diff --git a/server/scripts/deploy/README.md b/server/scripts/deploy/README.md index 40da5183f..81ebb6356 100644 --- a/server/scripts/deploy/README.md +++ b/server/scripts/deploy/README.md @@ -36,6 +36,9 @@ using systemd as "services". More examples and details convenience [script](update-and-restart-museum.sh) that pre-downloads the latest image to further reduce the delay during a restart. +* Optionally and alternatively, museum can also be run behind an Nginx. This + option has a separate service definition. + ## Installation To bring up an additional museum node: 
@@ -44,25 +47,40 @@ To bring up an additional museum node: * Setup [promtail](../../../infra/services/promtail/README.md), [prometheus and node-exporter](../../../infra/services/prometheus/README.md) services +* If running behind Nginx, install the + [nginx](../../../infra/services/nginx/README.md) service. + * Add credentials sudo mkdir -p /root/museum/credentials - sudo tee /root/museum/credentials/tls.cert - sudo tee /root/museum/credentials/tls.key sudo tee /root/museum/credentials/pst-service-account.json sudo tee /root/museum/credentials/fcm-service-account.json sudo tee /root/museum/credentials.yaml +* If not running behind Nginx, add the TLS credentials (otherwise add them to + Nginx) + + sudo tee /root/museum/credentials/tls.cert + sudo tee /root/museum/credentials/tls.key + * Copy the service definition and restart script to the new instance. The restart script can remain in the ente user's home directory. Move the service definition to its proper place. - scp /scripts/museum.service : - scp update-and-restart-museum.sh : + scp scripts/deploy/{museum.service,update-and-restart-museum.sh} : sudo mv museum.service /etc/systemd/system sudo systemctl daemon-reload +* If running behind Nginx, a separate set of service definition and convenience + scripts need to be added. + + scp scripts/deploy/{museum-nginx.service,update-and-restart-museum-nginx.sh} : + + sudo mv museum-nginx.service /etc/systemd/system + sudo systemctl daemon-reload + sudo systemctl restart nginx + ## Starting SSH into the instance, and run diff --git a/server/scripts/deploy/museum.nginx.conf b/server/scripts/deploy/museum.nginx.conf new file mode 100644 index 000000000..9af7b41a0 --- /dev/null +++ b/server/scripts/deploy/museum.nginx.conf 
@@ -0,0 +1,17 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/ssl/certs/cert.pem; + ssl_certificate_key /etc/ssl/private/key.pem; + + server_name api.ente.io; + + location / { + proxy_pass http://host.docker.internal:9000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} +
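Review bot: The new bullet in the first README.md hunk (`@@ -36,6 +36,9 @@`) mentions "a separate service definition" without naming or linking it, while the bullet just above it links its script directly. Suggest linking museum-nginx.service and update-and-restart-museum-nginx.sh here, and rewording "Optionally and alternatively ... behind an Nginx" to something like "Alternatively, museum can be run behind Nginx".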
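Review bot: In the Installation hunk of README.md (`@@ -44,25 +47,40 @@`), the Nginx path never installs the museum.nginx.conf that this patch adds, and "(otherwise add them to Nginx)" does not say where the TLS files should go. The conf reads them from `/etc/ssl/certs/cert.pem` and `/etc/ssl/private/key.pem`, so either state those paths and the step that puts museum.nginx.conf in place, or say explicitly that the linked nginx README covers both. As written, the final `sudo systemctl restart nginx` runs without any step having given Nginx the new server block or the certificate.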
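Review bot: In museum.nginx.conf, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever X-Forwarded-For value the client sent, so every entry except the last is client-controlled. If museum derives the client IP from these headers (for rate limiting or logs, say), it should use X-Real-IP or only the last X-Forwarded-For entry; a comment in this block saying which one is meant to be trusted would help. Separately, `proxy_pass http://host.docker.internal:9000;` forwards over plain HTTP, so the deployment notes should make sure port 9000 is not reachable from outside the host, otherwise a client can bypass Nginx and supply these headers directly.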