diff --git a/puppet/modules/nginx/files/translatewiki.net b/puppet/modules/nginx/files/translatewiki.net
index eb5be6a0..38683b29 100644
--- a/puppet/modules/nginx/files/translatewiki.net
+++ b/puppet/modules/nginx/files/translatewiki.net
@@ -1,71 +1,75 @@
 # file managed by puppet
+map $cookie_env $env {
+ default w;
+ x x;
+}
+
 server {
 listen 80 default_server;
 listen [2a03:4000:39:55d:5400:a2ff:fe21:b3ea]:80;
 server_name translatewiki.net;
 return 301 https://$host$request_uri;
 }
 server {
 listen 443 ssl default_server deferred http2;
 listen [2a03:4000:39:55d:5400:a2ff:fe21:b3ea]:443 default_server deferred ssl http2;
 include includes/ssl-certbot.conf;
 server_name translatewiki.net;
 root /www/$host/docroot;
 add_header Referrer-Policy no-referrer-when-downgrade;
 add_header X-Xss-Protection "1; mode=block" always;
- location = / {
- rewrite ^ /w/index.php;
- }
-
- location ~ ^/wiki {
- rewrite ^ /w/index.php;
- }
+ rewrite ^/$ /$env/index.php;
+ rewrite ^/wiki /$env/index.php;
+ rewrite ^/sitemap$ "/$env/index.php?title=Special:RecentChanges&translations=&feed=atom";
+ # No-op if using the default environment, but required for the 'internal' rules to work
+ rewrite ^/w/(.*) /$env/$1;
- location = /sitemap {
- rewrite ^ "/w/index.php?title=Special:RecentChanges&translations=&feed=atom";
+ # Prevent direct access to /x. It can only be accessed through the above rewrites
+ location /x {
+ internal;
 }
-
- location ~ ^/w/(cache|mw-config|includes|maintenance|languages|docs)/ {
+ location ~ ^/[xw]/(cache|mw-config|includes|maintenance|languages|docs|vendor)/ {
 deny all;
 }
 # Allowed php files, case sensitive
- location ~ ^/w/(i|index|load|api|opensearch_desc|profileinfo|webfiles/jserror)\.php {
+ location ~ ^/[xw]/(i|index|load|api|opensearch_desc|webfiles/jserror)\.php {
 fastcgi_pass php;
 fastcgi_buffering off;
 fastcgi_buffers 16 16k;
 fastcgi_connect_timeout 1s;
 fastcgi_send_timeout 2s;
 fastcgi_read_timeout 15s;
 include fastcgi.conf;
+ internal;
 }
 # Deny access to all php files except those above
 location ~* \.php$ {
 deny all;
 }
 location ~* ^/static/mainpage/.*\.jpg$ {
 expires 2M;
 if ($http_accept ~ "image/webp") {
 add_header Vary Accept;
 rewrite ^ $uri.webp;
 }
 }
 location ~* \.(png|jpg|jpeg|gif|ico|svg|woff|woff2|eot|ttf|webp)$ {
 expires 2M;
 }
 error_page 500 502 503 504 /error.html;
 location = /error.html {
 root /www/translatewiki.net/error;
 internal;
 }
 }
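Review bot: `location /x { internal; }` is a plain prefix location, and nginx consults the `~`/`~*` locations after picking the longest prefix match, so a direct request for a path under /x that matches one of the later regex locations (for example an asset matched by `location ~* \.(png|jpg|jpeg|gif|ico|svg|woff|woff2|eot|ttf|webp)$`) is served from /x rather than refused; only paths that match no regex location fall back to this block and get the 404 that `internal` produces. The comment `# Prevent direct access to /x. It can only be accessed through the above rewrites` therefore overstates what the block guarantees; the PHP entry points under /x are actually protected by the `internal;` added to the fastcgi location, not by this prefix block. If serving static files straight out of /x is acceptable, I would reword the comment to `# Direct requests under /x that match no regex location below get a 404; the PHP entry points are guarded by the 'internal' in the fastcgi location`; if it is not, the block would need `^~` and presumably its own fastcgi handling, which is more than a one-line change. The `map` keyed on `$cookie_env` only ever yields `w` or `x`, so the cookie cannot steer the rewrites to any other directory, which is the right shape for an untrusted selector.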