diff --git a/gateway/Dockerfile.in b/gateway/Dockerfile.in
index 40346571587..f8c44a7750f 100644
--- a/gateway/Dockerfile.in
+++ b/gateway/Dockerfile.in
@@ -6,8 +6,9 @@ RUN apt-get update -y && \
 RUN rm -f /etc/nginx/sites-enabled/default
 ADD @nginx_conf@ /etc/nginx/conf.d/hail.conf
+ADD gzip.conf /etc/nginx/conf.d/gzip.conf
 RUN ln -sf /dev/stdout /var/log/nginx/access.log
 RUN ln -sf /dev/stderr /var/log/nginx/error.log
-CMD ["nginx", "-g", "daemon off;"]
+CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/gateway/gzip.conf b/gateway/gzip.conf
new file mode 100644
index 00000000000..2c8366a97d8
--- /dev/null
+++ b/gateway/gzip.conf
@@ -0,0 +1,28 @@
+# Re-enable when we migrate to 10.15.8: gzip on;
+gzip_vary on;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_min_length 512;
+gzip_proxied any;
+
+# suggestions: https://www.fastly.com/blog/new-gzip-settings-and-deciding-what-compress
+# defaults: https://nginx.org/en/docs/http/ngx_http_gzip_module.html
+gzip_types
+ text/plain
+ text/css
+ text/javascript
+ application/json
+ application/javascript
+ application/x-font-ttf
+ application/x-font-truetype
+ application/font-woff
+ font/woff2
+ woff
+ font/eot
+ font/otf
+ font/opentype
+ image/svg+xml
+ svg
+ svgz
+ image/x-icon;
\ No newline at end of file
diff --git a/gateway/hail.nginx.conf.in b/gateway/hail.nginx.conf.in
index f434823f4d1..58d6543b31e 100644
--- a/gateway/hail.nginx.conf.in
+++ b/gateway/hail.nginx.conf.in
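Review bot: `ADD gzip.conf /etc/nginx/conf.d/gzip.conf` uses ADD for a plain local file; ADD also auto-extracts archives and accepts remote URLs, so COPY is the conventional and less surprising instruction here: `COPY gzip.conf /etc/nginx/conf.d/gzip.conf`. The pre-existing `ADD @nginx_conf@` line has the same shape and could be switched in the same pass for consistency. The CMD line is otherwise unchanged apart from losing its trailing newline, which looks accidental and is worth restoring.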
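Review bot: `gzip on;` is left inside the comment on the first line, so every directive in this file is inert until someone uncomments it, and the comment does not say what 10.15.8 refers to or why it is a prerequisite; record that, e.g. `# gzip stays off until <component> 10.15.8 because <reason>; then add: gzip on;`. `woff`, `svg` and `svgz` in `gzip_types` are not media types — nginx compares each entry against the response Content-Type, so those three entries never match (the `font/woff2` and `image/svg+xml` entries next to them do, and text/html is compressed implicitly). Before compression is switched on for this TLS gateway, confirm that no proxied response body mixes attacker-influenced request data with a secret such as a token, since compressing that combination over TLS makes the secret measurable (BREACH-class side channel); `gzip_min_length 512` and `gzip_proxied any` do not mitigate that, and a short comment stating the check was done would help the person who eventually uncomments the line.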
@@ -158,3 +158,107 @@ server {
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 }
+
+server {
+ server_name app.@domain@;
+
+ location / {
+ proxy_pass http://web/;
+ }
+
+ listen [::]:443 ssl;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+server {
+ server_name notebook-api.@domain@;
+
+ # Support large URI's stemming from access tokens
+ client_header_buffer_size 64k;
+ large_client_header_buffers 4 64k;
+
+ location = /auth {
+ internal;
+
+ resolver kube-dns.kube-system.svc.cluster.local;
+ proxy_pass http://auth-gateway.default.svc.cluster.local/verify/$auth_request_uri;
+ }
+
+ location = /auth-notebook {
+ internal;
+
+ resolver kube-dns.kube-system.svc.cluster.local;
+ proxy_pass http://notebook-api.default.svc.cluster.local/api/verify/$svc_name/$auth_request_uri;
+ }
+
+ location / {
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Authorization,Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type';
+ add_header 'Access-Control-Max-Age' 86400;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ break;
+ }
+
+ set $auth_request_uri "$is_args$args";
+ auth_request /auth;
+ auth_request_set $auth_user $upstream_http_user;
+ auth_request_set $auth_scope $upstream_http_scope;
+ proxy_pass http://notebook-api;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header User $auth_user;
+ proxy_set_header Scope $auth_scope;
+
+ proxy_http_version 1.1;
+ proxy_read_timeout 86400;
+ proxy_buffering off;
+ }
+
+ location ~ /instance/([^/]+)/(.*) {
+ set $svc_name $1;
+ #set $auth_request_uri "$is_args$args";
+ #auth_request /auth-notebook;
+
+ resolver kube-dns.kube-system.svc.cluster.local;
+ proxy_pass http://$svc_name.default.svc.cluster.local$request_uri;
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_read_timeout 86400;
+ proxy_connect_timeout 10s;
+ }
+
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Credentials' 'true';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, DELETE, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'Authorization,Keep-Alive,User-Agent,Cache-Control,Content-Type';
+
+ listen [::]:443 ssl;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
\ No newline at end of file
diff --git a/letsencrypt/domains.txt b/letsencrypt/domains.txt
index cb0777a6d1f..5c421ccb533 100644
--- a/letsencrypt/domains.txt
+++ b/letsencrypt/domains.txt
@@ -2,6 +2,8 @@
 ci.@domain@
 dev1.@domain@
 notebook.@domain@
+notebook-api.@domain@
+app.@domain@
 scorecard.@domain@
 test.@domain@
 upload.@domain@
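Review bot: The `location ~ /instance/([^/]+)/(.*)` block proxies to `http://$svc_name.default.svc.cluster.local$request_uri` with `$svc_name` taken straight from the request path while the `auth_request /auth-notebook;` line is commented out, so an unauthenticated caller decides which in-cluster service in the `default` namespace the gateway connects to, and the unanchored regex also matches `/instance/` appearing anywhere in the URI. If deferring the auth check is intentional the reason belongs in the comment, but the host construction still needs a narrower capture either way: anchor the pattern and limit the label to DNS-name characters (assuming instance names are Kubernetes service names), e.g. `location ~ ^/instance/([a-z0-9-]+)/(.*) {`, and restore `set $auth_request_uri "$is_args$args";` and `auth_request /auth-notebook;` so the `/auth-notebook` verifier, which already consumes `$svc_name`, gates the route. Separately, in the same server block `Access-Control-Allow-Origin '*'` is paired with `Access-Control-Allow-Credentials 'true'`, a combination browsers refuse for credentialed requests, so one of the two should go. The `# Support large URI's stemming from access tokens` comment implies tokens travel in the query string that `$auth_request_uri` forwards to `/verify/`, which means they will also land in the access log the Dockerfile routes to stdout unless the log format (not shown here) omits `$args`.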