diff --git a/HOWTO/satnogs-monitor-proxy-howto.txt b/HOWTO/satnogs-monitor-proxy-howto.txt
new file mode 100644
index 0000000..22499c6
--- /dev/null
+++ b/HOWTO/satnogs-monitor-proxy-howto.txt
@@ -0,0 +1,116 @@
+# Just some notes for now... INCOMPLETE
+# See apache configs too
+
+Buster install
+apt install apache2 python3-certbot-apache
+a2enmod proxy proxy_http ssl 
+# open ports 80, 443 in firewall
+certbot
+
+# add users for satnogs-clients
+adduser cruftpi1
+adduser cruftpi3
+
+
+#################################
+# On raspberry pi satnogs-client machine:
+#git clone https://github.com/yudai/gotty
+# Get binary release here XXX from 2017:
+# https://github.com/yudai/gotty/releases
+# wget https://github.com/yudai/gotty/releases/download/v2.0.0-alpha.3/gotty_2.0.0-alpha.3_linux_amd64.tar.gz
+# meh.
+#
+# Do this instead ?
+# on cruftpi1
+sudo apt install golang cargo cmake libglib2.0-dev
+# install lm-snsors? howto get temp on Pi?
+go get github.com/yudai/gotty
+
+mkdir ~/devel
+cd ~/devel
+
+git clone https://github.com/cubehub/libgpredict.git
+mkdir libgpredict/build
+cd libgpredict/build
+cmake ../ && make
+sudo make install
+sudo ldconfig
+
+
+# MEH, skip this, no need to build it, use package!
+######################################
+cd ~/devel
+git clone https://github.com/wose/satnogs-monitor
+cd satnogs-monitor/monitor
+mkdir ~/.config/satnogs-monitor
+cp examples/config.toml ~/.config/satnogs-monitor/
+edit ~/.config/satnogs-monitor/config.toml
+# Run it manually to make sure it is good to run.
+# The first time takes XXX forever to download and run 
+#cargo run --release -- --orbits 3 --local 1152 --station 1152
+cargo run --release
+# If you want to refresh:
+cargo clean
+######################################
+
+# see https://github.com/wose/satnogs-monitor/releases
+cd ~/devel
+wget https://github.com/wose/satnogs-monitor/releases/download/0.3.1/satnogs-monitor_0.3.1_armhf.deb
+sudo dpkg -i satnogs-monitor_0.3.1_armhf.deb
+# If any deps are now needed, this will fix:
+sudo apt -f install
+
+# Test if it minimally works
+satnogs-monitor --station 1152
+# moar
+satnogs-monitor --spectrum --waterfall --orbits 3 --local 1152
+
+# Make script:
+cat > ~/satnogs-monitor-run <<EOF
+#!/bin/bash
+satnogs-monitor --spectrum --waterfall --orbits 3 --local 1152
+EOF
+
+chmod +x ~/satnogs-monitor-run
+
+# now run it in gotty..
+~/go/bin/gotty ~/satnogs-monitor-run
+# woo
+~/go/bin/gotty --address 127.0.0.1 --port 9091 --width 0 --height 0      ~/satnogs-monitor-run
+
+
+# If that is all working, set up tunnel.
+# create key on cruftpi1
+ssh-keygen -t ed25519
+# This gets copied over to apache server location:
+# /home/cruftpi1/.ssh/authorized_keys
+cat .ssh/id_ed25519.pub
+
+# Set up ssh config:
+vim .ssh/config
+# ala:
+Host spacecruft-monitor
+        Hostname 185.165.171.165
+	User cruftpi1
+        Port 22
+
+
+# On apache server machine as root (crufty way to do this):
+sudo su -
+mkdir /home/cruftpi1/.ssh
+# copy over that key:
+echo "ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA pi@cruftpi1" >> /home/cruftpi1/.ssh/authorized_keys
+chown -R cruftpi1:cruftpi1 /home/cruftpi1/.ssh/
+
+# On cruftpi1
+# Run a ssh tunnel to server:
+ssh -N -C -R 9091:localhost:9091 spacecruft-monitor
+
+# You can test in on spacecruft-monitor server:
+telnet localhost 9091
+GET /
+
+# Configure apache proxy on spacecruft-monitor:
+a2enmod headers
+a2enmod proxy_wstunnel
+vim /etc/apache2/sites-enabled/000-default-le-ssl.conf
diff --git a/conf/monitor.spacecruft.org/etc/apache2/sites-enabled/000-default-le-ssl.conf b/conf/monitor.spacecruft.org/etc/apache2/sites-enabled/000-default-le-ssl.conf
new file mode 100644
index 0000000..57c7da4
--- /dev/null
+++ b/conf/monitor.spacecruft.org/etc/apache2/sites-enabled/000-default-le-ssl.conf
@@ -0,0 +1,60 @@
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+	# The ServerName directive sets the request scheme, hostname and port that
+	# the server uses to identify itself. This is used when creating
+	# redirection URLs. In the context of virtual hosts, the ServerName
+	# specifies what hostname must appear in the request's Host: header to
+	# match this virtual host. For the default virtual host (this file) this
+	# value is not decisive as it is used as a last resort host regardless.
+	# However, you must set it for any further virtual host explicitly.
+	#ServerName www.example.com
+
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html
+
+	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+	# error, crit, alert, emerg.
+	# It is also possible to configure the loglevel for particular
+	# modules, e.g.
+	#LogLevel info ssl:warn
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+	# For most configuration files from conf-available/, which are
+	# enabled or disabled at a global level, it is possible to
+	# include a line for only one particular virtual host. For example the
+	# following line enables the CGI configuration for this host only
+	# after it has been globally disabled with "a2disconf".
+	#Include conf-available/serve-cgi-bin.conf
+
+    RewriteEngine on
+    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
+    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
+    RewriteRule /(.*) ws://127.0.0.1:9091/$1 [P]
+
+    LoadModule proxy_module modules/mod_proxy.so
+    LoadModule proxy_http_module modules/mod_proxy_http.so
+
+    <Location />
+        ProxyPass http://127.0.0.1:9091/
+    </Location>
+    ProxyVia On
+    ProxyPreserveHost On
+    RequestHeader set X-Forwarded-Proto 'https'env=HTTPS
+
+    SSLProtocol -All TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+    SSLHonorCipherOrder On
+    SSLCompression off
+    SSLVerifyClient None
+    SSLCipherSuite AES256+EECDH
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+    SSLSessionTickets Off
+
+
+ServerName monitor.spacecruft.org
+SSLCertificateFile /etc/letsencrypt/live/monitor.spacecruft.org/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/monitor.spacecruft.org/privkey.pem
+Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>
+</IfModule>
diff --git a/conf/monitor.spacecruft.org/etc/apache2/sites-enabled/000-default.conf b/conf/monitor.spacecruft.org/etc/apache2/sites-enabled/000-default.conf
new file mode 100644
index 0000000..0241f5a
--- /dev/null
+++ b/conf/monitor.spacecruft.org/etc/apache2/sites-enabled/000-default.conf
@@ -0,0 +1,34 @@
+<VirtualHost *:80>
+	# The ServerName directive sets the request scheme, hostname and port that
+	# the server uses to identify itself. This is used when creating
+	# redirection URLs. In the context of virtual hosts, the ServerName
+	# specifies what hostname must appear in the request's Host: header to
+	# match this virtual host. For the default virtual host (this file) this
+	# value is not decisive as it is used as a last resort host regardless.
+	# However, you must set it for any further virtual host explicitly.
+	#ServerName www.example.com
+
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html
+
+	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+	# error, crit, alert, emerg.
+	# It is also possible to configure the loglevel for particular
+	# modules, e.g.
+	#LogLevel info ssl:warn
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+	# For most configuration files from conf-available/, which are
+	# enabled or disabled at a global level, it is possible to
+	# include a line for only one particular virtual host. For example the
+	# following line enables the CGI configuration for this host only
+	# after it has been globally disabled with "a2disconf".
+	#Include conf-available/serve-cgi-bin.conf
+RewriteEngine on
+RewriteCond %{SERVER_NAME} =monitor.spacecruft.org
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet