diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf
index 933e254c..a5db3ca6 100644
--- a/docker/nginx/conf.d/client.conf
+++ b/docker/nginx/conf.d/client.conf
@@ -21,6 +21,10 @@ server {
 listen 80 default_server;
 listen [::]:80 default_server;
+ # parse subdomain (a base32 encoded Skylink) into custom variable
+ server_name ~^([a-z0-9]{55}).*?;
+ set $subdomain $1;
+
 # ddos protection: closing slow connections
 client_body_timeout 5s;
 client_header_timeout 5s;
@@ -31,6 +35,17 @@ server {
 client_max_body_size 128k;
 location / {
+ # The only safe thing to do inside an if in a location block is return
+ # or rewrite, since we need to proxy_pass we have to work our way around
+ # using a custom error code.
+ #
+ # See https://www.nginx.com/resources/wiki/start/topics/depth/ifisevil/
+ error_page 418 = @subdomain;
+ recursive_error_pages on;
+ if ($subdomain != "") {
+ return 418;
+ }
+
 include /etc/nginx/conf.d/include/cors;
 root /var/www/webportal;
@@ -170,6 +185,20 @@ server {
 proxy_pass http://siad/skynet/skylink/$skylink$is_args$args;
 }
+ location @subdomain {
+ include /etc/nginx/conf.d/include/cors;
+ include /etc/nginx/conf.d/include/proxy-buffer;
+ include /etc/nginx/conf.d/include/proxy-cache-downloads;
+
+ limit_conn downloads_by_ip 100; # ddos protection: max 100 downloads at a time
+ add_header Cache-Control "public, max-age=86400"; # allow consumer to cache response
+
+ proxy_read_timeout 600;
+ proxy_set_header User-Agent: Sia-Agent;
+ # proxy this call to siad /skynet/skylink/ endpoint (make sure the ip is correct)
+ proxy_pass http://siad/skynet/skylink/$subdomain/$request_uri;
+ }
+
 location ~ "^/file/([a-zA-Z0-9-_]{46}(/.*)?)$" {
 include /etc/nginx/conf.d/include/cors;
 include /etc/nginx/conf.d/include/proxy-buffer;
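Review bot: The regex in the added `server_name` line (first hunk) is unquoted although it contains `{55}`; nginx's documentation says a pattern with braces should be quoted or the configuration is rejected, and the `/file/` location later in this file already quotes its pattern. The pattern is also open-ended after the capture (`.*?` with no `$`), so any client-supplied Host that merely starts with 55 lowercase alphanumerics is treated as a skylink subdomain, with no label boundary or portal domain required. Something like `server_name "~^(?<subdomain>[a-z0-9]{55})\.";` (extended with the portal's domain and `$` where that is fixed) addresses both, and the named capture makes `set $subdomain $1;` unnecessary. The enclosing `server` block starts and ends outside the hunk.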
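Review bot: The subdomain check in the second hunk sits only inside `location /`, so on a skylink host any request whose path matches a more specific location of this server block (the regex `/file/` location visible in the last hunk, for example) never reaches it and is answered by the ordinary portal handlers on the skylink's origin. If the subdomain is meant to give each skylink an isolated origin, that leaves portal endpoints reachable from it. A dedicated `server` block for the regex `server_name` would route every path to the skylink proxy and would also remove the `if` / `error_page 418` / `recursive_error_pages` indirection; the sketch below shows the shape. `location /` continues past the end of the hunk.

```nginx
# dedicated virtual host for skylink subdomains; the default_server block stays as it was
server {
    listen 80;
    listen [::]:80;
    # … unchanged: server_name regex and set $subdomain from the first hunk …
    # … unchanged: timeouts and client_max_body_size from the main server block …

    location / {
        # … unchanged: body of location @subdomain …
    }
}
```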
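Review bot: Nothing in the new `location @subdomain` (third hunk) puts `$subdomain` into the cache key, so whether two skylinks requesting the same path share a cache entry depends entirely on `include/proxy-cache-downloads`, which is not visible here; nginx's default key (`$scheme$proxy_host$request_uri`) would not distinguish them. Please confirm that the key in that include contains `$subdomain` or `$host`. Separately, `$request_uri` already begins with `/`, so `$subdomain/$request_uri` sends a doubled slash upstream and forwards the raw, un-normalised client URI; `proxy_pass http://siad/skynet/skylink/$subdomain$request_uri;` avoids the former. The header name in `proxy_set_header User-Agent: Sia-Agent;` carries a stray colon and should read `proxy_set_header User-Agent Sia-Agent;`.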