diff --git a/conf/nginx.conf b/conf/nginx.conf
new file mode 100644
index 0000000..3356186
--- /dev/null
+++ b/conf/nginx.conf
@@ -0,0 +1,29 @@
+server {
+ listen 80;
+ listen [::]:80;
+ listen 443 http2 ssl;
+ listen [::]:443 http2 ssl;
+
+ server_name argos.example.org;
+
+ ssl_certificate /etc/letsencrypt/live/argos.example.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/argos.example.org/privkey.pem;
+
+ access_log /var/log/nginx/argos.example.org.access.log;
+ error_log /var/log/nginx/argos.example.org.error.log;
+
+ if ($scheme != "https") {
+ rewrite ^ https://$http_host$request_uri? permanent;
+ }
+
+ location ~ ^/($|domains?/|result/|task/|refresh/) {
+ auth_basic "Closed site";
+ auth_basic_user_file argos.passwd;
+ include proxy_params;
+ proxy_pass http://127.0.0.1:8000;
+ }
+ location / {
+ include proxy_params;
+ proxy_pass http://127.0.0.1:8000;
+ }
+}
diff --git a/conf/systemd-server.service b/conf/systemd-server.service
index 285d37e..9326b39 100644
--- a/conf/systemd-server.service
+++ b/conf/systemd-server.service
@@ -9,9 +9,10 @@ PartOf=postgresql.service
 User=www-data
 WorkingDirectory=/var/www/argos/
 Environment="ARGOS_SERVER_WORKERS=4"
+Environment="ARGOS_SERVER_SOCKET=127.0.0.1:8000"
 ExecStartPre=/var/www/argos/venv/bin/argos server migrate
 ExecStartPre=/var/www/argos/venv/bin/argos server reload-config
-ExecStart=/var/www/argos/venv/bin/gunicorn "argos.server.main:get_application()" -w $ARGOS_SERVER_WORKERS -k uvicorn.workers.UvicornWorker
+ExecStart=/var/www/argos/venv/bin/gunicorn "argos.server.main:get_application()" -w $ARGOS_SERVER_WORKERS -k uvicorn.workers.UvicornWorker -b $ARGOS_SERVER_SOCKET
 ExecReload=/var/www/argos/venv/bin/argos server reload
 SyslogIdentifier=argos-server
diff --git a/docs/deployment/nginx.md b/docs/deployment/nginx.md
new file mode 100644
index 0000000..5f974d0
--- /dev/null
+++ b/docs/deployment/nginx.md
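Review bot: In conf/nginx.conf the HTTP auth is an allowlist of protected paths (`location ~ ^/($|domains?/|result/|task/|refresh/)`) with an unauthenticated `location /` as the fallback, so any route the regex does not match reaches the backend without credentials; that includes a front-end route added later and, if the application answers it, a path without the trailing slash such as `/domains`. Inverting the layout so that `location /` carries `auth_basic` and only the prefix that agents call with their own token is exempted makes the proxy fail closed; the exempt prefix is not visible in this diff, so the sketch below uses a placeholder. Separately, the redirect inside the `if ($scheme != "https")` block builds its target from the client-supplied Host header; `return 301 https://$server_name$request_uri;` avoids reflecting it.

```nginx
# … unchanged: listen, server_name, certificates, logs, HTTPS redirect …

# Default-deny: every route requires HTTP auth unless exempted below.
location / {
    auth_basic "Closed site";
    auth_basic_user_file argos.passwd;
    include proxy_params;
    proxy_pass http://127.0.0.1:8000;
}
# PLACEHOLDER prefix: replace with the route(s) agents reach with their own token.
location /AGENT_API_PREFIX/ {
    include proxy_params;
    proxy_pass http://127.0.0.1:8000;
}
```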
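Review bot: Nothing next to the new `Environment="ARGOS_SERVER_SOCKET=127.0.0.1:8000"` line in conf/systemd-server.service says that this bind address is security-relevant: the nginx file added in this same commit hard-codes `proxy_pass http://127.0.0.1:8000` and, per the new documentation, is the only place the front-end is authenticated, so changing the value to a routable address would expose the unauthenticated front-end directly. I would add a comment line above it such as `# Keep on loopback and in sync with proxy_pass in nginx.conf; nginx's HTTP auth is the only front-end access control`. A loopback TCP port is also reachable by every local account on the host; gunicorn's `-b` accepts a `unix:` socket path, which would let file permissions restrict access to the proxy user, if that fits the deployment. The [Service] section continues outside the hunk.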
@@ -0,0 +1,15 @@
+# Using Nginx as reverse proxy
+
+As Argos has no authentication mechanism for the front-end, you need to protect some routes with HTTP authentication.
+
+To do so on Debian, install `apache2-utils` then create a file containing the wanted credentials:
+```bash
+htpasswd -c /etc/nginx/argos.passwd argos_admin
+```
+
+You can then use this file to protect the front-end’s routes:
+```{literalinclude} ../../conf/nginx.conf
+---
+caption: /etc/nginx/sites-available/argos.example.org
+---
+```
diff --git a/docs/index.md b/docs/index.md
index 823469d..bbcb6d1 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -55,6 +55,7 @@ api
 :caption: Deployment
 :hidden:
 deployment/systemd
+deployment/nginx
 ```
 ```{toctree}