diff --git a/roles/nginx/tasks/nginx.yml b/roles/nginx/tasks/nginx.yml index 26252c38..c3a617c7 100644 --- a/roles/nginx/tasks/nginx.yml +++ b/roles/nginx/tasks/nginx.yml @@ -38,6 +38,7 @@ volumes: "{{ nginx_volumes }}" networks: - name: "{{ docker_network_name }}" + network_mode: bridge log_driver: "{{ docker_log_driver }}" log_options: max-size: "{{ docker_log_max_size }}" diff --git a/roles/prometheus/README.md b/roles/prometheus/README.md index 06a227dd..d40fcb64 100644 --- a/roles/prometheus/README.md +++ b/roles/prometheus/README.md @@ -21,6 +21,8 @@ prometheus_port: 127.0.0.1:9999 # default: 127.0.0.1:9090 prometheus_retention_time: "30d" # default: "15d" prometheus_etc_hosts: # defaults: {} "server.example.com": 10.42.5.2 +prometheus_proxy_basic_auth_username: metric # default: prometheus +prometheus_proxy_basic_auth_password: # default: "{{ vault_prometheus_proxy_basic_auth_password }}" prometheus_node_exporter_basic_auth_username: node-exporter prometheus_node_exporter_basic_auth_password: # default: "{{ vault_prometheus_node_exporter_basic_auth_password }}" diff --git a/roles/prometheus/defaults/main.yml b/roles/prometheus/defaults/main.yml index a3ee404f..f52e790b 100644 --- a/roles/prometheus/defaults/main.yml +++ b/roles/prometheus/defaults/main.yml @@ -5,6 +5,8 @@ prometheus_volume_name: "{{ prometheus_hostname }}" prometheus_data_dir: /usr/share/{{ prometheus_hostname }} prometheus_hosts: "{{ groups['all'] }}" prometheus_etc_hosts: {} +prometheus_proxy_basic_auth_username: prometheus +prometheus_proxy_basic_auth_password: "{{ vault_prometheus_proxy_basic_auth_password }}" prometheus_retention_time: 15d prometheus_alertmanager_basic_auth_password: "{{ vault_prometheus_alertmanager_basic_auth_password }}" prometheus_node_exporter_basic_auth_password: "{{ vault_prometheus_node_exporter_basic_auth_password }}" diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml index 158c2d9b..ec338f84 100644 
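Review bot: In roles/nginx/tasks/nginx.yml, `network_mode: bridge` is added next to an explicit `networks:` list, and nothing in the hunk says why both are needed. If this is a docker_container task (the module line and the start of the task are outside the hunk), the container may end up attached to Docker's default bridge as well as `docker_network_name`, which would put the reverse proxy on a network shared with unrelated containers. I would add a comment above the line, e.g. `# network_mode pinned to bridge because <reason>; the container should only join docker_network_name`, and confirm after a deploy that only the named network is attached.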
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -4,3 +4,10 @@
 when: prometheus_image is defined
 tags:
 - prometheus
+
+- name: Include {{ role_name }} nginx config tasks
+ ansible.builtin.include_tasks: "{{ role_name }}_nginx_config.yml"
+ when: prometheus_proxy_basic_auth_password is defined
+ tags:
+ - prometheus
+ - prometheus_nginx_config
diff --git a/roles/prometheus/tasks/prometheus_nginx_config.yml b/roles/prometheus/tasks/prometheus_nginx_config.yml
new file mode 100644
index 00000000..62f5d067
--- /dev/null
+++ b/roles/prometheus/tasks/prometheus_nginx_config.yml
@@ -0,0 +1,16 @@
+---
+- name: Ensure nginx data dir exists
+ ansible.builtin.file:
+ path: "{{ nginx_data_dir }}/proxies"
+ state: directory
+
+- name: Configure user access for {{ role_name }}
+ community.general.htpasswd:
+ path: "{{ nginx_data_dir }}/proxies/prometheus.htpasswd"
+ name: "{{ prometheus_proxy_basic_auth_username }}"
+ password: "{{ prometheus_proxy_basic_auth_password }}"
+
+- name: Copy nginx {{ role_name }} conf
+ ansible.builtin.template:
+ src: prometheus.nginx
+ dest: "{{ nginx_data_dir }}/proxies/prometheus.nginx"
diff --git a/roles/prometheus/templates/prometheus.nginx b/roles/prometheus/templates/prometheus.nginx
new file mode 100644
index 00000000..b8e81122
--- /dev/null
+++ b/roles/prometheus/templates/prometheus.nginx
@@ -0,0 +1,6 @@
+location / {
+ auth_basic "{{ prometheus_proxy_basic_auth_username }}";
+ auth_basic_user_file /etc/nginx/conf.d/proxies/prometheus.htpasswd;
+ proxy_pass http://{{ prometheus_hostname }}:9090;
+ include /etc/nginx/conf.d/proxy-params.conf;
+}
\ No newline at end of file
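Review bot: The guard `when: prometheus_proxy_basic_auth_password is defined` in roles/prometheus/tasks/main.yml does not reject an empty or null password. The README example line `prometheus_proxy_basic_auth_password: # default: …` yields a null value if copied verbatim, and a blank vault entry would pass the test too, so the htpasswd task could run with no usable secret. A stricter condition such as `when: prometheus_proxy_basic_auth_password | default('', true) | length > 0` would skip the proxy config in those cases; an explicit `ansible.builtin.assert` that fails the play is an alternative if silent skipping is not wanted.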
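Review bot: The htpasswd task in roles/prometheus/tasks/prometheus_nginx_config.yml creates `prometheus.htpasswd` without `mode`, `owner` or `group`, so the file holding the password hash gets whatever the umask gives, which is commonly world-readable. Setting for example `mode: "0640"` with an `owner`/`group` that the nginx container can read (the right ids are not visible here) narrows that, and the `proxies` directory task could take an explicit `mode` as well. Neither the htpasswd task nor the template task notifies a handler, so unless nginx is reloaded elsewhere the new `prometheus.nginx` may not take effect until the next restart.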
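Review bot: In roles/prometheus/templates/prometheus.nginx the realm string given to `auth_basic` is the account name, and nginx sends the realm to every unauthenticated client in the `WWW-Authenticate` challenge, so the proxy discloses the valid username before any login. A fixed label such as `auth_basic "Prometheus";` keeps the prompt meaningful without giving that away. The upstream port in `proxy_pass` is hard-coded to 9090; a short comment that this is the container-internal port, if that is the intent, would avoid confusion with `prometheus_port`.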