diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml
new file mode 100644
index 0000000..65aea34
--- /dev/null
+++ b/host_vars/portail.adm.auro.re.yml
@@ -0,0 +1,40 @@
+---
+certbot:
+ domains:
+ - portail.auro.re
+ mail: tech.aurore@lists.crans.org
+ certname: auro.re
+
+nginx:
+ ssl:
+ cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+ cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+ redirect_dnames: {}
+
+ redirect_tcp: {}
+
+ redirect_sites:
+ - from: portail.adm.auro.re
+ to: portail.auro.re
+ norequesturi: true
+
+ - from: 10.128.0.247
+ to: portail.auro.re
+ norequesturi: true
+
+ - from: 45.66.111.247
+ to: portail.auro.re
+ norequesturi: true
+
+ reverseproxy_sites:
+ - from: portail.auro.re
+ to: 10.128.0.20
+ custom_args:
+ - "allow 45.66.108.251"
+ - "allow 45.66.108.252"
+ - "allow 45.66.108.253"
+ - "allow 45.66.108.254"
+ - "allow 45.66.108.255"
+ - "deny all"
diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 b/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
index 28e9b7d..9b0e8ca 100644
--- a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
+++ b/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
@@ -9,7 +9,7 @@ server { server_name {{ site.from }}; location / { - return 302 http://{{ site.to }}$request_uri; + return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } }
@@ -24,7 +24,7 @@ server { include "/etc/nginx/snippets/options-ssl.conf"; location / { - return 302 https://{{ site.to }}$request_uri; + return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } }
@@ -43,7 +43,7 @@ server { server_name {{ from }}; location / { - return 302 http://{{ site.to }}$request_uri; + return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } }
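Review bot: The `custom_args` allowlist under `reverseproxy_sites` in host_vars/portail.adm.auro.re.yml has no comment saying what the five addresses `45.66.108.251` to `45.66.108.255` are or why the portal is restricted to them, so a later editor cannot tell a stale entry from a required one. nginx applies the first matching `allow`/`deny` rule, so the order of the list is load-bearing; I would add `# Order matters: nginx stops at the first matching rule, so "deny all" must stay last.` above it, plus one line naming the allowed network. The list is IPv4-only, so every IPv6 client falls through to `deny all`; if that is intended, the same comment should say so.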
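Review bot: The new condition `{% if site.norequesturi is not defined %}` in the first redirect.j2 hunk (repeated unchanged in the hunks at lines 24, 43 and 58) tests only whether the key exists, so `norequesturi: false` would drop `$request_uri` exactly as `true` does. Testing the value keeps the flag honest: `{% if not (site.norequesturi | default(false)) %}$request_uri{% endif %}`. The variable also has no description anywhere in the diff; a template comment such as `{# norequesturi: redirect to the bare target host, discarding the requested path and query #}` above the first use would document it. Each `server` block starts outside its hunk, so how `site` is bound in the third and fourth blocks is not visible here.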
@@ -58,7 +58,7 @@ server { include "/etc/nginx/snippets/options-ssl.conf"; location / { - return 302 https://{{ site.to }}$request_uri; + return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } }
diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
index d29d13c..9c8c152 100644
--- a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
@@ -47,6 +47,12 @@ server { set_real_ip_from 2a0c:700:0:2::/64; real_ip_header P-Real-Ip; +{% if site.custom_args is defined -%} +{% for arg in site.custom_args %} + {{ arg }}; +{% endfor %} +{% endif %} + location / { proxy_pass http://{{ site.to }}; include "/etc/nginx/snippets/options-proxypass.conf";
diff --git a/services_web.yml b/services_web.yml
index 6bc6a6d..73b900b 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -11,7 +11,7 @@ - passbolt # Deploy reverse proxy -- hosts: proxy*.adm.auro.re +- hosts: portail.adm.auro.re,proxy*.adm.auro.re roles: - certbot - nginx_reverseproxy
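Review bot: The `allow`/`deny` directives emitted by the new `custom_args` loop in reverseproxy.j2 are matched against the client address after the realip substitution configured just above it (`set_real_ip_from …`, `real_ip_header P-Real-Ip`), not against the TCP peer. The allowlist therefore holds only if every host inside the `set_real_ip_from` ranges is a trusted front end that overwrites `P-Real-Ip`; a template comment such as `{# allow/deny below see the address realip takes from P-Real-Ip; keep set_real_ip_from limited to trusted proxies #}` would record that dependency. Separately, `{{ arg }};` writes each string verbatim into the `server` block, so host_vars can place any directive there; a dedicated `allow_from` list rendered as `allow {{ ip }};` followed by a fixed `deny all;` would narrow the hook to what this feature needs. The `server` block begins and ends outside the hunk, so other `set_real_ip_from` lines may exist that are not visible here.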