diff --git a/images/nginx-slim/Dockerfile b/images/nginx-slim/Dockerfile
index dbbffcc5f..4c1c08c82 100644
--- a/images/nginx-slim/Dockerfile
+++ b/images/nginx-slim/Dockerfile
@@ -26,6 +26,7 @@ RUN /tmp/build.sh
 RUN ln -sf /dev/stdout /var/log/nginx/access.log
 RUN ln -sf /dev/stderr /var/log/nginx/error.log
-EXPOSE 80 443
+EXPOSE 8080 8443
+USER nginx
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/images/nginx-slim/Makefile b/images/nginx-slim/Makefile
index 6f66c1a4a..f1f4ce735 100644
--- a/images/nginx-slim/Makefile
+++ b/images/nginx-slim/Makefile
@@ -13,7 +13,7 @@
 # limitations under the License.
 # 0.0.0 shouldn't clobber any released builds
-TAG = 0.18
+TAG = 0.19
 REGISTRY = gcr.io/google_containers
 ARCH ?= $(shell go env GOARCH)
 ALL_ARCH = amd64 arm ppc64le
diff --git a/images/nginx-slim/build.sh b/images/nginx-slim/build.sh
index 916f0814e..d85c8b3ac 100755
--- a/images/nginx-slim/build.sh
+++ b/images/nginx-slim/build.sh
@@ -55,6 +55,9 @@ if [[ ${ARCH} == "ppc64le" ]]; then
 apt-get update && apt-get install --no-install-recommends -y lua5.1 lua5.1-dev
 fi
+# add user and group
+adduser --system --group nginx
+
 # install required packages to build
 apt-get update && apt-get install --no-install-recommends -y \
 bash \
@@ -161,7 +164,7 @@ fi
 --http-log-path=/var/log/nginx/access.log \
 --error-log-path=/var/log/nginx/error.log \
 --lock-path=/var/lock/nginx.lock \
- --pid-path=/run/nginx.pid \
+ --pid-path=/run/nginx/nginx.pid \
 --http-client-body-temp-path=/var/lib/nginx/body \
 --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
 --http-proxy-temp-path=/var/lib/nginx/proxy \
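Review bot: `USER nginx` in images/nginx-slim/Dockerfile refers to the account by name, and build.sh creates it with `adduser --system --group nginx` (hunk at -55), which leaves the UID to whatever the base image allocates next. Kubernetes `runAsNonRoot` cannot verify a non-numeric user from the image config, and a UID that can change between rebuilds makes file ownership on mounted volumes unpredictable. Create the account with a fixed id, `adduser --system --group --uid <UID> nginx`, and reference the same number here as `USER <UID>` (`<UID>` is a placeholder for the maintainers to choose).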
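Review bot: The new `--pid-path=/run/nginx/nginx.pid` in build.sh (hunk at -161) depends on a directory that exists only because the image build creates and chowns `/run/nginx` (hunk at -240). If a deployment mounts a tmpfs or volume over `/run`, as read-only-root-filesystem setups commonly do, the directory is hidden and the unprivileged process cannot recreate it, so nginx would presumably fail at startup. A comment beside the `mkdir -p … /run/nginx` line would record the requirement, for example `# /run/nginx holds the pid file; it must exist and be writable by nginx at runtime`. The configure invocation this option belongs to starts and ends outside the hunk.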
@@ -240,7 +243,19 @@ apt-get remove -y --purge \
 apt-get autoremove -y
-mkdir -p /var/lib/nginx/body /usr/share/nginx/html
+# Download of GeoIP databases
+curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
+ && curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
+ && gunzip /etc/nginx/GeoIP.dat.gz \
+ && gunzip /etc/nginx/GeoLiteCity.dat.gz
+
+# create runtime directories
+mkdir -p /var/lib/nginx/body /usr/share/nginx/html /run/nginx
+
+chown -R nginx:nginx /etc/nginx /var/lib/nginx /run/nginx
+
+# use non privileged port by default
+sed -i 's/listen 80;/listen 8080;/' /etc/nginx/nginx.conf
 mv /usr/share/nginx/sbin/nginx /usr/sbin
@@ -249,9 +264,3 @@ rm -Rf /usr/share/man /usr/share/doc
 rm -rf /tmp/* /var/tmp/*
 rm -rf /var/lib/apt/lists/*
 rm -rf /var/cache/apt/archives/*
-
-# Download of GeoIP databases
-curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
- && curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
- && gunzip /etc/nginx/GeoIP.dat.gz \
- && gunzip /etc/nginx/GeoLiteCity.dat.gz
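Review bot: The GeoIP databases in the hunk at -240 are fetched over plain `http://` with `curl -sSL` and unpacked without any integrity check, so anyone on the network path during the build can substitute the files that nginx later parses. Because `-f` is not set, an HTTP error page is also written to disk as if it were the archive. Pin a digest per file and verify it before `gunzip`, e.g. `curl -fsSL -o /etc/nginx/GeoIP.dat.gz <URL>` followed by `echo "<SHA256>  /etc/nginx/GeoIP.dat.gz" | sha256sum -c -` (`<URL>` and `<SHA256>` are placeholders), and use a TLS endpoint if the provider offers one. Separately, `chown -R nginx:nginx /etc/nginx` makes the configuration and these databases writable by the runtime user; if nginx only needs to read them, limit the recursive chown to `/var/lib/nginx` and `/run/nginx`.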