diff --git a/.infra/Frey-state-terraform.tfstate b/.infra/Frey-state-terraform.tfstate
index 3a9376b..d97a0d8 100644
--- a/.infra/Frey-state-terraform.tfstate
+++ b/.infra/Frey-state-terraform.tfstate
@@ -1,7 +1,7 @@
 {
     "version": 3,
     "terraform_version": "0.7.3",
-    "serial": 30,
+    "serial": 31,
     "lineage": "deedcad1-a3e9-4e02-9135-c347bbbe0be0",
     "modules": [
         {
@@ -128,7 +128,7 @@
                             "description": "Infra tusd",
                             "egress.#": "0",
                             "id": "sg-60cc290d",
-                            "ingress.#": "3",
+                            "ingress.#": "4",
                             "ingress.2214680975.cidr_blocks.#": "1",
                             "ingress.2214680975.cidr_blocks.0": "0.0.0.0/0",
                             "ingress.2214680975.from_port": "80",
@@ -143,6 +143,13 @@
                             "ingress.2541437006.security_groups.#": "0",
                             "ingress.2541437006.self": "false",
                             "ingress.2541437006.to_port": "22",
+                            "ingress.2617001939.cidr_blocks.#": "1",
+                            "ingress.2617001939.cidr_blocks.0": "0.0.0.0/0",
+                            "ingress.2617001939.from_port": "443",
+                            "ingress.2617001939.protocol": "tcp",
+                            "ingress.2617001939.security_groups.#": "0",
+                            "ingress.2617001939.self": "false",
+                            "ingress.2617001939.to_port": "443",
                             "ingress.516175195.cidr_blocks.#": "1",
                             "ingress.516175195.cidr_blocks.0": "0.0.0.0/0",
                             "ingress.516175195.from_port": "8080",
diff --git a/.infra/Freyfile.hcl b/.infra/Freyfile.hcl
index 0658e0e..a8df4d6 100644
--- a/.infra/Freyfile.hcl
+++ b/.infra/Freyfile.hcl
@@ -87,6 +87,12 @@ infra resource aws_security_group "fw-tusd-main" {
     protocol    = "tcp"
     to_port     = 80
   }
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port   = 443
+    protocol    = "tcp"
+    to_port     = 443
+  }
   ingress {
     cidr_blocks = ["0.0.0.0/0"]
     from_port   = 22
diff --git a/.infra/files/nginx.conf b/.infra/files/nginx.conf
index d9aaf7f..36aaa0d 100644
--- a/.infra/files/nginx.conf
+++ b/.infra/files/nginx.conf
@@ -2,6 +2,12 @@ server {
     listen 80 default_server;
     listen [::]:80 default_server ipv6only=on;
 
+    listen 443 ssl;
+    listen [::]:443 ipv6only=on ssl;
+
+    ssl_certificate /etc/letsencrypt/live/master.tus.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/master.tus.io/privkey.pem;
+
     server_name master.tus.io;
 
     # certbot will place the files required for the HTTP challenge in the