diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index de10ddc..6bdc6a7 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -287,6 +287,7 @@ module "ooni_th_droplet" {
     "3d:81:99:17:b5:d1:20:a5:fe:2b:14:96:67:93:d6:34",
     "f6:4b:8b:e2:0e:d2:97:c5:45:5c:07:a6:fe:54:60:0e"
   ]
+
   dns_zone_ooni_io = local.dns_zone_ooni_io
 }
 
@@ -515,7 +516,7 @@ module "ooniapi_oonifindings_deployer" {
 module "ooniapi_oonifindings" {
   source = "../../modules/ooniapi_service"
 
-  first_run          = true
+  # first_run          = true
   vpc_id             = module.network.vpc_id
   public_subnet_ids  = module.network.vpc_subnet_public[*].id
   private_subnet_ids = module.network.vpc_subnet_private[*].id
@@ -563,7 +564,7 @@ module "ooniapi_ooniauth_deployer" {
 
 module "ooniapi_ooniauth" {
   source = "../../modules/ooniapi_service"
-  #first_run = true
+  # first_run = true
 
   vpc_id             = module.network.vpc_id
   private_subnet_ids = module.network.vpc_subnet_private[*].id
diff --git a/tf/modules/ooni_backendproxy/main.tf b/tf/modules/ooni_backendproxy/main.tf
index 81c98ee..110461d 100644
--- a/tf/modules/ooni_backendproxy/main.tf
+++ b/tf/modules/ooni_backendproxy/main.tf
@@ -17,6 +17,13 @@ resource "aws_security_group" "nginx_sg" {
     cidr_blocks = var.private_subnet_cidr
   }
 
+  ingress {
+    protocol    = "tcp"
+    from_port   = 80
+    to_port     = 80
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
   ingress {
     protocol    = "tcp"
     from_port   = 22
diff --git a/tf/modules/ooni_th_droplet/main.tf b/tf/modules/ooni_th_droplet/main.tf
index b62b47e..9836ac6 100644
--- a/tf/modules/ooni_th_droplet/main.tf
+++ b/tf/modules/ooni_th_droplet/main.tf
@@ -34,6 +34,7 @@ resource "digitalocean_droplet" "ooni_th_docker" {
 
   lifecycle {
     create_before_destroy = true
+    ignore_changes = all
   }
 }
 resource "aws_route53_record" "ooni_th" {