diff --git a/doc/docker-compose.yml b/doc/docker-compose.yml
index e29df6e..06cbeba 100644
--- a/doc/docker-compose.yml
+++ b/doc/docker-compose.yml
@@ -3,9 +3,25 @@ version: '3'
 services:
+ traefik:
+ image: traefik:v2.2.11
+ restart: always
+ ports:
+ - 443:443
+ - 80:80
+ - 1935:1935
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./traefik/traefik.yml:/etc/traefik/traefik.yml
+ - ./traefik_data:/data
+ labels:
+ # middleware hsts
+ - "traefik.http.middlewares.security_header.headers.stsPreload=true"
+
 # RTMP to WebRTC server
 ovenmediaengine:
 image: airensoft/ovenmediaengine:0.10.7
+ restart: always
 ports:
 # WebRTC ICE
 - 10000-10005:10000-10005/udp
@@ -15,21 +31,29 @@ services:
 - "traefik.enable=true"
 - "traefik.http.routers.ovenmediaengine.rule=Host(`stream.example.com`) && PathPrefix(`/app/`)"
 - "traefik.http.routers.ovenmediaengine.priority=101"
+ - "traefik.http.routers.ovenmediaengine.entrypoints=websecure"
+ - "traefik.http.routers.ovenmediaengine.tls.certresolver=mytlschallenge"
 - "traefik.http.services.ovenmediaengine.loadbalancer.server.port=3333"
 # RTMP server that authenticate stream against ghostream
 rtmp_server:
- image: nginx:1.19.2
+ # FIXME: nginx image does not have RTMP module
+ # this image should be build from this repo
+ image: tiangolo/nginx-rtmp:latest-2020-08-16
+ restart: always
 volumes:
 - ./nginx/nginx-docker.conf:/etc/nginx/nginx.conf:ro
 labels:
 - "traefik.enable=true"
 - "traefik.tcp.routers.rtmp.rule=Host(`stream.example.com`)"
+ - "traefik.tcp.routers.rtmp.entrypoints=rtmpsecure"
+ - "traefik.tcp.routers.rtmp.tls.certresolver=mytlschallenge"
 - "traefik.tcp.services.rtmp.loadbalancer.server.port=1925"
 # Ghostream is the web frontend to OvenMediaEngine
 ghostream:
 build: ../
+ restart: always
 environment:
 - FLASK_CONFIG=production
 - LDAP_URI=ldap://127.0.0.1:389
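Review bot: The new traefik service bind-mounts `/var/run/docker.sock` read-write, which gives the internet-facing proxy full control of the Docker daemon, and therefore of the host, if it is ever compromised through one of the three ports it publishes. Appending `:ro` is the customary minimum, but a read-only bind mount does not constrain the API spoken over the socket; a filtered socket proxy exposing only the read endpoints the Docker provider needs is the robust option, and whichever is chosen deserves a comment next to the volume line stating why the socket is mounted at all. The `security_header` HSTS middleware added under labels looks inert as written: the traefik container carries no `traefik.enable=true` label while the accompanying traefik.yml turns off exposing containers by default, no router in the hunks shown attaches `security_header` via a `middlewares` label, and Traefik only emits Strict-Transport-Security when `stsSeconds` is non-zero, so `stsPreload=true` alone produces no header. Add `- "traefik.http.middlewares.security_header.headers.stsSeconds=31536000"` beside it and reference the middleware from the HTTPS routers. Quoting the port mappings (`- "443:443"`) is also the compose convention, so that YAML 1.1 sexagesimal parsing can never turn a mapping into an integer.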
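Review bot: The added `tls.certresolver=mytlschallenge` labels name a resolver that the new traefik.yml in this commit defines as `le`, so the ovenmediaengine and rtmp routers will most likely never obtain an ACME certificate and Traefik will serve its default self-signed certificate instead; the ghostream labels in the next hunk have the same mismatch. Either rename the resolver in traefik.yml to `mytlschallenge` or change all three label pairs to `tls.certresolver=le`, and keep the two files in sync with a comment naming the other. `tiangolo/nginx-rtmp:latest-2020-08-16` is a third-party image pulled by a mutable tag on the container that terminates every inbound stream; until the FIXME about building it from this repo is resolved, pin it by digest (`image: tiangolo/nginx-rtmp@sha256:<digest>`, placeholder) so a retagged upstream image cannot silently change what runs here. Enabling TLS on the `rtmp` TCP router also depends on SNI-based routing, and Traefik TCP routers match with `HostSNI(...)` rather than `Host(...)`, so the pre-existing rule line two lines above the new entrypoint label appears to need the same change for the TLS termination to work.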
@@ -41,4 +65,6 @@ services:
 - "traefik.enable=true"
 - "traefik.http.routers.ghostream.rule=Host(`stream.example.com`)"
 - "traefik.http.routers.ghostream.priority=100"
+ - "traefik.http.routers.ghostream.entrypoints=websecure"
+ - "traefik.http.routers.ghostream.tls.certresolver=mytlschallenge"
 - "traefik.http.services.ghostream.loadbalancer.server.port=8080"
diff --git a/doc/traefik/traefik.yml b/doc/traefik/traefik.yml
new file mode 100644
index 0000000..9c836a2
--- /dev/null
+++ b/doc/traefik/traefik.yml
@@ -0,0 +1,26 @@
+providers:
+ docker:
+ # Do not expose containers by default
+ exposedbydefault: False
+
+entryPoints:
+ web:
+ address: ":80"
+ http:
+ redirections:
+ entryPoint:
+ to: web-secure
+ scheme: https
+ websecure:
+ address: ":443"
+ rtmpsecure:
+ address: ":1935"
+
+certificatesResolvers:
+ le:
+ acme:
+ email: root@example.com
+ storage: /data/acme.json
+ httpChallenge:
+ entryPoint: web
+
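Review bot: The HTTP-to-HTTPS redirection in the `web` entrypoint targets `to: web-secure`, but the TLS entrypoint is declared as `websecure`, so the redirect points at an entrypoint that does not exist and plain-HTTP requests on :80 will either make Traefik refuse to start or keep being answered without encryption, depending on the version's validation; change it to `to: websecure`. `exposedbydefault: False` appears to work only because Traefik matches option names case-insensitively and YAML 1.1 loaders accept `False` as a boolean; the documented spelling `exposedByDefault: false` avoids depending on either. `/data/acme.json` will hold the ACME account key and every issued certificate's private key, and hunk 1 bind-mounts it from `./traefik_data` inside the doc directory, so that path should be excluded from version control and kept owner-only on the host, with a comment on the `storage:` line saying so.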