diff --git a/hieradata/roles/apps/jupyter/hub.yaml b/hieradata/roles/apps/jupyter/hub.yaml
index 3e7eb51..630fafe 100644
--- a/hieradata/roles/apps/jupyter/hub.yaml
+++ b/hieradata/roles/apps/jupyter/hub.yaml
@@ -18,10 +18,33 @@ profiles::nginx::simpleproxy::nginx_aliases:
   - jupyterhub.query.consul
   - "jupyterhub.service.%{facts.country}-%{facts.region}.consul"
 
+profiles::nginx::simpleproxy::proxy_host: 127.0.0.1
 profiles::nginx::simpleproxy::proxy_port: 8000
 profiles::nginx::simpleproxy::proxy_path: '/'
+profiles::nginx::simpleproxy::use_default_location: false
 nginx::client_max_body_size: 20M
 
+profiles::nginx::simpleproxy::locations:
+  # authorised access from external
+  default:
+    ensure: 'present'
+    server: "%{lookup('profiles::nginx::simpleproxy::nginx_vhost')}"
+    ssl_only: true
+    location: '/'
+    proxy: "http://%{lookup('profiles::nginx::simpleproxy::proxy_host')}:%{lookup('profiles::nginx::simpleproxy::proxy_port')}"
+    proxy_set_header:
+      - 'Host $host'
+      - 'X-Real-IP $remote_addr'
+      - 'X-Forwarded-For $proxy_add_x_forwarded_for'
+      - 'X-Forwarded-Host $host'
+      - 'X-Forwarded-Proto $scheme'
+      - 'Upgrade $http_upgrade'
+      - 'Connection $http_connection'
+      - 'X-Scheme $scheme'
+    proxy_redirect: 'off'
+    proxy_http_version: '1.1'
+    proxy_buffering: 'off'
+
 # additional altnames
 profiles::pki::vault::alt_names:
   - jupyterhub.service.consul