diff --git a/config/application.rb b/config/application.rb
index 06c0c6b..b81a9d0 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -18,6 +18,9 @@ module Ensl
     # Custom error pages
     config.exceptions_app = self.routes
 
+    # Secret key
+    config.require_master_key = false 
+
     # Load Rails 5
     # config.load_defaults 5.0
 
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 7f0443b..a972299 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -43,4 +43,8 @@ Rails.application.configure do
   # Specifies the header that your server uses for sending files
   # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
   config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+
+  # Secret key
+  config.require_master_key = false 
+
 end
diff --git a/ext/nginx.conf.d/production.conf.template b/ext/nginx.conf.d/production.conf.template
index 4624405..764972b 100644
--- a/ext/nginx.conf.d/production.conf.template
+++ b/ext/nginx.conf.d/production.conf.template
@@ -7,14 +7,19 @@ upstream ensl_production {
   # server unix:/var/tmp/puma.$RAILS_ENV.sock fail_timeout=0;
 }
 
+upstream gathers {
+  #  server unix:/srv/ensl/puma.production.sock fail_timeout=0;
+  server ensl_gather_production:6500;
+}
+
 # root-level -> www redirect
 server {
   listen *:$PRODUCTION_PORT;
   listen *:$PRODUCTION_PORT_SSL ssl;
 
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_certificate /etc/ssl/ensl/fullchain.pem;
-  ssl_certificate_key /etc/ssl/ensl/privkey.pem;
+  ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
 
   server_name $PRODUCTION_ROOT_DOMAIN;
   root $PRODUCTION_NGINX_PUBLIC;
@@ -39,8 +44,8 @@ server {
   root $PRODUCTION_NGINX_PUBLIC;
   index index.html index.htm index.php;
 
-  ssl_certificate /etc/ssl/ensl/fullchain.pem;
-  ssl_certificate_key /etc/ssl/ensl/privkey.pem;
+  ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
 
   # ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
   # ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key
@@ -49,8 +54,8 @@ server {
   ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
   ssl_session_timeout 1d;
   ssl_session_cache shared:SSL:50m;
-  ssl_stapling on;
-  ssl_stapling_verify on;
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
   # add_header Strict-Transport-Security max-age=15768000;
 
   # Fixme: add logs as volume
@@ -87,3 +92,52 @@ server {
 
   try_files $uri/index.html $uri @puma;
 }
+
+
+# HTTP -> HTTPS redirect
+server {
+  listen *:80;
+  server_name gathers.ensl.org;
+  return 301 https://gathers.ensl.org$request_uri;
+}
+
+server {
+  listen *:443 ssl;
+  server_name gathers.ensl.org;
+  root /srv/ensl/gathers/public;
+  index index.html index.htm index.php;
+
+  ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  add_header Strict-Transport-Security max-age=0;
+
+  access_log /var/log/nginx/ensl.gathers.access.log;
+  error_log /var/log/nginx/ensl.gathers.error.log;
+
+  rewrite_log on;
+  client_max_body_size 20M;
+  keepalive_timeout 10;
+
+  location ~ /.well-known {
+    allow all;
+    autoindex on;
+  }
+  location ^~ /assets/ {
+    gzip_static on;
+    expires max;
+    add_header Cache-Control public;
+  }
+  location @gathers {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_pass http://gathers;
+  }
+
+  try_files $uri/index.html $uri @gathers;
+}
diff --git a/ext/nginx.conf.d/staging.conf.template b/ext/nginx.conf.d/staging.conf.template
index 761049d..1ba0f43 100644
--- a/ext/nginx.conf.d/staging.conf.template
+++ b/ext/nginx.conf.d/staging.conf.template
@@ -46,8 +46,8 @@ server {
   # auth_basic           "Staging Area";
   # auth_basic_user_file "/etc/nginx/conf.d/.htpasswd_staging";
 
-  ssl_certificate /etc/ssl/ensl/fullchain.pem;
-  ssl_certificate_key /etc/ssl/ensl/privkey.pem;
+  ssl_certificate /etc/letsencrypt/live/ensl.org/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/ensl.org/privkey.pem;
 
   # ssl-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
   # ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key