diff --git a/modules/nixos/nginx/proxied.nix b/modules/nixos/nginx/proxied.nix
index f62b8c51..fc5158b7 100644
--- a/modules/nixos/nginx/proxied.nix
+++ b/modules/nixos/nginx/proxied.nix
@@ -9,6 +9,10 @@ let
 set $proxied_cf on;
 set $proxied_host_cf ${host};
 '';
+ xNotCloudflared = ''
+ set $proxied_cf "";
+ set $proxied_host_cf "";
+ '';
 xHeadersProxied = {xvars}: ''
 ${xvars.init "forwarded_for" "$proxy_add_x_forwarded_for"}
 if ($http_x_forwarded_proto) {
@@ -104,6 +108,9 @@ let
 (mkIf (cfg.enable == "cloudflared" && virtualHost.proxied.enable != "cloudflared") (
 mkJustBefore (xCloudflared {inherit virtualHost;})
 ))
+ (mkIf (cfg.enabled && emitVars && cfg.enable != "cloudflared") (
+ mkJustBefore xNotCloudflared
+ ))
 (mkIf (xInit && emitVars) (
 mkJustBefore (xHeadersProxied {inherit xvars;})
 ))
@@ -212,6 +219,9 @@ let
 (mkIf (cfg.enable == "cloudflared") (
 mkOrder orderJustBefore (xCloudflared {virtualHost = config;})
 ))
+ (mkIf (cfg.enabled && cfg.enable != "cloudflared") (
+ mkOrder orderJustBefore xNotCloudflared
+ ))
 (mkIf (xInit && cfg.enabled && config.xvars.enable) (
 mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;})
 ))
diff --git a/systems/logistics/nixos.nix b/systems/logistics/nixos.nix
index fc5e12c6..c51a2b19 100644
--- a/systems/logistics/nixos.nix
+++ b/systems/logistics/nixos.nix
@@ -72,6 +72,12 @@ in {
 enable = true;
 user = "logistics";
 };
+ services.nginx = {
+ commonHttpConfig = ''
+ proxy_headers_hash_max_size 1024;
+ proxy_headers_hash_bucket_size 128;
+ '';
+ };
 sops = {
 defaultSopsFile = ./secrets.yaml;
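Review bot: `xNotCloudflared` in the first hunk has no comment saying why the two variables are reset to the empty string, and it has to list exactly the variables that `xCloudflared` above it sets. I would add `# Clear the Cloudflare markers on non-cloudflared hosts; keep this list in sync with xCloudflared.` above the binding. The `let` block starts and ends outside the hunk, so whether other snippets set further `$proxied_*` variables that also need clearing cannot be seen from here.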
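Review bot: The reset added in the second hunk is gated on `emitVars`, while the `xCloudflared` branch directly above it and the matching reset in the third hunk (`cfg.enabled && cfg.enable != "cloudflared"`) are not. If this list is the location-level config, as the reference to `virtualHost.proxied.enable` suggests, a non-cloudflared location with `emitVars` false inside a cloudflared virtual host would keep the inherited `$proxied_cf on` and `$proxied_host_cf`. Any rule that trusts Cloudflare-supplied headers based on that flag would then still apply to that location. Unless that is intended, drop the extra gate: `(mkIf (cfg.enabled && cfg.enable != "cloudflared") (`. The definition of `emitVars` is outside the hunk, so confirm what it covers before changing it.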