diff --git a/cmd/security-bootstrapper/entrypoint-scripts/nginx_wait_install.sh b/cmd/security-bootstrapper/entrypoint-scripts/nginx_wait_install.sh
index befde35f45..d588e9e3ed 100755
--- a/cmd/security-bootstrapper/entrypoint-scripts/nginx_wait_install.sh
+++ b/cmd/security-bootstrapper/entrypoint-scripts/nginx_wait_install.sh
@@ -32,6 +32,11 @@ echo "$(date) Executing waitFor with waiting on tcp://${STAGEGATE_BOOTSTRAPPER_H
 
 echo "$(date) Generating default config ..."
 
+# Ensure this file exists since reference below; proxy-setup will regenerate it
+touch /etc/nginx/templates/generated-routes.inc.template
+
+# This file can be modified by the user; deleted when docker volumes are pruned;
+# but preserved across start/up and stop/down actions
 if test -f /etc/nginx/templates/edgex-custom-rewrites.inc.template; then
   echo "Using existing custom-rewrites."
 else
@@ -197,6 +202,7 @@ server {
       proxy_set_header   Host $host;
     }
 
+    include /etc/nginx/conf.d/generated-routes.inc;
     include /etc/nginx/conf.d/edgex-custom-rewrites.inc;
 
 }
diff --git a/cmd/security-proxy-setup/entrypoint.sh b/cmd/security-proxy-setup/entrypoint.sh
index 7df83c838e..5d9a2e2b35 100644
--- a/cmd/security-proxy-setup/entrypoint.sh
+++ b/cmd/security-proxy-setup/entrypoint.sh
@@ -29,7 +29,7 @@ certfile=nginx.crt
 
 # Check for default TLS certificate for reverse proxy, create if missing
 # Normally we would run the below command in the nginx container itself,
-# but nginx:alpine-slim does not container openssl, thus run it here instead.
+# but nginx:alpine-slim does not include openssl, thus run it here instead.
 if test -d /etc/ssl/nginx ; then
     cd /etc/ssl/nginx
     if test ! -f "${keyfile}" ; then
@@ -44,6 +44,39 @@ if test -d /etc/ssl/nginx ; then
     fi
 fi
 
+#
+# Generate custom forwarders based on ADD_PROXY_ROUTE
+#
+
+# Truncate the template file before we start appending
+: >/etc/nginx/templates/generated-routes.inc.template
+
+IFS=', '
+for service in ${ADD_PROXY_ROUTE}; do
+	prefix=$(echo -n "${service}" | sed -n -e 's/\([-0-9a-zA-Z]*\)\..*/\1/p')
+	host=$(echo -n "${service}" | sed -n -e 's/.*\/\/\([-0-9a-zA-Z]*\):.*/\1/p')
+	port=$(echo -n "${service}" | sed -n -e 's/.*:\(\d*\)/\1/p')
+	varname=$(echo -n "${prefix}" | tr '-' '_')
+	echo $service $prefix $host $port
+  cat >> /etc/nginx/templates/generated-routes.inc.template <<EOH
+
+set \$upstream_$varname $host;
+location /$prefix {
+  rewrite            /$prefix/(.*) /\$1 break;
+  resolver           127.0.0.11 valid=30s;
+  proxy_pass         http://\$upstream_$varname:$port;
+  proxy_redirect     off;
+  proxy_set_header   Host \$host;
+  auth_request       /auth;
+  auth_request_set   \$auth_status \$upstream_status;
+}
+EOH
+
+done
+unset IFS
+
+
+
 # Hang the container now that initialization is done.
 cd /
 exec su nobody -s /bin/sh -c "exec tail -f /dev/null"