diff --git a/pillar/paas/docker.sls b/pillar/paas/docker.sls
--- a/pillar/paas/docker.sls
+++ b/pillar/paas/docker.sls
@@ -8,7 +8,6 @@ docker_aliases:
   - &ipv4_equatower 51.255.124.10
-  - &intra_equatower 10.0.1.1
 # -------------------------------------------------------------
 # Images
@@ -191,8 +190,14 @@ registry:
 registry:
+  host: registry.nasqueron.org
   app_port: 5000
-  ip: *intra_equatower
+  allowed_ips:
+    # Localhost
+    - 127.0.0.1
+
+    # Dwellers (through temporary tunnel)
+    - 10.0.2.1
 #
 # CI and CD
diff --git a/roles/paas-docker/containers/registry.sls b/roles/paas-docker/containers/registry.sls
--- a/roles/paas-docker/containers/registry.sls
+++ b/roles/paas-docker/containers/registry.sls
@@ -43,6 +43,6 @@
     - ports:
       - 5000
     - port_bindings:
-      - {{ container['ip'] }}:{{ container['app_port'] }}:5000 # HTTP
+      - 127.0.0.1:{{ container['app_port'] }}:5000 # HTTP
 {% endfor %}
diff --git a/roles/paas-docker/nginx/files/vhosts/registry.conf b/roles/paas-docker/nginx/files/vhosts/registry.conf
new file mode 100644
--- /dev/null
+++ b/roles/paas-docker/nginx/files/vhosts/registry.conf
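Review bot: The new `allowed_ips` entry for 10.0.2.1 is labelled `# Dwellers (through temporary tunnel)` but nothing records when the temporary allowance should be withdrawn, and a pillar allowlist that feeds nginx `allow`/`deny` rules is easy to leave in place indefinitely. Suggest `# Dwellers (through temporary tunnel) — remove once <tracking item: PLACEHOLDER> is closed`. The new `host: registry.nasqueron.org` key is not read by anything else in this diff; if the vhost's `fqdn` is derived from it elsewhere that is fine, otherwise it is a dead key worth a comment naming its consumer.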
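Review bot: The trailing `# HTTP` comment on the new loopback binding no longer explains why loopback is sufficient; the container now depends on the nginx vhost for TLS and for the IP allowlist, and that dependency should be stated where someone would otherwise re-add a reachable binding. Suggest `# HTTP, loopback only: TLS and allowed_ips are enforced by the nginx vhost`. Because `container['ip']` is dropped from the pillar in the same commit, any other state in this role that still indexes `container['ip']` would fail at render time; the rest of the role is not in this diff, so that is worth checking. The enclosing `{% for %}` loop starts outside the hunk.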
@@ -0,0 +1,57 @@
+# -------------------------------------------------------------
+# Configuration for Docker PaaS front-end nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Author: Sébastien Santoro aka Dereckson
+# Created: 2018-11-13
+# Source file: roles/paas-docker/nginx/files/vhosts/registry.conf
+# -------------------------------------------------------------
+#
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+#
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ fqdn }};
+
+    include includes/letsencrypt;
+
+    return 301 https://$host$request_uri;
+}
+
+server {
+    server_name {{ fqdn }};
+
+    include includes/tls;
+    ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
+    ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+
+    include includes/letsencrypt;
+
+    location / {
+{%- for ip in args['allowed_ips'] %}
+        allow {{ ip }};
+{%- endfor %}
+        deny all;
+
+        # Allows large image uploads, with chunked transfers (avoids HTTP 411 and 413)
+        client_max_body_size 0;
+        chunked_transfer_encoding on;
+
+        proxy_pass http://localhost:{{ app_port }};
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+
+    root /var/wwwroot-502/_default;
+    error_page 502 /502.html;
+    location /502.html {}
+
+}
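Review bot: `proxy_pass http://localhost:{{ app_port }};` names the upstream by hostname while roles/paas-docker/containers/registry.sls binds the container to `127.0.0.1` only; on a host where `localhost` also resolves to `::1`, nginx will try the IPv6 peer, which has nothing listening, and produce connection errors or intermittent 502s. Use the address the binding actually uses: `proxy_pass http://127.0.0.1:{{ app_port }};`. The second `server` block carries no `listen` directive of its own, so the HTTPS listener presumably comes from `includes/tls`; if it does not, the block falls back to port 80 and the registry would be served without TLS, so that is worth confirming. The template also mixes `args['allowed_ips']` with bare `app_port` and `fqdn`; confirm the state's render context provides all three, since an undefined `app_port` would leave an invalid `proxy_pass`.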