diff --git a/ownCast%2C-nginx-and-TLS.md b/ownCast%2C-nginx-and-TLS.md
new file mode 100644
index 0000000..71320da
--- /dev/null
+++ b/ownCast%2C-nginx-and-TLS.md
@@ -0,0 +1,90 @@
+Welcome to the Wiki.
+# owncast and nginx with SSL
+
+## assumptions
+
+* dns is configures so that your.domain.com points to the IP of your server
+* ownCast is already installed on your server and working at http://your.domain.com:PORT
+
+## install nginx
+
+```$ sudo apt install nginx```
+
+## install certbot and nginx module for it
+
+```$ sudo apt install certbot python3-certbot-nginx```
+
+## configure and run nginx
+
+```
+$ sudo touch /var/www/html/index.html
+$ sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/your.domain.com.conf
+```
+edit /etc/nginx/sites-available/your.domain.com.conf into something like:
+```
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name your.domain.com;
+
+	root /var/www/;
+	index index.html;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+}
+```
+
+$ sudo ln -s /etc/nginx/sites-available/your.domain.com.conf /etc/nginx/sites-enabled/your.domain.com.conf
+$ sudo rm /etc/nginx/sites-enabled/default
+$ sytemctl restart nginx
+```
+Test your webserver by going with a browser to http://your.domain.com - does it work?
+
+## install certificates from Let's Encrypt 
+
+```$ sudo certbot -d your.domain.com```
+
+(it's better not to enable automatic forward to SSL-enabled site e.g. http->https)
+
+## reconfigure nginx to proxy to ownCast
+
+edit /etc/nginx/sites-available/your.domain.com.conf into something like this:
+```
+server {
+
+	server_name your.domain.com;
+
+	location / {
+        	proxy_set_header Host $host;
+        	proxy_set_header X-Forwarded-Host $host;
+        	proxy_set_header X-Forwarded-Server $host;
+        	proxy_set_header X-Forwarded-Proto $scheme;
+	        proxy_set_header X-Real-IP $remote_addr;
+	        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	        proxy_http_version 1.1;
+	        proxy_set_header Upgrade $http_upgrade;
+	        proxy_set_header Connection $connection_upgrade;
+	        proxy_pass http://127.0.0.1:8080;        
+	}
+
+	listen [::]:443 ssl ipv6only=on; # managed by Certbot
+	listen 443 ssl; # managed by Certbot
+	ssl_certificate /etc/letsencrypt/live/your.domain.com/fullchain.pem; # managed by Certbot
+	ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem; # managed by Certbot
+	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+```
+(change your.domain.com to your own domain, and port in the proxy_pass setting to whatever you are using)
+
+Edit /etc/nginx/nginx.conf and add anywhere into html{} stanza:
+```
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	''      close;
+}
+```