diff --git a/config/proxy-config.conf b/config/proxy-config.conf
new file mode 100644
index 0000000..e57c247
--- /dev/null
+++ b/config/proxy-config.conf
@@ -0,0 +1,60 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ # Basic config
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+
+ # We define two upstreams: external and internal
+ upstream external_ingress {
+ server nginx-external.ingress-nginx.svc.cluster.local:80;
+ }
+ upstream internal_ingress {
+ server nginx-internal.ingress-nginx.svc.cluster.local:80;
+ }
+
+ # Server block for HTTP (port 80)
+ server {
+ listen 80 default_server;
+ server_name _;
+
+ # For infra.mrcynic.site
+ # (We do a separate server block for clarity. Could be done with if/host checks.)
+ }
+
+ server {
+ listen 80;
+ server_name ~^(?.+)\.infra\.mrcynic\.site$;
+
+ location / {
+ proxy_pass http://external_ingress;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+ }
+
+ # dev.mrcynic.site - allow only LAN
+ server {
+ listen 80;
+ server_name ~^(?.+)\.dev\.mrcynic\.site$;
+
+ # Block if not LAN (192.168.0.0/24). You can expand or tighten this as needed.
+ allow 192.168.0.0/24;
+ deny all;
+
+ location / {
+ proxy_pass http://internal_ingress;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+ }
+}
\ No newline at end of file
diff --git a/kustomization.yaml b/kustomization.yaml
index 3160de3..6daf2f2 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -6,6 +6,12 @@ resources:
 - internal-controller.yaml
 - namespace.yaml
 - services.yaml
+ - proxy.yaml
+
+configMapGenerator:
+ - name: proxy-config
+ files:
+ - config/proxy-config.conf
 generatorOptions:
 annotations:
diff --git a/proxy.yaml b/proxy.yaml
new file mode 100644
index 0000000..0349ca8
--- /dev/null
+++ b/proxy.yaml
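Review bot: In config/proxy-config.conf the `allow 192.168.0.0/24; deny all;` pair in the dev.mrcynic.site server block is only as good as `$remote_addr`, and nothing in this commit makes that the real client address. edge-proxy-service (added in services.yaml) is a LoadBalancer Service without `externalTrafficPolicy: Local`, so with the default Cluster policy the connection is normally source-NATed before it reaches the pod; nginx then sees a node or cluster-internal address, which either fails the rule for everyone or, if the nodes themselves sit in 192.168.0.0/24, passes it for everyone. I would set `externalTrafficPolicy: Local` on that Service and put a comment above the rule such as `# relies on the Service preserving the client source IP (externalTrafficPolicy: Local)`. The same caveat applies to the `X-Real-IP` header that both proxied blocks forward upstream. Separately, the empty `default_server` block has no `return`, so a request with an unmatched Host gets nginx's built-in response; `return 444;` there would be tighter.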
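Review bot: In kustomization.yaml the generator entry `- config/proxy-config.conf` yields a ConfigMap key named `proxy-config.conf`, but proxy.yaml mounts `subPath: nginx.conf`, so the mount will not pick up this file and nginx will not start with the intended config. Naming the key explicitly fixes it: `- nginx.conf=config/proxy-config.conf`. Whether the generated ConfigMap name carries a content-hash suffix depends on the `generatorOptions` block, which continues outside this hunk; if the suffix is disabled there, a later edit to the access rules will not roll the Deployment, and a `subPath` mount does not pick up ConfigMap updates on its own.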
@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: edge-proxy
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: edge-proxy
+ template:
+ metadata:
+ labels:
+ app: edge-proxy
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:stable-alpine
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx.conf
+ ports:
+ - containerPort: 80
+ volumes:
+ - name: config
+ configMap:
+ name: proxy-config
diff --git a/services.yaml b/services.yaml
index 94f934f..6cf9bb4 100644
--- a/services.yaml
+++ b/services.yaml
@@ -15,3 +15,18 @@ spec:
 - name: https
 port: 443
 targetPort: 443
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: edge-proxy-service
+ namespace: ingress-nginx
+spec:
+ type: LoadBalancer
+ selector:
+ app: edge-proxy
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ nodePort: 30080
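Review bot: In proxy.yaml the container mounts a volume called `config-volume`, but the only entry under `volumes:` is named `config`, so the API server should reject this Deployment as written; one of the two names has to change, e.g. `- name: config-volume` under `volumes:`. The pod spec also sets no `securityContext` or `resources`, and `nginx:stable-alpine` is a moving tag; for a proxy published through a LoadBalancer I would pin the image by digest and at least set `allowPrivilegeEscalation: false` on the container. No `namespace` is set on the Deployment while the Service added in services.yaml is in `ingress-nginx`; if the kustomization does not apply a namespace globally (not visible in this diff), the Service selector will never match these pods.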
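Review bot: In services.yaml `nodePort: 30080` pins a node port on a `type: LoadBalancer` Service, which the load balancer does not need and which additionally opens the proxy on port 30080 of every node address. Unless something depends on that exact port, I would drop the line and let the port be allocated, and confirm that node-level firewalling covers whatever port is assigned. This Service also publishes only port 80, while the Service in the context lines above carries a 443 port, so traffic for both upstreams crosses this hop in cleartext; if that is intentional for now, a comment such as `# HTTP only; TLS is terminated elsewhere` would make it explicit.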