diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index d95e067328d943ac5c0d94eb651f108b3bfdb1b0..54d6d5ae87729a3fc42095cada1de572d4f99845 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -11,6 +11,7 @@ - [Concepts](concepts/README.md) - [GitOps](concepts/gitops.md) - [SRE](concepts/sre.md) + - [Ingress Termination](concepts/ingress-termination.md) - [Infrastructure Components](components/README.md) - [calico](components/calico.md) - [cert-manager](components/cert-manager.md) diff --git a/docs/src/concepts/images/ingress-termination-proxy-protocol.excalidraw.png b/docs/src/concepts/images/ingress-termination-proxy-protocol.excalidraw.png new file mode 100644 index 0000000000000000000000000000000000000000..6bb830db490e169cec5db7f88093a50f23d1cd29 Binary files /dev/null and b/docs/src/concepts/images/ingress-termination-proxy-protocol.excalidraw.png differ diff --git a/docs/src/concepts/images/ingress-termination-rewrite.excalidraw.png b/docs/src/concepts/images/ingress-termination-rewrite.excalidraw.png new file mode 100644 index 0000000000000000000000000000000000000000..0994015a51e6a568b60f078a959fb336ff7c1296 Binary files /dev/null and b/docs/src/concepts/images/ingress-termination-rewrite.excalidraw.png differ diff --git a/docs/src/concepts/ingress-termination.md b/docs/src/concepts/ingress-termination.md new file mode 100644 index 0000000000000000000000000000000000000000..36b033cdebb37450e580e59499cabbcfa47afac6 --- /dev/null +++ b/docs/src/concepts/ingress-termination.md 
@@ -0,0 +1,27 @@ +# Ingress Termination + +The Shivering-Isles Infrastructure, given it's a local-first infrastructure has challenges in order to optimise traffic flow for local devices, without breaking external access. + +## TCP Forwarding + +A intentional design decision was to avoid split DNS. Given that all DNS is hosted on Cloudflare with full DNSSEC integration, as well as running devices with active DoT always connecting external DNS Server, made split-DNS a bad implementation. + +At the same time, a simple rerouting of all traffic to the external IP would also be problementatic, as it would require either a dedicated IP address or complex source-based routing in order to only route traffic for client networks while allowing VPN traffic to continue to flow to the VPS. + +The solution most elegant solution found was to reroute traffic on TCP level. Allow high volume traffic on port 443 to be rerouted using a firewall rule, while keeping the remote IP identical and not touching any VPN or SSH traffic in the process. + +A request for the same website looks like this: + + + +In both cases the connections are terminated on the Kubernetes Cluster. The external user reaches the VPS and is then rerouted over VPN. The local user is rerouted before the connection reaches the internet, resulting in keeping all traffic locally. + +Since only TCP connections are forward at any point all TLS termination takes place on the Kubernetes cluster regardless. + +## Keeping IP addresses + +On the VPS, the TCP connection is handled by an HAProxy instance that speaks proxy-protocol with the Kubernetes ingress service. + +On the Unifi Dream Machine it's a simple iptables rule, which redirects the traffic. In order to also use proxy-protocol with the ingress service, it's actually redirected to an HAProxy running in the Kubernetes cluster besides the ingress-nginx. 
This is mainly due to the limitation in ingress-nginx that doesn't allow mixed proxy-protocol and non-proxy-protocol ports without using custom config templates. + + \ No newline at end of file
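Review bot: The new page docs/src/concepts/ingress-termination.md has several wording defects that should be fixed before merge: "given it's a local-first infrastructure" should read "given it is" (or "given that it is"), "A intentional design decision" should be "An intentional design decision", "problementatic" should be "problematic", "The solution most elegant solution found" duplicates "solution" and should be "The most elegant solution found", and "only TCP connections are forward" should be "forwarded". The file also ends without a trailing newline ("\ No newline at end of file"), which most markdown linters flag.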
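Review bot: The two new images (docs/src/concepts/images/ingress-termination-proxy-protocol.excalidraw.png and ingress-termination-rewrite.excalidraw.png) do not appear to be referenced anywhere in the visible lines of ingress-termination.md; the text "A request for the same website looks like this:" is followed only by empty lines. Either the image embeds were lost from the diff or they were never added, so please confirm the page actually renders both diagrams, otherwise the binary files are dead weight in the repository.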
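Review bot: The "Keeping IP addresses" section describes the VPS HAProxy and an in-cluster HAProxy both speaking proxy-protocol to the ingress service, but it does not state that the proxy-protocol listener must only be reachable from those two HAProxy sources. PROXY protocol headers carry the client address as a claim, so any client able to connect to that listener directly can present an arbitrary source IP; the doc should record how that listener is restricted (firewall rule, NetworkPolicy or HAProxy-only exposure) so readers do not reproduce the setup without that guard. It would also help to link the ingress-nginx limitation on mixed proxy-protocol and non-proxy-protocol ports to the upstream issue or documentation that describes it, since the current sentence asserts it without a reference.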