diff --git a/docker-compose.yml b/docker-compose.yml
index e27a8ed..5ad82bc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,15 +5,29 @@ services:
 image: ${ECR_AWS_ACCOUNT_ID}.dkr.ecr.${ECR_AWS_REGION}.amazonaws.com/${ECR_CLIENT_IMAGE_TAG}
 networks:
 - hydroshift
+ env_file:
+ - .env
 restart: unless-stopped
 mem_limit: 4GB
 mem_reservation: 2GB
 stdin_open: true
+
+ nginx:
+ container_name: nginx
+ init: true
+ image: nginx:stable-alpine
+ networks:
+ - hydroshift
+ volumes:
+ - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
+ restart: unless-stopped
+ mem_limit: 0.5GB
+ mem_reservation: 0.25GB
 labels:
 - 'traefik.enable=true'
- - 'traefik.http.routers.client.rule=Host(`${PROD_APP_HOST}`)'
- - 'traefik.http.routers.client.tls=true'
- - 'traefik.http.routers.client.tls.certresolver=letsencrypt'
+ - 'traefik.http.routers.nginx.rule=Host(`${PROD_APP_HOST}`)'
+ - 'traefik.http.routers.nginx.tls=true'
+ - 'traefik.http.routers.nginx.tls.certresolver=letsencrypt'
 - 'traefik.docker.network=hydroshift_hydroshift'
 - 'traefik.http.routers.static.middlewares=secHeaders@file'
 networks:
diff --git a/nginx/default.conf b/nginx/default.conf
new file mode 100644
index 0000000..ff6fc7e
--- /dev/null
+++ b/nginx/default.conf
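Review bot: The new `nginx` service bind-mounts its config read-write and pulls a floating tag; `- ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro` stops the proxy process from altering the host copy of its own config, and pinning `nginx:stable-alpine` to an image digest keeps the deployed proxy reproducible. The unchanged label `traefik.http.routers.static.middlewares=secHeaders@file` attaches the middleware to a router named `static`, while the routers defined in this block are now `nginx`, so `secHeaders` may not apply to this route; if it should, the label would read `traefik.http.routers.nginx.middlewares=secHeaders@file` (the mismatch appears to predate this commit). `env_file: - .env` on the service above hands that container every variable in `.env`; if the file also carries values meant only for compose interpolation or for other services, a dedicated env file for that service is narrower. That service's definition starts above the hunk, so its name and other settings are not visible here.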
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ server_name hydroshift.dewberryanalytics.com www.hydroshift.dewberryanalytics.com;
+ index index.php index.html index.htm;
+ location / {
+ proxy_pass http://client:80/;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header Content-Security-Policy "default-src * data: blob: 'unsafe-eval' 'unsafe-inline'" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Permissions-Policy "autoplay=(), geolocation=(), camera=(), fullscreen=()";
+ }
+ error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+}
\ No newline at end of file
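Review bot: The `Content-Security-Policy` value in `location /` allows every source together with `'unsafe-inline'` and `'unsafe-eval'`, so it places no restriction on injected script. A policy scoped to what the client actually loads, for example built up from `default-src 'self'` and trialled first under `Content-Security-Policy-Report-Only`, would give the header real effect; which sources the app needs cannot be told from this diff. The `Permissions-Policy` line is the only header without `always`, so nginx omits it on error responses: `add_header Permissions-Policy "autoplay=(), geolocation=(), camera=(), fullscreen=()" always;`. Because every `add_header` sits inside `location /`, responses served from `location = /50x.html` carry none of them; declaring the headers at `server` level would cover both locations.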