diff --git a/docker-compose.yml b/docker-compose.yml index 642deb8..cee38df 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,16 +8,15 @@ services: environment: OPTIONS: --no-auth - caddy: - image: caddy:alpine - container_name: caddy + envoy: + image: envoyproxy/envoy:v1.33-latest + user: root + container_name: envoy restart: unless-stopped ports: - - "443:443" + - "443:10000" volumes: - - ./Caddyfile:/etc/caddy/Caddyfile:ro - - ./certs/soteria.crt:/certs/soteria.crt:ro - - ./certs/soteria.key:/certs/soteria.key:ro - - ${HOME}/.step/certs/root_ca.crt:/certs/root_ca.crt:ro + - ./envoy.yaml:/etc/envoy/envoy.yaml:ro + - /var/lib/tls:/certs depends_on: - - rest-server \ No newline at end of file + - rest-server diff --git a/envoy.yaml b/envoy.yaml new file mode 100644 index 0000000..91e39eb --- /dev/null +++ b/envoy.yaml 
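Review bot: The new `/var/lib/tls:/certs` bind mount drops the `:ro` flag that every certificate mount in the removed Caddy lines carried, and the same service is now started with `user: root`, so a compromised proxy process could modify the host's TLS material, including the private key envoy.yaml reads from `/certs/envoy.pem`. Mount it read-only, `- /var/lib/tls:/certs:ro`, and prefer giving the image's default non-root user read access to that directory (for example via group ownership plus `group_add`) over `user: root`; if root is genuinely required to read the key, a comment saying why would help the next reader. `envoyproxy/envoy:v1.33-latest` is a floating tag, so the proxy version can change silently between pulls; pinning a specific patch tag or an image digest makes the deployment reproducible.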
@@ -0,0 +1,62 @@
+static_resources:
+ listeners:
+ - name: listener_0
+ address:
+ socket_address:
+ address: 0.0.0.0
+ port_value: 10000
+ filter_chains:
+ - transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+ require_client_certificate: true
+ common_tls_context:
+ tls_params:
+ tls_minimum_protocol_version: TLSv1_3
+ validation_context:
+ trusted_ca:
+ filename: /certs/root_ca.crt
+ match_typed_subject_alt_names:
+ - san_type: URI
+ matcher:
+ # exact: proxy-postgres-frontend.example.com
+ exact: spiffe://john-stream.com/ubuntu
+ tls_certificates:
+ - certificate_chain:
+ filename: /certs/cert.pem
+ private_key:
+ filename: /certs/envoy.pem
+ filters:
+ - name: envoy.filters.network.http_connection_manager
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ stat_prefix: ingress_http
+ route_config:
+ name: local_route
+ virtual_hosts:
+ - name: local_service
+ domains: ["*"]
+ routes:
+ - match:
+ prefix: "/"
+ route:
+ cluster: rest_server
+ http_filters:
+ - name: envoy.filters.http.router
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+ clusters:
+ - name: rest_server
+ connect_timeout: 0.25s
+ type: STRICT_DNS
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: rest_server
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: rest-server
+ port_value: 8000
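Review bot: The `matcher` block under `match_typed_subject_alt_names` still carries the commented-out `# exact: proxy-postgres-frontend.example.com` line, which looks like a leftover from an example and will confuse anyone checking which client identity is actually authorized; remove it, or replace it with a comment that states the policy, e.g. `# Only the workload presenting this SPIFFE URI SAN is admitted; client certs must chain to /certs/root_ca.crt`. The listener enforces client certificates and TLS 1.3, but the `rest_server` cluster forwards to `rest-server:8000` in plaintext and the docker-compose hunk starts that service with `OPTIONS: --no-auth`, so the mTLS check is the only authorization step; a comment on the cluster saying so, plus confirming that port 8000 is not published outside the compose network (that service definition is outside this hunk), would make the trust boundary explicit. A leading `---` document marker would also satisfy yamllint's default document-start rule.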