diff --git a/tunnel b/tunnel
new file mode 100755
index 0000000..b9dfc03
--- /dev/null
+++ b/tunnel
@@ -0,0 +1,4 @@
+echo "If prompted for private key password, copy-paste output of ssh-agent then run ssh-add."
+echo "Otherwise, tunnel may not recover from network interruption."
+echo "Starting tunnel..."
+autossh -M 9081 -N -R 9080:localhost:8080 cheesyarena@cheesyarena.com
diff --git a/tunnel_nginx_config b/tunnel_nginx_config
new file mode 100644
index 0000000..268d3d9
--- /dev/null
+++ b/tunnel_nginx_config
@@ -0,0 +1,39 @@
+server {
+ listen 443;
+ server_name cheesyarena.com;
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/cheesyarena.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cheesyarena.com/privkey.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ return 301 https://$host/display;
+ }
+
+ location /static/ {
+ proxy_pass http://localhost:9080/static/;
+ }
+
+ location /api/ {
+ proxy_pass http://localhost:9080/api/;
+ }
+
+ location ~ ^/display.*/websocket$ {
+ proxy_set_header Host $host;
+ proxy_pass http://localhost:9080$request_uri;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ location ~ ^/display {
+ proxy_pass http://localhost:9080$request_uri;
+ }
+
+ location ~ /.well-known {
+ root /usr/share/nginx/html;
+ }
+}
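Review bot: In `tunnel`, the `autossh` line does not make a failed remote bind fatal, so if port 9080 on the server cannot be bound (for example a stale session still holds it) the SSH connection can stay up without the forward; adding `-o ExitOnForwardFailure=yes`, optionally with `-o ServerAliveInterval=30 -o ServerAliveCountMax=3`, lets the session exit so autossh re-establishes it. The file is added with mode 100755 but has no interpreter line, so a first line `#!/bin/sh` would make the interpreter explicit. The forwarded backend is plain HTTP, so it is worth confirming that sshd on the server keeps remote forwards on loopback (`GatewayPorts no`, the default), otherwise port 9080 would be reachable without passing through nginx.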
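Review bot: In `tunnel_nginx_config`, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, which are deprecated (RFC 8996); I would restrict it to `ssl_protocols TLSv1.2 TLSv1.3;`, dropping `TLSv1.3` if the installed nginx/OpenSSL build does not support it. The last location, `location ~ /.well-known`, is an unanchored regex with an unescaped dot, so it also takes requests such as `/static/x/.well-known/...` away from the prefix locations; `location ^~ /.well-known/acme-challenge/ {` would scope it to the ACME challenge path, assuming that is its purpose. `listen 443;` together with `ssl on;` is the deprecated spelling and is better written as `listen 443 ssl;`. `/api/` is forwarded as a whole with no access restriction visible in this file, so it is worth confirming that every endpoint under it is meant to be reachable from the internet.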