diff --git a/app/models/user.rb b/app/models/user.rb
index 1695b2c7e..e0e7299dd 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -472,6 +472,7 @@ class User < ActiveRecord::Base
 url.gsub! "{color}", letter_avatar_color(username.downcase)
 url.gsub! "{username}", username
 url.gsub! "{first_letter}", username[0].downcase
+ url.gsub! "{hostname}", Discourse.current_hostname
 url
 else
 "#{Discourse.base_uri}/letter_avatar/#{username.downcase}/{size}/#{LetterAvatar.version}.png"
diff --git a/config/nginx.sample.conf b/config/nginx.sample.conf
index e9d815fc9..930b2c161 100644
--- a/config/nginx.sample.conf
+++ b/config/nginx.sample.conf
@@ -180,7 +180,7 @@ server {
 # This big block is needed so we can selectively enable
 # acceleration for backups and avatars
 # see note about repetition above
- location ~ ^/(letter_avatar|user_avatar|highlight-js|stylesheets|favicon/proxied) {
+ location ~ ^/(letter_avatar/|user_avatar|highlight-js|stylesheets|favicon/proxied) {
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -199,6 +199,25 @@ server {
 break;
 }
+ location /letter_avatar_proxy/ {
+ # Don't send any client headers to the avatars service
+ proxy_method GET;
+ proxy_pass_request_headers off;
+ proxy_pass_request_body off;
+
+ # Don't let cookies interrupt caching, and don't pass them to the
+ # client
+ proxy_ignore_headers "Set-Cookie";
+ proxy_hide_header "Set-Cookie";
+
+ proxy_cache one;
+ proxy_cache_key $uri;
+ proxy_cache_valid 200 7d;
+ proxy_cache_valid 404 1m;
+
+ proxy_pass https://avatars.discourse.org/;
+ }
+
 # this means every file in public is tried first
 try_files $uri @discourse;
 }
diff --git a/config/site_settings.yml b/config/site_settings.yml
index e5583b231..d7e8ab67c 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
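Review bot: In app/models/user.rb the new `{hostname}` substitution is not exercised anywhere in this commit; the updated spec asserts only the default template, which contains no `{hostname}` token. Add an example that sets `external_system_avatars_url` to a template containing `{hostname}` and checks the expanded URL. The value is also inserted as-is, so confirm that `Discourse.current_hostname` comes from site configuration rather than from a request-supplied host (not visible here), since it would otherwise flow into every generated avatar URL. The enclosing method starts and ends outside the hunk.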
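Review bot: In config/nginx.sample.conf (hunk at line 180) the trailing slash added to `letter_avatar/` is load-bearing and undocumented: nginx lets a matching regex location win over a plain prefix location, so without the slash `/letter_avatar_proxy/...` would be handled by this block instead of the new one. Add a comment such as `# "letter_avatar/" keeps its slash so /letter_avatar_proxy/ is not matched here`, or declare the new block as `location ^~ /letter_avatar_proxy/` so its precedence does not depend on this pattern. The existing comment mentions a repetition elsewhere in the file; any copy of the pattern outside this hunk would need the same change.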
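Review bot: The new `location /letter_avatar_proxy/` block in config/nginx.sample.conf proxies to an `https://` upstream without enabling certificate verification; nginx leaves `proxy_ssl_verify` off by default, so the connection is encrypted but the peer is not authenticated. Because 200 responses are cached for 7 days and are now served from the forum's own origin rather than a third-party host, a response substituted on the network path would persist in the cache and be delivered under the site's origin. Turn on upstream verification with SNI as sketched below (the CA bundle path is a placeholder), and consider sending `X-Content-Type-Options: nosniff` from this location so a non-image body is not interpreted by the browser.

```nginx
location /letter_avatar_proxy/ {
  # … unchanged: method/header/body stripping, Set-Cookie handling, cache settings …

  # Authenticate the avatar service; proxied TLS peers are not verified by default
  proxy_ssl_server_name on;
  proxy_ssl_name avatars.discourse.org;
  proxy_ssl_verify on;
  proxy_ssl_verify_depth 2;
  proxy_ssl_trusted_certificate <PATH-TO-SYSTEM-CA-BUNDLE>;  # placeholder

  proxy_pass https://avatars.discourse.org/;
```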
@@ -595,9 +595,9 @@ files:
 client: true
 shadowed_by_global: true
 external_system_avatars_url:
- default: "https://avatars.discourse.org/v2/letter/{first_letter}/{color}/{size}.png"
+ default: "/letter_avatar_proxy/v2/letter/{first_letter}/{color}/{size}.png"
 client: true
- regex: '^https?:\/\/.+[^\/]'
+ regex: '^((https?:)?\/)?\/.+[^\/]'
 default_opengraph_image_url: ''
 trust:
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index aabf7150e..9b06d76c7 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -912,7 +912,7 @@ describe User do
 expect(user.small_avatar_url).to eq("//test.localhost/letter_avatar/sam/45/#{LetterAvatar.version}.png")
 SiteSetting.external_system_avatars_enabled = true
- expect(user.small_avatar_url).to eq("https://avatars.discourse.org/v2/letter/s/5f9b8f/45.png")
+ expect(user.small_avatar_url).to eq("//test.localhost/letter_avatar_proxy/v2/letter/s/5f9b8f/45.png")
 end
 end
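Review bot: The new `regex` for `external_system_avatars_url` in config/site_settings.yml starts with `^` and has no end anchor, so the trailing `[^\/]` does not actually reject a value that ends in `/`. If the pattern is evaluated as a Ruby regex (the validator is not visible here), `^` also matches at any line start rather than only at the start of the string. The pattern now admits protocol-relative `//host/...` values as well as site-relative paths, which may or may not be intended. Suggest `regex: '\A((https?:)?\/)?\/.+[^\/]\z'`, plus a short comment above it listing the three accepted forms (absolute, protocol-relative, site-relative).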