diff --git a/docker/common/nginx/custom.conf b/docker/common/nginx/custom.conf
new file mode 100644
index 000000000..5834f1151
--- /dev/null
+++ b/docker/common/nginx/custom.conf
@@ -0,0 +1,33 @@
+server {
+ listen 8080;
+ proxy_hide_header WWW-Authenticate;
+ port_in_redirect off;
+ server_tokens off;
+ root /usr/share/nginx/html;
+ # SSL stuff for cloudflare proxy-ing - ignores SSL certificate and uses SNI
+ add_header Content-Security-Policy "frame-ancestors 'self'; connect-src 'self' $API_URL $PDFTRON_ALLOWED_HOSTS; default-src 'self' $API_URL; script-src 'self' blob: data: 'unsafe-eval' 'unsafe-inline'; script-src-elem 'self' data: blob: 'unsafe-inline'; script-src-attr 'self' data:; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:";
+
+ proxy_ssl_verify off;
+ proxy_read_timeout 1m;
+ proxy_ssl_server_name on;
+
+ location / {
+ return 302 http://$http_host/ui/;
+ }
+
+ location /ui/ {
+ proxy_hide_header WWW-Authenticate;
+ try_files $uri $uri/ /ui/index.html =404;
+ }
+
+ client_max_body_size 0;
+ gzip_min_length 1000;
+ gzip on;
+ gzip_http_version 1.0;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_types application/javascript text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+}
diff --git a/docker/common/nginx/nginx.conf b/docker/common/nginx/nginx.conf
index 5834f1151..4f64cd4dd 100644
--- a/docker/common/nginx/nginx.conf
+++ b/docker/common/nginx/nginx.conf
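Review bot: The redirect in `location /` builds its target from the client-supplied Host header and pins the scheme to plain HTTP (`return 302 http://$http_host/ui/;`), so a cache or proxy in front can end up serving a redirect to a host nginx never validated, and users who reached the fronting proxy over TLS are sent back to http. A relative redirect avoids both: add `absolute_redirect off;` at server level and use `return 302 /ui/;` in the location. Separately, the `add_header Content-Security-Policy` line has no `always`, so the policy is omitted on 4xx/5xx responses. `'unsafe-inline'` and `'unsafe-eval'` in `script-src` remove most of its XSS value, so a comment should say which dependency requires them.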
@@ -1,33 +1,32 @@
-server {
- listen 8080;
- proxy_hide_header WWW-Authenticate;
- port_in_redirect off;
- server_tokens off;
- root /usr/share/nginx/html;
- # SSL stuff for cloudflare proxy-ing - ignores SSL certificate and uses SNI
- add_header Content-Security-Policy "frame-ancestors 'self'; connect-src 'self' $API_URL $PDFTRON_ALLOWED_HOSTS; default-src 'self' $API_URL; script-src 'self' blob: data: 'unsafe-eval' 'unsafe-inline'; script-src-elem 'self' data: blob: 'unsafe-inline'; script-src-attr 'self' data:; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:";
+user nginx;
+worker_processes auto;
- proxy_ssl_verify off;
- proxy_read_timeout 1m;
- proxy_ssl_server_name on;
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
- location / {
- return 302 http://$http_host/ui/;
- }
-
- location /ui/ {
- proxy_hide_header WWW-Authenticate;
- try_files $uri $uri/ /ui/index.html =404;
- }
-
- client_max_body_size 0;
- gzip_min_length 1000;
- gzip on;
- gzip_http_version 1.0;
- gzip_vary on;
- gzip_proxied any;
- gzip_comp_level 6;
- gzip_buffers 16 8k;
- gzip_types application/javascript text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+ include /tmp/nginx/*.conf;
 }
diff --git a/docker/red-ui/09-set-application-config.sh b/docker/red-ui/09-set-application-config.sh
index 5719e1ea8..a9fdb61cb 100755
--- a/docker/red-ui/09-set-application-config.sh
+++ b/docker/red-ui/09-set-application-config.sh
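Review bot: `include /tmp/nginx/*.conf;` makes nginx load server configuration from a directory that the Dockerfile in this commit creates world-writable (`RUN chmod a+rw -R /tmp/nginx`), so any process or UID in the container that can write there can add or replace a `.conf` file that is honoured on the next start or reload. Include only the rendered file, `include /tmp/nginx/custom.conf;`, and make the directory writable by the runtime identity alone, for example group-owned with `g+rwX` rather than `a+rw`. The same applies to the `chmod` line in the second Dockerfile hunk. `user nginx;` and `pid /var/run/nginx.pid;` also assume the master process starts as root; if the image is meant to run under an arbitrary non-root UID, which the permission changes suggest but the diff does not show, that pid path is probably not writable.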
@@ -55,10 +55,5 @@ echo '{ "WATERMARK_PREVIEW_PAPER_FORMAT":"'"$WATERMARK_PREVIEW_PAPER_FORMAT"'" }' >/usr/share/nginx/html/ui/assets/config/config.json -echo 'Env variables: ' +echo 'App config: ' cat /usr/share/nginx/html/ui/assets/config/config.json - -echo 'Change files permissions:' -chown a+rw -R /etc/nginx/conf.d -chown a+rw /etc/nginx/conf.d/default.conf -ls -al /etc/nginx/conf.d diff --git a/docker/red-ui/40-check-config.sh b/docker/red-ui/40-check-config.sh index 409fc2024..6bfc3d034 100755 --- a/docker/red-ui/40-check-config.sh +++ b/docker/red-ui/40-check-config.sh @@ -6,4 +6,6 @@ cat /etc/nginx/nginx.conf echo 'Default config:' cat /etc/nginx/conf.d/default.conf +echo 'Custom config:' +cat /tmp/nginx/custom.conf #nginx -g 'daemon off;' diff --git a/docker/red-ui/Dockerfile b/docker/red-ui/Dockerfile index 835b37180..51f1a750b 100644 --- a/docker/red-ui/Dockerfile +++ b/docker/red-ui/Dockerfile @@ -24,9 +24,11 @@ CMD ["/bin/cp", "-r", "/ng-app/dist/paligo-styles", "/tmp/styles-export"] FROM nginx:1.25.3-alpine +ENV NGINX_ENVSUBST_OUTPUT_DIR=/tmp/nginx ENV PDFTRON_ALLOWED_HOSTS='' ## Copy our default nginx config -COPY docker/common/nginx/nginx.conf /etc/nginx/templates/default.conf.template +COPY docker/common/nginx/nginx.conf /etc/nginx/nginx.conf +COPY docker/common/nginx/custom.conf /etc/nginx/templates/custom.conf.template ## Remove default nginx website RUN rm -rf /usr/share/nginx/html/* @@ -35,9 +37,8 @@ RUN rm -rf /usr/share/nginx/html/* COPY --from=builder /ng-app/dist/apps/red-ui /usr/share/nginx/html/ui COPY version.json /usr/share/nginx/html/ui/assets/version/version.json -USER root - -RUN chmod a+rw -R /etc/nginx/conf.d +RUN mkdir /tmp/nginx +RUN chmod a+rw -R /tmp/nginx RUN chmod o+r -R /usr/share/nginx/html RUN chmod g+r -R /usr/share/nginx/html 
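Review bot: In the first Dockerfile hunk the template is no longer rendered over `/etc/nginx/conf.d/default.conf` (output now goes to `NGINX_ENVSUBST_OUTPUT_DIR=/tmp/nginx`), yet the new nginx.conf keeps `include /etc/nginx/conf.d/*.conf;`, so the base image's stock `default.conf` appears to stay active next to the custom server. If it is the upstream default, that is a second listener serving the same document root without the CSP header, `server_tokens off` or the `/ui/` routing. Nothing visible in the diff removes it; consider `RUN rm /etc/nginx/conf.d/default.conf` together with dropping the matching `cat` in 40-check-config.sh, or remove the conf.d include. The second Dockerfile hunk deletes `USER root` without declaring another `USER`, so the image presumably still defaults to root unless the orchestrator overrides it; the Dockerfile continues outside these hunks, so confirm there.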
@@ -46,4 +47,3 @@ RUN chmod g+r -R /usr/share/nginx/html
 COPY docker/red-ui/09-set-application-config.sh docker-entrypoint.d/
 COPY docker/red-ui/40-check-config.sh docker-entrypoint.d/
-#CMD ["/docker-entrypoint.sh"]