diff --git a/docker-compose.yml b/docker-compose.yml
index 705a148..990f076 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,23 +8,33 @@ services:
     environment:
       - HOSTNAME=0.0.0.0
       - HOST=0.0.0.0
+
+  betterbahn-proxy:
+    image: alpine/socat:latest
+    depends_on: [betterbahn]
+    # Share the app's network namespace so we can reach 127.0.0.1:3000
+    network_mode: "service:betterbahn"
+    command: ["sh", "-c", "socat TCP-LISTEN:8080,fork,reuseaddr TCP:127.0.0.1:3000"]
     labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=dokploy-network"
-      - "traefik.http.services.betterbahn-app.loadbalancer.server.port=3000" # set port the container listenes to
-      - "traefik.http.services.betterbahn-app.loadbalancer.server.scheme=http"
-      - "traefik.http.routers.betterbahn-app-web.rule=Host(`${PUBLIC_DOMAIN}`)"
-      - "traefik.http.routers.betterbahn-app-web.service=betterbahn-app"
-      - "traefik.http.routers.betterbahn-app-web.entrypoints=web"
-      - "traefik.http.routers.betterbahn-app-web.middlewares=redirect-to-https@file"
-      - "traefik.http.routers.betterbahn-app-websecure.rule=Host(`${PUBLIC_DOMAIN}`)"
-      - "traefik.http.routers.betterbahn-app-websecure.service=betterbahn-app"
-      - "traefik.http.routers.betterbahn-app-websecure.entrypoints=websecure"
-      - "traefik.http.routers.betterbahn-app-websecure.tls=true"
-      - "traefik.http.routers.betterbahn-app-websecure.tls.certresolver=hetzner"
-      - "traefik.http.routers.betterbahn-app-websecure.tls.domains[0].main=${TLS_DOMAIN}"
-      - "traefik.http.middlewares.betterbahn-app-hostheader.headers.customrequestheaders.Host=betterbahn"
-      - "traefik.http.routers.betterbahn-app-websecure.middlewares=secHeaders@file, autodetectContenttype@file, authentikProd@file, betterbahn-app-hostheader"
+    - "traefik.enable=true"
+    - "traefik.docker.network=dokploy-network"
+
+    - "traefik.http.services.betterbahn-app.loadbalancer.server.port=3000" # set port the container listenes to
+    - "traefik.http.services.betterbahn-app.loadbalancer.server.scheme=http"
+
+    - "traefik.http.routers.betterbahn-app-web.rule=Host(`${PUBLIC_DOMAIN}`)"
+    - "traefik.http.routers.betterbahn-app-web.service=betterbahn-app"
+    - "traefik.http.routers.betterbahn-app-web.entrypoints=web"
+    - "traefik.http.routers.betterbahn-app-web.middlewares=redirect-to-https@file"
+
+    - "traefik.http.routers.betterbahn-app-websecure.rule=Host(`${PUBLIC_DOMAIN}`)"
+    - "traefik.http.routers.betterbahn-app-websecure.service=betterbahn-app"
+    - "traefik.http.routers.betterbahn-app-websecure.entrypoints=websecure"
+    - "traefik.http.routers.betterbahn-app-websecure.tls=true"
+    - "traefik.http.routers.betterbahn-app-websecure.tls.certresolver=hetzner"
+    - "traefik.http.routers.betterbahn-app-websecure.tls.domains[0].main=${TLS_DOMAIN}"
+    - "traefik.http.routers.betterbahn-app-websecure.middlewares=secHeaders@file, autodetectContenttype@file, authentikProd@file"
+
   # whoami:
   #   image: traefik/whoami
   #   networks: