diff --git a/stack.yml b/stack.yml
index ba6698a..9122c4a 100644
--- a/stack.yml
+++ b/stack.yml
@@ -140,6 +140,15 @@ services:
         - "traefik.http.routers.authelia.entrypoints=websecure"
         - "traefik.http.routers.authelia.tls=true"
         - "traefik.http.services.authelia.loadbalancer.server.port=9091"
+        - "traefik.http.middlewares.fix-reset-url.redirectregex.regex=^/login\\?token=([^&]+)$$"
+        - "traefik.http.middlewares.fix-reset-url.redirectregex.replacement=https://bc.a250.ca/login/reset-password/step2?token=$${1}"
+        - "traefik.http.middlewares.fix-reset-url.redirectregex.permanent=false"
+        - "traefik.http.routers.authelia-reset.rule=Host(`bc.a250.ca`) && Path(`/login`) && QueryRegexp(`token`, `.+`)"
+        - "traefik.http.routers.authelia-reset.priority=20"
+        - "traefik.http.routers.authelia-reset.entrypoints=websecure"
+        - "traefik.http.routers.authelia-reset.tls=true"
+        - "traefik.http.routers.authelia-reset.middlewares=fix-reset-url@swarm"
+        - "traefik.http.routers.authelia-reset.service=authelia"
         - "traefik.http.middlewares.authelia-auth.forwardauth.address=http://authelia:9091/login/api/authz/forward-auth?rd=https://bc.a250.ca/login/"
         - "traefik.http.middlewares.authelia-auth.forwardauth.trustForwardHeader=true"
         - "traefik.http.middlewares.authelia-auth.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"