diff --git a/CHANGES b/CHANGES
index fbbe87b56..fbc9d641a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2067,4 +2067,5 @@
 [5.6.0]
 * Update MongoDB to 4.2.8
+* Remove IP nginx configuration that redirects to dashboard after activation
diff --git a/src/cloudron.js b/src/cloudron.js
index 316a6684b..68ab8cf47 100644
--- a/src/cloudron.js
+++ b/src/cloudron.js
@@ -112,9 +112,6 @@ function runStartupTasks() {
 // stop all the systemd tasks
 platform.stopAllTasks(NOOP_CALLBACK);
- // configure nginx to be reachable by IP
- reverseProxy.writeDefaultConfig(NOOP_CALLBACK);
-
 // this configures collectd to collect backup storage metrics if filesystem is used. This is also triggerd when the settings change with the rest api
 settings.getBackupConfig(function (error, backupConfig) {
 if (error) return debug('runStartupTasks: failed to get backup config.', error);
@@ -127,7 +124,16 @@ function runStartupTasks() {
 // check activation state and start the platform
 users.isActivated(function (error, activated) {
 if (error) return debug(error);
- if (!activated) return debug('initialize: not activated yet'); // not activated
+ // configure nginx to be reachable by IP when not activated. for the moment, the IP based redirect exists even after domain is setup
+ // just in case user forgot or some network error happenned in the middle (then browser refresh takes you to activation page)
+ // we remove the config as a simple security measure to not expose IP <-> domain
+ if (!activated) {
+ debug('runStartupTasks: generating IP based redirection config');
+ reverseProxy.writeDefaultConfig(NOOP_CALLBACK);
+ } else {
+ debug('runStartupTasks: removing IP based redirection config');
+ reverseProxy.removeDefaultConfig(NOOP_CALLBACK);
+ }
 onActivated(NOOP_CALLBACK);
 });
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index bb775eeae..9758fa11d 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
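Review bot: In the second src/cloudron.js hunk (the `users.isActivated` callback), the not-activated branch no longer returns, so `onActivated(NOOP_CALLBACK)` is now reached on an unactivated system too, whereas the removed `if (!activated) return debug(...)` stopped before it. If running the activation path before activation is not intended, end that branch with `return reverseProxy.writeDefaultConfig(NOOP_CALLBACK);`. Both config calls are also made with `NOOP_CALLBACK`, so a failed removal leaves the IP-based redirect in place with no log line, which quietly defeats the stated goal of not exposing IP <-> domain; a callback such as `(error) => { if (error) debug('runStartupTasks: could not remove IP based redirection config', error); }` would surface it. runStartupTasks starts and ends outside the hunk.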
@@ -1,30 +1,32 @@
 'use strict';
 exports = module.exports = {
- setFallbackCertificate: setFallbackCertificate,
- getFallbackCertificate: getFallbackCertificate,
+ setFallbackCertificate,
+ getFallbackCertificate,
- generateFallbackCertificateSync: generateFallbackCertificateSync,
- setAppCertificateSync: setAppCertificateSync,
+ generateFallbackCertificateSync,
+ setAppCertificateSync,
- validateCertificate: validateCertificate,
+ validateCertificate,
- getCertificate: getCertificate,
- ensureCertificate: ensureCertificate,
+ getCertificate,
+ ensureCertificate,
- renewCerts: renewCerts,
+ renewCerts,
 // the 'configure' ensure a certificate and generate nginx config
- configureAdmin: configureAdmin,
- configureApp: configureApp,
- unconfigureApp: unconfigureApp,
+ configureAdmin,
+ configureApp,
+ unconfigureApp,
 // these only generate nginx config
- writeDefaultConfig: writeDefaultConfig,
- writeAdminConfig: writeAdminConfig,
- writeAppConfig: writeAppConfig,
+ writeDefaultConfig,
+ removeDefaultConfig,
- removeAppConfigs: removeAppConfigs,
+ writeAdminConfig,
+ writeAppConfig,
+
+ removeAppConfigs,
 // exported for testing
 _getAcmeApi: getAcmeApi
@@ -666,6 +668,14 @@ function writeDefaultConfig(callback) {
 debug('writeDefaultConfig: done');
- callback(null);
+ reload(callback);
 });
 }
+
+function removeDefaultConfig(callback) {
+ assert.strictEqual(typeof callback, 'function');
+
+ safe.fs.unlinkSync(path.join(paths.NGINX_APPCONFIG_DIR, constants.NGINX_DEFAULT_CONFIG_FILE_NAME));
+
+ reload(callback);
+}
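Review bot: In `removeDefaultConfig` (last src/reverseproxy.js hunk) the result of `safe.fs.unlinkSync(...)` is discarded, so when the default config cannot be deleted the function still reloads nginx and reports success while the IP-based server block keeps being served. Assuming `safe.fs` follows the safetydance convention of returning false and setting `safe.error`, check the result and treat only a missing file as success, for example `if (!safe.fs.unlinkSync(file) && safe.error.code !== 'ENOENT') return callback(safe.error);` with `file` holding the joined path. The same check would let an already-clean system skip the `reload(callback)` that otherwise runs on every startup. A short comment above the function stating that an absent file is not an error would document the contract for callers.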