diff --git a/CHANGELOG.md b/CHANGELOG.md
index 45f2e46ce..14d099c34 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Fixed
 - `.teresaignore` behavior (to work like `.gitignore`)
+- Protect nginx vars from being interpreted as env vars
 
 ## [0.17.0] - 2018-03-20
 ### Changed
diff --git a/pkg/server/spec/container.go b/pkg/server/spec/container.go
index f4caa6369..188328bb0 100644
--- a/pkg/server/spec/container.go
+++ b/pkg/server/spec/container.go
@@ -3,6 +3,7 @@ package spec
 import (
 	"fmt"
 	"strconv"
+	"strings"
 
 	"github.com/luizalabs/teresa/pkg/server/app"
 	"github.com/luizalabs/teresa/pkg/server/storage"
@@ -12,7 +13,7 @@ const (
 	nginxConfTmplDir = "/etc/nginx/template/"
 	nginxConfDir     = "/etc/nginx/"
 	nginxConfFile    = "nginx.conf"
-	nginxArgTmpl     = "envsubst < %s%s > %s%s && nginx -g 'daemon off;'"
+	nginxArgTmpl     = "envsubst '%s' < %s%s > %s%s && nginx -g 'daemon off;'"
 	nginxBackendTmpl = "http://localhost:%d"
 )
 
@@ -88,9 +89,13 @@ func newNginxVolumeMount() *VolumeMounts {
 }
 
 func newNginxContainer(image string) *Container {
-	args := fmt.Sprintf(nginxArgTmpl, nginxConfTmplDir, nginxConfFile, nginxConfDir, nginxConfFile)
 	port := strconv.Itoa(DefaultPort)
 	backend := fmt.Sprintf(nginxBackendTmpl, secondaryPort)
+	env := map[string]string{
+		"NGINX_PORT":    port,
+		"NGINX_BACKEND": backend,
+	}
+	args := newNginxContainerArgs(env)
 
 	return &Container{
 		Name:    "nginx",
@@ -101,16 +106,31 @@ func newNginxContainer(image string) *Container {
 			Name:          "nginx",
 			ContainerPort: int32(DefaultPort),
 		}},
-		Env: map[string]string{
-			"NGINX_PORT":    port,
-			"NGINX_BACKEND": backend,
-		},
+		Env: env,
 		VolumeMounts: []*VolumeMounts{
 			newNginxVolumeMount(),
 		},
 	}
 }
 
+func newNginxContainerArgs(env map[string]string) string {
+	tmp := make([]string, len(env))
+	var i int
+	for key, _ := range env {
+		tmp[i] = fmt.Sprintf("$%s", key)
+		i++
+	}
+	args := fmt.Sprintf(
+		nginxArgTmpl,
+		strings.Join(tmp, " "),
+		nginxConfTmplDir,
+		nginxConfFile,
+		nginxConfDir,
+		nginxConfFile,
+	)
+	return args
+}
+
 func newAppContainer(name, image string, envVars map[string]string, port int, secrets []string) *Container {
 	return &Container{
 		Name:    name,
diff --git a/pkg/server/spec/container_test.go b/pkg/server/spec/container_test.go
new file mode 100644
index 000000000..9b3cb18d7
--- /dev/null
+++ b/pkg/server/spec/container_test.go
@@ -0,0 +1,25 @@
+package spec
+
+import (
+	"fmt"
+	"testing"
+)
+
+func TestNewNginxContainerArgs(t *testing.T) {
+	env := map[string]string{"key1": "value1", "key2": "value2"}
+	keys := "$key1 $key2"
+	want := fmt.Sprintf(
+		nginxArgTmpl,
+		keys,
+		nginxConfTmplDir,
+		nginxConfFile,
+		nginxConfDir,
+		nginxConfFile,
+	)
+
+	got := newNginxContainerArgs(env)
+
+	if got != want {
+		t.Errorf("got %s; want %s", got, want)
+	}
+}