diff --git a/README.md b/README.md index 3c83af6..f1b1a35 100644 --- a/README.md +++ b/README.md @@ -123,9 +123,13 @@ Visit http://localhost:5762/login.pl to log in and get started. No persistant data is stored in the LedgerSMB container. -All LedgerSMB data is stored in Postgres, so you can stop/destroy/run a +All LedgerSMB data is stored in PostgreSQL, so you can stop/destroy/run a new LedgerSMB container as often as you want. +In case of the Docker Compose setup, all PostgreSQL data is stored on the +Docker volume with the name ending in `_pgdata`. This volume is not destroyed +when updating the containers; only explicit removal destroys the data. + # Environment Variables The LedgerSMB image uses several environment variables. They are all optional. 
@@ -176,7 +180,51 @@ The following parameters are now supported to set mail preferences: * `LSMB_MAIL_SMTPPASS` * `LSMB_MAIL_SMTPAUTHMECH` +# Advanced setup +## Docker Compose with reverse proxy + +The `docker-compose-reverseproxy.yml` file shows a docker-compose setup +which adds an Nginx reverse proxy configuration on top of the base +`docker-compose.yml` configuration file. If the content of this repository +is cloned into the current directory (`git clone https://github.com/ledgersmb/ledgersmb-docker.git ; cd ledgersmb-docker`), it can be used as: + +```plain + $ docker-compose \ + -f docker-compose.yml \ + -f docker-compose-reverseproxy.yml \ + up -d +``` + +This setup can be used in combination with an image which runs the +Certbot certificate renewal process *and* Nginx to do TLS termination. The +default reverse proxy is mostly an example; it publishes on +[http://localhost:8080/](http://localhost:8080/). + +An example of such an image can be found at +[https://github.com/jonasalfredsson/docker-nginx-certbot](https://github.com/jonasalfredsson/docker-nginx-certbot), +which is published on Docker Hub as +[jonasal/nginx-certbot](https://hub.docker.com/r/jonasal/nginx-certbot). + +**Upgrade note** When upgrading this setup, please remove the volume ending +in `_lsmbdata` before starting the upgraded containers. Without that, the +webcontent won't be upgraded! E.g.: + +```plain + $ docker-compose \ + -f docker-compose.yml \ + -f docker-compose-reverseproxy.yml \ + rm -s -f -v && \ + docker volume rm ledgersmb-docker_lsmbdata && \ + docker-compose \ + -f docker-compose.yml \ + -f docker-compose-reverseproxy.yml \ + pull && \ + docker-compose \ + -f docker-compose.yml \ + -f docker-compose-reverseproxy.yml \ + up -d +``` # Troubleshooting/Developing diff --git a/docker-compose-reverseproxy.yml b/docker-compose-reverseproxy.yml new file mode 100644 index 0000000..133b18a --- /dev/null +++ b/docker-compose-reverseproxy.yml 
@@ -0,0 +1,34 @@
+# Use this docker-compose file as:
+#
+# docker-compose -f docker-compose.yml -f docker-compose-reverseproxy.yml up -d
+#
+#
+# This command creates one
+# compose 'project' consisting of three containers
+#
+# 1. The PostgreSQL data container
+# 2. The LedgerSMB application container
+# 3. The Nginx reverse proxy container
+#
+# In addition to publishing LedgerSMB on port 5762 on localhost,
+# this project also publishes Nginx's reverse proxied content on
+# port 8080 on localhost
+
+version: "3.2"
+services:
+ # Note that the container needs to be named "postgres" here,
+ # because that allows us to use the default hostname ("postgres")
+ # from the LedgerSMB configuration
+ proxy:
+ image: nginx:1-alpine
+ volumes:
+ - "lsmbdata:/srv/ledgersmb"
+ - "./nginx.conf:/etc/nginx/nginx.conf"
+ ports:
+ - "8080:8080"
+ lsmb:
+ volumes:
+ - "lsmbdata:/srv/ledgersmb"
+
+volumes:
+ lsmbdata:
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..477e682
--- /dev/null
+++ b/nginx.conf
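Review bot: In docker-compose-reverseproxy.yml the `ports` entry `"8080:8080"` binds the proxy on every host interface, while the header comment says the content is published "on localhost". Because this listener is plain HTTP in front of the login page, `- "127.0.0.1:8080:8080"` would match the comment and keep it off the network until a TLS terminator sits in front of it. As far as the nginx.conf in this commit shows, the proxy only reads its two mounts, so both can be read-only: `- "lsmbdata:/srv/ledgersmb:ro"` and `- "./nginx.conf:/etc/nginx/nginx.conf:ro"`. The comment above `proxy:` about the container needing to be named "postgres" looks carried over from the base compose file and does not describe this service.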
@@ -0,0 +1,81 @@
+# This is a full (minimal) nginx configuration file
+
+error_log /dev/stderr info;
+pid /tmp/nginx.pid;
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ client_body_temp_path /tmp/client_body;
+ proxy_temp_path /tmp/proxy_temp;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /dev/stdout;
+ error_log /dev/stderr info;
+
+ gzip off;
+ gzip_static on;
+
+ server {
+ listen 8080 default_server;
+ listen [::]:8080 default_server ipv6only=on;
+
+ root /srv/ledgersmb/UI;
+
+ access_log /dev/stdout;
+ error_log /dev/stderr info;
+
+ # Don't log status polls
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ allow ::1;
+ deny all;
+ }
+
+ # Configuration files don't exist
+ location ^~ \.conf$ {
+ return 404;
+ }
+
+ # 'Hidden' files don't exist
+ location ~ /\. {
+ return 404;
+ }
+
+ location = / {
+ return 301 /login.pl;
+ }
+
+ # JS & CSS
+ location ~* \.(js|css)$ {
+ add_header Pragma "public";
+ add_header Cache-Control "public, must-revalidate, proxy-revalidate"; # Production
+ expires 7d; # Indicate that the resource can be cached for 1 week # Production
+ try_files $uri =404;
+ }
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 300;
+ proxy_pass http://lsmb:5762;
+ }
+ }
+}
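Review bot: The block `location ^~ \.conf$ { return 404; }` in nginx.conf does not do what its comment says. `^~` marks a literal prefix match, so nginx compares the start of the URI against the string `\.conf$` and the block never matches; requests for `*.conf` fall through to `location /` and are proxied to the backend. The regex modifier gives the intended 404: `location ~ \.conf$ {`. Separately, `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent, so when this proxy is the outermost hop the backend should not treat that header as authoritative; `proxy_set_header X-Forwarded-For $remote_addr;` is the stricter choice for that deployment.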