diff --git a/inventory/group_vars/ffmwu-monitoring b/inventory/group_vars/ffmwu-monitoring index a263364..80b0c1d 100644 --- a/inventory/group_vars/ffmwu-monitoring +++ b/inventory/group_vars/ffmwu-monitoring @@ -11,6 +11,7 @@ common_repos: http_meshviewer_prefix: map http_grafana_prefix: stats http_lookingglass_prefix: lg +http_prometheus_prefix: prom prometheus_conf_main: prometheus/prometheus.yml.j2 diff --git a/roles/service-prometheus/defaults/main.yml b/roles/service-prometheus/defaults/main.yml index 3cf2984..236256d 100644 --- a/roles/service-prometheus/defaults/main.yml +++ b/roles/service-prometheus/defaults/main.yml @@ -15,6 +15,9 @@ alertmanager_version: 0.15.2 gosu_version: "1.10" +prometheus_url_external: "{{ http_prometheus_prefix }}.{{ http_domain_external }}" +prometheus_url_internal: "{{ http_prometheus_prefix }}.{{ http_domain_internal }}" + prometheus_install_path: /opt/prometheus prometheus_config_path: /etc/prometheus prometheus_rule_path: "{{ prometheus_config_path }}/rules" diff --git a/roles/service-prometheus/tasks/prometheus.yml b/roles/service-prometheus/tasks/prometheus.yml index c66e57d..0a6cfd1 100644 --- a/roles/service-prometheus/tasks/prometheus.yml +++ b/roles/service-prometheus/tasks/prometheus.yml @@ -12,6 +12,11 @@ set_fact: prometheus_default_opts: "{{ prometheus_default_opts }} --web.console.templates={{ prometheus_daemon_dir }}/consoles --web.console.libraries={{ prometheus_daemon_dir }}/console_libraries" +- name: install python-passlib + package: + name: python-passlib + state: present + - name: download and untar prometheus tarball unarchive: src: "{{ prometheus_tarball_url }}" 
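Review bot: The new role defaults `prometheus_url_external` and `prometheus_url_internal` in roles/service-prometheus/defaults/main.yml depend on `http_prometheus_prefix`, which this commit defines only in inventory/group_vars/ffmwu-monitoring. Any other group that applies the role would presumably fail with an undefined variable when the vhost template is rendered. Adding a fallback next to them, `http_prometheus_prefix: prom`, keeps the role self-contained while the inventory can still override it.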
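Review bot: The `install python-passlib` task in roles/service-prometheus/tasks/prometheus.yml hard-codes one package name, but the `htpasswd` module needs passlib for whichever Python interpreter Ansible uses on the target. If any monitoring host runs the modules under Python 3, or uses a distribution that names the package differently, the later `create htpasswd` task would likely fail even though this task reports success. Consider taking the name from a role default (for example a `prometheus_passlib_package` variable set to `python-passlib`) and adding a comment such as `# passlib is required by the htpasswd module below`.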
@@ -80,3 +85,22 @@
 name: prometheus
 enabled: yes
 state: started
+
+- name: create htpasswd
+ htpasswd:
+ path: /etc/nginx/htpasswd_prometheus
+ name: admin
+ password: "{{ lookup('passwordstore', 'prometheus/admin') }}"
+ owner: root
+ group: nginx
+ mode: 0640
+ notify: restart nginx
+
+- name: write vhost
+ template:
+ src: prometheus_vhost.conf.j2
+ dest: /etc/nginx/conf.d/prometheus.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart nginx
diff --git a/roles/service-prometheus/templates/prometheus_vhost.conf.j2 b/roles/service-prometheus/templates/prometheus_vhost.conf.j2
new file mode 100644
index 0000000..1c36b67
--- /dev/null
+++ b/roles/service-prometheus/templates/prometheus_vhost.conf.j2
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ prometheus_url_external }} {{ prometheus_url_internal }};
+
+ include /etc/nginx/snippets/redirect-to-ssl.conf;
+ include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name {{ prometheus_url_external }} {{ prometheus_url_internal }};
+
+ ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+ include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+ location / {
+ auth_basic "Prometheus";
+ auth_basic_user_file /etc/nginx/htpasswd_prometheus;
+ proxy_pass http://127.0.0.1:9090;
+ }
+}
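Review bot: The `create htpasswd` task in roles/service-prometheus/tasks/prometheus.yml leaves `crypt_scheme` unset, so the module falls back to its default `apr_md5_crypt`, a fast MD5-based hash, in a file that the `nginx` group can read. Where the platform's crypt() supports it, an explicit slower scheme such as `crypt_scheme: sha512_crypt` limits offline guessing if the file ever leaks; confirm that nginx accepts the resulting hash format before rolling it out. As a style point, both new tasks write the mode as a bare octal; quoting it (`mode: "0640"`, `mode: "0644"`) avoids depending on how the YAML parser treats leading zeros.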
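Review bot: The `auth_basic` directive in `location /` of prometheus_vhost.conf.j2 only guards requests that pass through nginx, and nothing in this commit binds Prometheus itself to loopback. Unless `prometheus_default_opts` already restricts the listener elsewhere or a firewall blocks the port, 9090 presumably stays reachable on every interface without credentials; consider adding `--web.listen-address=127.0.0.1:9090` to the daemon options. It is also worth confirming that the certificate stored under `{{ inventory_hostname_short }}.{{ http_domain_external }}` lists both `server_name` values, otherwise clients get a name mismatch before they ever see the login prompt.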