diff --git a/base/rootfs/etc/cont-init.d/00-load-secrets.sh b/base/rootfs/etc/cont-init.d/00-load-secrets.sh
new file mode 100644
index 00000000..efe3245c
--- /dev/null
+++ b/base/rootfs/etc/cont-init.d/00-load-secrets.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/with-contenv bash
+set -e
+
+# Read any secret files specified in environment variables.
+echo "$(env | grep '=secret:')" | while read line
+do
+ # Skip empty lines
+ [[ -z $line ]] && continue
+
+ # Hack out the path to the secret.
+ environment_variable=$(echo $line | cut -d= -f1)
+ secret=$(echo $line | cut -d= -f2 | cut -d: -f2)
+
+ # Load the secret's value into the environment variable
+ if [ -f ${secret} ]; then
+ s6-env -i ${environment_variable}="$(cat ${secret})" s6-dumpenv -- /var/run/s6/container_environment
+ fi
+done
diff --git a/crayfish/Dockerfile b/crayfish/Dockerfile
index 1e69bfe7..b568b30c 100644
--- a/crayfish/Dockerfile
+++ b/crayfish/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:experimental
 FROM local/nginx:latest
-ARG COMMIT=1.1.1
+ARG COMMIT=85a8206a9ed1db302fdeb123f9d5391ef8aae001
 RUN --mount=id=downloads,type=cache,target=/opt/downloads \
 DOWNLOAD_CACHE_DIRECTORY="/opt/downloads" && \
diff --git a/crayfits/Dockerfile b/crayfits/Dockerfile
index 87ed82be..aea122b3 100644
--- a/crayfits/Dockerfile
+++ b/crayfits/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:experimental
 FROM local/nginx:latest
-ARG COMMIT=4e0faeb31f84e74e7cecc083b2f096d55e425fbb
+ARG COMMIT=6e95f2f325c910b254a2b7bd1cedf25b17874d30
 RUN --mount=type=cache,target=/root/.composer/cache \
 --mount=id=downloads,type=cache,target=/opt/downloads \
diff --git a/demo/Dockerfile b/demo/Dockerfile
index 0fc62ab9..70f36f6d 100644
--- a/demo/Dockerfile
+++ b/demo/Dockerfile
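Review bot: A variable whose `secret:` file is missing is silently left holding the literal `secret:/path` string, because the `if [ -f ${secret} ]` branch has no else — the service then starts with that string as its password or token instead of failing at init. The parsing is also fragile: `grep '=secret:'` matches the marker anywhere in a value, `read` without `-r` plus unquoted `$line`/`${secret}` mangle backslashes and spaces, and `cut -d: -f2` truncates a path containing a colon. Note too that the secret value is passed to `s6-env` as an argv element, so it is briefly visible in `/proc/*/cmdline` to other processes in the container, and s6-dumpenv then stores it as a plain file under `/var/run/s6/container_environment`, so that directory's permissions are what actually protects it. I would fail the init step on a missing file, anchor the match to the variable name, and use parameter expansion instead of echo|cut:
```shell
# Read any secret files specified in environment variables.
# Format: VAR=secret:/path/to/file
while IFS= read -r line; do
  [[ -z "$line" ]] && continue
  environment_variable=${line%%=*}
  secret=${line#*=secret:}
  if [[ ! -f "$secret" ]]; then
    # Fail loudly: otherwise the literal "secret:/path" string would be used as the value.
    echo "00-load-secrets: ${environment_variable} points at missing secret file '${secret}'" >&2
    exit 1
  fi
  s6-env -i "${environment_variable}=$(cat "$secret")" s6-dumpenv -- /var/run/s6/container_environment
done < <(env | grep '^[A-Za-z_][A-Za-z0-9_]*=secret:')
```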
@@ -5,7 +5,7 @@ FROM local/nginx:latest as composer
 RUN --mount=type=cache,target=/root/.composer/cache \
 --mount=id=downloads,type=cache,target=/opt/downloads \
 DOWNLOAD_CACHE_DIRECTORY="/opt/downloads" && \
- composer create-project islandora/drupal-project:8.8.1 \
+ composer create-project drupal/recommended-project:^8.9 \
 --prefer-dist \
 --no-interaction \
 --stability stable \
@@ -16,7 +16,6 @@ RUN --mount=type=cache,target=/root/.composer/cache \
 cd /var/www/drupal && \
 composer require --update-no-dev -- \
 drupal/admin_toolbar:^2.0 \
- drupal/console:~1.0 \
 drupal/content_browser:^1.0@alpha \
 drupal/devel:^2.0 \
 drupal/facets:^1.3 \
@@ -27,11 +26,11 @@ RUN --mount=type=cache,target=/root/.composer/cache \
 drupal/restui:^1.16 \
 drupal/search_api_solr:^3.8 \
 drupal/transliterate_filenames:^1.3 \
- drush/drush:^9.7.1 \
- islandora-rdm/islandora_fits:dev-master \
+ drush/drush:^10.3 \
+ islandora-rdm/islandora_fits:dev-8.x-1.x \
 islandora/carapace:dev-8.x-3.x \
 islandora/islandora_defaults:dev-8.x-1.x \
- zaporylie/composer-drupal-optimizations:^1.0 \
+ zaporylie/composer-drupal-optimizations:^1.1 \
 && \
 mkdir -p /var/www/drupal/web/libraries && \
 MASONRY_VERSION="3.3.2" && \
diff --git a/drupal/rootfs/etc/confd/templates/setup-environment.sh.tmpl b/drupal/rootfs/etc/confd/templates/setup-environment.sh.tmpl
index 486e6834..48f3aab7 100644
--- a/drupal/rootfs/etc/confd/templates/setup-environment.sh.tmpl
+++ b/drupal/rootfs/etc/confd/templates/setup-environment.sh.tmpl
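Review bot: The new `islandora-rdm/islandora_fits:dev-8.x-1.x` requirement, like the neighbouring `islandora/carapace:dev-8.x-3.x` and `islandora/islandora_defaults:dev-8.x-1.x`, resolves to whatever that branch head is at build time, so two builds of this image can ship different code and an upstream force-push or compromised commit lands here without any change to this file. If the demo image has no committed `composer.lock` pinning these (none is visible in this diff), pin them to a tag or to a commit, e.g. `islandora-rdm/islandora_fits:dev-8.x-1.x#<sha>`. The `RUN` instruction this line belongs to starts and ends outside the hunk.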
@@ -2,8 +2,22 @@
 # -*- mode: sh -*-
 # vi: set ft=sh:
 with-contenv
+# If traefik is not found allow any IP address.
+backtick -D 0.0.0.0 -n TRAEFIK_IP {
+ redirfd -w 2 /dev/null
+ backtick -i -n CAPTURE {
+ getent hosts traefik
+ }
+ importas CAPTURE CAPTURE
+ pipeline {
+ echo ${CAPTURE}
+ }
+ awk "{ print $1 }"
+}
 multisubstitute {
+ # Non-site specific variables
+ importas REVERSE_PROXY_IPS TRAEFIK_IP
 # Default settings to apply if none given.
 define ACCOUNT_EMAIL "webmaster@localhost.com"
 define ACCOUNT_NAME "admin"
@@ -49,6 +63,9 @@ foreground {
 # environment as seen by linked containers.
 # Variables can only be seen when using '#!/usr/bin/with-contenv'
 s6-env -i
+ # Non-site specific variables.
+ DRUPAL_REVERSE_PROXY_IPS="{{ getv "/reverse/proxy/ips" "${REVERSE_PROXY_IPS}" }}"
+ # Default site.
 DRUPAL_DEFAULT_ACCOUNT_EMAIL="{{ getv "/default/account/email" "${ACCOUNT_EMAIL}" }}"
 DRUPAL_DEFAULT_ACCOUNT_NAME="{{ getv "/default/account/name" "${ACCOUNT_NAME}" }}"
 DRUPAL_DEFAULT_ACCOUNT_PASSWORD="{{ getv "/default/account/password" "${ACCOUNT_PASSWORD}" }}"
diff --git a/drupal/rootfs/etc/islandora/utilities.sh b/drupal/rootfs/etc/islandora/utilities.sh
index d788fab8..9cde5e31 100755
--- a/drupal/rootfs/etc/islandora/utilities.sh
+++ b/drupal/rootfs/etc/islandora/utilities.sh
@@ -321,6 +321,7 @@ function update_settings_php {
 drush -l "${site_url}" islandora:settings:create-settings-if-missing
 drush -l "${site_url}" islandora:settings:set-hash-salt "${salt}"
 drush -l "${site_url}" islandora:settings:set-flystem-fedora-url "${fedora_url}"
+ drush -l "${site_url}" islandora:settings:set-reverse-proxy "${DRUPAL_REVERSE_PROXY_IPS}"
 drush -l "${site_url}" islandora:settings:set-database-settings \
 "${db_name}" \
 "${user}" \
diff --git a/drupal/rootfs/usr/local/bin/drush b/drupal/rootfs/usr/local/bin/drush
index 8598f6ae..28ee536f 100755
--- a/drupal/rootfs/usr/local/bin/drush
+++ b/drupal/rootfs/usr/local/bin/drush
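Review bot: The `-D 0.0.0.0` default in `backtick -D 0.0.0.0 -n TRAEFIK_IP {` does not do what the comment above it says, and what it is trying to do is itself unsafe: this value ends up in Drupal's `reverse_proxy_addresses`, which is handed to Symfony's trusted-proxy check, where a bare `0.0.0.0` is (as far as I can tell) an exact-match address rather than a wildcard, and making it a real wildcard (`0.0.0.0/0`) would let any client that reaches the container directly forge `X-Forwarded-For`/`X-Forwarded-Host` and so spoof its IP for flood control and poison generated URLs. The safer fallback when `getent hosts traefik` fails is to trust no proxy at all: `backtick -D "" -n TRAEFIK_IP {` under the comment `# If traefik cannot be resolved, trust no reverse proxy (empty list).`, with the drush command leaving `reverse_proxy` disabled for an empty list. Also note that the hostname is resolved once at container start, so if traefik's address later changes the trusted list is stale until restart — not spoofable, but every request then appears to come from the proxy's new address.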
@@ -4,4 +4,11 @@ set -e
 # Ensures drush runs as the correct user, and does not run out of memory.
 # Takes precedence due to order of $PATH. Preferred to an alias as it will apply
 # regardless of which shell is used or how it is started (login, interactive, etc)
-s6-setuidgid nginx php -d memory_limit=-1 /usr/bin/drush "${@}"
+if test $(id -u) -eq 0; then
+ # If root run as nginx.
+ s6-setuidgid nginx php -d memory_limit=-1 /usr/bin/drush "${@}"
+else
+ # If non-root user, then run as current user
+ # as we do not have permissions to switch user.
+ php -d memory_limit=-1 /usr/bin/drush "${@}"
+fi
diff --git a/drupal/rootfs/usr/share/drush/Commands/UpdateSettingsCommands.php b/drupal/rootfs/usr/share/drush/Commands/UpdateSettingsCommands.php
index 1b4acbe5..93442ba6 100644
--- a/drupal/rootfs/usr/share/drush/Commands/UpdateSettingsCommands.php
+++ b/drupal/rootfs/usr/share/drush/Commands/UpdateSettingsCommands.php
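Review bot: `if test $(id -u) -eq 0; then` leaves the command substitution unquoted; harmless for a numeric uid, but if `id` ever fails the test degenerates to `test -eq 0` and produces a confusing error under `set -e`, so the idiomatic form is `if [ "$(id -u)" -eq 0 ]; then`. The non-root branch comment could also record the consequence that files drush writes (cache, config exports) are then owned by the invoking user rather than `nginx`, which may be intended but is worth stating, e.g. `# Files drush creates will be owned by this user, not nginx.`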
@@ -175,6 +175,32 @@ public function setTrustedHostPatterns($patterns)
 $this->writeSettings($settings);
 }
+ /**
+ * Set `reverse_proxy` in settings.php
+ *
+ * @command islandora:settings:set-reverse-proxy
+ * @bootstrap site
+ * @param $reverse_proxy_ips List of comma separated ip adresses for the reverse proxy.
+ * @usage drush islandora:settings:set-reverse-proxy
+ * Sets `reverse_proxy` in settings.php.
+ * Be aware that shell escaping can have an affect on the arguments.
+ */
+ public function setReverseProxySettings($reverse_proxy_ips) {
+ $settings['settings']['reverse_proxy'] = (object) [
+ 'value' => TRUE,
+ 'required' => TRUE,
+ ];
+ $settings['settings']['reverse_proxy_addresses'] = (object) [
+ 'value' => explode(',', $reverse_proxy_ips),
+ 'required' => TRUE,
+ ];
+ $settings['settings']['reverse_proxy_trusted_headers'] = (object) [
+ 'value' => \Symfony\Component\HttpFoundation\Request::HEADER_X_FORWARDED_ALL | \Symfony\Component\HttpFoundation\Request::HEADER_FORWARDED,
+ 'required' => TRUE,
+ ];
+ $this->writeSettings($settings);
+ }
+
 /**
 * Determine which settings file to update.
 */
diff --git a/fcrepo/rootfs/etc/confd/templates/setup-environment.sh.tmpl b/fcrepo/rootfs/etc/confd/templates/setup-environment.sh.tmpl
index 96a3e781..8af54b04 100644
--- a/fcrepo/rootfs/etc/confd/templates/setup-environment.sh.tmpl
+++ b/fcrepo/rootfs/etc/confd/templates/setup-environment.sh.tmpl
@@ -14,7 +14,7 @@ foreground {
 FCREPO_DB_NAME="{{ getv "/db/name" "fcrepo" }}"
 FCREPO_DB_PASSWORD="{{ getv "/db/password" "password" }}"
 FCREPO_DB_PORT="{{ getv "/db/port" "3306" }}"
- FCREPO_DB_ROOT_PASSWORD="{{ getv "/db/root/password" "passwod" }}"
+ FCREPO_DB_ROOT_PASSWORD="{{ getv "/db/root/password" "password" }}"
 FCREPO_DB_ROOT_USER="{{ getv "/db/root/user" "root" }}"
 FCREPO_DB_USER="{{ getv "/db/user" "fcrepo" }}"
 FCREPO_PERSISTENCE_TYPE="{{ getv "/persistence/type" "file" }}"
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index b395d84d..8759e599 100644
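Review bot: `setReverseProxySettings()` unconditionally writes `reverse_proxy => TRUE` and stores `explode(',', $reverse_proxy_ips)` with no trimming or empty-entry filtering, so an empty argument (what the caller passes when `DRUPAL_REVERSE_PROXY_IPS` is unset) yields `['']`, the shell-side `0.0.0.0` fallback yields an address Symfony will not treat as a wildcard, and `10.0.0.1, 10.0.0.2` yields `' 10.0.0.2'` — in every case proxy trust is switched on for a list that does not describe the real proxy. Trusting `HEADER_X_FORWARDED_ALL | HEADER_FORWARDED` is also broader than needed: it includes `X-Forwarded-Host`, so if the proxy forwards that header from clients unchanged a client controls the host Drupal generates links with (password-reset URLs, cache keys); trust only the headers traefik is known to set or overwrite, and as I recall Symfony rejects a request carrying both `Forwarded` and `X-Forwarded-*` with differing values when both are trusted. I would normalise the list and enable `reverse_proxy` only when it is non-empty, leaving the trusted-headers block to be narrowed once the proxy's behaviour is confirmed:
```php
  public function setReverseProxySettings($reverse_proxy_ips) {
    // Normalise "a, b,,c" into ['a', 'b', 'c']; an empty list means no proxy is trusted.
    $addresses = array_values(array_filter(array_map('trim', explode(',', (string) $reverse_proxy_ips)), 'strlen'));
    $settings['settings']['reverse_proxy'] = (object) [
      'value' => !empty($addresses),
      'required' => TRUE,
    ];
    $settings['settings']['reverse_proxy_addresses'] = (object) [
      'value' => $addresses,
      'required' => TRUE,
    ];
    // … unchanged: reverse_proxy_trusted_headers and writeSettings() …
  }
```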
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -4,19 +4,24 @@ FROM local/base:latest
 RUN --mount=type=cache,target=/var/cache/apk \
 --mount=type=cache,target=/etc/cache/apk \
 apk-install.sh \
- composer \
 nginx \
+ php7 \
 php7-ctype \
 php7-curl \
 php7-dom \
 php7-fileinfo \
 php7-fpm \
 php7-gd \
+ php7-iconv \
+ php7-json \
+ php7-mbstring \
+ php7-mysqli \
 php7-opcache \
+ php7-openssl \
 php7-pdo \
 php7-pdo_mysql \
 php7-pdo_pgsql \
- php7-mysqli \
+ php7-phar \
 php7-session \
 php7-simplexml \
 php7-tokenizer \
@@ -26,4 +31,15 @@ RUN --mount=type=cache,target=/var/cache/apk \
 && \
 cleanup.sh
+# https://getcomposer.org/download/
+RUN --mount=id=downloads,type=cache,target=/opt/downloads \
+ DOWNLOAD_CACHE_DIRECTORY="/opt/downloads" && \
+ COMPOSER_VERSION="2.0.4" && \
+ COMPOSER_FILE="composer.phar" && \
+ COMPOSER_URL="https://getcomposer.org/download/${COMPOSER_VERSION}/${COMPOSER_FILE}" && \
+ COMPOSER_SHA256="c3b2bc477429c923c69f7f9b137e06b2a93c6a1e192d40ffad1741ee5d54760d" && \
+ download.sh --url "${COMPOSER_URL}" --sha256 "${COMPOSER_SHA256}" "${DOWNLOAD_CACHE_DIRECTORY}" && \
+ cp "${DOWNLOAD_CACHE_DIRECTORY}/${COMPOSER_FILE}" /usr/bin/composer && \
+ chmod a+x /usr/bin/composer
+
 COPY rootfs /
diff --git a/nginx/rootfs/etc/confd/templates/php-fpm.conf.tmpl b/nginx/rootfs/etc/confd/templates/php-fpm.conf.tmpl
index ab149386..bd19a303 100644
--- a/nginx/rootfs/etc/confd/templates/php-fpm.conf.tmpl
+++ b/nginx/rootfs/etc/confd/templates/php-fpm.conf.tmpl
@@ -14,7 +14,7 @@
 ; Pid file
 ; Note: the default prefix is /var
 ; Default Value: none
-pid = run/php-fpm7.pid
+;pid = run/php-fpm7.pid
 ; Error log file
 ; If it's set to "syslog", log is sent to syslogd instead of being written
diff --git a/nginx/rootfs/etc/confd/templates/www.conf.tmpl b/nginx/rootfs/etc/confd/templates/www.conf.tmpl
index 751aaaf4..4eacf01c 100644
--- a/nginx/rootfs/etc/confd/templates/www.conf.tmpl
+++ b/nginx/rootfs/etc/confd/templates/www.conf.tmpl
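Review bot: The composer download is pinned to `COMPOSER_VERSION="2.0.4"` with a SHA-256, which is the right shape, but whether the pin is actually enforced depends on `download.sh` aborting the build on a mismatch rather than just logging it — that script is not in this diff, so confirm it and say so at the call site: `# Pinned release; download.sh must fail the build on a SHA-256 mismatch.` Composer also publishes a detached signature for each phar; checking it in addition to the hash would guard against a tampered hash being committed alongside a tampered binary, which a hash alone cannot.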
@@ -33,7 +33,7 @@ group = nginx
 ; (IPv6 and IPv4-mapped) on a specific port;
 ; '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = /var/run/php-fpm7/php-fpm7.sock
+listen = php-fpm7.sock
 ; Set listen(2) backlog.
 ; Default Value: 511 (-1 on FreeBSD and OpenBSD)
diff --git a/nginx/rootfs/etc/services.d/fpm/run b/nginx/rootfs/etc/services.d/fpm/run
index 3d5b066c..a3805cfa 100644
--- a/nginx/rootfs/etc/services.d/fpm/run
+++ b/nginx/rootfs/etc/services.d/fpm/run
@@ -1,4 +1,4 @@
 #!/usr/bin/execlineb -P
 # -*- mode: sh -*-
 # vi: set ft=sh:
-/usr/sbin/php-fpm7
+/usr/sbin/php-fpm7 --pid /var/run/php-fpm7/php-fpm7.pid --prefix /var/run/php-fpm7 --fpm-config /etc/php7/php-fpm.conf
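Review bot: `listen = php-fpm7.sock` is now relative and resolves against php-fpm's `--prefix`, which only lands in `/var/run/php-fpm7/` because `services.d/fpm/run` in this same commit passes `--prefix /var/run/php-fpm7`; start php-fpm7 any other way, or change the run script, and the socket silently moves under the built-in default prefix (noted as `/var` in php-fpm.conf.tmpl) where nginx will not find it. Record the coupling next to the value: `; Relative to the --prefix set in /etc/services.d/fpm/run (/var/run/php-fpm7).` The socket's `listen.owner`/`listen.group`/`listen.mode` lie outside this hunk, so I cannot see whether the socket is restricted to the nginx user; worth checking, since any local process able to connect to it can execute PHP as the pool user.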