diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index a297f83e9..40602957a 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -92,6 +92,14 @@ server {
     add_header Referrer-Policy "no-referrer-when-downgrade";
     proxy_hide_header Referrer-Policy;
 
+    # workaround caching issue after /logout. if max-age is set, browser uses cache and user thinks they have not logged out
+    # have to keep all the add_header here to avoid repeating all add_header in location block
+    <% if (proxyAuth.enabled) { %>
+    proxy_hide_header Cache-Control;
+    add_header Cache-Control no-cache;
+    add_header Set-Cookie $auth_cookie;
+    <% } %>
+
     # gzip responses that are > 50k and not images
     gzip on;
     gzip_min_length 50k;
@@ -250,7 +258,6 @@ server {
     location "<%= proxyAuth.path %>" {
         auth_request /proxy-auth;
         auth_request_set $auth_cookie $upstream_http_set_cookie;
-        add_header Set-Cookie $auth_cookie;
         error_page 401 = @proxy-auth-login;
 
         proxy_pass http://<%= ip %>:<%= port %>;