diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml index 8af0987..cb3c466 100644 --- a/host_vars/portail.adm.auro.re.yml +++ b/host_vars/portail.adm.auro.re.yml 
@@ -1,53 +1,116 @@ --- -certbot: +loc_certbot: domains: - - portail.auro.re + - portail-fleming.auro.re + - portail-pacaterie.auro.re + - portail-rives.auro.re + - portail-edc.auro.re + - portail-gs.auro.re mail: tech.aurore@lists.crans.org certname: auro.re -nginx: - ssl: - cert: /etc/letsencrypt/live/auro.re/fullchain.pem - cert_key: /etc/letsencrypt/live/auro.re/privkey.pem - trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem +loc_nginx: + service_name: captive_portal + default_server: '$server_addr' + default_ssl_server: '$server_addr' - redirect_dnames: {} + servers: + - ssl: false + server_name: + - "10.13.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-fleming.auro.re/portail/" - redirect_tcp: {} + - ssl: true + server_name: + - portail-fleming.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-fleming.auro.re/portail/" - redirect_sites: - - from: 10.13.0.247 - to: portail-fleming.auro.re - norequesturi: true + - ssl: false + server_name: + - 10.23.0.247 + locations: + - filter: "/" + params: + - "return 302 https://portail-pacaterie.auro.re/portail/" - - from: 10.23.0.247 - to: portail-.auro.re - norequesturi: true + - ssl: true + server_name: + - portail-pacaterie.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-pacaterie.auro.re/portail/" - - from: 10.33.0.247 - to: portail-rives.auro.re - norequesturi: true + - ssl: false + server_name: + - "10.33.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-rives.auro.re/portail/" - - from: 10.43.0.247 - to: 
portail-edc.auro.re - norequesturi: true + - ssl: true + server_name: + - portail-rives.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-rives.auro.re/portail/" - - from: 10.53.0.247 - to: portail-gs.auro.re - norequesturi: true + - ssl: false + server_name: + - "10.43.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-edc.auro.re/portail/" - reverseproxy_sites: - - from: portail-fleming.auro.re - to: 10.128.0.20 + - ssl: true + server_name: + - portail-edc.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-edc.auro.re/portail/" - - from: portail-pacaterie.auro.re - to: 10.128.0.20 + - ssl: false + server_name: + - "10.53.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-gs.auro.re/portail/" - - from: portail-rives.auro.re - to: 10.128.0.20 - - - from: portail-edc.auro.re - to: 10.128.0.20 - - - from: portail-gs.auro.re - to: 10.128.0.20 + - ssl: true + server_name: + - portail-gs.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-gs.auro.re/portail/" diff --git a/hosts b/hosts index 3f03ed2..55cf3fc 100644 --- a/hosts +++ b/hosts @@ -489,3 +489,8 @@ ldap-replica-ovh.adm.auro.re [ldap_replica_rives] ldap-replica-rives.adm.auro.re +[certbot] +portail.adm.auro.re + +[nginx] +portail.adm.auro.re 
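Review bot: The proxied-path filter `~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)` in host_vars/portail.adm.auro.re.yml is unanchored, so it matches any URI that merely contains one of those segments, and `.*-autocomplete` accepts anything in front of that suffix. If the list is meant as an allowlist of what the backend at 10.128.0.80 exposes through the portal (an inference, since the nginx role's template is not shown), it is looser than it reads. Anchoring it, e.g. `- filter: "~ ^/(portail|static|javascript|media|about|contact|logout)(/|$)"`, with a separate location pinned to the real prefix of the autocomplete endpoints, would make the match say what it means. The same filter is repeated in all five `ssl: true` servers, so the change applies to each of them.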
diff --git a/services_web.yml b/services_web.yml index 73b900b..62b7044 100755 --- a/services_web.yml +++ b/services_web.yml @@ -11,7 +11,15 @@ - passbolt # Deploy reverse proxy -- hosts: portail.adm.auro.re,proxy*.adm.auro.re +- hosts: proxy*.adm.auro.re roles: - certbot - nginx_reverseproxy + +- hosts: portail.adm.auro.re + vars: + certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}' + nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}' + roles: + - certbot + - nginx
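Review bot: `combine` merges only the top level by default, so in the new `portail.adm.auro.re` play any nested key that `loc_nginx` or `loc_certbot` shares with its `glob_` counterpart replaces the global mapping wholesale instead of being merged into it. If site-wide TLS or certificate settings live under such a shared key, they would be dropped silently for this host; `nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({}), recursive=True) }}'` (and the same for `certbot`) keeps them. Neither `glob_nginx` nor `glob_certbot` is visible in this diff, so whether they hold nested mappings needs checking. The double `default({})` also lets the roles run with an empty dict when both variables are missing, so an `assert` on the keys the roles require, or a comment stating that the empty case is intended, would make a misnamed variable fail loudly.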