diff --git a/.env.example b/.env.example
index 28b5e682e..3e6da9fd8 100644
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,7 @@
 # Public hostmane
 WEBGIS_PUBLIC_HOSTNAME=dev.g3wsuite.it
+WEBGIS_ADMIN_EMAIL=info@gis3w.it
+# WEBGIS_SSL=1
 
 # Shared volume mount (docker internal: shared-volume)
 # I suggest not to use the /tmp/ folder, /tmp/ folder is cleaned at each reboot
diff --git a/README.md b/README.md
index 6bda15459..26a777eab 100644
--- a/README.md
+++ b/README.md
@@ -97,10 +97,9 @@ the conf file will be mounted into docker container at runtime to PGSERVICEFILE
 
 To active https with LetsEncrypt just follow the following instructions:
 
-- uncomment ssl section within `config/nginx/nginx.conf`
-- update `WEBGIS_PUBLIC_HOSTNAME` environment variable within the `.env` and `config/nginx/nginx.conf` files
+- toggle `WEBGIS_SSL` environment variable within your `.env` file
 - launch `sudo ./run_certbot.sh`
-- restart compose: `docker compose down && docker compose up -d`
+- restart compose: `docker compose up -d --force-recreate`
 - make sure the certs are renewed by adding a cron job with `sudo crontab -e` and add the following line:
   `0 3 * * * /<path_to_your_docker_files>/run_certbot.sh`
 
diff --git a/config/nginx/django b/config/nginx/conf/django
similarity index 89%
rename from config/nginx/django
rename to config/nginx/conf/django
index 638e5ba8c..2e75f825e 100644
--- a/config/nginx/django
+++ b/config/nginx/conf/django
@@ -1,6 +1,6 @@
 # HTTP reverse proxy server (g3w-suite)
 server {
-  include /etc/nginx/conf.d/locations;
+  include /etc/nginx/conf.d/conf/locations;
 
   location / {
     keepalive_timeout                   500;
@@ -21,7 +21,7 @@ server {
 
 # HTTPS (redirect)
 server {
-  include /etc/nginx/conf.d/locations;
+  include /etc/nginx/conf.d/conf/locations;
 
   location / {
     return 302 http://$host:8080$request_uri;
diff --git a/config/nginx/django_ssl b/config/nginx/conf/django_ssl
similarity index 79%
rename from config/nginx/django_ssl
rename to config/nginx/conf/django_ssl
index 3bd2c658d..5013b5a3e 100644
--- a/config/nginx/django_ssl
+++ b/config/nginx/conf/django_ssl
@@ -1,7 +1,7 @@
 # HTTPS reverse proxy server (g3w-suite)
 server {
-  include /etc/nginx/conf.d/locations;
-  include /etc/nginx/conf.d/letsencrypt;
+  include /etc/nginx/conf.d/conf/locations;
+  include /etc/nginx/conf.d/conf/letsencrypt;
 
   location / {
     proxy_read_timeout                  120;
@@ -19,7 +19,7 @@ server {
 
 # HTTP (redirect)
 server {
-  include /etc/nginx/conf.d/locations;
+  include /etc/nginx/conf.d/conf/locations;
 
   location / {
     return 301 https://$host$request_uri;
diff --git a/config/nginx/error_pages b/config/nginx/conf/error_pages
similarity index 100%
rename from config/nginx/error_pages
rename to config/nginx/conf/error_pages
diff --git a/config/nginx/letsencrypt b/config/nginx/conf/letsencrypt
similarity index 100%
rename from config/nginx/letsencrypt
rename to config/nginx/conf/letsencrypt
diff --git a/config/nginx/locations b/config/nginx/conf/locations
similarity index 82%
rename from config/nginx/locations
rename to config/nginx/conf/locations
index 045c83f47..e555b0ced 100644
--- a/config/nginx/locations
+++ b/config/nginx/conf/locations
@@ -1,4 +1,4 @@
-include /etc/nginx/conf.d/error_pages;
+include /etc/nginx/conf.d/conf/error_pages;
 
 # Block *.php
 location ~\.php$ {
@@ -27,4 +27,4 @@ location /.well-known/acme-challenge/ {
   root /var/www;
 }
 
-server_name $WEBGIS_PUBLIC_HOSTNAME;
\ No newline at end of file
+server_name $NGINX_SERVER_NAME;
\ No newline at end of file
diff --git a/config/nginx/html/502.html b/config/nginx/html/502.html
index e2391d01d..b9174d9f0 100644
--- a/config/nginx/html/502.html
+++ b/config/nginx/html/502.html
@@ -183,9 +183,9 @@ <h1 class="error-title">Bad Gateway</h1>
         </g>
     </svg>
   </main>
-  <!--# if expr="WEBGIS_ADMIN_EMAIL" -->
+  <!--# if expr="NGINX_ADMIN_EMAIL" -->
   <aside class="report-bug">
-    <a href="mailto:<!--# echo var='WEBGIS_ADMIN_EMAIL'-->?subject=[502] Bad Gateway - <!--# echo var='HOST' default=''-->&body=Bug report" style="text-decoration-line: none;" title="Bug report">🪲</a>
+    <a href="mailto:<!--# echo var='NGINX_ADMIN_EMAIL'-->?subject=[502] Bad Gateway - <!--# echo var='HOST' default=''-->&body=Bug report" style="text-decoration-line: none;" title="Bug report">🪲</a>
   </aside>
   <!--# endif -->
   <script>
diff --git a/config/nginx/nginx.conf b/config/nginx/nginx.conf
deleted file mode 100644
index 57059a761..000000000
--- a/config/nginx/nginx.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-client_max_body_size 200M;
-client_body_timeout  600;
-
-upstream g3w_suite {
-  ip_hash;
-  server g3w-suite:8000;
-}
-
-map "" $WEBGIS_PUBLIC_HOSTNAME {
-  default dev.g3wsuite.it;                    # CHANGE ME: according to your-domain.com
-}
-
-map "" $WEBGIS_ADMIN_EMAIL {
-  default info@gis3w.it;                      # CHANGE ME: according to your-domain.com
-}
-
-# HTTP server
-include /etc/nginx/conf.d/django;             # Remove this line if you want activate https
-
-# HTTPS server
-# include /etc/nginx/conf.d/django_ssl;
\ No newline at end of file
diff --git a/config/nginx/nginx.conf.template b/config/nginx/nginx.conf.template
new file mode 100644
index 000000000..25401439e
--- /dev/null
+++ b/config/nginx/nginx.conf.template
@@ -0,0 +1,22 @@
+client_max_body_size 200M;
+client_body_timeout  600;
+
+upstream g3w_suite {
+  ip_hash;
+  server g3w-suite:8000;
+}
+
+# Expose some ENV variables in NGINX config from docker-compose.yml
+# -----------------------------------------------------------------
+# Ref: docker-nginx/entrypoint/20-envsubst-on-templates.sh
+
+map "" $NGINX_SERVER_NAME {
+  default $WEBGIS_PUBLIC_HOSTNAME;                       # ENVSUBST
+}
+
+map "" $NGINX_ADMIN_EMAIL {
+  default $WEBGIS_ADMIN_EMAIL;                           # ENVSUBST
+}
+
+# HTTP(S) server
+include /etc/nginx/conf.d/conf/django$WEBGIS_SSL;        # ENVSUBST
\ No newline at end of file
diff --git a/docker-compose-consumer.yml b/docker-compose-consumer.yml
index bbe9afba5..d14792784 100644
--- a/docker-compose-consumer.yml
+++ b/docker-compose-consumer.yml
@@ -129,12 +129,19 @@ services:
       - "443:443"
     expose:
       - "8080"
+    environment:
+      - WEBGIS_PUBLIC_HOSTNAME=${WEBGIS_PUBLIC_HOSTNAME:-dev.g3wsuite.it}
+      - WEBGIS_ADMIN_EMAIL=${WEBGIS_ADMIN_EMAIL:-info@gis3w.it}
+      - WEBGIS_SSL=${WEBGIS_SSL:+_ssl}
+      - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template
+      - NGINX_ENVSUBST_TEMPLATE_DIR=/etc/nginx/conf.d
     volumes:
       - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt:ro
       - ./config/g3w-suite/overrides/static:/shared-volume/static/overrides:ro
-      - ./config/nginx:/etc/nginx/conf.d/:ro
+      - ./config/nginx:/etc/nginx/conf.d/
+      - ./config/nginx/conf:/etc/nginx/conf.d/conf/:ro
       - ./config/nginx/html:/var/www/html:ro
     logging:
       driver: "json-file"
diff --git a/docker-compose.yml b/docker-compose.yml
index d4ba1c123..7e7f82a7a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -86,12 +86,19 @@ services:
       - "443:443"
     expose:
       - "8080"
+    environment:
+      - WEBGIS_PUBLIC_HOSTNAME=${WEBGIS_PUBLIC_HOSTNAME:-dev.g3wsuite.it}
+      - WEBGIS_ADMIN_EMAIL=${WEBGIS_ADMIN_EMAIL:-info@gis3w.it}
+      - WEBGIS_SSL=${WEBGIS_SSL:+_ssl}
+      - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template
+      - NGINX_ENVSUBST_TEMPLATE_DIR=/etc/nginx/conf.d
     volumes:
       - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt:ro
       - ./config/g3w-suite/overrides/static:/shared-volume/static/overrides:ro
-      - ./config/nginx:/etc/nginx/conf.d/:ro
+      - ./config/nginx:/etc/nginx/conf.d/
+      - ./config/nginx/conf:/etc/nginx/conf.d/conf/:ro
       - ./config/nginx/html:/var/www/html:ro
     logging:
       driver: "json-file"
diff --git a/run_certbot.sh b/run_certbot.sh
index 683123f6c..f5b944403 100755
--- a/run_certbot.sh
+++ b/run_certbot.sh
@@ -16,16 +16,25 @@ if [ "${WEBGIS_DOCKER_SHARED_VOLUME}" = "" ]; then
     exit 1
 fi
 
-mkdir -p "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/"
+certs_folder="${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt"
+acme_folder="${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known"
+default_ssl_conf="https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf"
+default_ssl_pem="https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem"
+domain="$WEBGIS_PUBLIC_HOSTNAME"
 
-curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/options-ssl-nginx.conf"
-curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/ssl-dhparams.pem"
+# STEP 1
+echo "### Downloading recommended TLS parameters ..."
+mkdir -p "$certs_folder"
+curl -s "$default_ssl_conf" > "${certs_folder}/options-ssl-nginx.conf"
+curl -s "$default_ssl_pem"  > "${certs_folder}/ssl-dhparams.pem"
 
-docker run -it --rm --name certbot \
-  -v ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt \
-  -v ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known \
+# STEP 2
+echo "### Requesting Let's Encrypt certificate for $domain ..."
+docker run -it --rm --name certbot --pull=missing \
+  -v ${certs_folder}:/etc/letsencrypt \
+  -v ${acme_folder}:/var/www/.well-known \
   certbot/certbot -t certonly \
   --agree-tos --renew-by-default \
   --no-eff-email \
   --webroot -w /var/www \
-  -d ${WEBGIS_PUBLIC_HOSTNAME}
+  -d ${domain}