0.0.1:4430 max_fails=3 fail_timeout=10s;
+ }
+
+log_format basic '$remote_addr [$time_local] '
+ '$protocol $status $bytes_sent $bytes_received '
+ '$session_time "$upstream_addr" '
+ '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+ access_log /var/log/nginx/traefik_access.log basic;
+ error_log /var/log/nginx/traefik_error.log;
+
+ server {
+ listen 443;
+ proxy_pass traefik;
+ proxy_next_upstream on;
+ }
+}
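Review bot: The stream upstream hardcodes `server 127.0.0.1:4430`, duplicating the `"4430:443"` entry added to `traefik_ports` in dev/host_vars/bitwarden.yml, so changing either side would likely break the passthrough with nothing more visible than entries in traefik_error.log. Since the file is already a .j2 template, render the port from a host var, e.g. `server 127.0.0.1:{{ traefik_https_port | default(4430) }} max_fails=3 fail_timeout=10s;` (a new variable, to be declared next to `traefik_ports`). The `http {}` block defines no `server`, so only TCP 443 is proxied and plain-HTTP requests on port 80 never reach traefik's `8000:80` mapping unless a file in /etc/nginx/conf.d/ supplies that; if that is intended, say so in the `## tcp LB and SSL passthrough for backend ##` comment. Two smaller points: `proxy_next_upstream on;` has no effect with a single upstream server, and the stream `log_format basic` sits at column 0 while the rest of the block is indented.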