diff --git a/config/tf_modules/k8s-base/ingress_nginx.tf b/config/tf_modules/k8s-base/ingress_nginx.tf
index cffe39300..d810b56f6 100644
--- a/config/tf_modules/k8s-base/ingress_nginx.tf
+++ b/config/tf_modules/k8s-base/ingress_nginx.tf
@@ -1,3 +1,4 @@
+// NOTE: following this solution for http -> https redirect: https://github.com/kubernetes/ingress-nginx/issues/2724#issuecomment-593769295
 resource "helm_release" "ingress-nginx" {
   chart = "ingress-nginx"
   name = "ingress-nginx"
@@ -9,9 +10,7 @@ resource "helm_release" "ingress-nginx" {
   values = [
     yamlencode({
       controller: {
-        config: {
-          "use-proxy-protocol": false  # TODO: set this to true and figure out how to play nicely w/ NLB
-        }
+        config: local.config
         podAnnotations: {
           "linkerd.io/inject": "enabled"
         }
@@ -56,12 +55,14 @@ resource "helm_release" "ingress-nginx" {
             ]
           }
         }
+        containerPort: local.container_ports
         service: {
           loadBalancerSourceRanges: ["0.0.0.0/0"]
           externalTrafficPolicy: "Local"
           enableHttps: var.cert_arn == "" ? false : true
           targetPorts: local.target_ports
           annotations: {
+            "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "tcp"
             "service.beta.kubernetes.io/aws-load-balancer-type": "nlb"
             "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": var.cert_arn == "" ? "" : "https"
             "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": var.cert_arn
diff --git a/config/tf_modules/k8s-base/variables.tf b/config/tf_modules/k8s-base/variables.tf
index b7a4dbd61..ec2e05ae9 100644
--- a/config/tf_modules/k8s-base/variables.tf
+++ b/config/tf_modules/k8s-base/variables.tf
@@ -1,5 +1,15 @@
 locals {
-  target_ports = var.cert_arn == "" ? { http: "http" } : { http: "http", https: "http" }
+  target_ports = var.cert_arn == "" ? { http: "http" } : { http: "http", https: "special" }
+  container_ports = var.cert_arn == "" ? { http: 80, https: 443 } : { http: 80, https: 443, special: 8000 }
+  config = var.cert_arn == "" ? { ssl-redirect: false } : {
+    ssl-redirect: false
+    server-snippet: <<EOF
+          listen 8000;
+          if ( $server_port = 80 ) {
+             return 308 https://$host$request_uri;
+          }
+          EOF
+  }
 }
 
 data "aws_eks_cluster" "main" {
diff --git a/opta/cli.py b/opta/cli.py
index ad2aaa72a..969b2199b 100755
--- a/opta/cli.py
+++ b/opta/cli.py
@@ -165,7 +165,7 @@ def _cleanup() -> None:
             logger.error(e.stderr.decode("utf-8"))
         sys.exit(1)
     except UserErrors as e:
-        logger.debug(e)
+        logger.error(e)
         sys.exit(1)
     except Exception as e:
         logger.exception(e)