diff --git a/.env b/.env
index 429bba0..c45332d 100644
--- a/.env
+++ b/.env
@@ -1,2 +1,4 @@
 POSTGRES_USER=postgres
 POSTGRES_PASSWORD=password
+OWNER_UID=1000
+OWNER_GID=1000
diff --git a/app/Dockerfile b/app/Dockerfile
index 8ec1c3b..d82212b 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -12,4 +12,9 @@ ADD scripts/update /etc/periodic/15min/
 
 RUN sed -i.bak 's/^listen = 127.0.0.1:9000/listen = 9000/' /etc/php7/php-fpm.d/www.conf
 
+ARG OWNER_UID
+ARG OWNER_GID
+
+RUN mkdir -p /var/www && addgroup -g ${OWNER_GID} app && adduser -D -h /var/www/html -G app -u ${OWNER_UID} app
+
 CMD /startup.sh
diff --git a/app/startup.sh b/app/startup.sh
index 46100c5..377a300 100755
--- a/app/startup.sh
+++ b/app/startup.sh
@@ -1,6 +1,5 @@
 #!/bin/sh -ex
 
-OWNER=nobody
 DST_DIR=/var/www/html/tt-rss
 SRC_REPO=https://git.tt-rss.org/fox/tt-rss.git
 
@@ -15,7 +14,13 @@ else
 	cd $DST_DIR && git pull origin master
 fi
 
-chown -R $OWNER $DST_DIR
+if [ ! -d $DST_DIR/plugins.local/nginx_xaccel ]; then
+	git clone https://git.tt-rss.org/fox/ttrss-nginx-xaccel.git $DST_DIR/plugins.local/nginx_xaccel
+else
+	cd $DST_DIR/plugins.local/nginx_xaccel && git pull origin master
+fi
+
+chown -R $OWNER_UID:$OWNER_GID $DST_DIR
 chmod +x /etc/periodic/15min/*
 
 for d in cache lock feed-icons; do
@@ -30,10 +35,11 @@ if [ ! -s $DST_DIR/config.php ]; then
 	SELF_URL_PATH=$(echo $SELF_URL_PATH | sed -e 's/[\/&]/\\&/g')
 
 	sed \
-		-e "s/define('DB_HOST'.*/define('DB_HOST','$DB_HOST');/" \
-		-e "s/define('DB_USER'.*/define('DB_USER','$DB_USER');/" \
-		-e "s/define('DB_NAME'.*/define('DB_NAME','$DB_NAME');/" \
-		-e "s/define('DB_PASS'.*/define('DB_PASS','$DB_PASS');/" \
+		-e "s/define('DB_HOST'.*/define('DB_HOST', '$DB_HOST');/" \
+		-e "s/define('DB_USER'.*/define('DB_USER', '$DB_USER');/" \
+		-e "s/define('DB_NAME'.*/define('DB_NAME', '$DB_NAME');/" \
+		-e "s/define('DB_PASS'.*/define('DB_PASS', '$DB_PASS');/" \
+		-e "s/define('PLUGINS'.*/define('PLUGINS', 'auth_internal, note, nginx_xaccel');/" \
 		-e "s/define('SELF_URL_PATH'.*/define('SELF_URL_PATH','$SELF_URL_PATH');/" \
 		< $DST_DIR/config.php-dist > $DST_DIR/config.php
 fi
diff --git a/docker-compose.yml b/docker-compose.yml
index 7768eed..13ad3ee 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,7 +14,12 @@ services:
       - POSTGRES_USER=${POSTGRES_USER}
 
   app:
-    build: ./app
+    build: 
+      context:
+        ./app
+      args:
+        - OWNER_UID=${OWNER_UID}
+        - OWNER_GID=${OWNER_GID}
     restart: unless-stopped
     environment:
       - DB_TYPE=pgsql
@@ -22,6 +27,8 @@ services:
       - DB_NAME=${POSTGRES_USER}
       - DB_USER=${POSTGRES_USER}
       - DB_PASS=${POSTGRES_PASSWORD}
+      - OWNER_UID=${OWNER_UID}
+      - OWNER_GID=${OWNER_GID}
       - SELF_URL_PATH=http://localhost:8280/tt-rss
     volumes:
       - html:/var/www/html
@@ -34,7 +41,7 @@ services:
     ports:
       - 8280:80
     volumes:
-      - html:/var/www/html
+      - html:/var/www/html:ro
     depends_on:
       - app
 
diff --git a/web/nginx.conf b/web/nginx.conf
index 0476125..efe2eea 100644
--- a/web/nginx.conf
+++ b/web/nginx.conf
@@ -14,6 +14,8 @@ http {
 
 	sendfile on;
 
+	index index.php;
+
 	upstream app {
 		server app:9000;
 	}
@@ -22,14 +24,9 @@ http {
 		listen 80;
 		root /var/www/html;
 
-		location / {
-			try_files $uri $uri =404;
-		}
-
 		location /tt-rss/cache {
 			aio threads;
 			internal;
-			access_log /var/log/nginx/fakecake_debug.log;
 		}
 
 		location ~ \.php$ {
@@ -49,5 +46,10 @@ http {
 
 			fastcgi_pass app;
 		}
+
+		location / {
+			try_files $uri $uri/ =404;
+		}
+
 	}
 }