diff --git a/porthos/README.md b/porthos/README.md
index 32f5899..8a39bfa 100644
--- a/porthos/README.md
+++ b/porthos/README.md
@@ -68,11 +68,17 @@ repository mirrors for the given parameters.
   `true`
 - `arch` system architecture, like `x86_64`
 
-HTTP repository metadata query (HTTP Basic authentication required):
+HTTP repository metadata query (SSL + HTTP Basic authentication required):
 
     https://m1.nethserver.com/autoupdate/<repo_version>/<repo_name>/<repo_arch>/repodata/repomd.xml
     https://m1.nethserver.com/stable/<repo_version>/<repo_name>/<repo_arch>/repodata/repomd.xml
 
+HTTP repository metadata query (username as path token, SSL not required):
+
+    http://m1.nethserver.com/autoupdate/<username>/<repo_version>/<repo_name>/<repo_arch>/repodata/repomd.xml
+    http://m1.nethserver.com/stable/<username>/<repo_version>/<repo_name>/<repo_arch>/repodata/repomd.xml
+
+
 * `autoupdate` returns data from the tier associated to the credentials provided
 * `stable` always returns data from `t0`
 
@@ -80,22 +86,61 @@ HTTP repository metadata query (HTTP Basic authentication required):
 
 * 401 - authorization required
 * 404 - resource not found
-* 403 - bad credentials or `tier_id` is false (disabled)
+* 403 - bad credentials or access denied conditions
 * 503 - redis connection failed, see `/var/log/nginx/porthos-php-error.log`
 * 502 - php-fpm connection failed, see `/var/log/nginx/error.log`
 * 500 - generic PHP error, see `/var/log/nginx/porthos-php-error.log`
 
-## Redis DB format
+## Porthos repository access control
+
+Access permissions to Porthos repositories are checked by `auth.php`.
+
+A special `subscription.json` API endpoint used by the Software center clients
+is implemented by `subscription.php`.
 
-The `repomd.php` script expects the following storage format in redis DB:
+All HTTP requests to access YUM repositories must be authenticated with HTTP
+Basic Auth. If the special `$config['legacy_auth']` is enabled, the HTTP
+username is considered a valid access token, and can be set as password value too.
+
+The access token can be passed also as an URL path component, like:
+
+    http://m1.nethserver.com/stable/<username>/<repo_version>/<repo_name>/<repo_arch>/repodata/repomd.xml
+
+The `auth.php` and `subscription.php` scripts expects the following record
+format in redis DB:
 
     key: <system_id>
-    value: hash{ tier_id => <integer>, secret => <string> }
+    value: hash{ tier_id => <value>, secret => <value>, icat => <value> }
 
-If `tier_id` is not set, the access is denied (403 - forbidden). For instance to create a key on athos
+For instance to create a key on athos
 
     redis-cli -p PORT
-    redis-cli PORT> HMSET 0ILD29RH-D78A-C444-1F82-EE92-3211-FC47-43AD-DQFD tier_id 2 secret S3Cr3t
+    redis-cli PORT> HMSET 0ILD29RH-D78A-C444-1F82-EE92-3211-FC47-43AD-DQFD tier_id 2 secret S3Cr3t icat cat1,cat2,cat3
+
+### `tier_id` field
+
+The `tier_id` value should be a number. If the value is negative, the tier
+number is calculated by an hash function, based on the system identifier. 
+
+If `tier_id` is not a number, both `auth.php` and `subscription.php` reply with
+403 - forbidden.
+
+### `icat` field
+
+The `icat` field is a string of a comma separated list of YUM category
+identifiers (refer to the repository comps/groups for valid names). Its purpose
+is to show the products entitlement on the Software center page. It is used by
+`subscription.php` to return the included/excluded YUM categories list to the
+client. See also the `$config['categories']` parameter to configure it. This
+field is ignored by `auth.php`.
+
+If `icat` field is not set, the `subscription.php` replies with 403 - forbidden.
+
+### `secret` field
+
+If `secret` field is not set, both `auth.php` and `subscription.php` reply with
+403 - forbidden, unless `$config['legacy_auth']` is enabled.
+
 
 ## Repository management commands
 
@@ -104,10 +149,10 @@ from `/etc/porthos.conf`. Upstream YUM rsync URLs are defined there.
 
 - `repo-bulk-hinit` runs initial synchronization from upstream repositories (-f disables the check for already existing directories)
 - `repo-bulk-pull` creates a snapshot date-dir (e.g. `d20180301`) under
-  `dest_dir` with differences from upstream repositories. Set `t0` to point at
+  `dest_dir` with differences from upstream repositories. It sets `t0` to point at
   it.
 - `repo-bulk-shift [N]` updates `t1` ... `tN` links by shifting tiers of one position
-  the optional `N`
+  the optional `N` parameter creates missing links up to N - 1.
 - `repo-bulk-cleanup` erases stale tier snapshots
 
 The following commands should not be invoked directly. They are intended to be
diff --git a/porthos/root/etc/nginx/conf.d/mirrorlist.conf b/porthos/root/etc/nginx/conf.d/mirrorlist.conf
deleted file mode 100644
index 4545d87..0000000
--- a/porthos/root/etc/nginx/conf.d/mirrorlist.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-    
-    server_name mirrorlist.nethserver.com;
-
-    # Uncomment the following line when TLS certificate is available
-    # include porthos-certbot.conf;
-
-    access_log /var/log/nginx/mirrorlist.access.log main;
-    root /usr/share/nginx/html;
-
-    location /.well-known/acme-challenge {
-        root /srv/porthos/certbot;
-        allow all;
-    }
-
-    location / {
-        include fastcgi.conf;
-        fastcgi_pass unix:/var/run/porthos-fpm;
-        fastcgi_param SCRIPT_FILENAME /srv/porthos/script/mirrorlist.php;
-        fastcgi_param PORTHOS_REDIS /var/run/redis/athos.sock;
-    }
-
-}
diff --git a/porthos/root/etc/nginx/conf.d/porthos.conf b/porthos/root/etc/nginx/conf.d/porthos.conf
index aae0ca1..b3bb8bb 100644
--- a/porthos/root/etc/nginx/conf.d/porthos.conf
+++ b/porthos/root/etc/nginx/conf.d/porthos.conf
@@ -2,7 +2,7 @@ server {
     listen 80;
     listen [::]:80;
 
-    server_name ~^m[0-9]+.nethserver.com;
+    server_name porthos.nethserver.com;
 
     # Uncomment the following line when TLS certificate is available
     # include porthos-certbot.conf;
@@ -38,27 +38,29 @@ server {
         return 200 "pong\n";
     }
 
-    location ~ "^/t0/(.*)" {
+    location ~ "^/T0/(.*)" {
         internal;
-        try_files $uri /head/$1;
+        try_files /t0/$1 /head/$1;
     }
 
-    location ~ "^/t1/(.*)" {
+    location ~ "^/T1/(.*)" {
         internal;
-        try_files $uri /t0/$1;
+        try_files /t1/$1 /t0/$1 /head/$1;
     }
 
-    location ~ "^/t2/(.*)" {
+    location ~ "^/T2/(.*)" {
         internal;
-        try_files $uri /t1/$1;
+        try_files /t2/$1 /t1/$1 /t0/$1 /head/$1;
     }
 
-    location ~ "^/t3/(.*)" {
+    location ~ "^/T3/(.*)" {
         internal;
-        try_files $uri /t2/$1;
+        try_files /t3/$1 /t2/$1 /t1/$1 /t0/$1 /head/$1;
     }
 
-    location ~ "^/(d[0-9]{8}|head)(/.*)" {
+    # add another location for tier "Tx" here...
+
+    location ~ "^/(t[0-9]|d[0-9]{8}|head)(/.*)" {
         internal;
     }
 
@@ -66,8 +68,35 @@ server {
         include fastcgi.conf;
         fastcgi_pass unix:/var/run/porthos-fpm;
         fastcgi_param SCRIPT_FILENAME /srv/porthos/script/auth.php;
+        fastcgi_param PORTHOS_SITE porthos;
         fastcgi_param PORTHOS_REDIS /var/run/redis/athos.sock;
-        fastcgi_param DOCUMENT_URI /$2;
+        fastcgi_param DOCUMENT_URI $uri;
+    }
+
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name porthos-mirrorlist.nethserver.com;
+
+    # Uncomment the following line when TLS certificate is available
+    # include porthos-certbot.conf;
+
+    access_log /var/log/nginx/mirrorlist.access.log main;
+    root /usr/share/nginx/html;
+
+    location /.well-known/acme-challenge {
+        root /srv/porthos/certbot;
+        allow all;
     }
 
-}
\ No newline at end of file
+    location / {
+        include fastcgi.conf;
+        fastcgi_pass unix:/var/run/porthos-fpm;
+        fastcgi_param SCRIPT_FILENAME /srv/porthos/script/mirrorlist.php;
+        fastcgi_param PORTHOS_SITE porthos;
+        fastcgi_param PORTHOS_REDIS /var/run/redis/athos.sock;
+    }
+}
diff --git a/porthos/root/etc/redis-athos.conf b/porthos/root/etc/redis-athos.conf
index 171c224..28a8f57 100644
--- a/porthos/root/etc/redis-athos.conf
+++ b/porthos/root/etc/redis-athos.conf
@@ -5,7 +5,6 @@
 # do not listen on TCP sockets
 port 0
 
-unixsocket /var/run/redis/athos.sock
 unixsocketperm 660
 
 # connect athos from local stunnel endpoint
diff --git a/porthos/root/etc/systemd/system/redis@.service b/porthos/root/etc/systemd/system/redis@.service
index c86a4f1..288f7e2 100644
--- a/porthos/root/etc/systemd/system/redis@.service
+++ b/porthos/root/etc/systemd/system/redis@.service
@@ -6,12 +6,14 @@ ConditionPathExists=/etc/redis-%i.conf
 
 [Service]
 Type=notify
-ExecStart=/usr/bin/redis-server /etc/redis-%i.conf --daemonize no
-ExecStop=/usr/bin/redis-cli -s /var/run/redis/%i.sock shutdown
+Environment="UNIXSOCK=%t/redis-%i/server.sock"
+ExecStartPre=/usr/bin/chcon -L -u system_u -t redis_var_run_t %t/redis-%i
+ExecStart=/usr/bin/redis-server /etc/redis-%i.conf --unixsocket $UNIXSOCK --loglevel debug --daemonize no
+ExecStop=/usr/bin/redis-cli -s $UNIXSOCK shutdown
 User=redis
 Group=nginx
-RuntimeDirectory=redis
-RuntimeDirectoryMode=0755
+RuntimeDirectory=redis-%i
+RuntimeDirectoryMode=0750
 LimitNOFILE=10240
 
 [Install]
diff --git a/porthos/root/srv/porthos/script/auth.php b/porthos/root/srv/porthos/script/auth.php
index 11ab3c6..c35568f 100644
--- a/porthos/root/srv/porthos/script/auth.php
+++ b/porthos/root/srv/porthos/script/auth.php
@@ -1,27 +1,103 @@
 <?php
 
-include("lib.php");
+/*
+ * Copyright (C) 2019 Nethesis S.r.l.
+ * http://www.nethesis.it - nethserver@nethesis.it
+ *
+ * This script is part of Dartagnan.
+ *
+ * Dartagnan is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License,
+ * or any later version.
+ *
+ * Dartagnan is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Dartagnan.  If not, see COPYING.
+ */
 
-if ( ! isset($_SERVER['PHP_AUTH_USER'])) {
-    header('WWW-Authenticate: Basic realm="subscription"');
-    header('HTTP/1.1 401 Unauthorized');
-    echo "Provide system subscription credentials\n";
-    exit;
+require_once("lib.php");
+require_once("config-" . $_SERVER['PORTHOS_SITE'] . ".php");
+
+$uri = parse_uri($_SERVER['DOCUMENT_URI']);
+
+if ( isset($_SERVER['HTTPS']) && ! $uri['system_id'] && ! isset($_SERVER['PHP_AUTH_USER'])) {
+    exit_basic_auth_required();
+} else {
+    if($uri['system_id']) {
+        // override PHP authentication with system_id token:
+        $_SERVER['PHP_AUTH_USER'] = $uri['system_id'];
+        $_SERVER['PHP_AUTH_PW'] = $uri['system_id'];
+    }
 }
 
 // Disable the Content-Type header in PHP, so that nginx x-accel can add its own
 ini_set('default_mimetype', FALSE);
 
-$access = get_access_descriptor($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
+// Mask any repo/version/arch that does not belong to the site:
+if(! in_array($uri['repo'], $config['repositories'])
+    || ! in_array($uri['version'], $config['versions'])
+    || ! in_array($uri['arch'], $config['arches'])) {
+    exit_http(404);
+}
 
-if($access['tier_id'] === FALSE) {
+if(! isset($_SERVER['PHP_AUTH_USER']) || ! isset($_SERVER['PHP_AUTH_PW'])) {
     exit_http(403);
-} elseif ($access['tier_id'] === '' || $access['secret'] != $_SERVER['PHP_AUTH_PW']) {
+}
+
+$access = get_access_descriptor($_SERVER['PHP_AUTH_USER']);
+$valid_credentials = $_SERVER['PHP_AUTH_PW'] === $access['secret'];
+if($config['legacy_auth']) {
+    $valid_credentials = $valid_credentials || $_SERVER['PHP_AUTH_USER'] ===  $_SERVER['PHP_AUTH_PW'];
+}
+$has_access_disabled = ! is_numeric($access['tier_id']);
+if ($has_access_disabled || ! $valid_credentials) {
     exit_http(403);
-} else {
-    if(basename($_SERVER['DOCUMENT_URI']) == 'repomd.xml') {
-        header('Cache-Control: private');
+}
+
+if($access['tier_id'] < 0) {
+    $hash = 0;
+    foreach(str_split($_SERVER['PHP_AUTH_USER']) as $c) {
+        $hash += ord($c);
     }
-    return_file('/t' . $access['tier_id'] . $_SERVER['DOCUMENT_URI']);
+    $hash = $hash % 256;
+    if($hash < 12) { // 5%
+        $tier_id = 0;
+    } elseif($hash < 38) { // 15%
+        $tier_id = 1;
+    } elseif($hash < 76) { // 30%
+        $tier_id = 2;
+    } else { // 50%
+        $tier_id = 3;
+    }
+    $tier_id += $config['tier_id_base'];
+} else {
+    $tier_id = intval($access['tier_id']);
 }
 
+if(basename($uri['rest']) == 'repomd.xml') {
+    header('Cache-Control: private');
+    application_log(json_encode(array(
+        'application' => 'porthos-' . $_SERVER['PORTHOS_SITE'],
+        'connection' => $_SERVER['CONNECTION'] ?: '',
+        'msg_type' => 'repomdxml-auth',
+        'msg_severity' => 'notice',
+        'server_id' => $_SERVER['PHP_AUTH_USER'],
+        'repo' => $uri['repo'],
+        'version' => $uri['version'],
+        'arch' => $uri['arch'],
+        'tier_id' => $uri['prefix'] == 'autoupdate' ? NULL : $tier_id,
+        'tier_auto' => isset($hash),
+        'tls' => isset($_SERVER['HTTPS']),
+    )));
+}
+
+if($uri['prefix'] == 'autoupdate') {
+    return_file('/T' . $tier_id . $uri['full_path']);
+} else {
+    return_file('/head' . $uri['full_path']);
+}
diff --git a/porthos/root/srv/porthos/script/config-porthos.php b/porthos/root/srv/porthos/script/config-porthos.php
new file mode 100644
index 0000000..abc6a17
--- /dev/null
+++ b/porthos/root/srv/porthos/script/config-porthos.php
@@ -0,0 +1,54 @@
+<?php
+
+/*
+ * Copyright (C) 2019 Nethesis S.r.l.
+ * http://www.nethesis.it - nethserver@nethesis.it
+ *
+ * This script is part of Dartagnan.
+ *
+ * Dartagnan is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License,
+ * or any later version.
+ *
+ * Dartagnan is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Dartagnan.  If not, see COPYING.
+ */
+
+// this is just an example!
+
+// categories (array):
+//    this is the list of YUM comps categories that require an entitlement
+$config['categories'] = array();
+
+// base_urls (array):
+//    base URLs of other porthos instances for load balancing
+$config['base_urls'] = array("https://{$_SERVER['SERVER_NAME']}/");
+
+// repositories (array):
+//    list of valid repository names
+$config['repositories'] = array('base', 'updates');
+
+// versions (array):
+//    list of valid version numbers
+$config['versions'] = array('7.6.1810');
+
+// arches (array):
+//    list of valid architectures
+$config['arches'] = array('x86_64');
+
+// legacy_auth (boolean)
+//     if TRUE, authenticate by user name only. The password must be equal to the user name.
+//     if FALSE, check the user name and the password separately
+$config['legacy_auth'] = FALSE;
+
+// tier_id_base (int)
+//     this is the base/minimum tier_id value, when automatic tier_id (-1) is set.
+//     - be sure that (tier_id_base + 3) < "number of tiers"
+//     - run repo-bulk-shift N (with N = "number of tiers") to add more tier links
+$config['tier_id_base'] = 0;
diff --git a/porthos/root/srv/porthos/script/lib.php b/porthos/root/srv/porthos/script/lib.php
index 6c35e9f..ad83904 100644
--- a/porthos/root/srv/porthos/script/lib.php
+++ b/porthos/root/srv/porthos/script/lib.php
@@ -1,22 +1,78 @@
 <?php
 
+/*
+ * Copyright (C) 2019 Nethesis S.r.l.
+ * http://www.nethesis.it - nethserver@nethesis.it
+ *
+ * This script is part of Dartagnan.
+ *
+ * Dartagnan is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License,
+ * or any later version.
+ *
+ * Dartagnan is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Dartagnan.  If not, see COPYING.
+ */
+
+function application_log($message, $priority = LOG_INFO) {
+    error_log($message);
+    openlog('porthos-' . $_SERVER['PORTHOS_SITE'], LOG_CONS | LOG_NDELAY, LOG_LOCAL3);
+    syslog($priority, $message);
+    closelog();
+}
+
 function return_file($file_path) {
     header('X-Accel-Redirect: ' . $file_path);
     exit(0);
 }
 
+function exit_basic_auth_required() {
+    header('WWW-Authenticate: Basic realm="subscription"');
+    header('HTTP/1.1 401 Unauthorized');
+    echo "Provide system subscription credentials\n";
+    exit(0);
+}
+
 function exit_http($code) {
     header('X-Accel-Redirect: /error/' . $code);
     exit(1);
 }
 
-function get_access_descriptor($system_id, $secret) {
+function get_access_descriptor($system_id) {
     $redis = new Redis();
     if( ! $redis->connect($_SERVER['PORTHOS_REDIS'])) {
-        error_log(sprintf('[ERROR] redis connect(%s) failed!', $_SERVER['PORTHOS_REDIS']));
+        application_log(json_encode(array(
+            'application' => 'porthos-' . $_SERVER['PORTHOS_SITE'],
+            'connection' => $_SERVER['CONNECTION'] ?: '',
+            'msg_type' => 'redis-connect',
+            'msg_severity' => 'alert',
+        )), LOG_ALERT);
         exit_http(503);
     };
-    $descriptor = $redis->hMGet($system_id, array('tier_id', 'secret'));
+    $descriptor = $redis->hMGet($system_id, array('tier_id', 'secret', 'icat'));
     $redis->close();
     return $descriptor;
 }
+
+function parse_uri($uri) {
+    $matches = array();
+    $parts = array(
+        'uri' => $uri,
+        'system_id' => NULL,
+        'full_path' => $uri,
+        'prefix' => NULL,
+        'version' => NULL,
+        'repo' => NULL,
+        'arch' => NULL,
+        'rest' => NULL,
+    );
+    preg_match('#^/(?P<prefix>autoupdate|stable)(?:/(?P<system_id>[\w-]{36,48}))?(?P<full_path>/(?P<version>[\d\.]+)/(?P<repo>[\w-]+)/(?P<arch>\w+)/(?P<rest>.*))$#', $uri, $matches);
+    $parts = array_merge($parts, $matches);
+    return $parts;
+}
diff --git a/porthos/root/srv/porthos/script/mirrorlist.php b/porthos/root/srv/porthos/script/mirrorlist.php
index 8d5a46b..95d36ea 100644
--- a/porthos/root/srv/porthos/script/mirrorlist.php
+++ b/porthos/root/srv/porthos/script/mirrorlist.php
@@ -1,54 +1,56 @@
 <?php
 
 /*
- * Copyright (C) 2018 Nethesis S.r.l.
+ * Copyright (C) 2019 Nethesis S.r.l.
  * http://www.nethesis.it - nethserver@nethesis.it
  *
- * This script is part of NethServer.
+ * This script is part of Dartagnan.
  *
- * NethServer is free software: you can redistribute it and/or modify
+ * Dartagnan is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as published by
  * the Free Software Foundation, either version 3 of the License,
  * or any later version.
  *
- * NethServer is distributed in the hope that it will be useful,
+ * Dartagnan is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU Affero General Public License for more details.
  *
  * You should have received a copy of the GNU Affero General Public License
- * along with NethServer.  If not, see COPYING.
+ * along with Dartagnan.  If not, see COPYING.
  */
 
+require_once("config-" . $_SERVER['PORTHOS_SITE'] . ".php");
+
 $version = $_GET['nsversion'];
 $arch = $_GET['arch'];
 $repo = $_GET['repo'];
+$system_id = isset($_GET['systemid']) ? $_GET['systemid'] : '';
 $use_tier = isset($_GET['usetier']) && ! in_array($_GET['usetier'], array('$YUM0', 'no', '0', ''));
 
-$valid_version = in_array($version, array('7.4.1708', '7.5.1804', '7.6.1810'));
-$valid_arch = in_array($arch, array('x86_64'));
-$valid_repo = in_array($repo, array(
-    'base',
-    'updates',
-    'extras',
-    'epel',
-    'centos-sclo-sclo',
-    'centos-sclo-rh',
-    'nethserver-base',
-    'nethserver-updates',
-));
+$valid_version = in_array($version, $config['versions']);
+$valid_arch = in_array($arch, $config['arches']);
+$valid_repo = in_array($repo, $config['repositories']);
+$valid_system_id = ! $system_id || preg_match('/^[\w-]+$/', $system_id);
 
 header('Content-type: text/plain; charset=UTF-8');
 
-if( ! $valid_arch || ! $valid_repo || ! $valid_version ) {
-    header("HTTP/1.0 400 Bad request");
-    error_log("[ERROR] invalid request: " . $_SERVER['REQUEST_URI']);
+if( ! $valid_arch || ! $valid_repo || ! $valid_version || ! $valid_system_id ) {
+    header("HTTP/1.0 400 Invalid request");
     echo "Invalid request\n";
     exit(1);
 }
 
 if($use_tier) {
-    echo "https://m1.nethserver.com/autoupdate/${version}/${repo}/${arch}\n";
+    $path = "autoupdate/";
 } else {
-    echo "https://m1.nethserver.com/stable/${version}/${repo}/${arch}\n";
+    $path = "stable/";
+}
+
+if($system_id) {
+    $path .= $system_id . '/';
+}
+
+foreach($config['base_urls'] as $baseurl) {
+    echo $baseurl . $path . "${version}/${repo}/${arch}\n";
 }
diff --git a/porthos/root/srv/porthos/script/subscription.php b/porthos/root/srv/porthos/script/subscription.php
new file mode 100644
index 0000000..4897352
--- /dev/null
+++ b/porthos/root/srv/porthos/script/subscription.php
@@ -0,0 +1,63 @@
+<?php
+
+/*
+ * Copyright (C) 2019 Nethesis S.r.l.
+ * http://www.nethesis.it - nethserver@nethesis.it
+ *
+ * This script is part of Dartagnan.
+ *
+ * Dartagnan is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License,
+ * or any later version.
+ *
+ * Dartagnan is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Dartagnan.  If not, see COPYING.
+ */
+
+require_once("lib.php");
+require_once("config-" . $_SERVER['PORTHOS_SITE'] . ".php");
+
+$uri = parse_uri($_SERVER['DOCUMENT_URI']);
+
+if ( isset($_SERVER['HTTPS']) && ! $uri['system_id'] && ! isset($_SERVER['PHP_AUTH_USER'])) {
+    exit_basic_auth_required();
+} else {
+    if($uri['system_id']) {
+        // override PHP authentication with system_id token:
+        $_SERVER['PHP_AUTH_USER'] = $uri['system_id'];
+        $_SERVER['PHP_AUTH_PW'] = $uri['system_id'];
+    }
+}
+
+// Disable the Content-Type header in PHP, so that nginx x-accel can add its own
+ini_set('default_mimetype', FALSE);
+
+if(! isset($_SERVER['PHP_AUTH_USER']) || ! isset($_SERVER['PHP_AUTH_PW'])) {
+    exit_http(403);
+}
+
+$access = get_access_descriptor($_SERVER['PHP_AUTH_USER']);
+$valid_credentials = $_SERVER['PHP_AUTH_PW'] === $access['secret'];
+if($config['legacy_auth']) {
+    $valid_credentials = $valid_credentials || $_SERVER['PHP_AUTH_USER'] ===  $_SERVER['PHP_AUTH_PW'];
+}
+$has_access_disabled = ! is_numeric($access['tier_id']) || $access['icat'] === FALSE;
+if ($has_access_disabled || ! $valid_credentials) {
+    exit_http(403);
+}
+
+$include_categories = array_filter(explode(',', $access['icat']));
+$exclude_categories = array_values(array_diff($config['categories'], $include_categories));
+
+header('Content-type: application/json; charset=UTF-8');
+echo json_encode(array(
+    'fmt_version' => 1,
+    'include_categories' => $include_categories,
+    'exclude_categories' => $exclude_categories,
+));
diff --git a/porthos/root/usr/local/bin/repo-bulk-pull b/porthos/root/usr/local/bin/repo-bulk-pull
index fbe9c64..3137c03 100755
--- a/porthos/root/usr/local/bin/repo-bulk-pull
+++ b/porthos/root/usr/local/bin/repo-bulk-pull
@@ -24,8 +24,10 @@
 
 date_dir=d$(date +%Y%m%d)
 
+trap 'kill $(jobs -p)' INT HUP TERM
+
 for repo in ${!repos[@]}; do
-    /usr/local/bin/repo-tier-pull ${repo} ${date_dir} &
+    /usr/local/bin/repo-tier-pull $* ${repo} ${date_dir} &
 done
 
 wait
diff --git a/porthos/root/usr/local/bin/repo-head-init b/porthos/root/usr/local/bin/repo-head-init
index 9228596..1125739 100755
--- a/porthos/root/usr/local/bin/repo-head-init
+++ b/porthos/root/usr/local/bin/repo-head-init
@@ -57,4 +57,5 @@ if [[ -z ${force} && -d ${head_dir} ]]; then
 fi
 
 mkdir -p ${head_dir}
-exec /usr/local/bin/xrsync ${repos[$repo_id]}/ ${head_dir} --delete-after
+set -f
+exec /usr/local/bin/xrsync ${repos[$repo_id]}/ ${head_dir} --delete-after ${options[${repo_id}]}
diff --git a/porthos/root/usr/local/bin/repo-tier-pull b/porthos/root/usr/local/bin/repo-tier-pull
index 52896de..d7384f6 100755
--- a/porthos/root/usr/local/bin/repo-tier-pull
+++ b/porthos/root/usr/local/bin/repo-tier-pull
@@ -24,16 +24,35 @@ set -e
 
 . /etc/porthos/repos.conf
 
+function exit_help ()
+{
+    echo -e "Usage:\n  $(basename $0) [-f] REPO_ID DATE_DIR" 1>&2
+    exit 1
+}
+
+while getopts ":f" opt; do
+  case $opt in
+    f)
+      force=1
+      ;;
+    \?)
+      echo "Invalid option: -$OPTARG" >&2
+      exit_help
+      ;;
+  esac
+done
+
+shift "$((OPTIND-1))"
+
 repo_id=$1
 date_dir=$2
+
 if [[ -z ${repo_id} || -z "${repos[$repo_id]}" || -z ${date_dir} ]]; then
-    echo -e "Usage:\n  $(basename $0) REPO_ID DATE_DIR" 1>&2
-    exit 1
+    exit_help
 fi
 
-
 head_dir=${dest_dir}/head/${repo_id}
-backup_dir=${dest_dir}/${date_dir}/$repo_id
+backup_dir=${dest_dir}/${date_dir}/${repo_id}
 
 repomd_file=${head_dir}/repodata/repomd.xml
 if [[ ! -f "${repomd_file}" ]]; then
@@ -42,10 +61,16 @@ if [[ ! -f "${repomd_file}" ]]; then
 fi
 
 if [[ -d ${backup_dir} ]]; then
-    echo "[WARNING] the repository backup directory already exists. Quit now ${backup_dir}"
-    exit 0
+    if [[ -n ${force} ]]; then
+        echo "[WARNING] the already existing repository backup directory ${date_dir}/${repo_id} has been removed"
+        rm -rf ${backup_dir}
+    else
+        echo "[WARNING] the repository backup directory already exists. Quit now ${backup_dir}"
+        exit 0
+    fi
 fi
 
 mkdir -p ${backup_dir}
 touch ${dest_dir}/head
+set -f
 exec /usr/local/bin/xrsync ${repos[$repo_id]}/ ${head_dir} --delete-after --backup --backup-dir=${backup_dir} ${options[$repo_id]}
diff --git a/porthos/root/usr/local/bin/xrsync b/porthos/root/usr/local/bin/xrsync
index 8c3b7cd..7a51068 100755
--- a/porthos/root/usr/local/bin/xrsync
+++ b/porthos/root/usr/local/bin/xrsync
@@ -24,13 +24,20 @@
 attempts=3
 src=$1 ; shift
 dest=$1 ; shift
-    
+
 for ((I=1; I < attempts; I++)); do
     rsync -aqSH --no-super --no-g --no-o "${@}" "${src}" "${dest}"
-    if [[ $? == 0 ]]; then
+    ret_rsync=$?
+    if [[ $ret_rsync == 0 ]]; then
         exit 0
+    elif [[ $ret_rsync == 1 ]]; then
+        echo "[ERROR] rsync bad syntax"
+        exit 1
+    elif [[ $ret_rsync == 20 ]]; then
+        echo "[ERROR] rsync signal caught"
+        exit 2
     fi
-    echo "[WARNING] rsync from $src failed; attempt $I of ${attempts}..." 1>&2
+    echo "[WARNING] rsync from $src failed with code $ret_rsync; attempt $I of ${attempts}..." 1>&2
     ((I < attempts)) && sleep $(($RANDOM % 30))
 done