diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index f47fbfdf9..6cb2d0691 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -1,5 +1,10 @@
-{%- set managerip = salt['pillar.get']('manager:mainip', '') %}
 {%- set role = grains.id.split('_') | last %}
+{%- if role == 'fleet' %}
+ {% set MAININT = salt['pillar.get']('host:mainint') %}
+ {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
+{%- endif %}
+
+{%- set managerip = salt['pillar.get']('manager:mainip', '') %}
 {%- set url_base = salt['pillar.get']('global:url_base') %}
 {%- set fleet_manager = salt['pillar.get']('global:fleet_manager') %}
@@ -37,25 +42,7 @@ http {
 include /etc/nginx/conf.d/*.conf;
- {%- if airgap is sameas true %}
- server {
- listen 7788;
- server_name {{ url_base }};
- root /opt/socore/html/repo;
- location /rules/ {
- allow all;
- sendfile on;
- sendfile_max_chunk 1m;
- autoindex on;
- autoindex_exact_size off;
- autoindex_format html;
- autoindex_localtime on;
- }
- }
- {%- endif %}
-
-
- {%- if fleet_manager %}
+ {%- if fleet_manager or role == 'fleet' %}
 server {
 listen 8090 ssl http2 default_server;
 server_name {{ url_base }};
@@ -70,16 +57,21 @@ http {
 ssl_prefer_server_ciphers on;
 location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
+ {%- if role == 'fleet' %}
+ grpc_pass grpcs://{{ MAINIP }}:8080;
+ {%- else %}
 grpc_pass grpcs://{{ managerip }}:8080;
+ {%- endif %}
 grpc_set_header Host $host;
 grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_buffering off;
 }
-
 }
 {%- endif %}
- {%- if role in ['eval', 'managersearch', 'manager', 'standalone'] %}
+
+ {%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'fleet', 'import'] %}
+
 server {
 listen 80 default_server;
 server_name _;
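Review bot: `{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}` aborts the whole template render when `host:mainint` is absent from pillar or the named interface carries no address, because `.get()` then yields None or an empty list and `[0]` raises, which leaves fleet nodes with no nginx.conf at all rather than a clear error. The `ip_interfaces` grain can also list IPv6 addresses, so `[0]` is not guaranteed to be the IPv4 address that the unbracketed `grpcs://{{ MAINIP }}:8080` and `https://{{ MAINIP }}:8080` targets later in this commit expect. I would write `{% set MAININT = salt['pillar.get']('host:mainint', '') %}` and `{% set MAINIP = (salt['grains.get']('ip4_interfaces', {}).get(MAININT) or [''])[0] %}`, then fail the render with an explicit message when MAINIP is empty instead of emitting a proxy target with no host.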
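Review bot: The new `{%- if role == 'fleet' %}` branch around `grpc_pass` carries no comment explaining why the fleet role bypasses `managerip`, and `MAINIP` only exists because of the matching `{%- if role == 'fleet' %}` block at the top of the file, so the two conditions must stay in sync; a reader of this hunk alone cannot see that coupling. I would add `{# fleet role: Fleet appears to run on this node (the /fleet/ location also proxies to MAINIP), so target the local main interface instead of the manager; MAINIP is only set at the top of the file when role == 'fleet' #}` above the branch. The enclosing port-8090 `server` block starts before this hunk.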
@@ -99,6 +91,55 @@ http {
 ssl_prefer_server_ciphers on;
 }
+ {%- endif %}
+
+ {%- if role == 'fleet' %}
+ server {
+ listen 443 ssl http2;
+ server_name {{ url_base }};
+ root /opt/socore/html;
+ index index.html;
+
+ ssl_certificate "/etc/pki/nginx/server.crt";
+ ssl_certificate_key "/etc/pki/nginx/server.key";
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 10m;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+
+ location /fleet/ {
+ proxy_pass https://{{ MAINIP }}:8080;
+ proxy_read_timeout 90;
+ proxy_connect_timeout 90;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Proxy "";
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+ error_page 500 502 503 504 /50x.html;
+ location = /usr/share/nginx/html/50x.html {
+ }
+ }
+ {%- elif role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %}
+
+ {%- if airgap is sameas true %}
+ server {
+ listen 7788;
+ server_name {{ url_base }};
+ root /opt/socore/html/repo;
+ location /rules/ {
+ allow all;
+ sendfile on;
+ sendfile_max_chunk 1m;
+ autoindex on;
+ autoindex_exact_size off;
+ autoindex_format html;
+ autoindex_localtime on;
+ }
+ }
+ {%- endif %}
+
 server {
 listen 443 ssl http2;
 server_name {{ url_base }};
@@ -249,10 +290,11 @@ http {
 }
 {%- if fleet_node %}
+
 location /fleet/ {
 return 301 https://{{ fleet_ip }}/fleet;
 }
-
+ {%- else %}
 location /fleet/ {
@@ -265,6 +307,7 @@ http {
 proxy_set_header Proxy "";
 proxy_set_header X-Forwarded-Proto $scheme;
 }
+ {%- endif %}
 location /thehive/ {
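Review bot: The new fleet-role `listen 443 ssl http2` server sets `ssl_ciphers HIGH:!aNULL:!MD5;` but no `ssl_protocols`, so the accepted TLS versions fall back to the nginx build's default, which depending on the release still includes TLSv1 and TLSv1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` next to `ssl_prefer_server_ciphers on;` (if the other server blocks in this file rely on the same default, they share the gap, but they are outside this hunk). Separately, `error_page 500 502 503 504 /50x.html;` resolves against `root /opt/socore/html`, while `location = /usr/share/nginx/html/50x.html { }` can only match a request for that literal URI and so never takes part in serving the error page; this looks like a partial copy of the stock nginx snippet, which would read `location = /50x.html { root /usr/share/nginx/html; }`.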