diff --git a/bucket_policy.json.tftpl b/bucket_policy.json.tftpl
index ab9ef98..e89f078 100644
--- a/bucket_policy.json.tftpl
+++ b/bucket_policy.json.tftpl
@@ -15,13 +15,6 @@
 "AWS:SourceArn": "${source_arn}"
 }
 }
- },
- {
- "Sid": "PublicRead",
- "Effect": "Allow",
- "Principal": "*",
- "Action": "s3:GetObject",
- "Resource": "${bucket_arn}/.well-known/acme-challenge/*"
 }
 ]
 }
diff --git a/cloudfront.tf b/cloudfront.tf
index f4dc4f8..148742e 100644
--- a/cloudfront.tf
+++ b/cloudfront.tf
@@ -6,6 +6,14 @@ data "aws_acm_certificate" "default" {
 most_recent = true
 }
 
+data "aws_cloudfront_cache_policy" "default" {
+ name = "Managed-CachingDisabled"
+}
+
+data "aws_cloudfront_origin_request_policy" "default" {
+ name = "Managed-AllViewerExceptHostHeader"
+}
+
 resource "aws_cloudfront_distribution" "default" {
 origin {
 domain_name = aws_s3_bucket.default.bucket_regional_domain_name
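Review bot: The two new data sources are both named `default` and carry no comment explaining why these managed policies were chosen, so a reader of cloudfront.tf cannot tell that `Managed-CachingDisabled` switches caching off entirely and `Managed-AllViewerExceptHostHeader` forwards every viewer header, cookie and query string to the origin while replacing `Host` with the origin's. They are referenced by the `/v2/*` behaviour added in the next hunk (the default behaviour is outside this diff), so a name such as `reverse_proxy` and a comment at the lookup, e.g. `# Used by the /v2/* reverse-proxy behaviour: never cache, forward all viewer headers/cookies/query strings (Host is rewritten to the origin's).`, would document the choice where it is made. Because everything the viewer sends is forwarded, it is worth confirming that the service behind var.reverse_proxy_origin actually needs all of those cookies and headers rather than a narrower allow-list policy.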
@@ -15,6 +23,56 @@ resource "aws_cloudfront_distribution" "default" {
 connection_timeout = 10
 }
 
+ dynamic "origin" {
+ for_each = var.reverse_proxy_origin != null ? [1] : []
+
+ content {
+ connection_attempts = 3
+ connection_timeout = 10
+ domain_name = var.reverse_proxy_origin
+ origin_id = var.reverse_proxy_origin
+
+ custom_origin_config {
+ http_port = 80
+ https_port = 443
+ origin_keepalive_timeout = 5
+ origin_protocol_policy = "https-only"
+ origin_read_timeout = 30
+ origin_ssl_protocols = [
+ "TLSv1.2",
+ ]
+ }
+ }
+ }
+
+ dynamic "ordered_cache_behavior" {
+ for_each = var.reverse_proxy_origin != null ? [1] : []
+
+ content {
+ allowed_methods = [
+ "DELETE",
+ "GET",
+ "HEAD",
+ "OPTIONS",
+ "PATCH",
+ "POST",
+ "PUT",
+ ]
+ cached_methods = [
+ "GET",
+ "HEAD",
+ ]
+ compress = true
+ path_pattern = "/v2/*"
+ smooth_streaming = false
+ target_origin_id = var.reverse_proxy_origin
+ viewer_protocol_policy = "redirect-to-https"
+ cache_policy_id = data.aws_cloudfront_cache_policy.default.id
+ origin_request_policy_id = data.aws_cloudfront_origin_request_policy.default.id
+
+ }
+ }
+
 default_root_object = "index.html"
 enabled = true
 comment = "Console assets"
@@ -56,3 +114,14 @@ resource "aws_cloudfront_origin_access_control" "default" {
 signing_behavior = "always"
 signing_protocol = "sigv4"
 }
+
+resource "aws_cloudfront_response_headers_policy" "strict-origin-when-cross-origin" {
+ name = "strict-origin-when-cross-origin"
+
+ security_headers_config {
+ referrer_policy {
+ override = true
+ referrer_policy = "strict-origin-when-cross-origin"
+ }
+ }
+}
diff --git a/input.tf b/input.tf
index 0b9e155..5759bd9 100644
--- a/input.tf
+++ b/input.tf
@@ -27,3 +27,7 @@ variable "viewer_protocol_policy" {
 error_message = "ERROR: Invalid viewer protocol policy!"
 }
 }
+
+variable "reverse_proxy_origin" {
+ type = string
+}
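Review bot: The new `origin` block reaches `var.reverse_proxy_origin` over HTTPS with TLS 1.2 only, which is good, but it sends nothing the backend could use to confirm that a request arrived through CloudFront, so the controls attached to the `/v2/*` behaviour (redirect-to-https, response headers, any WAF later associated with the distribution) only apply to traffic that chooses to go through the distribution. If the proxied service can check a header, add a `custom_header { name = "<VERIFY_HEADER_NAME>" value = var.<origin_verify_secret> }` block inside `content`, fed from a `sensitive = true` variable, and have the origin reject requests without it; otherwise restrict the origin at the network layer to CloudFront's address ranges. A one-line comment on the block such as `# Reverse-proxy origin for /v2/*; origin is expected to verify the shared header` would record whichever approach is taken. The enclosing `aws_cloudfront_distribution` resource starts before and ends after this hunk.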
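Review bot: `aws_cloudfront_response_headers_policy.strict-origin-when-cross-origin` is created but nothing in this diff attaches it: the new `ordered_cache_behavior` for `/v2/*` sets `cache_policy_id` and `origin_request_policy_id` but no `response_headers_policy_id`, and the default behaviour is outside the diff, so the policy may never be applied to any response. Add `response_headers_policy_id = aws_cloudfront_response_headers_policy.strict-origin-when-cross-origin.id` to each behaviour that should emit the header. Since `security_headers_config` is being introduced anyway, it is also the natural place for `strict_transport_security`, `content_type_options` and `frame_options`, which the policy leaves unset; if that is deliberate, a comment such as `# Referrer-Policy only; HSTS/X-Content-Type-Options/X-Frame-Options are intentionally left to the origin` would make it explicit.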
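Review bot: `variable "reverse_proxy_origin"` declares `type = string` with no `default`, which makes it a required input, so the `var.reverse_proxy_origin != null ? [1] : []` guards on the new `dynamic "origin"` and `dynamic "ordered_cache_behavior"` blocks in cloudfront.tf only disable the proxy when a caller passes `null` explicitly; a plan that simply omits the variable fails instead of producing a proxy-less distribution. Add `default = null` together with a `description`, e.g. `description = "Hostname of the origin that serves /v2/*; null leaves the reverse-proxy origin and cache behaviour out of the distribution."`. Because the value is used verbatim as the origin `domain_name`, a `validation` block that rejects a scheme, port or path in the string would also match the style of the `viewer_protocol_policy` variable above it.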