diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -754,6 +754,7 @@
 swh::deploy::reverse_proxy::services:
 - deposit
 - webapp
+ - objstorage
 letsencrypt::account_email: sysop+letsencrypt@softwareheritage.org
 letsencrypt::server: https://acme-v02.api.letsencrypt.org/directory
@@ -801,6 +802,10 @@
 hedgedoc:
 domains:
 - hedgedoc.softwareheritage.org
+ objstorage_production:
+ domains:
+ - objstorage.softwareheritage.org
+ - objstorage.internal.softwareheritage.org
 objstorage_staging:
 domains:
 - objstorage.staging.swh.network
@@ -1894,6 +1899,11 @@
 - 127.0.0.1
 - localhost
 - "::1"
+swh::deploy::objstorage::reverse_proxy::backend_http_port: "%{lookup('swh::remote_service::objstorage::port')}"
+swh::deploy::objstorage::reverse_proxy::basic_auth: true
+swh::deploy::objstorage::reverse_proxy::basic_auth::users:
+ - swh-prod
+ - enea-prod
 swh::deploy::deposit::reverse_proxy::backend_http_port: "%{alias('varnish::backend_http_port')}"
diff --git a/data/deployments/staging/common.yaml b/data/deployments/staging/common.yaml
--- a/data/deployments/staging/common.yaml
+++ b/data/deployments/staging/common.yaml
@@ -143,7 +143,9 @@
 swh::deploy::objstorage::vhost::letsencrypt_cert: objstorage_staging
 swh::deploy::objstorage::reverse_proxy::backend_http_host: objstorage0.internal.staging.swh.network
-swh::deploy::objstorage::reverse_proxy::backend_http_port: "%{lookup('swh::remote_service::objstorage::port')}"
+swh::deploy::objstorage::reverse_proxy::basic_auth::users:
+ - swh-stg
+ - enea-stg
 swh::deploy::objstorage::backend::public_server_name: objstorage.staging.swh.network
diff --git a/data/hostname/moma.softwareheritage.org.yaml b/data/hostname/moma.softwareheritage.org.yaml
--- a/data/hostname/moma.softwareheritage.org.yaml
+++ b/data/hostname/moma.softwareheritage.org.yaml
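Review bot: The `basic_auth::users` list added at the end of the third hunk names accounts whose passwords are not defined anywhere in this file; reverse_proxy.pp resolves them with a `lookup("swh::deploy::${service_name}::reverse_proxy::basic_auth::${user}")` that has no default, so a user listed here without a matching password key aborts catalog compilation for the whole reverse proxy rather than opening the vhost. That fail-closed behaviour is right, but nothing next to the list says where the secret has to live, so a comment would help, e.g. `# every user listed here needs a password key at swh::deploy::objstorage::reverse_proxy::basic_auth::<user> (not kept in this file)`. The same applies to the staging users list in the next hunk.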
@@ -19,6 +19,31 @@
 swh::deploy::storage::db::user: guest
 swh::deploy::storage::db::password: guest
+swh::deploy::objstorage::backend::listen::host: moma.internal.softwareheritage.org
+swh::deploy::objstorage::vhost::letsencrypt_cert: objstorage_production
+swh::deploy::objstorage::reverse_proxy::backend_http_host: "%{alias('swh::deploy::objstorage::backend::listen::host')}"
+
+swh::deploy::objstorage::backend::public_server_name:
+ objstorage.softwarehritage.org
+ objstorage.internal.softwareheritage.org
+
+swh::deploy::objstorage::backend::server_names:
+ - "%{alias('swh::deploy::objstorage::backend::public_server_name')}"
+ - "%{::swh_hostname.internal_fqdn}"
+ - "%{::hostname}"
+ - 127.0.0.1
+ - localhost
+ - "::1"
+
+swh::deploy::objstorage::config:
+ objstorage:
+ cls: multiplexer
+ args:
+ objstorages:
+ - "%{alias('swh::remote_service::objstorage::config::banco::readonly')}"
+ - "%{alias('swh::remote_service::objstorage::config::saam::readonly')}"
+
 hitch::frontend: "[*]:443"
 hitch::proxy_support: true
diff --git a/data/subnets/vagrant.yaml b/data/subnets/vagrant.yaml
--- a/data/subnets/vagrant.yaml
+++ b/data/subnets/vagrant.yaml
@@ -101,6 +101,8 @@
 aliases:
 - archive.internal.softwareheritage.org
 - deposit.internal.softwareheritage.org
+ - objstorage.softwareheritage.org
+ - objstorage.internal.softwareheritage.org
 10.168.100.32:
 host: beaubourg.internal.softwareheritage.org
 10.168.100.34:
diff --git a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
--- a/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
+++ b/site-modules/profile/manifests/swh/deploy/reverse_proxy.pp
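Review bot: `public_server_name` in the moma hunk is written as a two-line plain scalar rather than a list, so YAML folds it into the single string `objstorage.softwarehritage.org objstorage.internal.softwareheritage.org`, and the first hostname also misspells the domain (`softwarehritage`). Because `server_names` pulls that value in through `%{alias(...)}`, the backend ends up with one bogus space-separated entry instead of two hostnames, while the staging file keeps `public_server_name` a single scalar. Suggest `swh::deploy::objstorage::backend::public_server_name: objstorage.softwareheritage.org` and a separate `- objstorage.internal.softwareheritage.org` item under `server_names`, which also matches the two Let's Encrypt domains added to common.yaml.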
@@ -16,6 +16,21 @@
 'name' => "swh::deploy::${service_name}::reverse_proxy::websocket_support",
 'default_value' => false,
 })
+ $basic_auth = lookup( {
+ 'name' => "swh::deploy::${service_name}::reverse_proxy::basic_auth",
+ 'default_value' => false,
+ })
+ if $basic_auth {
+ $basic_auth_users = lookup( {
+ 'name' => "swh::deploy::${service_name}::reverse_proxy::basic_auth::users",
+ 'default_value' => [],
+ })
+
+ $basic_auth_strings = $basic_auth_users.map | $user | {
+ $password = lookup("swh::deploy::${service_name}::reverse_proxy::basic_auth::${user}")
+ base64('encode', "${user}:${password}", 'strict') # strict to avoid CR at the end of the line
+ }
+ }
 # Retrieve the list of vhosts
 $vhosts = lookup('letsencrypt::certificates')[$cert_name]['domains']
@@ -28,13 +43,16 @@
 $vhost_aliases = delete($vhosts, $vhost_name)
 realize(::Profile::Hitch::Ssl_cert[$cert_name])
+
 ::profile::varnish::vhost {$vhost_name:
- aliases => $vhost_aliases,
- backend_name => $service_name,
- backend_http_host => $backend_http_host,
- backend_http_port => $backend_http_port,
- hsts_max_age => lookup('strict_transport_security::max_age'),
- websocket_support => $websocket_support,
+ aliases => $vhost_aliases,
+ backend_name => $service_name,
+ backend_http_host => $backend_http_host,
+ backend_http_port => $backend_http_port,
+ hsts_max_age => lookup('strict_transport_security::max_age'),
+ websocket_support => $websocket_support,
+ basic_auth => $basic_auth,
+ basic_auth_strings => $basic_auth_strings,
 }
 $icinga_checks_file = lookup('icinga2::exported_checks::filename')
diff --git a/site-modules/profile/manifests/varnish/vhost.pp b/site-modules/profile/manifests/varnish/vhost.pp
--- a/site-modules/profile/manifests/varnish/vhost.pp
+++ b/site-modules/profile/manifests/varnish/vhost.pp
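Review bot: `$basic_auth_strings` is only assigned inside `if $basic_auth { … }`, yet the resource declaration in the next hunk passes it unconditionally as `basic_auth_strings => $basic_auth_strings`; with `strict_variables` enabled that reference to an unassigned variable fails compilation for every service that leaves basic auth at its default of false, and without it the parameter silently becomes undef. Add an else branch so the variable always exists: `} else { $basic_auth_strings = undef }`. The per-user `lookup("swh::deploy::${service_name}::reverse_proxy::basic_auth::${user}")` has no default, so a listed user with no password key aborts compilation instead of deploying an unprotected vhost — that is the right fail-closed behaviour and deserves a one-line comment on that lookup saying it is intentional. The enclosing class begins before this hunk.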
@@ -11,6 +11,8 @@
 Optional[String] $vcl_recv_extra = undef,
 Optional[String] $vcl_deliver_extra = undef,
 Variant[Undef, String, Integer[1]] $hsts_max_age = undef,
+ Boolean $basic_auth = false,
+ Optional[Array[String]] $basic_auth_strings = undef,
 ) {
 ::profile::varnish::vcl_include {$backend_name:
diff --git a/site-modules/profile/templates/varnish/vhost.vcl.erb b/site-modules/profile/templates/varnish/vhost.vcl.erb
--- a/site-modules/profile/templates/varnish/vhost.vcl.erb
+++ b/site-modules/profile/templates/varnish/vhost.vcl.erb
@@ -16,6 +16,15 @@
 set req.http.x-redir = "https://" + req.http.host + req.url;
 return(synth(850, "Moved permanently"));
 } else {
+<%- if @basic_auth -%>
+ if ( 1 == 1 # noop expression to be syntactically correct with the following &&
+ <%- @basic_auth_strings.each do | basic_auth_string | -%>
+ && ! req.http.Authorization ~ "Basic <%= basic_auth_string %>"
+ <%- end -%>
+ ) {
+ return(synth(401, "Restricted"));
+ }
+<%- end -%>
 <% if @websocket_support -%>
 if (req.http.upgrade ~ "(?i)websocket") {
 return (pipe);
diff --git a/site-modules/role/manifests/swh_rp_webapps.pp b/site-modules/role/manifests/swh_rp_webapps.pp
--- a/site-modules/role/manifests/swh_rp_webapps.pp
+++ b/site-modules/role/manifests/swh_rp_webapps.pp
@@ -5,4 +5,6 @@
 # - deposit
 class role::swh_rp_webapps inherits role::swh_rp_webapp {
 include profile::swh::deploy::deposit
+ include profile::swh::deploy::objstorage_cloud
+ include profile::swh::deploy::objstorage
 }
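Review bot: The credential check in the vhost.vcl.erb hunk uses the regex operator `~` against an unescaped base64 string, so the comparison is neither exact nor anchored: a `+` inside the encoded credentials acts as a quantifier, and any Authorization header whose value merely begins with the expected string still passes, because base64 encodes in 3-byte groups and a longer secret sharing the leading groups produces the same prefix. Compare the header for equality instead, `&& req.http.Authorization != "Basic <%= basic_auth_string %>"`, which needs no escaping and rejects anything but the exact value. `synth(401, "Restricted")` only prompts clients for credentials if the response carries `WWW-Authenticate: Basic realm="..."`; vcl_synth lies outside this hunk, so confirm it adds that header, otherwise browsers will never send credentials and every request ends in 401. With `@basic_auth` true and an empty `@basic_auth_strings` the `1 == 1` guard denies every request, which is fail-closed but not obvious from the template, so a comment on the `if (` line stating that an empty user list blocks all access would help.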