diff --git a/README.md b/README.md index 04c9f32..c02706f 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,9 @@ upstreams: {} # name: *vhostconfig*, see below for definition vhosts: {} +# name: *mapsconfig*, see below for definition +maps: {} + # force all traffic on ssl, except letsencrypt challenges force_ssl: True @@ -76,6 +79,12 @@ custom: [] # array of locations, see below locations: [*locationconfig*, .. ] +# array of files to include at the server level +includes: [] + +# configure authentication, disabled by default. See *authconfig* below for definition +auth: *authconfig* + # array of headers to add on this vhost add_headers: [] ``` @@ -89,6 +98,22 @@ match: '' alias: None ``` +**authconfig** +``` +# Boolean: enable authentication +enabled: False + +# Path to a htpasswd file +path :'' + +# can be 'all' or 'any' +satisfy: 'all +``` + +**mapsconfig**: +``` +``` + **phpconfog**: ``` ini: diff --git a/defaults/main.yml b/defaults/main.yml index cfb280e..2dbdaf6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,11 +5,11 @@ nginx: "127.0.0.1": {} "::1": {} monitoring: true - serverpki: true php: false force_ssl: true upstreams: {} vhosts: {} + maps: {} resolver: - 8.8.8.8 - 8.8.4.4 diff --git a/files/config/nginx.conf b/files/config/nginx.conf index bbf179c..d6915f3 100644 --- a/files/config/nginx.conf +++ b/files/config/nginx.conf @@ -22,6 +22,7 @@ http { reset_timedout_connection on; server_names_hash_bucket_size 64; + map_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; diff --git a/meta/main.yml b/meta/main.yml index d173dfc..d4fb308 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,5 +1,4 @@ --- dependencies: - { role: monitoring, when: nginx.monitoring } - - { role: x509certs } - certificates diff --git a/tasks/main.yml b/tasks/main.yml index 03cccca..7f2de40 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
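Review bot: Dropping `serverpki: true` from the defaults, together with the `x509certs` dependency removed in meta/main.yml, leaves no guard for any other template or task that still reads `nginx.serverpki`; only ssl_files.conf.j2 is visibly updated in this diff, so a stale reference elsewhere in the role would now fail with an undefined-variable error at deploy time. If the `certificates` role that stays in the dependency list is what now provisions `/etc/ssl/{{ inventory_hostname }}.crt` and its key, record that next to the remaining keys, e.g. `# host certificate/key are expected from the certificates role (see meta/main.yml)`, because the ssl_files template now emits the `ssl_certificate` directives unconditionally. The new `maps: {}` entry also deserves a one-line pointer to the README `mapsconfig` definition, which is still an empty code block in this commit.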
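Review bot: `map_hash_bucket_size 64;` caps every map key at roughly 64 bytes, so a long key supplied through the new `nginx.maps` variable (a User-Agent string, a long path) makes `nginx -t` fail with "could not build map_hash" and the restart handler then leaves nginx stopped. Since keys are now inventory-driven and this is a static file under files/ with no per-host override, either raise the limit alongside its companion, e.g. `map_hash_bucket_size 128;` and `map_hash_max_size 2048;`, or document the constraint where `maps:` is described, e.g. `# map keys longer than map_hash_bucket_size (files/config/nginx.conf) break the config test`. Note that an explicit 64 may also lower the value on platforms where nginx derives a larger default from the CPU cache line size.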
@@ -44,6 +44,13 @@ notify: - restart nginx +- name: execute maps template + template: + src: maps.conf.j2 + dest: /etc/nginx/conf.d/maps.conf + notify: + - restart nginx + - name: create nginx vhosts template: src: vhost.conf.j2 diff --git a/templates/maps.conf.j2 b/templates/maps.conf.j2 new file mode 100644 index 0000000..b1c165f --- /dev/null +++ b/templates/maps.conf.j2 @@ -0,0 +1,10 @@ +{% for map in nginx.maps %} +{% set m = nginx.maps[map] %} +# {{ map }} +map ${{ m.source }} ${{ m.destination }} { +{% for i in m.data %} + '{{ i }}' '{{ m.data[i] }}'; +{% endfor %} +} + +{% endfor %} diff --git a/templates/ssl_files.conf.j2 b/templates/ssl_files.conf.j2 index a2e65f5..20ccd02 100644 --- a/templates/ssl_files.conf.j2 +++ b/templates/ssl_files.conf.j2 @@ -1,8 +1,6 @@ -{% if nginx.serverpki %} # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /etc/ssl/{{ inventory_hostname }}.crt; ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key; -{% endif %} # verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2 index 8f8b5e3..ce6a27e 100644 --- a/templates/vhost.conf.j2 +++ b/templates/vhost.conf.j2 @@ -32,7 +32,7 @@ server { proxy_pass {{ vhost.backend }}; # add proxy headers - proxy_set_header Host $host; + proxy_set_header Host {% if 'host' in vhost %}"{{ vhost.host }}"{% else %}$host{% endif %}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; 
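Review bot: Map keys and values from `nginx.maps` are written into the config inside single quotes with no escaping, so a key or value containing `'` terminates the string, and anything after it (a `;` or `}` followed by further text) is parsed as nginx directives in the http block; with a shared or partially trusted inventory that is a configuration-injection path, and even with trusted data a value like `it's` silently breaks `nginx -t`. nginx unescapes `\'` inside quoted strings, so at minimum escape both sides, `'{{ i | replace("'", "\\'") }}' '{{ m.data[i] | replace("'", "\\'") }}';`, or fail the play when a quote is present. A header comment should also state that `source` and `destination` are given without the leading `$` (the template prepends it) and that `$` inside a value is still interpreted by nginx as a variable reference, which is presumably intended but is worth saying explicitly.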
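Review bot: With the `{% if nginx.serverpki %}` guard removed, `ssl_certificate /etc/ssl/{{ inventory_hostname }}.crt` and its key are always emitted, so on a host where the certificate has not been provisioned (the `x509certs` dependency is dropped in the same commit) the config test fails and the `restart nginx` handler leaves the service down. Add a pre-flight check in tasks/main.yml before the templates are rendered, e.g. a `stat` on both paths followed by `assert: { that: [cert.stat.exists, key.stat.exists], fail_msg: "host certificate/key missing" }`, or keep a guard keyed on an explicit variable such as `nginx.ssl_host_cert|default(true)`. The comment above the directives should then say which role is expected to deliver the files.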
@@ -61,8 +61,19 @@ server { } {% endfor %} + {% if vhost.auth.enable|default(False) %} + auth_basic "restricted area"; + auth_basic_user_file {{ vhost.auth.path }}; + satisfy {{ vhost.auth.satisfy|d('all') }}; + {% endif %} + + + {% for include in vhost.includes|default([]) %} + include {{ include }}; + {% endfor %} + {% if vhost.letsencrypt|d(False) %} - ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt; - ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key; + ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt; + ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key; {% endif %} }
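Review bot: The auth block tests `vhost.auth.enable`, while the README added in this commit documents the key as `enabled`, so a vhost configured as documented never receives `auth_basic` and stays open; pick one name (the README's `enabled`) and, because `|default(False)` on the last attribute does not cover `vhost.auth` itself being absent, guard the whole chain: `{% if vhost.auth is defined and vhost.auth.enabled|default(False) %}`. Two caveats belong in a comment next to the directives: `auth_basic` at server level is inherited by every location, including a letsencrypt challenge location if one lives in this server block (it would need `auth_basic off;` to stay reachable, which matters since `force_ssl` deliberately exempts those challenges), and `satisfy any` only relaxes authentication when an `allow` rule also matches, so with no `allow` directives emitted by this template it behaves like `all`. The htpasswd file at `vhost.auth.path` is neither provisioned nor permission-checked by the role, so note that it must exist and be readable by the nginx worker user before the handler restarts nginx. The `ssl_certificate` lines are only re-indented and could be left out of the change; the enclosing `server {` block starts outside this hunk.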