diff --git a/conf/nginx.conf b/conf/nginx.conf index 7c3e52f..e8aea12 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -14,32 +14,22 @@ location / { proxy_read_timeout 86400s; proxy_send_timeout 86400s; + # Include SSOWAT user panel + access_by_lua_file /usr/share/ssowat/access.lua; + location ~ \.(js|css|woff|woff2|ttf|png) { proxy_pass http://localhost:9220; - access_by_lua_file /usr/share/ssowat/access.lua; - } - - location /webui { - proxy_pass http://localhost:9220/; - access_by_lua_file /usr/share/ssowat/access.lua; - # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; } location ~ /webmin { proxy_pass http://localhost:9220$uri; - access_by_lua_file /usr/share/ssowat/access.lua; } - - location ~ /modules { - proxy_pass http://localhost:9220; - access_by_lua_file /usr/share/ssowat/access.lua; + + location ~ ^/bma(.*)$ { + proxy_pass http://localhost:__PORT__$1$is_args$args; } location /ws2p { - proxy_pass http://127.0.0.1:20901; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + proxy_pass http://localhost:20901; } } diff --git a/scripts/install b/scripts/install index 1782688..893cac7 100644 --- a/scripts/install +++ b/scripts/install 
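Review bot: The unanchored regex locations kept in this block, `location ~ \.(js|css|woff|woff2|ttf|png)` and `location ~ /webmin`, are declared before the new `location ~ ^/bma(.*)$` and match anywhere in the URI, so a path under `/bma` or `/ws2p` that contains `/webmin` or one of those extensions is proxied to port 9220 instead of the API backend. Because scripts/install in this commit opens `/bma` and `/ws2p` to visitors, it is worth confirming how SSOwat classifies such paths and anchoring the patterns, for example `location ~ ^/webmin` and `location ~ \.(js|css|woff|woff2|ttf|png)$`, if the web UI does not need the looser match. Separately, `/ws2p` loses `proxy_http_version 1.1` and the `Upgrade`/`Connection` headers; unless they are set higher up, the WebSocket upgrade will probably not be proxied. The enclosing `location /` block opens above this hunk, so inherited directives cannot be checked from here.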
@@ -134,8 +134,12 @@ ynh_systemd_action --service_name=$app --action="start" --log_path=systemd
 #=================================================
 ynh_script_progression --message="Configuring permissions…"
-# Make app public
-ynh_permission_update --permission="main" --add="visitors"
+# Change main group to protect sensitive sub-routes (client, API) to Duniter web admin interface, give access to choosen admin
+ynh_permission_update --permission "main" --add "$admin" --remove "all_users"
+ynh_permission_url --permission "main" --add_url "/webmin"
+
+# Create apis permission group to public to allow BMA and WS2P APIs accessible to visitors
+ynh_permission_create --permission "apis" --url "/bma" --additional_urls "/ws2p" --auth_header=false --allowed "visitors"
 #=================================================
 # RELOAD NGINX
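Review bot: Restricting `main` to `$admin` here only protects fresh installs; an instance installed before this commit keeps `visitors` on `main`, so its web admin interface stays public unless scripts/upgrade (not shown in this diff) applies the same `ynh_permission_update` and `ynh_permission_create` calls. It would also help to state above `ynh_permission_create` that `apis` is deliberately unauthenticated, e.g. `# BMA and WS2P are public peer APIs: no SSO login, no auth headers forwarded`, and to consider `--show_tile=false` so the API endpoint is not offered as a portal tile. `$admin` is set outside this hunk; confirm it is validated as an existing user before it reaches `--add`.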