diff --git a/cdk/lib/nginx-stack.ts b/cdk/lib/nginx-stack.ts
index 9aaa7180..fa8a8337 100644
--- a/cdk/lib/nginx-stack.ts
+++ b/cdk/lib/nginx-stack.ts
@@ -1,6 +1,7 @@
 import { aws_ecr, aws_ecs, + aws_ssm, aws_ecs_patterns, aws_elasticloadbalancingv2, aws_logs, aws_route53, aws_route53_targets,
@@ -46,6 +47,11 @@ export class NginxStack extends Stack {
 const nginxCspWorkerSrc: string[] = [];
+
+ const pAuthSourceAddress = aws_ssm.StringParameter.fromStringParameterAttributes(this, 'pAuthSourceAddress', {
+ parameterName: `/${props.environment}/restricteddata/auth_source_address`,
+ });
+
 const nginxContainer = nginxTaskDefinition.addContainer('nginx', {
 image: aws_ecs.ContainerImage.fromEcrRepository(nginxRepo, props.envProps.NGINX_IMAGE_TAG),
 environment: {
@@ -70,6 +76,8 @@ export class NginxStack extends Stack {
 CKAN_HOST: `ckan.${props.namespace.namespaceName}`,
 CKAN_PORT: '5000',
 NGINX_ROBOTS_ALLOW: props.allowRobots,
+ NGINX_PROXY_ADDRESS: props.loadBalancer.loadBalancerDnsName,
+ AUTH_SOURCE_ADDRESS: pAuthSourceAddress.stringValue,
 },
 logging: aws_ecs.LogDrivers.awsLogs({
 logGroup: nginxLogGroup,
diff --git a/ckan/ckanext/ckanext-restricteddata/ckanext/restricteddata/logic/action.py b/ckan/ckanext/ckanext-restricteddata/ckanext/restricteddata/logic/action.py
index c81d7652..957dd5ec 100644
--- a/ckan/ckanext/ckanext-restricteddata/ckanext/restricteddata/logic/action.py
+++ b/ckan/ckanext/ckanext-restricteddata/ckanext/restricteddata/logic/action.py
@@ -182,7 +182,7 @@ def authorize_paha_session(context: Context, data_dict: DataDict):
 paha_jwt_token = _decode_paha_jwt_token(encoded_token)
 if not paha_jwt_token:
 log.error("No valid PAHA JWT provided")
- return toolkit.abort(400)
+ raise toolkit.ValidationError("No valid PAHA JWT provided")
 user = _create_or_authenticate_paha_user(paha_jwt_token)
 organization = _create_or_get_paha_organization(paha_jwt_token)
diff --git a/docker/.env.template b/docker/.env.template
index ab4e5df7..1f0c70aa 100644
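Review bot: `aws_ssm` is inserted between `aws_ecs` and `aws_ecs_patterns`, which breaks the alphabetical order the rest of this import list follows. Move it to its sorted position (after `aws_route53_targets`, or wherever `aws_s…` falls once the whole list, which continues past the hunk, is considered). The import statement ends outside the hunk.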
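Review bot: The value read from `/${props.environment}/restricteddata/auth_source_address` is passed straight into nginx's `allow` directive (server.conf.template in this same commit), which takes a single address or CIDR, but nothing at the lookup documents that format or that the parameter has to exist before the stack is deployed. Add a comment above it such as `// Single IP or CIDR permitted to call /paha; consumed by nginx 'allow', so a hostname or list is not accepted. Must exist in SSM before deploy.`. As a style point, `pAuthSourceAddress` uses a prefix convention that the surrounding locals (`nginxContainer`, `nginxCspWorkerSrc`) do not; `authSourceAddressParam` would match, and since only `parameterName` is given, `fromStringParameterName` expresses the same lookup more directly.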
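Review bot: `NGINX_PROXY_ADDRESS: props.loadBalancer.loadBalancerDnsName` hands a DNS name to nginx, but the template in this commit feeds it to `set_real_ip_from`, which accepts only an address, a CIDR or `unix:`; nginx rejects anything else as an invalid parameter at startup, and even a resolved name would go stale because load balancer node addresses change over time. Pass the CIDR range the load balancer nodes sit in instead, e.g. `NGINX_PROXY_ADDRESS: <vpc construct>.vpcCidrBlock,` (the VPC is not visible in this hunk), and keep that range as narrow as possible, because every address inside it is then trusted to set `X-Forwarded-For` for the `allow` check in server.conf.template. The `environment` object continues outside the hunk.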
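Review bot: Replacing `toolkit.abort(400)` with `raise toolkit.ValidationError(...)` changes the status clients observe: when this action is reached through CKAN's action API, a `ValidationError` is reported as 409 with `__type: Validation Error` rather than 400, so any caller that checks for 400 (presumably the consumer behind the new `/paha` route in this commit) needs updating, or the commit message should state the change. The preceding `log.error("No valid PAHA JWT provided")` now duplicates the exception text for what is a client-supplied bad token; `log.warning` keeps the error log for server-side failures. `authorize_paha_session` continues on both sides of the hunk.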
--- a/docker/.env.template
+++ b/docker/.env.template
@@ -78,3 +78,5 @@ CKAN_PORT=5000
 # nginx
 NGINX_HOST=nginx
 NGINX_PORT=80
+NGINX_PROXY_ADDRESS=172.20.0.1/32 # docker host ip
+AUTH_SOURCE_ADDRESS=172.20.0.2/32 # another IP from the same pool for testing
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index bc63b77b..448f2191 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -155,6 +155,8 @@ services:
 - NAMESERVER=${NAMESERVER}
 - CKAN_HOST=${CKAN_HOST}
 - CKAN_PORT=${CKAN_PORT}
+ - NGINX_PROXY_ADDRESS=${NGINX_PROXY_ADDRESS}
+ - AUTH_SOURCE_ADDRESS=${AUTH_SOURCE_ADDRESS}
 mailhog:
 image: mailhog/mailhog:latest
diff --git a/docker/nginx/templates/server.conf.template b/docker/nginx/templates/server.conf.template
index 90ecb87f..7a6043f9 100644
--- a/docker/nginx/templates/server.conf.template
+++ b/docker/nginx/templates/server.conf.template
@@ -50,6 +50,15 @@ location ~ ^/(.*)$ {
 add_header Cache-Control private;
 }
+ location ~ ^/paha(.*)$ {
+ proxy_pass http://$ckan_target/paha$1$is_args$args;
+ set_real_ip_from ${NGINX_PROXY_ADDRESS};
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+ allow ${AUTH_SOURCE_ADDRESS};
+ deny all;
+ }
+
 location ~ /(fi|en_GB|sv)/organization/(.*)/embed {
 proxy_pass http://$ckan_target/$1/organization/$2/embed$is_args$args;
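Review bot: The inline `# docker host ip` and `# another IP …` comments after the two new values depend on the compose `.env` parser stripping everything after ` #`; older docker-compose releases pass the whole string through, and nginx then rejects `set_real_ip_from 172.20.0.1/32 # docker host ip` as an invalid parameter. Put each comment on its own line above the variable, e.g. `# docker host ip (the proxy nginx trusts for X-Forwarded-For)` followed by `NGINX_PROXY_ADDRESS=172.20.0.1/32`, so the value is unambiguous regardless of the parser. It is also worth stating in the comment that `AUTH_SOURCE_ADDRESS` must be the address the caller actually reaches nginx from, since the template feeds it to an `allow` rule.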
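Review bot: The new `location ~ ^/paha(.*)$` block is placed after the regex location `location ~ ^/(.*)$` (the block whose `}` closes just above it, per the hunk header); nginx evaluates regex locations in configuration order and stops at the first match, so if that catch-all really precedes this block in the same `server`, every `/paha…` request is served by the catch-all and the `allow`/`deny` here never runs. Move the block above the catch-all (or make it a prefix match with `location ^~ /paha` and adjust `proxy_pass` accordingly), and verify with a request from a non-allowed address that it receives 403. The regex also matches `/pahafoo`; `location ~ ^/paha(/.*)?$ {` limits it to the path segment. Because the `allow` decision is made on the address recovered from `X-Forwarded-For`, `NGINX_PROXY_ADDRESS` must cover only the proxies actually in front of nginx — a wider range lets any client inside it forge the header to satisfy `allow` — and since the realip directives are scoped to this location, other locations keep seeing the proxy address (presumably intended).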