diff --git a/nginx/README.md b/nginx/README.md
new file mode 100644
index 0000000..1f21583
--- /dev/null
+++ b/nginx/README.md
@@ -0,0 +1,41 @@
+---
+gitea: none
+include_toc: true
+---
+
+# Reverse proxy with nginx
+
+Clients connecting from the Internet to our Matrix environment will usually
+use SSL/TLS to encrypt whatever they want to send. This is one thing that
+nginx does better than Synapse.
+
+Furthermore, granting or denying access to specific endpoints is much easier
+in nginx.
+
+Synapse listens only on localhost, so nginx has to pass connections on from
+the wild west that is the Internet to our server listening on the inside.
+
+
+# Installing
+
+Installing nginx and the [Let's Encrypt](https://letsencrypt.org/) plugin is
+easy:
+
+```
+apt install nginx python3-certbot-nginx
+```
+
+# Configuration
+
+Almost all traffic should be encrypted, so a redirect from http to https seems
+like a good idea.
+
+However, `.well-known/matrix/client` has to be available via http and https,
+so that should *NOT* be redirected to https. Some clients don't understand the
+redirect and will therefore not find the server if you redirect everything.
+
+
+
+# Firewall
+
+For normal use, at least ports 80 and 443 must be openend, see [Firewall](../firewall).