diff --git a/contrib/local-environment/dex.yaml b/contrib/local-environment/dex.yaml
index f0a2ead4..e3ed0f8f 100644
--- a/contrib/local-environment/dex.yaml
+++ b/contrib/local-environment/dex.yaml
@@ -6,7 +6,7 @@ storage:
 type: etcd
 config:
 endpoints:
- - http://etcd:2379
+ - http://etcd:2379
 namespace: dex/
 web:
 http: 0.0.0.0:5556
@@ -16,17 +16,18 @@ expiry:
 signingKeys: "4h"
 idTokens: "1h"
 staticClients:
-- id: oauth2-proxy
- redirectURIs:
- # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
- 'http://oauth2-proxy.localtest.me:4180/oauth2/callback' # For basic proxy example.
- 'http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback' # For nginx and traefik example.
- name: 'OAuth2 Proxy'
- secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
+ - id: oauth2-proxy
+ redirectURIs:
+ # These redirect URIs point to the `--redirect-url` for OAuth2 proxy.
+ - "http://oauth2-proxy.localtest.me:4180/oauth2/callback" # For basic proxy example.
+ - "http://oauth2-proxy.localtest.me:8080/oauth2/callback" # For nginx example.
+ - "http://oauth2-proxy.oauth2-proxy.localhost/oauth2/callback" # For traefik example.
+ name: "OAuth2 Proxy"
+ secret: b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK
 enablePasswordDB: true
 staticPasswords:
-- email: "admin@example.com"
- # bcrypt hash of the string "password"
- hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
- username: "admin"
- userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+ - email: "admin@example.com"
+ # bcrypt hash of the string "password"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ username: "admin"
+ userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
diff --git a/contrib/local-environment/docker-compose-keycloak.yaml b/contrib/local-environment/docker-compose-keycloak.yaml
index eec20e35..70d2042b 100644
--- a/contrib/local-environment/docker-compose-keycloak.yaml
+++ b/contrib/local-environment/docker-compose-keycloak.yaml
@@ -10,7 +10,7 @@
 #
 # Access http://oauth2-proxy.localtest.me:4180 to initiate a login cycle using user=admin@example.com, password=password
 # Access http://keycloak.localtest.me:9080 with the same credentials to check out the settings
-version: '3.0'
+version: "3.0"
 services:
 oauth2-proxy:
 container_name: oauth2-proxy
@@ -43,9 +43,9 @@ services:
 image: keycloak/keycloak:25.0
 hostname: keycloak
 command:
- 'start-dev'
- '--http-port=9080'
- '--import-realm'
+ "start-dev"
+ "--http-port=9080"
+ "--import-realm"
 volumes:
 - ./keycloak:/opt/keycloak/data/import
 environment:
diff --git a/contrib/local-environment/docker-compose-nginx.yaml b/contrib/local-environment/docker-compose-nginx.yaml
index d14536ed..2aa403ec 100644
--- a/contrib/local-environment/docker-compose-nginx.yaml
+++ b/contrib/local-environment/docker-compose-nginx.yaml
@@ -23,11 +23,11 @@ version: "3.0"
 services:
 oauth2-proxy:
 image: quay.io/oauth2-proxy/oauth2-proxy:v7.15.2
- ports:
- - 4180:4180/tcp
+ ports: []
 hostname: oauth2-proxy
 container_name: oauth2-proxy
 command: --config /oauth2-proxy.cfg
+ restart: unless-stopped
 volumes:
 - "./oauth2-proxy-nginx.cfg:/oauth2-proxy.cfg"
 networks:
diff --git a/contrib/local-environment/nginx.conf b/contrib/local-environment/nginx.conf
index f3761387..0e7bf7b4 100644
--- a/contrib/local-environment/nginx.conf
+++ b/contrib/local-environment/nginx.conf
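Review bot: `ports: []` in the docker-compose-nginx.yaml hunk records that oauth2-proxy is no longer published on the host but not why, and a reader has to open nginx.conf to learn that nginx on :8080 is now the only entry point; a comment on that line would carry the intent, e.g. `ports: []  # not published on the host; reached only through nginx on :8080`. Dropping the host port is the right direction, since it removes the direct :4180 entry point that the commit's redirect_url change to :8080 (oauth2-proxy-nginx.cfg) would otherwise leave half-working. The rest of the oauth2-proxy service and the nginx service that presumably publishes 8080 are outside the hunk.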
@@ -1,49 +1,44 @@
-# Reverse proxy to oauth2-proxy
-server {
- listen 8080;
- server_name oauth2-proxy.localtest.me;
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Uri $request_uri;
-
- proxy_pass http://oauth2-proxy:4180/;
- }
-}
-
 # Reverse proxy to httpbin
 server {
 listen 8080;
- server_name httpbin.localtest.me;
+ server_name oauth2-proxy.localtest.me;
 
- auth_request /internal-auth/oauth2/auth;
+ location /oauth2/ {
+ proxy_pass http://oauth2-proxy:4180;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Auth-Request-Redirect $request_uri;
+ }
 
- # On 401, redirect to the sign_in page via a named location
- # This ensures a proper 302 redirect that browsers will follow
- error_page 401 = @oauth2_signin;
+ location = /oauth2/auth {
+ proxy_pass http://oauth2-proxy:4180;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ # nginx auth_request includes headers but not body
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+ }
 
 location / {
+ auth_request /oauth2/auth;
+ error_page 401 = @oauth2_signin;
+
+ # pass information via X-User and X-Email headers to backend,
+ # requires running with --set-xauthrequest flag
+ auth_request_set $user $upstream_http_x_auth_request_user;
+ auth_request_set $email $upstream_http_x_auth_request_email;
+ proxy_set_header X-User $user;
+ proxy_set_header X-Email $email;
+
 proxy_pass http://httpbin/;
+ # or "root /path/to/site;" or "fastcgi_pass ..." etc
 }
 
- # Named location for OAuth2 sign-in redirect
- # Returns a proper 302 that works with --skip-provider-button
+ # Named location for handling OAuth2 sign-in redirects
+ # This ensures the browser receives a proper 302 redirect that it will follow
 location @oauth2_signin {
- return 302 http://oauth2-proxy.localtest.me:8080/oauth2/sign_in?rd=$scheme://$host$request_uri;
- }
-
- # auth_request must be a URI so this allows an internal path to then proxy to
- # the real auth_request path.
- # The trailing /'s are required so that nginx strips the prefix before proxying.
- location /internal-auth/ {
- internal; # Ensure external users can't access this path
-
- # Make sure the OAuth2 Proxy knows where the original request came from.
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Uri $request_uri;
-
- proxy_pass http://oauth2-proxy:4180/;
+ return 302 /oauth2/sign_in?rd=$scheme://$http_host$request_uri;
 }
 }
diff --git a/contrib/local-environment/oauth2-proxy-nginx.cfg b/contrib/local-environment/oauth2-proxy-nginx.cfg
index 0a383ab7..2565c226 100644
--- a/contrib/local-environment/oauth2-proxy-nginx.cfg
+++ b/contrib/local-environment/oauth2-proxy-nginx.cfg
@@ -9,7 +9,7 @@ whitelist_domains=[".localtest.me"] # Required to allow redirection back to orig
 
 # dex provider
 client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
 client_id="oauth2-proxy"
-redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+redirect_url="http://oauth2-proxy.localtest.me:8080/oauth2/callback"
 oidc_issuer_url="http://dex.localtest.me:5556/dex"
 provider="oidc"
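Review bot: The new `location = /oauth2/auth` block is reachable by external clients, whereas the removed `location /internal-auth/` carried `internal;` for exactly that reason; auth_request subrequests are internal, so adding `internal;  # auth_request subrequests only` as the first line of that block restores the guard without affecting the `auth_request /oauth2/auth;` in `location /`, and the exact-match location still wins over `location /oauth2/` for that one path. Separately, the `return 302` in `@oauth2_signin` now builds `rd=` from `$http_host`, which is whatever Host header the client sent; what keeps that from becoming an open redirect is `whitelist_domains` on the oauth2-proxy side (visible in the oauth2-proxy-nginx.cfg hunk), and a comment on the return line naming that dependency, e.g. `# rd is validated against whitelist_domains in oauth2-proxy-nginx.cfg`, would stop a later edit from loosening it unknowingly. The `auth_request_set` lines only yield X-User/X-Email when `set_xauthrequest` is enabled in the proxy config, which the cfg hunk does not show. The hunk spans the whole file, so both server blocks are complete here.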
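Review bot: The new `redirect_url` must match a `redirectURIs` entry of the `oauth2-proxy` static client in dex.yaml exactly (this commit adds `http://oauth2-proxy.localtest.me:8080/oauth2/callback` there), and nothing on the line records that coupling; `# must match the oauth2-proxy redirectURIs entry in dex.yaml (nginx fronts the proxy on :8080)` would keep the two from drifting apart. With the host port no longer published, every request now reaches oauth2-proxy through nginx with the `Host` and `X-Real-IP` values nginx sets; whether `reverse_proxy` is enabled so the proxy honours them is outside this hunk.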