diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml
index 2797712..834ad82 100644
--- a/stack/templates/oidc_proxy.yaml
+++ b/stack/templates/oidc_proxy.yaml
@@ -1,5 +1,6 @@
 {{ $global := . }}
 {{- $allHosts := list -}}
+{{- $allOIDCProtectedServces := list -}}
 {{ range $serviceName, $serviceValues := .Values.services }}
 {{- $globalValuesDict := $global.Values.global | toYaml -}}
 {{- $values := fromYaml $globalValuesDict -}}
@@ -8,9 +9,16 @@
 {{- with $values -}}
 {{- if .ingress.oidcProtected -}}
+
+ {{- $allOIDCProtectedServces = append
+ $allOIDCProtectedServces
+ (printf "http://%s.%s.svc.cluster.local:%d" $serviceName $global.Release.Namespace ($values.service.port | int))
+ -}}
+
 {{ range $i, $rule := .ingress.rules }}
 {{- $allHosts = append $allHosts $rule.host }}
 {{- end -}}
+
 {{- end -}}
 {{- end -}}
 {{- end -}}
@@ -59,13 +67,20 @@ spec:
 - --pass-authorization-header=true
 - --reverse-proxy
 - --skip-jwt-bearer-tokens
+
+ {{- range $allOIDCProtectedServces }}
+ - --upstream={{ . }}
+ {{ end -}}
+
 {{- range .Values.oidcProxy.skipAuth }}
+ # for backwards compatibility, could also just be provided using extraArgs
 {{ if contains "*" .method }}
 - --skip-auth-route={{ .path }}
 {{- else -}}
 - --skip-auth-route={{ .method }}={{ .path }}
 {{- end -}}
 {{- end -}}
+
 {{- range $allHosts -}}
 {{- printf "- --whitelist-domain=%s" . | nindent 12 -}}
 {{- printf "- --cookie-domain=%s" . | nindent 12 -}}
diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml
index ecb5619..3e72f4c 100644
--- a/stack/tests/oidc_test.yaml
+++ b/stack/tests/oidc_test.yaml
@@ -106,7 +106,7 @@ tests:
 path: "/v1/api/docs2"
 - method: POST
 path: "/v1/api/docs3"
- - path: "/v1/api/llm/*"
+ - path: "/v1/api/llm/.*"
 method: ".*"
 extraArgs:
 - "--skip-auth-route=/v1/api/docs"
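Review bot: The new variable name `$allOIDCProtectedServces` drops the "i" in Services, and the misspelling is then repeated at every later use in this file, so it will keep being copied each time someone greps for the correct word. Renaming it to `$allOIDCProtectedServices` on this line and at its other uses costs nothing while the identifier is new. A one-line comment on the declaration would also help a reader who lands here first, e.g. `{{- /* in-cluster URL of every service with ingress.oidcProtected; emitted below as --upstream flags */ -}}`.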
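Review bot: The upstream URL is built with `$values.service.port | int`, but nothing checks that the port is actually set, and as far as I can tell Sprig's `int` coerces a missing value to 0, so a service that sets `ingress.oidcProtected: true` without a `service.port` renders `--upstream=http://<svc>.<ns>.svc.cluster.local:0` and the chart installs cleanly while the proxy has no working backend. Failing the render is the safer behaviour here; e.g. replace `($values.service.port | int)` with `(required (printf "services.%s.service.port must be set when ingress.oidcProtected is true" $serviceName) $values.service.port | int)`. The `range` over `.Values.services` that encloses this block starts outside the hunk.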
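Review bot: Each `--upstream` emitted by the new range carries no URL path, and unless I misremember oauth2-proxy's legacy upstream handling, the URL path is what selects an upstream per request, so with two or more protected services they all register for `/` and every whitelisted host would be proxied to a single backend rather than to the service whose hostname was requested. That deserves a check against the oauth2-proxy version pinned by this chart before merging; the test added in oidc_test.yaml only asserts that both flags are present, not that traffic for service2's host reaches service2. Whatever the answer, a comment above the range would spare the next reader the same question, e.g. `# one --upstream per oidcProtected service; oauth2-proxy selects upstreams by URL path and all of these are "/"`. Separately, the scheme is hard-coded to `http://`, so the proxy-to-service hop is always plaintext inside the cluster and a backend that only listens on TLS cannot be put behind this proxy.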
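Review bot: The corrected fixture `/v1/api/llm/.*` is a regex that is still unanchored, and if oauth2-proxy matches `--skip-auth-route` patterns with Go's unanchored `MatchString` (which is my recollection), it exempts any path that merely contains `/v1/api/llm/`, such as `/admin/v1/api/llm/x`, from authentication. Since the template passes `.path` through verbatim, this fixture is effectively the documented form; anchoring it as `path: "^/v1/api/llm/.*"` would make the example safe to copy. The old `/v1/api/llm/*` had the same unanchored problem, so this is not a regression introduced here.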
@@ -127,7 +127,7 @@ tests:
 - documentIndex: 0
 lengthEqual:
 path: spec.template.spec.containers[0].args
- count: 19
+ count: 18
 - documentIndex: 0
 contains:
 path: spec.template.spec.containers[0].args
@@ -188,6 +188,8 @@ tests:
 - it: oidc proxy has volumes mounted
 set:
 global:
+ service:
+ port: 2222
 ingress:
 host: "stack.play.dev.czi.team"
 oidcProxy:
@@ -202,6 +204,11 @@ tests:
 name: oauth2-proxy-sign-in-template
 services:
 service1:
+ service:
+ port: 4123
+ ingress:
+ oidcProtected: true
+ service2:
 ingress:
 oidcProtected: true
 asserts:
@@ -209,6 +216,14 @@ tests:
 equal:
 path: spec.template.spec.containers[0].volumeMounts[0].mountPath
 value: /templates/oauth2-proxy/sign_in.html
+ - documentIndex: 0
+ contains:
+ path: spec.template.spec.containers[0].args
+ content: --upstream=http://service1.NAMESPACE.svc.cluster.local:4123
+ - documentIndex: 0
+ contains:
+ path: spec.template.spec.containers[0].args
+ content: --upstream=http://service2.NAMESPACE.svc.cluster.local:2222
 - documentIndex: 0
 equal:
 path: spec.template.spec.containers[0].volumeMounts[0].name
@@ -356,7 +371,7 @@ tests:
 - documentIndex: 0
 lengthEqual:
 path: spec.template.spec.containers[0].args
- count: 19
+ count: 22
 - documentIndex: 0
 contains:
 path: spec.template.spec.containers[0].args
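Review bot: The expected argument count drops from 19 to 18 although the only change to this test's inputs is the fixture's glob becoming a regex (`/v1/api/llm/*` to `/v1/api/llm/.*`), which cannot change the number of rendered args, so the decrease must come from the template changes in oidc_proxy.yaml and nothing in the diff says which argument went away. A bare `lengthEqual` cannot tell a reviewer whether that was intended; adding a `notContains` for the argument that disappeared, or a short comment above `count: 18` naming it, would pin the behaviour. If the old template was emitting an empty list item that the whitespace changes removed, saying so in the commit message would close the question.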
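Review bot: The two new `contains` assertions are added to a case that, judging by the `it: oidc proxy has volumes mounted` a few hunks up and the `volumeMounts` assertions around them, is about volume wiring rather than upstreams, and both services in that setup are protected, so nothing checks that an unprotected service gets no `--upstream`. Moving these into their own case, e.g. `- it: oidc proxy gets one --upstream per oidcProtected service`, with a third service that omits `oidcProtected` and a matching `notContains` on `--upstream=http://service3.NAMESPACE.svc.cluster.local:2222`, would cover the condition the template actually branches on. The `services:` map this test sets starts outside the hunk.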