diff --git a/certidude/templates/certidude-server.conf b/certidude/templates/certidude-server.conf
index 45ea78e..7a63095 100644
--- a/certidude/templates/certidude-server.conf
+++ b/certidude/templates/certidude-server.conf
@@ -87,15 +87,20 @@ renewal allowed = false
 ;renewal allowed = true
 
 [push]
+# This should occasionally be regenerated
 event source token = {{ push_token }}
-event source subscribe =
-;event source subscribe = {{ push_server }}/ev/sub/%s
-event source publish =
-;event source publish = {{ push_server }}/ev/pub/%s
-long poll subscribe =
-;long poll subscribe = {{ push_server }}/lp/sub/%s
-long poll publish =
-;long poll publish = {{ push_server }}/lp/pub/%s
+
+# For local nchan
+event source publish = http://localhost/ev/pub/%s
+long poll publish = http://localhost/lp/pub/%s
+event source subscribe = /ev/sub/%s
+long poll subscribe = /lp/sub/%s
+
+# For remote nchan
+;event source publish = //push.example.com/ev/pub/%s
+;long poll publish = http://push.example.com/lp/pub/%s
+;event source subscribe = //push.example.com/ev/sub/%s
+;long poll subscribe = http://push.example.com/lp/sub/%s
 
 [authority]
 # Present form for CSR submission for logged in users
diff --git a/certidude/templates/nginx.conf b/certidude/templates/nginx.conf
index 7c97df1..54224ab 100644
--- a/certidude/templates/nginx.conf
+++ b/certidude/templates/nginx.conf
@@ -41,19 +41,6 @@ server {
 {% if not push_server %}
     # This only works with nchan, for Debian 9 just apt install libnginx-mod-nchan
     # For Ubuntu and older Debian releases install nchan from https://nchan.io/
-    location ~ "^/lp/pub/(.*)" {
-        allow 127.0.0.1;
-        nchan_publisher;
-        nchan_channel_id $1;
-        nchan_message_buffer_length 0;
-    }
-
-    location ~ "^/ev/pub/(.*)" {
-        allow 127.0.0.1;
-        nchan_publisher;
-        nchan_channel_id $1;
-        nchan_message_buffer_length 0;
-    }
 
     location ~ "^/lp/sub/(.*)" {
         nchan_channel_id $1;
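Review bot: The remote publish example `;event source publish = //push.example.com/ev/pub/%s` is scheme-relative while its long-poll counterpart two lines below uses `http://`; a scheme-relative URL only resolves inside a browser, and if the publish URLs are fetched by the server process (as the `http://localhost` local examples suggest) it cannot be used as written. Give both an explicit scheme, preferably TLS: `;event source publish = https://push.example.com/ev/pub/%s` and `;long poll publish = https://push.example.com/lp/pub/%s`. The remote variant also points the publisher endpoints at a host where the loopback-only restriction from the nginx template does not apply, so the section comment should say that a remote nchan publisher must be access-restricted separately, e.g. `# For remote nchan (publisher URLs must be reachable only from this server)`. The new `# This should occasionally be regenerated` note on the token does not say how; naming the regeneration step would make it actionable.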
@@ -68,3 +55,23 @@ server { } +{% if not push_server %} +server { + # Allow publishing only from localhost to prevent abuse + server_name localhost; + listen 127.0.0.1:80; + + location ~ "^/lp/pub/(.*)" { + nchan_publisher; + nchan_channel_id $1; + nchan_message_buffer_length 0; + } + + location ~ "^/ev/pub/(.*)" { + nchan_publisher; + nchan_channel_id $1; + nchan_message_buffer_length 0; + } +} +{% endif %} +
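Review bot: The two publisher locations in the new `server` block drop the `allow 127.0.0.1;` the removed blocks carried and rely entirely on `listen 127.0.0.1:80;` for the "only from localhost" guarantee, so a later edit that widens the listen address silently exposes `nchan_publisher` to the network. Keep an explicit guard inside each location, `allow 127.0.0.1;` followed by `deny all;` (the old blocks had `allow` without `deny all`, which is why that directive alone restricted nothing). Binding to loopback also limits publishing by host, not by process: nothing in this block checks a credential, so any local user or service can post to any channel id, which the comment should state, e.g. `# Publisher is reachable by any local process; keep this bound to loopback`.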