diff --git a/docker-compose.yml b/docker-compose.yml
index f4d353b..65e5a6d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,3 +1,5 @@
+version: "3.8"
+
 services:
   db:
     image: mariadb:10.11
@@ -27,8 +29,10 @@ services:
       APACHE_RUN_GROUP: www-data
       APACHE_RUN_GROUP_ID: 33
 
-      # Critical: enable proxy support in FileRun!
+      # Behind reverse proxy
       FR_USE_PROXY: "true"
+      # (OPTIONAL but recommended)
+      FR_BASEURL: "https://filerun.rozic-dev.com"
 
     volumes:
       - ./filerun_html:/var/www/html
@@ -43,27 +47,37 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=traefik_default"
 
-      # Create redirect middleware to HTTPS
-      - "traefik.http.middlewares.filerun-redirect.redirectscheme.scheme=https"
-      - "traefik.http.middlewares.filerun-redirect.redirectscheme.permanent=true"
-
-      # FileRun headers (required behind proxy)
-      - "traefik.http.middlewares.filerun-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
-      - "traefik.http.middlewares.filerun-headers.headers.customrequestheaders.X-Forwarded-Host=filerun.rozic-dev.com"
-
-      # HTTP Router → redirect to HTTPS
+      # -------------------------------
+      # HTTP router → uses GLOBAL redirect-to-https
+      # -------------------------------
       - "traefik.http.routers.filerun-http.entrypoints=web"
       - "traefik.http.routers.filerun-http.rule=Host(`filerun.rozic-dev.com`)"
-      - "traefik.http.routers.filerun-http.middlewares=filerun-redirect@docker"
+      - "traefik.http.routers.filerun-http.middlewares=redirect-to-https"
 
-      # HTTPS Router
+      # -------------------------------
+      # HTTPS router (real traffic)
+      # -------------------------------
       - "traefik.http.routers.filerun-https.entrypoints=websecure"
       - "traefik.http.routers.filerun-https.rule=Host(`filerun.rozic-dev.com`)"
       - "traefik.http.routers.filerun-https.tls=true"
       - "traefik.http.routers.filerun-https.tls.certresolver=letsencrypt"
-      - "traefik.http.routers.filerun-https.middlewares=filerun-headers@docker"
+      - "traefik.http.routers.filerun-https.service=filerun"
+      - "traefik.http.routers.filerun-https.middlewares=filerun-headers,filerun-oauth-header"
 
-      # Backend service
+      # -------------------------------
+      # Middleware: proxy headers for FileRun
+      # -------------------------------
+      - "traefik.http.middlewares.filerun-headers.headers.customRequestHeaders.X-Forwarded-Proto=https"
+      - "traefik.http.middlewares.filerun-headers.headers.customRequestHeaders.X-Forwarded-Host=filerun.rozic-dev.com"
+
+      # -------------------------------
+      # Middleware: Nextcloud OAuth redirect header (if you need it)
+      # -------------------------------
+      - "traefik.http.middlewares.filerun-oauth-header.headers.customResponseHeaders.X-Nextcloud-Redirect-Url=nc://auth-finished"
+
+      # -------------------------------
+      # Service (internal port in container)
+      # -------------------------------
       - "traefik.http.services.filerun.loadbalancer.server.port=80"
 
 networks: