diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index 67bc3c5029c290676a777115179b273b2e8851ef..c9424785ba94d9c6c16f5e5e636706240b316b2d 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -254,6 +254,17 @@ in {
           # we pass less scanning spam on to our backend
           # Want a regex instead? try locations."~ /v\d+/"
           proxyPass = "http://127.0.0.1:${internalHttpPort}";
+
+          # The redemption endpoint can intentionally delay its response for
+          # up to 600 seconds for a cheap kind of server-push when payment
+          # completes.  Let that timeout control how long the connection stays
+          # open.  PaymentServer does not accept configuration for that
+          # duration so we also hard-code it here.
+          #
+          # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
+          extraConfig = ''
+            proxy_read_timeout 660;
+          '';
         };
         locations."/metrics" = {
           # Only allow our monitoringvpn subnet