diff --git a/roles/proxy/templates/caddy/Caddyfile.j2 b/roles/proxy/templates/caddy/Caddyfile.j2
index 72abde8..ec1c209 100644
--- a/roles/proxy/templates/caddy/Caddyfile.j2
+++ b/roles/proxy/templates/caddy/Caddyfile.j2
@@ -37,7 +37,19 @@ ipfs-gateway.{{ proxy_vars[env].app01.apps_base_domain }},
         -Server
     }
 
+{% if env == 'production' %}
     reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+{% else %}
+    @local {
+        remote_ip {{ proxy_trusted_subnets | join(' ') }}
+    }
+
+    handle @local {
+        reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+    }
+
+    respond 403
+{% endif %}
 }
 
 xmr.local.{{ proxy_vars[env].app01.apps_base_domain }} {
@@ -62,20 +74,28 @@ xmr.local.{{ proxy_vars[env].app01.apps_base_domain }} {
 }
 
 cloud.{{ proxy_vars[env].app01.apps_base_domain }} {
-{% if env == 'production' %}
-    tls {{ tls_email }}
-{% else %}
     tls {{ tls_email }} {
         dns njalla {{ njalla_api_token }}
     }
-{% endif %}
 
     header {
         Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
         -Server
     }
 
+{% if env == 'production' %}
     reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+{% else %}
+    @local {
+        remote_ip {{ proxy_trusted_subnets | join(' ') }}
+    }
+
+    handle @local {
+        reverse_proxy {{ proxy_vars[env].app01.internal_ipv4 }}:8080
+    }
+
+    respond 403
+{% endif %}
 }
 
 # END Environment: {{ env }}