diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..7845153
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,19 @@
+{
+ debug
+}
+
+:8443 {
+ tls /certs/foo.crt /certs/foo.key {
+ client_auth {
+ mode require_and_verify
+ trusted_ca_cert_file /certs/root_ca.crt
+ }
+ }
+
+ reverse_proxy rest-server:8000 {
+ header_up Host {host}
+ header_up X-Real-IP {remote}
+ header_up X-Forwarded-For {remote}
+ header_up X-Forwarded-Proto {scheme}
+ }
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index a245c02..c195003 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,10 +2,18 @@ services:
 rest-server:
 image: restic/rest-server
 restart: unless-stopped
- ports:
- - "8000:8000"
 volumes:
 - /mnt/restic:/data
- - ./certs:/certs:ro
 environment:
- - OPTIONS=--tls --tls-cert /certs/foo.crt --tls-key /certs/foo.key
+ - OPTIONS=--no-auth
+
+ caddy:
+ image: caddy:alpine
+ restart: unless-stopped
+ ports:
+ - "8443:8443"
+ volumes:
+ - ./Caddyfile:/etc/caddy/Caddyfile:ro
+ - ./certs:/certs:ro
+ depends_on:
+ - rest-server
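Review bot: The `header_up X-Real-IP {remote}` and `header_up X-Forwarded-For {remote}` lines forward the client address together with its source port, because `{remote}` expands to `host:port`; `{remote_host}` is the placeholder for the bare IP. Caddy's `reverse_proxy` already sets `X-Forwarded-For` and `X-Forwarded-Proto` and passes `Host` through unchanged, so those three `header_up` lines can be dropped, keeping only `header_up X-Real-IP {remote_host}` if the backend reads that header. The global `debug` option is also left enabled; as this proxy is now the only point where clients are authenticated, it should be removed outside troubleshooting, with a `log` directive added to the `:8443` block so requests are recorded at normal verbosity.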
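Review bot: With `OPTIONS=--no-auth` the rest-server accepts every request that reaches port 8000, so the client-certificate check in Caddy becomes the only access control, and any other container that joins the same Compose network can read or write the repositories directly. Removing the `ports:` mapping keeps the backend off the host, but both services still share the project's default network; putting `rest-server` and `caddy` on a dedicated network declared `internal: true` (with `caddy` also on the default network for its published port), or keeping rest-server's own htpasswd authentication behind the proxy, would narrow that. `image: caddy:alpine` is a floating tag, so the component that now terminates TLS and verifies client certificates can change on any pull; pin it, for example `image: caddy:<version>-alpine` or an image digest.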