diff --git a/go-services/nginx/go-location.conf b/go-services/nginx/go-location.conf
new file mode 100644
index 00000000..eec52819
--- /dev/null
+++ b/go-services/nginx/go-location.conf
@@ -0,0 +1,41 @@
+# Parallel-run nginx wiring for the Go tracker (dereth-tracker-go, 127.0.0.1:8770).
+#
+# Deploying needs root (the agent cannot sudo). Apply on the host:
+#
+# 1) Add the upstream to the http{} block of /etc/nginx/nginx.conf, next to the
+# existing `tracker` and `grafana` upstreams (around line 55):
+#
+# upstream tracker_go { server 127.0.0.1:8770; }
+#
+# 2) Insert the `location /go/` block below into the server{} block of
+# /etc/nginx/sites-enabled/overlord (anywhere in server{}; nginx matches the
+# longer /go/ prefix before /, so order doesn't matter). Mirror it into the
+# repo copy nginx/overlord.conf too — but note the live file has DRIFTED from
+# the repo copy, so reconcile by hand rather than cp-overwriting.
+#
+# 3) sudo nginx -t && sudo nginx -s reload
+#
+# After reload:
+# https://overlord.snakedesert.se/go/health -> 200 (public)
+# https://overlord.snakedesert.se/go/api-version -> 200 (logged-in) / 401 (no cookie)
+# https://overlord.snakedesert.se/go/live -> matches /live (same login cookie)
+#
+# The Go service is auth-gated identically to Python (session cookie + internal
+# trust), and X-Forwarded-For below is REQUIRED — without it the Go service would
+# treat all internet traffic as internal-trust and skip auth (security invariant).
+
+location /go/ {
+ proxy_pass http://tracker_go/; # trailing slash strips the /go/ prefix
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # REQUIRED — security invariant
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_cache_bypass $http_upgrade;
+ # Go will serve long-lived browser WebSockets in a later phase; match the
+ # /websocket/ and / blocks so idle sockets aren't cut at nginx's default 60s.
+ proxy_read_timeout 1d;
+ proxy_send_timeout 1d;
+}
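Review bot: `$proxy_add_x_forwarded_for` on the X-Forwarded-For line appends `$remote_addr` to whatever X-Forwarded-For the client already sent, so the Go service receives a client-supplied value followed by the real address, and since the header comment makes this header the internal-trust/auth invariant, that is only sound if the service takes the rightmost (nginx-appended) entry or ignores this header in favour of X-Real-IP, which this block overwrites with `$remote_addr` and which a client therefore cannot influence. I can't see the Go side from this hunk; if it reads the leftmost address, set the header from the edge instead, `proxy_set_header X-Forwarded-For $remote_addr;`, or point the internal-trust check at X-Real-IP, and record which entry is trusted in the "REQUIRED — security invariant" comment so the next edit to either side keeps them aligned. Separately, `proxy_set_header Connection "upgrade";` is sent on every proxied request, not only on WebSocket upgrades; the usual shape is `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http{} block (next to the `tracker_go` upstream the header asks for) and `proxy_set_header Connection $connection_upgrade;` here, so plain HTTP requests stop carrying a spurious Connection: upgrade to the upstream.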