diff --git a/docs/docs/self-hosting/deploy/.gitignore b/docs/docs/self-hosting/deploy/.gitignore
index aba9338c1f..96d990ab84 100644
--- a/docs/docs/self-hosting/deploy/.gitignore
+++ b/docs/docs/self-hosting/deploy/.gitignore
@@ -1 +1 @@
-*.pat
\ No newline at end of file
+*.pat
diff --git a/docs/docs/self-hosting/manage/.gitignore b/docs/docs/self-hosting/manage/.gitignore
new file mode 100644
index 0000000000..468fc82648
--- /dev/null
+++ b/docs/docs/self-hosting/manage/.gitignore
@@ -0,0 +1,3 @@
+**/*.pat
+**/selfsigned.crt
+**/selfsigned.key
diff --git a/docs/docs/self-hosting/manage/reverseproxy/_caddy.mdx b/docs/docs/self-hosting/manage/reverseproxy/_caddy.mdx
deleted file mode 100644
index 5b0b32b6ad..0000000000
--- a/docs/docs/self-hosting/manage/reverseproxy/_caddy.mdx
+++ /dev/null
@@ -1,25 +0,0 @@
-## TLS mode external
-
-```
-https://localhost {
-        reverse_proxy h2c://localhost:8080
-        tls internal #only non production
-}
-```
-
-## TLS mode enabled
-
-```
-https://localhost {
-        reverse_proxy https://localhost:8080
-        tls internal #only non production
-}
-```
-
-## TLS mode disabled
-
-```
-http://localhost {
-        reverse_proxy h2c://localhost:8080
-}
-```
diff --git a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_more.mdx b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_more.mdx
index e3e2a99400..9ab0d6c6f8 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_more.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_more.mdx
@@ -1,2 +1,2 @@
-- [Read more about ZITADELs TLS Modes](/self-hosting/manage/tls_modes)
-- [Read more about how ZITADEL uses HTTP/2](/self-hosting/manage/http2)
+- [Read more about Zitadel's TLS Modes](/self-hosting/manage/tls_modes)
+- [Read more about how Zitadel uses HTTP/2](/self-hosting/manage/http2)
diff --git a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_overview.mdx b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_overview.mdx
index f72eb6eec5..edb77e1a05 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_overview.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_overview.mdx
@@ -1,8 +1,8 @@
 import CodeBlock from '@theme/CodeBlock';
 import ComposeYaml from "!!raw-loader!./docker-compose.yaml";
 
-<>With these examples, you create and run a minimal {props.link} configuration for ZITADEL with <a href="https://docs.docker.com/compose">Docker Compose</a>.
-Whereas the guide focuses on the configuration for {props.name}, you can inspect the configurations for ZITADEL and the database in the base Docker Compose file.</>
+<>With these examples, you create and run a minimal {props.link} configuration for Zitadel with <a href="https://docs.docker.com/compose">Docker Compose</a>.
+Whereas the guide focuses on the configuration for {props.name}, you can inspect the configurations for the Zitadel API, the Zitadel login and the database in the base Docker Compose file.</>
 <details>
     <summary>base docker-compose.yaml</summary>
     <CodeBlock language="yaml">{ComposeYaml}</CodeBlock>
diff --git a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx
index 43663af486..491175a172 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx
@@ -4,27 +4,27 @@ export const Description = ({mode, name}) => {
     let desc
     switch (mode) {
         case "disabled":
-            desc = <>Neither {name} nor ZITADEL terminates TLS.
-                Nevertheless, {name} forwards unencrypted HTTP/2 traffic, aka h2c, to ZITADEL.</>;
+            desc = <>Neither {name} nor Zitadel terminates TLS.
+                Nevertheless, {name} forwards unencrypted HTTP/2 traffic, aka h2c, to Zitadel.</>;
             break;
         case "external":
-            desc = <>{name} terminates TLS and forwards the requests to ZITADEL via unencrypted h2c.
+            desc = <>{name} terminates TLS and forwards the requests to Zitadel via unencrypted h2c.
                 This example uses an unsafe self-signed certificate for {name}</>;
             break;
         case "enabled":
-            desc = <>{name} terminates TLS and forwards the requests to ZITADEL via encrypted HTTP/2.
-                This example uses an unsafe self-signed certificate for {name} and the same for ZITADEL.</>;
+            desc = <>{name} terminates TLS and forwards the requests to Zitadel via encrypted HTTP/2.
+                This example uses an unsafe self-signed certificate for {name} and the same for Zitadel.</>;
             break;
     }
     return (
         <>
             {desc}
-            <>By executing the commands below, you will download the files necessary to run ZITADEL behind {name} with the following config:</>
+            <>By executing the commands below, you will download the files necessary to run Zitadel behind {name} with the following config:</>
         </>)
 }
 
 export const Commands = ({mode, name, lower, configfilename}) => {
-    let genCert = '# Generate a self signed certificate and key.\nopenssl req -x509 -batch -subj "/CN=127.0.0.1.sslip.io/O=ZITADEL Demo" -nodes -newkey rsa:2048 -keyout ./selfsigned.key -out ./selfsigned.crt 2>/dev/null\n\n';
+    let genCert = '# Generate a self signed certificate and key.\nopenssl req -x509 -batch -subj "/CN=127.0.0.1.sslip.io/O=Zitadel Demo" -nodes -newkey rsa:2048 -keyout ./selfsigned.key -out ./selfsigned.crt 2>/dev/null\n\n';
     let connPort = "443"
     let connInsecureFlag = "--insecure "
     let connScheme = "https"
@@ -47,8 +47,8 @@ export const Commands = ({mode, name, lower, configfilename}) => {
                 {'wget $\{ZITADEL_CONFIG_FILES\}/'}{lower}{'/'}{configfilename}{' -O '}{configfilename}{' --quiet \n'}
                 {'\n'}
                 {genCert}
-                {'# Run the database, ZITADEL and '}{name}{'.'}{'\n'}
-                {'docker compose --file docker-compose-base.yaml --file docker-compose-'}{lower}{'.yaml up --detach --wait db zitadel-init zitadel-'}{mode}{'-tls proxy-'}{mode}{'-tls'}{'\n'}
+                {'# Run the database,  and '}{name}{'.'}{'\n'}
+                {'docker compose --file docker-compose-base.yaml --file docker-compose-'}{lower}{'.yaml up --detach --wait db zitadel-init zitadel-'}{mode}{'-tls login-'}{mode}{'-tls proxy-'}{mode}{'-tls'}{'\n'}
                 {'\n'}
                 {'# Test that gRPC and HTTP APIs work. Empty brackets like {} means success.\n'}
                 {'# Make sure you have the grpcurl cli installed on your machine https://github.com/fullstorydev/grpcurl?tab=readme-ov-file#installation\n'}
@@ -85,6 +85,6 @@ export const LoginURL = ({mode}) => {
 If the console loads normally, you know that the HTTP and gRPC-Web and gRPC APIs are working correctly.
 
 <CodeBlock language="bash">
-    {'# You can now stop the database, ZITADEL and '}{props.providername}{'.'}{'\n'}
+    {'# You can now stop the database, the Zitadel API, the Zitadel login and '}{props.providername}{'.'}{'\n'}
     {'docker compose --file docker-compose-base.yaml --file docker-compose-'}{props.lower}{'.yaml down'}{'\n'}
 </CodeBlock>
diff --git a/docs/docs/self-hosting/manage/reverseproxy/caddy/caddy.mdx b/docs/docs/self-hosting/manage/reverseproxy/caddy/caddy.mdx
index 5fb9ea4014..ee3b2935ed 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/caddy.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/caddy.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with Caddy
+title: Configure Zitadel with Caddy
 sidebar_label: Caddy
 ---
 
@@ -19,7 +19,7 @@ export const link = <a href="https://caddyserver.com/">{providername}</a>
 
 You can either setup your environment for <a href={'#tls-mode-external'}>TLS mode external</a> or <a href={'#tls-mode-enabled'}>TLS mode enabled</a>.
 
-<!-- grpc NOT WORKING
+<!-- login NOT WORKING
 ## TLS mode disabled
 
 <ProxyGuideTLSMode mode="disabled" configfilename="disabled-tls.Caddyfile" configfilecontent={ConfigDisabled} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
diff --git a/docs/docs/self-hosting/manage/reverseproxy/caddy/disabled-tls.Caddyfile b/docs/docs/self-hosting/manage/reverseproxy/caddy/disabled-tls.Caddyfile
index db5b3eb943..92a52fb30e 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/disabled-tls.Caddyfile
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/disabled-tls.Caddyfile
@@ -1,3 +1,4 @@
 http://127.0.0.1.sslip.io {
+	reverse_proxy /ui/v2/login/* http://login-disabled-tls:3000
 	reverse_proxy h2c://zitadel-disabled-tls:8080
 }
diff --git a/docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml
index c5fad6ab7b..9f095113e8 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml
@@ -7,7 +7,7 @@ services:
     ports:
       - "80:80"
     networks:
-      - 'zitadel'
+      - app
     depends_on:
       zitadel-disabled-tls:
         condition: 'service_healthy'
@@ -21,7 +21,7 @@ services:
     ports:
       - "443:443"
     networks:
-      - 'zitadel'
+      - app
     depends_on:
       zitadel-external-tls:
         condition: 'service_healthy'
@@ -35,10 +35,7 @@ services:
     ports:
       - "443:443"
     networks:
-      - 'zitadel'
+      - app
     depends_on:
       zitadel-enabled-tls:
         condition: 'service_healthy'
-
-networks:
-  zitadel:
diff --git a/docs/docs/self-hosting/manage/reverseproxy/caddy/enabled-tls.Caddyfile b/docs/docs/self-hosting/manage/reverseproxy/caddy/enabled-tls.Caddyfile
index 5040b1daaa..5bf41e8027 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/enabled-tls.Caddyfile
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/enabled-tls.Caddyfile
@@ -1,5 +1,6 @@
 https://127.0.0.1.sslip.io {
 	tls /etc/certs/selfsigned.crt /etc/certs/selfsigned.key
+	reverse_proxy /ui/v2/login/* http://login-enabled-tls:3000
 	reverse_proxy https://zitadel-enabled-tls:8080 {
 		transport http {
 			tls_insecure_skip_verify
diff --git a/docs/docs/self-hosting/manage/reverseproxy/caddy/external-tls.Caddyfile b/docs/docs/self-hosting/manage/reverseproxy/caddy/external-tls.Caddyfile
index 867b9f95b6..594c65efb7 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/external-tls.Caddyfile
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/external-tls.Caddyfile
@@ -1,4 +1,5 @@
 https://127.0.0.1.sslip.io {
 	tls /etc/certs/selfsigned.crt /etc/certs/selfsigned.key
+	reverse_proxy /ui/v2/login/* http://login-external-tls:3000
 	reverse_proxy h2c://zitadel-external-tls:8080
 }
diff --git a/docs/docs/self-hosting/manage/reverseproxy/cloudflare/cloudflare.mdx b/docs/docs/self-hosting/manage/reverseproxy/cloudflare/cloudflare.mdx
index 7810b909c4..55f834efbd 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/cloudflare/cloudflare.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/cloudflare/cloudflare.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with Cloudflare
+title: Configure Zitadel with Cloudflare
 sidebar_label: Cloudflare
 ---
 
@@ -8,7 +8,7 @@ sidebar_label: Cloudflare
 - [Make sure HTTP/2 is enabled](https://support.cloudflare.com/hc/en-us/articles/200168076-Understanding-Cloudflare-HTTP-2-and-HTTP-3-Support)
 - [Verify that gRPC is enabled](https://support.cloudflare.com/hc/en-us/articles/360050483011-Understanding-Cloudflare-gRPC-support)
 - [Verify that traffic is proxied through cloudflare](https://developers.cloudflare.com/dns/manage-dns-records/reference/proxied-dns-records/)
-- [Configure ZITADEL to use the TLS Mode enabled](/self-hosting/manage/tls_modes#enabled)
+- [Configure Zitadel to use the TLS Mode enabled](/self-hosting/manage/tls_modes#enabled)
 
 :::info
 [Cloudflare does only support gRPC with TLS!](https://support.cloudflare.com/hc/en-us/articles/360050483011-Understanding-Cloudflare-gRPC-support)
diff --git a/docs/docs/self-hosting/manage/reverseproxy/cloudflare_tunnel/cloudflare_tunnel.mdx b/docs/docs/self-hosting/manage/reverseproxy/cloudflare_tunnel/cloudflare_tunnel.mdx
index 829123637b..32be4cafec 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/cloudflare_tunnel/cloudflare_tunnel.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/cloudflare_tunnel/cloudflare_tunnel.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with Cloudflare Tunnel
+title: Configure Zitadel with Cloudflare Tunnel
 sidebar_label: Cloudflare Tunnel
 ---
 
diff --git a/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
index c4a4f93fb2..8bb3ff844b 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
@@ -3,23 +3,14 @@ services:
   zitadel-disabled-tls:
     extends:
       service: zitadel-init
-    command: 'start-from-setup --init-projections --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
+    command: 'start-from-setup --masterkey "MasterkeyNeedsToHave32Characters"'
     environment:
       ZITADEL_EXTERNALPORT: 80
       ZITADEL_EXTERNALSECURE: false
       ZITADEL_TLS_ENABLED: false
-      # database configuration
-      ZITADEL_DATABASE_POSTGRES_HOST: db
-      ZITADEL_DATABASE_POSTGRES_PORT: 5432
-      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
-      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
-      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
-      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
-      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
-      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
-      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
     networks:
-      - 'zitadel'
+      - app
+      - db
     depends_on:
       zitadel-init:
         condition: 'service_completed_successfully'
@@ -29,23 +20,14 @@ services:
   zitadel-external-tls:
     extends:
       service: zitadel-init
-    command: 'start-from-setup --init-projections --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
+    command: 'start-from-setup --masterkey "MasterkeyNeedsToHave32Characters"'
     environment:
       ZITADEL_EXTERNALPORT: 443
       ZITADEL_EXTERNALSECURE: true
       ZITADEL_TLS_ENABLED: false
-      # database configuration
-      ZITADEL_DATABASE_POSTGRES_HOST: db
-      ZITADEL_DATABASE_POSTGRES_PORT: 5432
-      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
-      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
-      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
-      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
-      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
-      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
-      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
     networks:
-      - 'zitadel'
+      - app
+      - db
     depends_on:
       db:
         condition: 'service_healthy'
@@ -55,28 +37,19 @@ services:
   zitadel-enabled-tls:
     extends:
       service: zitadel-init
-    command: 'start-from-setup --init-projections --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
+    command: 'start-from-setup --masterkey "MasterkeyNeedsToHave32Characters"'
     environment:
       ZITADEL_EXTERNALPORT: 443
       ZITADEL_EXTERNALSECURE: true
       ZITADEL_TLS_ENABLED: true
       ZITADEL_TLS_CERTPATH: /etc/certs/selfsigned.crt
       ZITADEL_TLS_KEYPATH: /etc/certs/selfsigned.key
-      # database configuration
-      ZITADEL_DATABASE_POSTGRES_HOST: db
-      ZITADEL_DATABASE_POSTGRES_PORT: 5432
-      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
-      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
-      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
-      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
-      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
-      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
-      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
     volumes:
       - ./selfsigned.crt:/etc/certs/selfsigned.crt
       - ./selfsigned.key:/etc/certs/selfsigned.key
     networks:
-      - 'zitadel'
+      - app
+      - db
     depends_on:
       zitadel-init:
         condition: 'service_completed_successfully'
@@ -84,15 +57,14 @@ services:
         condition: 'service_healthy'
 
   zitadel-init:
-    user: '$UID'
     image: '${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:latest}'
-    command: 'init --config /zitadel.yaml'
+    command: 'init'
     depends_on:
       db:
         condition: 'service_healthy'
     environment:
       # Using an external domain other than localhost proofs, that the proxy configuration works.
-      # If ZITADEL can't resolve a requests original host to this domain,
+      # If Zitadel can't resolve a requests original host to this domain,
       # it will return a 404 Instance not found error.
       ZITADEL_EXTERNALDOMAIN: 127.0.0.1.sslip.io
       # In case something doesn't work as expected,
@@ -102,22 +74,23 @@ services:
       ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED: false
       # database configuration
       ZITADEL_DATABASE_POSTGRES_HOST: db
-      ZITADEL_DATABASE_POSTGRES_PORT: 5432
-      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
-      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
       ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
-      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
-      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
-      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
-      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
+      # Set up a service account with IAM_LOGIN_CLIENT role and write the PAT to the file ./login-client.pat
+      ZITADEL_FIRSTINSTANCE_LOGINCLIENTPATPATH: /current-dir/login-client.pat
+      ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_USERNAME: login-client
+      ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_NAME: Automatically Initialized IAM Login Client
+      ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_PAT_EXPIRATIONDATE: '2029-01-01T00:00:00Z'
+      # The master key is used to
     networks:
-      - 'zitadel'
+      - db
     healthcheck:
-      test: ["CMD", "/app/zitadel", "ready"]
+      test: [ "CMD", "/app/zitadel", "ready" ]
       interval: '10s'
       timeout: '5s'
       retries: 5
       start_period: '10s'
+    volumes:
+      - '.:/current-dir:rw'
 
   db:
     restart: 'always'
@@ -125,18 +98,69 @@ services:
     environment:
       POSTGRES_PASSWORD: postgres
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready"]
+      test: [ "CMD-SHELL", "pg_isready" ]
       interval: 5s
       timeout: 60s
       retries: 10
       start_period: 5s
     networks:
-      - 'zitadel'
+      - db
     volumes:
       - 'data:/var/lib/postgresql/data:rw'
 
+  login-disabled-tls:
+    restart: 'unless-stopped'
+    image: 'ghcr.io/zitadel/zitadel-login:latest'
+    environment:
+      - ZITADEL_API_URL=http://zitadel-disabled-tls:8080
+      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
+      - ZITADEL_SERVICE_USER_TOKEN_FILE=/current-dir/login-client.pat
+      - CUSTOM_REQUEST_HEADERS=Host:127.0.0.1.sslip.io
+      - NODE_ENV=test
+    volumes:
+      - '.:/current-dir:ro'
+    networks:
+      - app      
+    depends_on:
+      zitadel-disabled-tls:
+        condition: 'service_healthy'
+
+  login-external-tls:
+    restart: 'unless-stopped'
+    image: 'ghcr.io/zitadel/zitadel-login:latest'
+    environment:
+      - ZITADEL_API_URL=http://zitadel-external-tls:8080
+      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
+      - ZITADEL_SERVICE_USER_TOKEN_FILE=/current-dir/login-client.pat
+      - CUSTOM_REQUEST_HEADERS=Host:127.0.0.1.sslip.io
+    volumes:
+      - '.:/current-dir:ro'
+    networks:
+      - app      
+    depends_on:
+      zitadel-external-tls:
+        condition: 'service_healthy'
+
+  login-enabled-tls:
+    restart: 'unless-stopped'
+    image: 'ghcr.io/zitadel/zitadel-login:latest'
+    environment:
+      - ZITADEL_API_URL=https://zitadel-enabled-tls:8080
+      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
+      - ZITADEL_SERVICE_USER_TOKEN_FILE=/current-dir/login-client.pat
+      - CUSTOM_REQUEST_HEADERS=Host:127.0.0.1.sslip.io
+      - NODE_TLS_REJECT_UNAUTHORIZED=0
+    volumes:
+      - '.:/current-dir:ro'
+    networks:
+      - app
+    depends_on:
+      zitadel-enabled-tls:
+        condition: 'service_healthy'
+
 networks:
-  zitadel:
+  app:
+  db:
 
 volumes:
   data:
diff --git a/docs/docs/self-hosting/manage/reverseproxy/httpd/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/httpd/docker-compose.yaml
index 8757758dc3..190c3e4410 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/docker-compose.yaml
@@ -1,35 +1,41 @@
 services:
 
   proxy-disabled-tls:
-    image: "httpd:2.4.58-alpine"
+    image: "httpd:latest"
     volumes:
       - "./httpd-disabled-tls.conf:/usr/local/apache2/conf/httpd.conf"
     ports:
       - "80:80"
+    networks:
+      - app      
     depends_on:
       zitadel-disabled-tls:
         condition: 'service_healthy'
 
   proxy-external-tls:
-    image: "httpd:2.4.58-alpine"
+    image: "httpd:latest"
     volumes:
       - "./httpd-external-tls.conf:/usr/local/apache2/conf/httpd.conf"
       - "./selfsigned.crt:/etc/certs/selfsigned.crt:ro"
       - "./selfsigned.key:/etc/certs/selfsigned.key:ro"
     ports:
       - "443:443"
+    networks:
+      - app      
     depends_on:
       zitadel-external-tls:
         condition: 'service_healthy'
 
   proxy-enabled-tls:
-    image: "httpd:2.4.58-alpine"
+    image: "httpd:latest"
     volumes:
       - "./httpd-enabled-tls.conf:/usr/local/apache2/conf/httpd.conf"
       - "./selfsigned.crt:/etc/certs/selfsigned.crt:ro"
       - "./selfsigned.key:/etc/certs/selfsigned.key:ro"
     ports:
       - "443:443"
+    networks:
+      - app
     depends_on:
       zitadel-enabled-tls:
         condition: 'service_healthy'
diff --git a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-disabled-tls.conf b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-disabled-tls.conf
index 6d745f34e7..e5d981082e 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-disabled-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-disabled-tls.conf
@@ -34,6 +34,19 @@ CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Ag
 Listen 80
 
 <VirtualHost *:80>
-    ProxyPass / h2c://zitadel-disabled-tls:8080/
+    # Enable HTTP/2 for gRPC support (cleartext)
+    Protocols h2c http/1.1
+    
+    # Proxy settings
     ProxyPreserveHost on
+    ProxyAddHeaders on
+    RequestHeader set X-Forwarded-Proto "http"
+    
+    # Route login UI first (more specific path)
+    ProxyPass /ui/v2/login http://login-disabled-tls:3000/ui/v2/login
+    ProxyPassReverse /ui/v2/login http://login-disabled-tls:3000/ui/v2/login
+    
+    # Route everything else to Zitadel
+    ProxyPass / h2c://zitadel-disabled-tls:8080/
+    ProxyPassReverse / h2c://zitadel-disabled-tls:8080/
 </VirtualHost>
diff --git a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-enabled-tls.conf b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-enabled-tls.conf
index c398d52f4b..a93385cd3b 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-enabled-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-enabled-tls.conf
@@ -38,10 +38,40 @@ SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 
 <VirtualHost *:443>
-    ProxyPass / h2://zitadel-enabled-tls:8080/
-    ProxyPreserveHost on
+    # Enable HTTP/2 and configure ALPN for gRPC
+    Protocols h2 http/1.1
+    H2Direct on
+    
+    # SSL Configuration
     SSLEngine on
     SSLProxyEngine on
     SSLCertificateFile /etc/certs/selfsigned.crt
     SSLCertificateKeyFile /etc/certs/selfsigned.key
+    
+    # Modern SSL settings for gRPC compatibility
+    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
+    SSLHonorCipherOrder off
+    
+    # Relax SSL Proxy Configuration to debug
+    SSLProxyVerify none
+    SSLProxyCheckPeerCN off
+    SSLProxyCheckPeerName off
+    SSLProxyCheckPeerExpire off
+    
+    # Add timeouts to prevent hanging
+    ProxyTimeout 60
+
+    # Proxy settings
+    ProxyPreserveHost on
+    ProxyAddHeaders on
+    RequestHeader set X-Forwarded-Proto "https"
+    
+    # Route login UI
+    ProxyPass /ui/v2/login http://login-enabled-tls:3000/ui/v2/login
+    ProxyPassReverse /ui/v2/login http://login-enabled-tls:3000/ui/v2/login
+    
+    # Route to Zitadel with TLS
+    ProxyPass / https://zitadel-enabled-tls:8080/
+    ProxyPassReverse / https://zitadel-enabled-tls:8080/
 </VirtualHost>
diff --git a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-external-tls.conf b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-external-tls.conf
index 7bcd6c3d92..f83b9609d5 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-external-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-external-tls.conf
@@ -34,10 +34,30 @@ CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Ag
 Listen 443
 
 <VirtualHost *:443>
-    ProxyPass / h2c://zitadel-external-tls:8080/
-    ProxyPassReverse / h2c://zitadel-external-tls:8080/
-    ProxyPreserveHost on
+    # Enable HTTP/2 and configure ALPN
+    Protocols h2 http/1.1
+    H2Direct on
+    
+    # Configure SSL for gRPC
     SSLEngine on
     SSLCertificateFile /etc/certs/selfsigned.crt
     SSLCertificateKeyFile /etc/certs/selfsigned.key
+
+    # Enable ALPN protocols for gRPC
+    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
+    SSLHonorCipherOrder off
+    SSLSessionTickets off
+
+    ProxyPreserveHost on
+    ProxyAddHeaders on
+    RequestHeader set X-Forwarded-Proto "https"
+
+    # Route login requests    
+    ProxyPass /ui/v2/login http://login-external-tls:3000/ui/v2/login
+    ProxyPassReverse /ui/v2/login http://login-external-tls:3000/ui/v2/login
+    
+    # Route gRPC/API requests with HTTP/2 support
+    ProxyPass / h2c://zitadel-external-tls:8080/
+    ProxyPassReverse / h2c://zitadel-external-tls:8080/
 </VirtualHost>
diff --git a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd.mdx b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd.mdx
index c869155d05..05e708ea95 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with Apache httpd
+title: Configure Zitadel with Apache httpd
 sidebar_label: Apache httpd
 ---
 
@@ -19,20 +19,21 @@ export const link = <a href="https://httpd.apache.org//">{providername}</a>
 
 You can either setup your environment for <a href={'#tls-mode-disabled'}>TLS mode disabled</a>, <a href={'#tls-mode-external'}>TLS mode external</a> or <a href={'#tls-mode-enabled'}>TLS mode enabled</a>.
 
+<!-- login NOT WORKING
 ## TLS mode disabled
 
-<!-- grpc NOT WORKING -->
 <ProxyGuideTLSMode mode="disabled" configfilename="httpd-disabled-tls.conf" configfilecontent={ConfigDisabled} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
+ -->
 
 ## TLS mode external
 
-<!-- grpc NOT WORKING -->
 <ProxyGuideTLSMode mode="external" configfilename="httpd-external-tls.conf" configfilecontent={ConfigExternal} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
 
+<!-- grpc NOT WORKING
 ## TLS mode enabled
 
-<!-- grpc NOT WORKING -->
 <ProxyGuideTLSMode mode="enabled" configfilename="httpd-enabled-tls.conf" configfilecontent={ConfigEnabled} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
+ -->
 
 ## More Information
 
diff --git a/docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml
index 524d50fc30..1ff9d9d39d 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml
@@ -7,7 +7,7 @@ services:
     ports:
       - "80:80"
     networks:
-      - 'zitadel'
+      - app
     depends_on:
       zitadel-disabled-tls:
         condition: 'service_healthy'
@@ -21,7 +21,7 @@ services:
     ports:
       - "443:443"
     networks:
-      - 'zitadel'
+      - app
     depends_on:
       zitadel-external-tls:
         condition: 'service_healthy'
@@ -35,10 +35,7 @@ services:
     ports:
       - "443:443"
     networks:
-      - 'zitadel'
+      - app
     depends_on:
       zitadel-enabled-tls:
         condition: 'service_healthy'
-
-networks:
-  zitadel:
\ No newline at end of file
diff --git a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-disabled-tls.conf b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-disabled-tls.conf
index 613d97ca64..5edeb75273 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-disabled-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-disabled-tls.conf
@@ -5,6 +5,10 @@ http {
     server {
         listen 80;
         http2 on;
+        location /ui/v2/login {
+            proxy_pass http://login-disabled-tls:3000;
+            proxy_set_header Host $host;
+        }
         location / {
             grpc_pass grpc://zitadel-disabled-tls:8080;
             grpc_set_header Host $host;
diff --git a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-enabled-tls.conf b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-enabled-tls.conf
index 397f1db728..26e5d7edf5 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-enabled-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-enabled-tls.conf
@@ -7,6 +7,11 @@ http {
         http2 on;
         ssl_certificate     /etc/certs/selfsigned.crt;
         ssl_certificate_key /etc/certs/selfsigned.key;
+        location /ui/v2/login {
+            proxy_pass http://login-enabled-tls:3000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-Proto https;
+        }
         location / {
             grpc_pass grpcs://zitadel-enabled-tls:8080;
             grpc_set_header Host $host;
diff --git a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-external-tls.conf b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-external-tls.conf
index 4c1eddb664..16bf993b77 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-external-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-external-tls.conf
@@ -7,9 +7,15 @@ http {
         http2 on;
         ssl_certificate     /etc/certs/selfsigned.crt;
         ssl_certificate_key /etc/certs/selfsigned.key;
+        location /ui/v2/login {
+            proxy_pass http://login-external-tls:3000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Forwarded-Proto https;
+        }        
         location / {
             grpc_pass grpc://zitadel-external-tls:8080;
             grpc_set_header Host $host;
+            grpc_set_header X-Forwarded-Proto https;
         }
     }
 }
diff --git a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx.mdx b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx.mdx
index fa3a9e75de..d6d6847ceb 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with NGINX
+title: Configure Zitadel with NGINX
 sidebar_label: NGINX
 ---
 
@@ -19,9 +19,11 @@ export const link = <a href="https://nginx.com/">{providername}</a>;
 
 You can either setup your environment for <a href={'#tls-mode-disabled'}>TLS mode disabled</a>, <a href={'#tls-mode-external'}>TLS mode external</a> or <a href={'#tls-mode-enabled'}>TLS mode enabled</a>.
 
+<!-- login NOT WORKING
 ## TLS mode disabled
 
 <ProxyGuideTLSMode mode="disabled" configfilename="nginx-disabled-tls.conf" configfilecontent={ConfigDisabled} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
+-->
 
 ## TLS mode external
 
diff --git a/docs/docs/self-hosting/manage/reverseproxy/reverse_proxy.mdx b/docs/docs/self-hosting/manage/reverseproxy/reverse_proxy.mdx
index b37ef31231..85a724aae0 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/reverse_proxy.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/reverse_proxy.mdx
@@ -7,8 +7,9 @@ Check out one of the following guides to configure your favorite reverse proxy:
 - [Traefik](/self-hosting/manage/reverseproxy/traefik)
 - [NGINX](/self-hosting/manage/reverseproxy/nginx)
 - [Caddy](/self-hosting/manage/reverseproxy/caddy)
-<!-- grpc NOT WORKING - [Apache httpd](/self-hosting/manage/reverseproxy/httpd) -->
+- [Apache httpd](/self-hosting/manage/reverseproxy/httpd)
 - [Cloudflare](/self-hosting/manage/reverseproxy/cloudflare)
 - [Cloudflare Tunnel](/self-hosting/manage/reverseproxy/cloudflare_tunnel)
-- [Fronting ZITADEL Cloud](/self-hosting/manage/reverseproxy/zitadel_cloud)
+- [Fronting Zitadel Cloud](/self-hosting/manage/reverseproxy/zitadel_cloud)
 
+ 
\ No newline at end of file
diff --git a/docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml b/docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml
index a2dfab075b..f56512d58a 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml
@@ -7,7 +7,7 @@ services:
     ports:
       - "80:80"
     networks:
-      - 'zitadel'
+      - app
     depends_on:
       zitadel-disabled-tls:
         condition: 'service_healthy'
@@ -21,7 +21,7 @@ services:
     ports:
       - "443:443"
     networks:
-      - 'zitadel'
+      - app
     depends_on:
       zitadel-external-tls:
         condition: 'service_healthy'
@@ -35,10 +35,7 @@ services:
     ports:
       - "443:443"
     networks:
-      - 'zitadel'
+      - app
     depends_on:
       zitadel-enabled-tls:
         condition: 'service_healthy'
-
-networks:
-  zitadel:
\ No newline at end of file
diff --git a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-disabled-tls.yaml b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-disabled-tls.yaml
index 0dbf906fab..842b47738e 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-disabled-tls.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-disabled-tls.yaml
@@ -8,13 +8,24 @@ entrypoints:
     address: ":80"
 http:
   routers:
-    router:
+    zitadel:
       entryPoints:
         - "web"
       service: "zitadel"
-      rule: 'PathPrefix(`/`)'
+      rule: '!PathPrefix(`/ui/v2/login`)'
+    login:
+      entryPoints:
+        - "web"
+      service: "login"
+      rule: 'PathPrefix(`/ui/v2/login`)'
   services:
     zitadel:
       loadBalancer:
+        passHostHeader: true
         servers:
           - url: "h2c://zitadel-disabled-tls:8080"
+    login:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://login-disabled-tls:3000"
\ No newline at end of file
diff --git a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-enabled-tls.yaml b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-enabled-tls.yaml
index b175d53a8e..1b70b4332c 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-enabled-tls.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-enabled-tls.yaml
@@ -8,21 +8,36 @@ entrypoints:
     address: ":443"
 http:
   routers:
-    router:
+    zitadel:
       entryPoints:
         - "web"
       service: "zitadel"
-      rule: 'PathPrefix(`/`)'
+      rule: '!PathPrefix(`/ui/v2/login`)'
+      tls: {}
+    login:
+      entryPoints:
+        - "web"
+      service: "login"
+      rule: 'PathPrefix(`/ui/v2/login`)'
       tls: {}
   services:
     zitadel:
       loadBalancer:
         serversTransport: "zitadel"
+        passHostHeader: true
         servers:
           - url: "https://zitadel-enabled-tls:8080"
+    login:
+      loadBalancer:
+        serversTransport: "login"
+        passHostHeader: true
+        servers:
+          - url: "http://login-enabled-tls:3000"
   serversTransports:
     zitadel:
       insecureSkipVerify: true
+    login:
+      insecureSkipVerify: true
 tls:
   stores:
     default:
diff --git a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-external-tls.yaml b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-external-tls.yaml
index e910590364..43f202e4fa 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-external-tls.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-external-tls.yaml
@@ -8,17 +8,29 @@ entrypoints:
     address: ":443"
 http:
   routers:
-    router:
+    zitadel:
       entryPoints:
         - "web"
       service: "zitadel"
-      rule: 'PathPrefix(`/`)'
+      rule: '!PathPrefix(`/ui/v2/login`)'
+      tls: {}
+    login:
+      entryPoints:
+        - "web"
+      service: "login"
+      rule: 'PathPrefix(`/ui/v2/login`)'
       tls: {}
   services:
     zitadel:
       loadBalancer:
+        passHostHeader: true
         servers:
           - url: "h2c://zitadel-external-tls:8080"
+    login:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+          - url: "http://login-external-tls:3000"
 tls:
   stores:
     default:
diff --git a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik.mdx b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik.mdx
index 39769b229b..cf7ecacdc3 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with Traefik
+title: Configure Zitadel with Traefik
 sidebar_label: Traefik
 ---
 
@@ -19,9 +19,11 @@ export const link = <a href="https://doc.traefik.io/traefik/">{providername}</a>
 
 You can either setup your environment for <a href={'#tls-mode-disabled'}>TLS mode disabled</a>, <a href={'#tls-mode-external'}>TLS mode external</a> or <a href={'#tls-mode-enabled'}>TLS mode enabled</a>.
 
+<!-- login NOT WORKING
 ## TLS mode disabled
 
 <ProxyGuideTLSMode mode="disabled" configfilename="traefik-disabled-tls.yaml" configfilecontent={ConfigDisabled} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
+-->
 
 ## TLS mode external
 
diff --git a/docs/docs/self-hosting/manage/reverseproxy/zitadel_cloud/zitadel_cloud.mdx b/docs/docs/self-hosting/manage/reverseproxy/zitadel_cloud/zitadel_cloud.mdx
index 1cbba5b3bd..ed074373b8 100644
--- a/docs/docs/self-hosting/manage/reverseproxy/zitadel_cloud/zitadel_cloud.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/zitadel_cloud/zitadel_cloud.mdx
@@ -1,16 +1,16 @@
 ---
-title: Front ZITADEL Cloud with a CDN, WAF or Reverse Proxy
-sidebar_label: Fronting ZITADEL Cloud
+title: Front Zitadel Cloud with a CDN, WAF or Reverse Proxy
+sidebar_label: Fronting Zitadel Cloud
 ---
 
-## Fronting ZITADEL Cloud
+## Fronting Zitadel Cloud
 
-You can use your reverseproxy, content delivery network (CDN) or web application firewall (WAF) to front ZITADEL Cloud.
+You can use your reverseproxy, content delivery network (CDN) or web application firewall (WAF) to front Zitadel Cloud.
 However we currently do not recommend this for production settings.
 
-To configure your service that fronts ZITADEL please have a look at the vendors in this page.
+To configure your service that fronts Zitadel please have a look at the vendors in this page.
 
-## Things to look out for when fronting ZITADEL Cloud
+## Things to look out for when fronting Zitadel Cloud
 
-- Cache-control - ZITADEL Cloud uses a CDN to globally distribute data. Please try to avoid overriding this header as it may lead to sideeffects
-- Rate Limits - ZITADEL Cloud uses a combination of static and dynamic rate limits. If you recieve occasional 429 headers you are rate limited.
+- Cache-control - Zitadel Cloud uses a CDN to globally distribute data. Please try to avoid overriding this header as it may lead to sideeffects
+- Rate Limits - Zitadel Cloud uses a combination of static and dynamic rate limits. If you recieve occasional 429 headers you are rate limited.
diff --git a/docs/sidebars.js b/docs/sidebars.js
index 11f905db8b..fc07e5be9f 100644
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -1107,6 +1107,7 @@ module.exports = {
             "self-hosting/manage/reverseproxy/traefik/traefik",
             "self-hosting/manage/reverseproxy/nginx/nginx",
             "self-hosting/manage/reverseproxy/caddy/caddy",
+            "self-hosting/manage/reverseproxy/httpd/httpd",
             "self-hosting/manage/reverseproxy/cloudflare/cloudflare",
             "self-hosting/manage/reverseproxy/cloudflare_tunnel/cloudflare_tunnel",
             "self-hosting/manage/reverseproxy/zitadel_cloud/zitadel_cloud",