diff --git a/docs/conf.py b/docs/conf.py
index c36ddd4c334aff681437ba0d08737dcdd394e355..ad6133c985e24133f81574f85c5a35c61764925d 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -31,7 +31,8 @@ with open('../VERSION') as version_file:
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
-    'recommonmark'
+    'recommonmark',
+    'sphinx.ext.autosectionlabel'
 ]
 
 # Add any paths that contain templates here, relative to this directory.
diff --git a/docs/security.rst b/docs/security.rst
index d6d5b9cfb8c064d89817ab2b8e4b6b844cadbfdd..3dbb4ebf6d282248b54d81a5f5192ededf70d5a8 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -5,23 +5,29 @@ Security
 Access control
 ==============
 
-By default, the resources of your OAS cluster will be exposed to the whole
-internet (although they are password protected by the single-sign-on system).
+By default, the applications on your OAS cluster will be exposed to the whole
+internet (although they are password protected).
+
 If you like to limit who can access your cluster resources you can configure
 the OAS ingress (`ingress-nginx <https://kubernetes.github.io/ingress-nginx>`__)
 to only accept connections from a certain IP address or range.
-Add a file in the ``CLUSTER_DIR/group_vars/all/`` directory, i.e. named
-``ingress.yml`` with the following content:
 
-.. code-block:: yaml
+Follow the :ref:`Customize OAS applications` instructions, but use the following
+secret as ``install/overrides/oas-nginx-override.yml`` and apply the secret in
+the ``oas`` namespace instead of ``oas-apps``. Replace the source range with the
+IP address ranges you want to allow.
 
-  ingress_extra_values:
-    controller:
-      config:
-        # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
-        # comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.
-        whitelist-source-range: 1.2.3.4/24
+.. code-block:: yaml
 
-After this, run the
-`Openappstack installation procedure <installation_instructions.html#step-4-installation>`__
-again.
+   ---
+   apiVersion: v1
+   kind: secret
+   metadata:
+     name: oas-nginx-override
+   data:
+     values.yaml: |
+       controller:
+         config:
+           # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
+           # comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.
+           whitelist-source-range: 1.2.3.4/24