diff --git a/group_vars/re2o_front.yml b/group_vars/re2o_front.yml index 189656f3..c7ca4528 100644 --- a/group_vars/re2o_front.yml +++ b/group_vars/re2o_front.yml @@ -1,14 +1,16 @@ --- glob_re2o_front: server_names: - - "{{ query('ldap', 'ip', 're2o', 'adm') | ipv4 | first }}" - - "[{{ query('ldap', 'ip', 're2o', 'adm') | ipv6 | first }}]" + - "{{ query('ldap', 'ip', 'c3po', 'adm') | ipv4 | first }}" + - "[{{ query('ldap', 'ip', 'c3po', 'adm') | ipv6 | first }}]" + # - "{{ query('ldap', 'ip', 're2o', 'adm') | ipv4 | first }}" + # - "[{{ query('ldap', 'ip', 're2o', 'adm') | ipv6 | first }}]" - re2o.adm.crans.org - intranet.adm.crans.org - re2o.crans.org - intranet.crans.org -loc_nginx: +service_nginx: service_name: re2o ssl: [] servers: diff --git a/host_vars/re2o.cachan-adm.crans.org.yml b/host_vars/re2o.cachan-adm.crans.org.yml index eedea2f3..70efd4cf 100644 --- a/host_vars/re2o.cachan-adm.crans.org.yml +++ b/host_vars/re2o.cachan-adm.crans.org.yml 
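Review bot: The two `re2o` entries under `server_names` are left as commented-out lines beside the new `c3po` ones, with nothing saying whether the swap is temporary. This list is presumably rendered into the nginx `server_name` set, so dead alternatives there are easy to re-enable by accident. Delete them, or replace them with one line of intent such as `# c3po's adm addresses replace re2o's own here (TODO confirm: requests arrive via c3po)`. The rename of `loc_nginx` to `service_nginx` in the same hunk only works in plays that merge `service_nginx` into `nginx`. The two plays touched later in this diff do; any others are not visible here.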
@@ -15,22 +15,37 @@ loc_re2o: admins: - ('Root', 'root@crans.org') allowed_hosts: - - 're2o.cachan-adm.crans.org' - - 'intranet.cachan-adm.crans.org' + - "{{ query('ldap', 'ip', 're2o', 'cachan-adm') | ipv4 | first }}" + - "[{{ query('ldap', 'ip', 're2o', 'cachan-adm') | ipv6 | first }}]" + - "{{ query('ldap', 'ip', 'c3po', 'adm') | ipv4 | first }}" + - "[{{ query('ldap', 'ip', 'c3po', 'adm') | ipv6 | first }}]" + - re2o.cachan-adm.crans.org + - intranet.cachan-adm.crans.org + - re2o.adm.crans.org + - re2o.crans.org + - intranet.crans.org from_email: "root@crans.org" ldap: master_password: "{{ vault.ldap_master_password }}" - uri: "ldap://re2o-ldap.cachan-adm.crans.org/" + uri: "ldap://{{ query('ldap', 'ip', 're2o-ldap', 'cachan-adm') | ipv4 | first }}/" dn: "cn=admin,dc=crans,dc=org" database: password: "{{ vault.re2o_db_password }}" - uri: "gulp.cachan-adm.crans.org" + uri: "{{ query('ldap', 'ip', 'gulp', 'cachan-adm') | ipv4 | first }}" + +loc_nginx: + real_ip_from: + - "172.17.0.0/16" + - "fd00:0:0:3000::/56" loc_re2o_front: server_names: - "{{ query('ldap', 'ip', 're2o', 'cachan-adm') | ipv4 | first }}" - "[{{ query('ldap', 'ip', 're2o', 'cachan-adm') | ipv6 | first }}]" + - "{{ query('ldap', 'ip', 'c3po', 'adm') | ipv4 | first }}" + - "[{{ query('ldap', 'ip', 'c3po', 'adm') | ipv6 | first }}]" - re2o.cachan-adm.crans.org - intranet.cachan-adm.crans.org - - re2o_crans.crans.org - - intranet-crans.crans.org + - re2o.adm.crans.org + - re2o.crans.org + - intranet.crans.org diff --git a/host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml b/host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml index 17e0093f..0dc1b1b3 100644 --- a/host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml +++ b/host_vars/routeur-gulp.cachan-adm.crans.org/radius.yml 
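Review bot: `real_ip_from` under the new `loc_nginx` trusts two whole subnets, `172.17.0.0/16` and `fd00:0:0:3000::/56`. If the nginx role renders this into `set_real_ip_from` (the template is not part of this diff), any host in those ranges can supply the client address that re2o and its logs will record. The only forwarding host this commit names is c3po, so consider narrowing the list to its addresses, for example `- "{{ query('ldap', 'ip', 'c3po', 'adm') | ipv4 | first }}"` plus the IPv6 address without brackets. Separately, `allowed_hosts` and `loc_re2o_front.server_names` now repeat the same nine entries; defining the list once and referencing it would keep them from drifting apart.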
@@ -16,8 +16,8 @@ loc_re2o: from_email: "root@crans.org" ldap: master_password: "{{ vault.ldap_master_password }}" - uri: "ldap://re2o-ldap.cachan-adm.crans.org/" + uri: "ldap://{{ query('ldap', 'ip', 're2o-ldap', 'cachan-adm') | ipv4 | first }}/" dn: "cn=admin,dc=crans,dc=org" database: password: "{{ vault.re2o_db_password }}" - uri: "gulp.cachan-adm.crans.org" + uri: "{{ query('ldap', 'ip', 'gulp', 'cachan-adm') | ipv4 | first }}" diff --git a/plays/nginx.yml b/plays/nginx.yml index a9dd033c..6a89fdd0 100755 --- a/plays/nginx.yml +++ b/plays/nginx.yml @@ -4,5 +4,6 @@ - hosts: nginx,!adh_server vars: nginx: '{{ glob_nginx | default({}) | combine(service_nginx | default({}) | combine(loc_nginx | default({}))) }}' + re2o_front: '{{ glob_re2o_front | default({}) | combine(loc_re2o_front | default({})) }}' # necessary for re2o-front roles: - nginx diff --git a/plays/re2o.yml b/plays/re2o.yml index 01453f41..c775b171 100755 --- a/plays/re2o.yml +++ b/plays/re2o.yml @@ -9,7 +9,7 @@ - hosts: re2o_front vars: re2o_front: "{{ glob_re2o_front | default({}) | combine(loc_re2o_front | default({})) }}" - nginx: "{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}" + nginx: "{{ glob_nginx | default({}) | combine(service_nginx | default({})) | combine(loc_nginx | default({})) }}" roles: - nginx - re2o-front diff --git a/roles/re2o/templates/re2o/settings_local.py.j2 b/roles/re2o/templates/re2o/settings_local.py.j2 index c558c032..c8703387 100644 --- a/roles/re2o/templates/re2o/settings_local.py.j2 +++ b/roles/re2o/templates/re2o/settings_local.py.j2 @@ -93,4 +93,6 @@ GID_RANGES = { OPTIONNAL_APPS_RE2O = () # Some Django apps you want to add in you local project -OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ('api', 'captcha',) +OPTIONNAL_APPS = OPTIONNAL_APPS_RE2O + ('api', 'captcha', 'prefix_delegation',) + +PREFIX_DELEGATION_OWNER = 'users.User'
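Review bot: `ldap.uri` keeps the `ldap://` scheme and now points at a bare IPv4 address, next to a `master_password` and an admin `dn`. Nothing in the visible lines enables TLS, so if the bind uses that password it crosses the network in clear text. Addressing the server by IP also means a later move to `ldaps://` or StartTLS would need a certificate carrying that address as a subject alternative name. The same two `uri` changes are made in `host_vars/re2o.cachan-adm.crans.org.yml`. If the IP is deliberate, a comment such as `# IP on purpose: no DNS dependency (confirm)` above each `uri` would stop it being reverted to a hostname.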
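Review bot: In `plays/re2o.yml` the `nginx` variable is now built from three layers, but nothing documents their order or that `combine` merges shallowly unless `recursive=True` is passed. A host-level `loc_nginx` that sets `servers` would replace the whole list from `service_nginx` rather than extend it. A comment above the line would make that explicit, for example `# precedence: glob_nginx < service_nginx < loc_nginx; top-level keys are replaced, not merged`. `plays/nginx.yml` writes the same merge with a nested `combine(...)`; using one form in both plays would make them easier to compare.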
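Review bot: In `settings_local.py.j2`, `'prefix_delegation'` and `PREFIX_DELEGATION_OWNER` are hard-coded, so every host that renders this template enables the app. `loc_re2o` also appears in the router's `radius.yml` in this diff, which suggests (not confirmed from here) that hosts other than the web front end use this role. If so, building the tuple from a role variable would let each host opt in. `PREFIX_DELEGATION_OWNER` also has no comment; one line such as `# model referenced by prefix_delegation, as 'app_label.Model' (confirm against the app)` would help the next reader.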