diff --git a/roles/websites/proxy-bitwarden/tasks/main.yml b/roles/websites/proxy-bitwarden/tasks/main.yml
new file mode 100644
index 0000000..6fe5dd2
--- /dev/null
+++ b/roles/websites/proxy-bitwarden/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for bitwarden
+ template:
+ src: bitwarden.httpd.conf.j2
+ dest: /etc/httpd/conf.d/bitwarden.conf
+ mode: '0644'
+ notify: reload httpd
diff --git a/roles/websites/proxy-bitwarden/templates/bitwarden.httpd.conf.j2 b/roles/websites/proxy-bitwarden/templates/bitwarden.httpd.conf.j2
new file mode 100644
index 0000000..d135648
--- /dev/null
+++ b/roles/websites/proxy-bitwarden/templates/bitwarden.httpd.conf.j2
@@ -0,0 +1,13 @@
+
+ServerName bitwarden.pyrocufflink.blue
+ServerAlias bitwarden.pyrocufflink.net
+
+Include conf.d/ssl.include
+SSLCertificateFile /etc/pki/tls/certs/pyrocufflink.net.cer
+SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
+
+SSLProxyEngine On
+ProxyRequests Off
+ProxyPass / https://bitwarden.pyrocufflink.blue/
+ProxyPassReverse / https://bitwarden.pyrocufflink.blue/
+
diff --git a/roles/websites/proxy-gitea/tasks/main.yml b/roles/websites/proxy-gitea/tasks/main.yml
new file mode 100644
index 0000000..75e71eb
--- /dev/null
+++ b/roles/websites/proxy-gitea/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for gitea
+ template:
+ src: gitea.httpd.conf.j2
+ dest: /etc/httpd/conf.d/gitea.conf
+ mode: '0644'
+ notify: reload httpd
diff --git a/roles/websites/proxy-gitea/templates/gitea.httpd.conf.j2 b/roles/websites/proxy-gitea/templates/gitea.httpd.conf.j2
new file mode 100644
index 0000000..18617f2
--- /dev/null
+++ b/roles/websites/proxy-gitea/templates/gitea.httpd.conf.j2
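Review bot: The `template` task in `proxy-bitwarden/tasks/main.yml` sets `mode: '0644'` but no `owner` or `group`, so ownership of `/etc/httpd/conf.d/bitwarden.conf` depends on whichever account the play connects or escalates as; adding `owner: root` and `group: root` pins it. The task notifies `reload httpd`, but no handler file is added in this commit, so the handler presumably comes from elsewhere in the play; a one-line comment saying where would help the next reader. The same applies to the task files in the proxy-gitea, proxy-jenkins, proxy-nextcloud and proxy-openvpn roles, which differ only in the service name, so a single parameterised role would keep the five copies from drifting apart.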
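Review bot: `SSLProxyEngine On` in `bitwarden.httpd.conf.j2` enables TLS to the backend, but nothing visible in the vhost verifies the backend certificate; mod_ssl's `SSLProxyVerify` defaults to `none`, so unless `conf.d/ssl.include` sets it, the proxy accepts any certificate presented for `bitwarden.pyrocufflink.blue`. For a password vault that leaves the proxy-to-backend hop unauthenticated on the internal network. Suggest adding `SSLProxyVerify require` and `SSLProxyCACertificateFile /path/to/internal-ca.pem` (placeholder path) and leaving `SSLProxyCheckPeerName` at its default of on. The gitea, jenkins and nextcloud templates carry the same lines and need the same check. The vhost's opening and closing container lines are not visible on this page.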
@@ -0,0 +1,13 @@
+
+ServerName git.pyrocufflink.blue
+ServerAlias git.pyrocufflink.net
+
+Include conf.d/ssl.include
+SSLCertificateFile /etc/pki/tls/certs/pyrocufflink.net.cer
+SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
+
+SSLProxyEngine On
+ProxyRequests Off
+ProxyPass / https://git.pyrocufflink.blue/
+ProxyPassReverse / https://git.pyrocufflink.blue/
+
diff --git a/roles/websites/proxy-jenkins/tasks/main.yml b/roles/websites/proxy-jenkins/tasks/main.yml
new file mode 100644
index 0000000..2701779
--- /dev/null
+++ b/roles/websites/proxy-jenkins/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for jenkins
+ template:
+ src: jenkins.httpd.conf.j2
+ dest: /etc/httpd/conf.d/jenkins.conf
+ mode: '0644'
+ notify: reload httpd
diff --git a/roles/websites/proxy-jenkins/templates/jenkins.httpd.conf.j2 b/roles/websites/proxy-jenkins/templates/jenkins.httpd.conf.j2
new file mode 100644
index 0000000..a8a38b7
--- /dev/null
+++ b/roles/websites/proxy-jenkins/templates/jenkins.httpd.conf.j2
@@ -0,0 +1,13 @@
+
+ServerName jenkins.pyrocufflink.blue
+ServerAlias jenkins.pyrocufflink.net
+
+Include conf.d/ssl.include
+SSLCertificateFile /etc/pki/tls/certs/pyrocufflink.net.cer
+SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
+
+SSLProxyEngine On
+ProxyRequests Off
+ProxyPass / https://jenkins.pyrocufflink.blue/
+ProxyPassReverse / https://jenkins.pyrocufflink.blue/
+
diff --git a/roles/websites/proxy-nextcloud/tasks/main.yml b/roles/websites/proxy-nextcloud/tasks/main.yml
new file mode 100644
index 0000000..455abe9
--- /dev/null
+++ b/roles/websites/proxy-nextcloud/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for nextcloud
+ template:
+ src: nextcloud.httpd.conf.j2
+ dest: /etc/httpd/conf.d/nextcloud.conf
+ mode: '0644'
+ notify: reload httpd
diff --git a/roles/websites/proxy-nextcloud/templates/nextcloud.httpd.conf.j2 b/roles/websites/proxy-nextcloud/templates/nextcloud.httpd.conf.j2
new file mode 100644
index 0000000..b17ca14
--- /dev/null
+++ b/roles/websites/proxy-nextcloud/templates/nextcloud.httpd.conf.j2
@@ -0,0 +1,13 @@
+
+ServerName nextcloud.pyrocufflink.blue
+ServerAlias nextcloud.pyrocufflink.net
+
+Include conf.d/ssl.include
+SSLCertificateFile /etc/pki/tls/certs/pyrocufflink.net.cer
+SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
+
+SSLProxyEngine On
+ProxyRequests Off
+ProxyPass / https://cloud0.pyrocufflink.blue/
+ProxyPassReverse / https://cloud0.pyrocufflink.blue/
+
diff --git a/roles/websites/proxy-openvpn/tasks/main.yml b/roles/websites/proxy-openvpn/tasks/main.yml
new file mode 100644
index 0000000..863e924
--- /dev/null
+++ b/roles/websites/proxy-openvpn/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: ensure apache is configured to proxy for openvpn
+ template:
+ src: openvpn.httpd.conf.j2
+ dest: /etc/httpd/conf.d/openvpn.conf
+ mode: '0644'
+ notify: reload httpd
diff --git a/roles/websites/proxy-openvpn/templates/openvpn.httpd.conf.j2 b/roles/websites/proxy-openvpn/templates/openvpn.httpd.conf.j2
new file mode 100644
index 0000000..4189a4b
--- /dev/null
+++ b/roles/websites/proxy-openvpn/templates/openvpn.httpd.conf.j2
@@ -0,0 +1,19 @@
+
+ServerName vpn.pyrocufflink.net
+
+Include conf.d/ssl.include
+SSLCertificateKeyFile /etc/pki/tls/private/pyrocufflink.net.key
+SSLCertificateFile /etc/pki/tls/certs/pyrocufflink.net.cer
+
+
+ Require all denied
+
+ProxyRequests On
+AllowCONNECT 1194
+
+ Require all denied
+
+
+ Require ip 74.122.204.67
+
+
diff --git a/websites.yml b/websites.yml
index 2c5c128..7f6be03 100644
--- a/websites.yml
+++ b/websites.yml
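Review bot: `ProxyRequests On` in `openvpn.httpd.conf.j2` turns this vhost into a forward proxy, and `AllowCONNECT 1194` restricts only the destination port, not the destination host. Unless the container around `Require ip 74.122.204.67` names a single target, a client at that address can open tunnels to port 1194 on any host this server can reach; the container lines are not visible on this page, so please confirm their scope. The allow rule should sit in a `<Proxy>` section that matches only the intended OpenVPN endpoint, with `Require all denied` as the default for every other proxied request. The permitted address is hard-coded in the template; a role variable such as `{{ openvpn_proxy_allow_ip }}` (constructed name) with a comment saying whose address it is would make the rule easier to audit and rotate.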
@@ -11,6 +11,12 @@
 cert_key_dest: /etc/pki/tls/private/pyrocufflink.net.key
 tags:
 - websites/pyrocufflink.net
+ - websites/proxy
+ - websites/proxy-bitwarden
+ - websites/proxy-gitea
+ - websites/proxy-jenkins
+ - websites/proxy-nextcloud
+ - websites/proxy-openvpn
 - role: websites/pyrocufflink.net
 tags: websites/pyrocufflink.net
 - role: websites/dustin.hatch.name
@@ -29,6 +35,26 @@
 tags: websites/chmod777.sh
 - role: websites/chmod777.sh
 tags: websites/chmod777.sh
+ - role: websites/proxy-bitwarden
+ tags:
+ - websites/proxy
+ - websites/proxy-bitwarden
+ - role: websites/proxy-gitea
+ tags:
+ - websites/proxy
+ - websites/proxy-gitea
+ - role: websites/proxy-jenkins
+ tags:
+ - websites/proxy
+ - websites/proxy-jenkins
+ - role: websites/proxy-nextcloud
+ tags:
+ - websites/proxy
+ - websites/proxy-nextcloud
+ - role: websites/proxy-openvpn
+ tags:
+ - websites/proxy
+ - websites/proxy-openvpn
 tasks:
 - name: ensure httpd service is running
 service:
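Review bot: The first hunk adds the proxy tags to the role entry that deploys the certificate and key (that entry starts above the hunk), but the new vhost templates also `Include conf.d/ssl.include`, and nothing visible here tags whatever installs that file. If it is installed by a role or task outside these tags, a tag-limited run such as `--tags websites/proxy-gitea` against a fresh host would write a vhost that fails at `reload httpd`. Either add `websites/proxy` to that role's tags as well, or state the prerequisite in a comment above the new role entries in the second hunk.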