docs(login v2): update proxy examples (#10358)

# Which Problems Are Solved - The proxy examples are updated so a self-hosted login container is deployed. - The proxies are configured to direct traffic at /ui/v2/login to it. # How the Problems Are Solved The base compose file is extended by correctly configured login containers for all three scenarios - TLS disabled - External TLS - TLS Enabled The proxy always connects to the login via HTTP. # Additional Changes - All proxies have the TLS disabled mode outcommented, because the login container has state problems, maybe because it needs secure cookies. The need for this is unclear, so we avoid creating a follow-up issue. - The httpd external mode is incommented, as gRPC connections work with this configuration. - *ZITADEL* is replaced by *Zitadel* # Additional Context - Partially Closes #10016 --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-11 13:19:21 +00:00 · 2025-08-07 18:58:18 +02:00
parent 5f7851768b
commit 4930870504
32 changed files with 270 additions and 145 deletions
--- a/docs/docs/self-hosting/manage/.gitignore
+++ b/docs/docs/self-hosting/manage/.gitignore
@@ -0,0 +1,3 @@
 **/*.pat
 **/selfsigned.crt
 **/selfsigned.key
--- a/docs/docs/self-hosting/manage/reverseproxy/_caddy.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/_caddy.mdx
@@ -1,25 +0,0 @@
 ## TLS mode external
 ```
 https://localhost {
        reverse_proxy h2c://localhost:8080
        tls internal #only non production
 }
 ```
 ## TLS mode enabled
 ```
 https://localhost {
        reverse_proxy https://localhost:8080
        tls internal #only non production
 }
 ```
 ## TLS mode disabled
 ```
 http://localhost {
        reverse_proxy h2c://localhost:8080
 }
 ```
--- a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_more.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_more.mdx
@@ -1,2 +1,2 @@
- [Read more about ZITADELs TLS Modes](/self-hosting/manage/tls_modes)
+- [Read more about Zitadel's TLS Modes](/self-hosting/manage/tls_modes)
- [Read more about how ZITADEL uses HTTP/2](/self-hosting/manage/http2)
+- [Read more about how Zitadel uses HTTP/2](/self-hosting/manage/http2)
--- a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_overview.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_overview.mdx
@@ -1,8 +1,8 @@
 import CodeBlock from '@theme/CodeBlock';
 import ComposeYaml from "!!raw-loader!./docker-compose.yaml";
-<>With these examples, you create and run a minimal {props.link} configuration for ZITADEL with <a href="https://docs.docker.com/compose">Docker Compose</a>.
+<>With these examples, you create and run a minimal {props.link} configuration for Zitadel with <a href="https://docs.docker.com/compose">Docker Compose</a>.
-Whereas the guide focuses on the configuration for {props.name}, you can inspect the configurations for ZITADEL and the database in the base Docker Compose file.</>
+Whereas the guide focuses on the configuration for {props.name}, you can inspect the configurations for the Zitadel API, the Zitadel login and the database in the base Docker Compose file.</>
 <details>
    <summary>base docker-compose.yaml</summary>
    <CodeBlock language="yaml">{ComposeYaml}</CodeBlock>
--- a/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/_proxy_guide_tls_mode.mdx
@@ -4,27 +4,27 @@ export const Description = ({mode, name}) => {
    let desc
    switch (mode) {
        case "disabled":
-            desc = <>Neither {name} nor ZITADEL terminates TLS.
+            desc = <>Neither {name} nor Zitadel terminates TLS.
-                Nevertheless, {name} forwards unencrypted HTTP/2 traffic, aka h2c, to ZITADEL.</>;
+                Nevertheless, {name} forwards unencrypted HTTP/2 traffic, aka h2c, to Zitadel.</>;
            break;
        case "external":
-            desc = <>{name} terminates TLS and forwards the requests to ZITADEL via unencrypted h2c.
+            desc = <>{name} terminates TLS and forwards the requests to Zitadel via unencrypted h2c.
                This example uses an unsafe self-signed certificate for {name}</>;
            break;
        case "enabled":
-            desc = <>{name} terminates TLS and forwards the requests to ZITADEL via encrypted HTTP/2.
+            desc = <>{name} terminates TLS and forwards the requests to Zitadel via encrypted HTTP/2.
-                This example uses an unsafe self-signed certificate for {name} and the same for ZITADEL.</>;
+                This example uses an unsafe self-signed certificate for {name} and the same for Zitadel.</>;
            break;
    }
    return (
        <>
            {desc}
-            <>By executing the commands below, you will download the files necessary to run ZITADEL behind {name} with the following config:</>
+            <>By executing the commands below, you will download the files necessary to run Zitadel behind {name} with the following config:</>
        </>)
 }
 export const Commands = ({mode, name, lower, configfilename}) => {
-    let genCert = '# Generate a self signed certificate and key.\nopenssl req -x509 -batch -subj "/CN=127.0.0.1.sslip.io/O=ZITADEL Demo" -nodes -newkey rsa:2048 -keyout ./selfsigned.key -out ./selfsigned.crt 2>/dev/null\n\n';
+    let genCert = '# Generate a self signed certificate and key.\nopenssl req -x509 -batch -subj "/CN=127.0.0.1.sslip.io/O=Zitadel Demo" -nodes -newkey rsa:2048 -keyout ./selfsigned.key -out ./selfsigned.crt 2>/dev/null\n\n';
    let connPort = "443"
    let connInsecureFlag = "--insecure "
    let connScheme = "https"
@@ -47,8 +47,8 @@ export const Commands = ({mode, name, lower, configfilename}) => {
                {'wget $\{ZITADEL_CONFIG_FILES\}/'}{lower}{'/'}{configfilename}{' -O '}{configfilename}{' --quiet \n'}
                {'\n'}
                {genCert}
-                {'# Run the database, ZITADEL and '}{name}{'.'}{'\n'}
+                {'# Run the database,  and '}{name}{'.'}{'\n'}
-                {'docker compose --file docker-compose-base.yaml --file docker-compose-'}{lower}{'.yaml up --detach --wait db zitadel-init zitadel-'}{mode}{'-tls proxy-'}{mode}{'-tls'}{'\n'}
+                {'docker compose --file docker-compose-base.yaml --file docker-compose-'}{lower}{'.yaml up --detach --wait db zitadel-init zitadel-'}{mode}{'-tls login-'}{mode}{'-tls proxy-'}{mode}{'-tls'}{'\n'}
                {'\n'}
                {'# Test that gRPC and HTTP APIs work. Empty brackets like {} means success.\n'}
                {'# Make sure you have the grpcurl cli installed on your machine https://github.com/fullstorydev/grpcurl?tab=readme-ov-file#installation\n'}
@@ -85,6 +85,6 @@ export const LoginURL = ({mode}) => {
 If the console loads normally, you know that the HTTP and gRPC-Web and gRPC APIs are working correctly.
 <CodeBlock language="bash">
-    {'# You can now stop the database, ZITADEL and '}{props.providername}{'.'}{'\n'}
+    {'# You can now stop the database, the Zitadel API, the Zitadel login and '}{props.providername}{'.'}{'\n'}
    {'docker compose --file docker-compose-base.yaml --file docker-compose-'}{props.lower}{'.yaml down'}{'\n'}
 </CodeBlock>
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/caddy.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/caddy.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with Caddy
+title: Configure Zitadel with Caddy
 sidebar_label: Caddy
 ---
@@ -19,7 +19,7 @@ export const link = <a href="https://caddyserver.com/">{providername}</a>
 You can either setup your environment for <a href={'#tls-mode-external'}>TLS mode external</a> or <a href={'#tls-mode-enabled'}>TLS mode enabled</a>.
-<!-- grpc NOT WORKING
+<!-- login NOT WORKING
 ## TLS mode disabled
 <ProxyGuideTLSMode mode="disabled" configfilename="disabled-tls.Caddyfile" configfilecontent={ConfigDisabled} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/disabled-tls.Caddyfile
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/disabled-tls.Caddyfile
@@ -1,3 +1,4 @@
 http://127.0.0.1.sslip.io {
 	reverse_proxy /ui/v2/login/* http://login-disabled-tls:3000
 	reverse_proxy h2c://zitadel-disabled-tls:8080
 }
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/docker-compose.yaml
@@ -7,7 +7,7 @@ services:
    ports:
      - "80:80"
    networks:
-      - 'zitadel'
+      - app
    depends_on:
      zitadel-disabled-tls:
        condition: 'service_healthy'
@@ -21,7 +21,7 @@ services:
    ports:
      - "443:443"
    networks:
-      - 'zitadel'
+      - app
    depends_on:
      zitadel-external-tls:
        condition: 'service_healthy'
@@ -35,10 +35,7 @@ services:
    ports:
      - "443:443"
    networks:
-      - 'zitadel'
+      - app
    depends_on:
      zitadel-enabled-tls:
        condition: 'service_healthy'
 networks:
  zitadel:
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/enabled-tls.Caddyfile
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/enabled-tls.Caddyfile
@@ -1,5 +1,6 @@
 https://127.0.0.1.sslip.io {
 	tls /etc/certs/selfsigned.crt /etc/certs/selfsigned.key
 	reverse_proxy /ui/v2/login/* http://login-enabled-tls:3000
 	reverse_proxy https://zitadel-enabled-tls:8080 {
 		transport http {
 			tls_insecure_skip_verify
--- a/docs/docs/self-hosting/manage/reverseproxy/caddy/external-tls.Caddyfile
+++ b/docs/docs/self-hosting/manage/reverseproxy/caddy/external-tls.Caddyfile
@@ -1,4 +1,5 @@
 https://127.0.0.1.sslip.io {
 	tls /etc/certs/selfsigned.crt /etc/certs/selfsigned.key
 	reverse_proxy /ui/v2/login/* http://login-external-tls:3000
 	reverse_proxy h2c://zitadel-external-tls:8080
 }
--- a/docs/docs/self-hosting/manage/reverseproxy/cloudflare/cloudflare.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/cloudflare/cloudflare.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with Cloudflare
+title: Configure Zitadel with Cloudflare
 sidebar_label: Cloudflare
 ---
@@ -8,7 +8,7 @@ sidebar_label: Cloudflare
 - [Make sure HTTP/2 is enabled](https://support.cloudflare.com/hc/en-us/articles/200168076-Understanding-Cloudflare-HTTP-2-and-HTTP-3-Support)
 - [Verify that gRPC is enabled](https://support.cloudflare.com/hc/en-us/articles/360050483011-Understanding-Cloudflare-gRPC-support)
 - [Verify that traffic is proxied through cloudflare](https://developers.cloudflare.com/dns/manage-dns-records/reference/proxied-dns-records/)
- [Configure ZITADEL to use the TLS Mode enabled](/self-hosting/manage/tls_modes#enabled)
+- [Configure Zitadel to use the TLS Mode enabled](/self-hosting/manage/tls_modes#enabled)
 :::info
 [Cloudflare does only support gRPC with TLS!](https://support.cloudflare.com/hc/en-us/articles/360050483011-Understanding-Cloudflare-gRPC-support)
--- a/docs/docs/self-hosting/manage/reverseproxy/cloudflare_tunnel/cloudflare_tunnel.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/cloudflare_tunnel/cloudflare_tunnel.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with Cloudflare Tunnel
+title: Configure Zitadel with Cloudflare Tunnel
 sidebar_label: Cloudflare Tunnel
 ---
--- a/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/docker-compose.yaml
@@ -3,23 +3,14 @@ services:
  zitadel-disabled-tls:
    extends:
      service: zitadel-init
-    command: 'start-from-setup --init-projections --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
+    command: 'start-from-setup --masterkey "MasterkeyNeedsToHave32Characters"'
    environment:
      ZITADEL_EXTERNALPORT: 80
      ZITADEL_EXTERNALSECURE: false
      ZITADEL_TLS_ENABLED: false
      # database configuration
      ZITADEL_DATABASE_POSTGRES_HOST: db
      ZITADEL_DATABASE_POSTGRES_PORT: 5432
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
    networks:
-      - 'zitadel'
+      - app
      - db
    depends_on:
      zitadel-init:
        condition: 'service_completed_successfully'
@@ -29,23 +20,14 @@ services:
  zitadel-external-tls:
    extends:
      service: zitadel-init
-    command: 'start-from-setup --init-projections --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
+    command: 'start-from-setup --masterkey "MasterkeyNeedsToHave32Characters"'
    environment:
      ZITADEL_EXTERNALPORT: 443
      ZITADEL_EXTERNALSECURE: true
      ZITADEL_TLS_ENABLED: false
      # database configuration
      ZITADEL_DATABASE_POSTGRES_HOST: db
      ZITADEL_DATABASE_POSTGRES_PORT: 5432
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
    networks:
-      - 'zitadel'
+      - app
      - db
    depends_on:
      db:
        condition: 'service_healthy'
@@ -55,28 +37,19 @@ services:
  zitadel-enabled-tls:
    extends:
      service: zitadel-init
-    command: 'start-from-setup --init-projections --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
+    command: 'start-from-setup --masterkey "MasterkeyNeedsToHave32Characters"'
    environment:
      ZITADEL_EXTERNALPORT: 443
      ZITADEL_EXTERNALSECURE: true
      ZITADEL_TLS_ENABLED: true
      ZITADEL_TLS_CERTPATH: /etc/certs/selfsigned.crt
      ZITADEL_TLS_KEYPATH: /etc/certs/selfsigned.key
      # database configuration
      ZITADEL_DATABASE_POSTGRES_HOST: db
      ZITADEL_DATABASE_POSTGRES_PORT: 5432
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
    volumes:
      - ./selfsigned.crt:/etc/certs/selfsigned.crt
      - ./selfsigned.key:/etc/certs/selfsigned.key
    networks:
-      - 'zitadel'
+      - app
      - db
    depends_on:
      zitadel-init:
        condition: 'service_completed_successfully'
@@ -84,15 +57,14 @@ services:
        condition: 'service_healthy'
  zitadel-init:
    user: '$UID'
    image: '${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:latest}'
-    command: 'init --config /zitadel.yaml'
+    command: 'init'
    depends_on:
      db:
        condition: 'service_healthy'
    environment:
      # Using an external domain other than localhost proofs, that the proxy configuration works.
-      # If ZITADEL can't resolve a requests original host to this domain,
+      # If Zitadel can't resolve a requests original host to this domain,
      # it will return a 404 Instance not found error.
      ZITADEL_EXTERNALDOMAIN: 127.0.0.1.sslip.io
      # In case something doesn't work as expected,
@@ -102,22 +74,23 @@ services:
      ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED: false
      # database configuration
      ZITADEL_DATABASE_POSTGRES_HOST: db
      ZITADEL_DATABASE_POSTGRES_PORT: 5432
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel_user
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pw
-      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
+      # Set up a service account with IAM_LOGIN_CLIENT role and write the PAT to the file ./login-client.pat
-      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
+      ZITADEL_FIRSTINSTANCE_LOGINCLIENTPATPATH: /current-dir/login-client.pat
-      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
+      ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_USERNAME: login-client
-      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
+      ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_NAME: Automatically Initialized IAM Login Client
      ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_PAT_EXPIRATIONDATE: '2029-01-01T00:00:00Z'
      # The master key is used to
    networks:
-      - 'zitadel'
+      - db
    healthcheck:
      test: [ "CMD", "/app/zitadel", "ready" ]
      interval: '10s'
      timeout: '5s'
      retries: 5
      start_period: '10s'
    volumes:
      - '.:/current-dir:rw'
  db:
    restart: 'always'
@@ -131,12 +104,63 @@ services:
      retries: 10
      start_period: 5s
    networks:
-      - 'zitadel'
+      - db
    volumes:
      - 'data:/var/lib/postgresql/data:rw'
  login-disabled-tls:
    restart: 'unless-stopped'
    image: 'ghcr.io/zitadel/zitadel-login:latest'
    environment:
      - ZITADEL_API_URL=http://zitadel-disabled-tls:8080
      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
      - ZITADEL_SERVICE_USER_TOKEN_FILE=/current-dir/login-client.pat
      - CUSTOM_REQUEST_HEADERS=Host:127.0.0.1.sslip.io
      - NODE_ENV=test
    volumes:
      - '.:/current-dir:ro'
    networks:
-  zitadel:
+      - app      
    depends_on:
      zitadel-disabled-tls:
        condition: 'service_healthy'
  login-external-tls:
    restart: 'unless-stopped'
    image: 'ghcr.io/zitadel/zitadel-login:latest'
    environment:
      - ZITADEL_API_URL=http://zitadel-external-tls:8080
      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
      - ZITADEL_SERVICE_USER_TOKEN_FILE=/current-dir/login-client.pat
      - CUSTOM_REQUEST_HEADERS=Host:127.0.0.1.sslip.io
    volumes:
      - '.:/current-dir:ro'
    networks:
      - app      
    depends_on:
      zitadel-external-tls:
        condition: 'service_healthy'
  login-enabled-tls:
    restart: 'unless-stopped'
    image: 'ghcr.io/zitadel/zitadel-login:latest'
    environment:
      - ZITADEL_API_URL=https://zitadel-enabled-tls:8080
      - NEXT_PUBLIC_BASE_PATH=/ui/v2/login
      - ZITADEL_SERVICE_USER_TOKEN_FILE=/current-dir/login-client.pat
      - CUSTOM_REQUEST_HEADERS=Host:127.0.0.1.sslip.io
      - NODE_TLS_REJECT_UNAUTHORIZED=0
    volumes:
      - '.:/current-dir:ro'
    networks:
      - app
    depends_on:
      zitadel-enabled-tls:
        condition: 'service_healthy'
 networks:
  app:
  db:
 volumes:
  data:
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/docker-compose.yaml
@@ -1,35 +1,41 @@
 services:
  proxy-disabled-tls:
-    image: "httpd:2.4.58-alpine"
+    image: "httpd:latest"
    volumes:
      - "./httpd-disabled-tls.conf:/usr/local/apache2/conf/httpd.conf"
    ports:
      - "80:80"
    networks:
      - app      
    depends_on:
      zitadel-disabled-tls:
        condition: 'service_healthy'
  proxy-external-tls:
-    image: "httpd:2.4.58-alpine"
+    image: "httpd:latest"
    volumes:
      - "./httpd-external-tls.conf:/usr/local/apache2/conf/httpd.conf"
      - "./selfsigned.crt:/etc/certs/selfsigned.crt:ro"
      - "./selfsigned.key:/etc/certs/selfsigned.key:ro"
    ports:
      - "443:443"
    networks:
      - app      
    depends_on:
      zitadel-external-tls:
        condition: 'service_healthy'
  proxy-enabled-tls:
-    image: "httpd:2.4.58-alpine"
+    image: "httpd:latest"
    volumes:
      - "./httpd-enabled-tls.conf:/usr/local/apache2/conf/httpd.conf"
      - "./selfsigned.crt:/etc/certs/selfsigned.crt:ro"
      - "./selfsigned.key:/etc/certs/selfsigned.key:ro"
    ports:
      - "443:443"
    networks:
      - app
    depends_on:
      zitadel-enabled-tls:
        condition: 'service_healthy'
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-disabled-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-disabled-tls.conf
@@ -34,6 +34,19 @@ CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Ag
 Listen 80
 <VirtualHost *:80>
-    ProxyPass / h2c://zitadel-disabled-tls:8080/
+    # Enable HTTP/2 for gRPC support (cleartext)
    Protocols h2c http/1.1
    # Proxy settings
    ProxyPreserveHost on
    ProxyAddHeaders on
    RequestHeader set X-Forwarded-Proto "http"
    # Route login UI first (more specific path)
    ProxyPass /ui/v2/login http://login-disabled-tls:3000/ui/v2/login
    ProxyPassReverse /ui/v2/login http://login-disabled-tls:3000/ui/v2/login
    # Route everything else to Zitadel
    ProxyPass / h2c://zitadel-disabled-tls:8080/
    ProxyPassReverse / h2c://zitadel-disabled-tls:8080/
 </VirtualHost>
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-enabled-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-enabled-tls.conf
@@ -38,10 +38,40 @@ SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 <VirtualHost *:443>
-    ProxyPass / h2://zitadel-enabled-tls:8080/
+    # Enable HTTP/2 and configure ALPN for gRPC
-    ProxyPreserveHost on
+    Protocols h2 http/1.1
    H2Direct on
    # SSL Configuration
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /etc/certs/selfsigned.crt
    SSLCertificateKeyFile /etc/certs/selfsigned.key
    # Modern SSL settings for gRPC compatibility
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    # Relax SSL Proxy Configuration to debug
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    # Add timeouts to prevent hanging
    ProxyTimeout 60
    # Proxy settings
    ProxyPreserveHost on
    ProxyAddHeaders on
    RequestHeader set X-Forwarded-Proto "https"
    # Route login UI
    ProxyPass /ui/v2/login http://login-enabled-tls:3000/ui/v2/login
    ProxyPassReverse /ui/v2/login http://login-enabled-tls:3000/ui/v2/login
    # Route to Zitadel with TLS
    ProxyPass / https://zitadel-enabled-tls:8080/
    ProxyPassReverse / https://zitadel-enabled-tls:8080/
 </VirtualHost>
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-external-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd-external-tls.conf
@@ -34,10 +34,30 @@ CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Ag
 Listen 443
 <VirtualHost *:443>
-    ProxyPass / h2c://zitadel-external-tls:8080/
+    # Enable HTTP/2 and configure ALPN
-    ProxyPassReverse / h2c://zitadel-external-tls:8080/
+    Protocols h2 http/1.1
-    ProxyPreserveHost on
+    H2Direct on
    # Configure SSL for gRPC
    SSLEngine on
    SSLCertificateFile /etc/certs/selfsigned.crt
    SSLCertificateKeyFile /etc/certs/selfsigned.key
    # Enable ALPN protocols for gRPC
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    SSLSessionTickets off
    ProxyPreserveHost on
    ProxyAddHeaders on
    RequestHeader set X-Forwarded-Proto "https"
    # Route login requests    
    ProxyPass /ui/v2/login http://login-external-tls:3000/ui/v2/login
    ProxyPassReverse /ui/v2/login http://login-external-tls:3000/ui/v2/login
    # Route gRPC/API requests with HTTP/2 support
    ProxyPass / h2c://zitadel-external-tls:8080/
    ProxyPassReverse / h2c://zitadel-external-tls:8080/
 </VirtualHost>
--- a/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/httpd/httpd.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with Apache httpd
+title: Configure Zitadel with Apache httpd
 sidebar_label: Apache httpd
 ---
@@ -19,20 +19,21 @@ export const link = <a href="https://httpd.apache.org//">{providername}</a>
 You can either setup your environment for <a href={'#tls-mode-disabled'}>TLS mode disabled</a>, <a href={'#tls-mode-external'}>TLS mode external</a> or <a href={'#tls-mode-enabled'}>TLS mode enabled</a>.
 <!-- login NOT WORKING
 ## TLS mode disabled
 <!-- grpc NOT WORKING -->
 <ProxyGuideTLSMode mode="disabled" configfilename="httpd-disabled-tls.conf" configfilecontent={ConfigDisabled} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
 -->
 ## TLS mode external
 <!-- grpc NOT WORKING -->
 <ProxyGuideTLSMode mode="external" configfilename="httpd-external-tls.conf" configfilecontent={ConfigExternal} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
 <!-- grpc NOT WORKING
 ## TLS mode enabled
 <!-- grpc NOT WORKING -->
 <ProxyGuideTLSMode mode="enabled" configfilename="httpd-enabled-tls.conf" configfilecontent={ConfigEnabled} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
 -->
 ## More Information
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/docker-compose.yaml
@@ -7,7 +7,7 @@ services:
    ports:
      - "80:80"
    networks:
-      - 'zitadel'
+      - app
    depends_on:
      zitadel-disabled-tls:
        condition: 'service_healthy'
@@ -21,7 +21,7 @@ services:
    ports:
      - "443:443"
    networks:
-      - 'zitadel'
+      - app
    depends_on:
      zitadel-external-tls:
        condition: 'service_healthy'
@@ -35,10 +35,7 @@ services:
    ports:
      - "443:443"
    networks:
-      - 'zitadel'
+      - app
    depends_on:
      zitadel-enabled-tls:
        condition: 'service_healthy'
 networks:
  zitadel:
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-disabled-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-disabled-tls.conf
@@ -5,6 +5,10 @@ http {
    server {
        listen 80;
        http2 on;
        location /ui/v2/login {
            proxy_pass http://login-disabled-tls:3000;
            proxy_set_header Host $host;
        }
        location / {
            grpc_pass grpc://zitadel-disabled-tls:8080;
            grpc_set_header Host $host;
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-enabled-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-enabled-tls.conf
@@ -7,6 +7,11 @@ http {
        http2 on;
        ssl_certificate     /etc/certs/selfsigned.crt;
        ssl_certificate_key /etc/certs/selfsigned.key;
        location /ui/v2/login {
            proxy_pass http://login-enabled-tls:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
        }
        location / {
            grpc_pass grpcs://zitadel-enabled-tls:8080;
            grpc_set_header Host $host;
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-external-tls.conf
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx-external-tls.conf
@@ -7,9 +7,15 @@ http {
        http2 on;
        ssl_certificate     /etc/certs/selfsigned.crt;
        ssl_certificate_key /etc/certs/selfsigned.key;
        location /ui/v2/login {
            proxy_pass http://login-external-tls:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
        }        
        location / {
            grpc_pass grpc://zitadel-external-tls:8080;
            grpc_set_header Host $host;
            grpc_set_header X-Forwarded-Proto https;
        }
    }
 }
--- a/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/nginx/nginx.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with NGINX
+title: Configure Zitadel with NGINX
 sidebar_label: NGINX
 ---
@@ -19,9 +19,11 @@ export const link = <a href="https://nginx.com/">{providername}</a>;
 You can either setup your environment for <a href={'#tls-mode-disabled'}>TLS mode disabled</a>, <a href={'#tls-mode-external'}>TLS mode external</a> or <a href={'#tls-mode-enabled'}>TLS mode enabled</a>.
 <!-- login NOT WORKING
 ## TLS mode disabled
 <ProxyGuideTLSMode mode="disabled" configfilename="nginx-disabled-tls.conf" configfilecontent={ConfigDisabled} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
 -->
 ## TLS mode external
--- a/docs/docs/self-hosting/manage/reverseproxy/reverse_proxy.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/reverse_proxy.mdx
@@ -7,8 +7,9 @@ Check out one of the following guides to configure your favorite reverse proxy:
 - [Traefik](/self-hosting/manage/reverseproxy/traefik)
 - [NGINX](/self-hosting/manage/reverseproxy/nginx)
 - [Caddy](/self-hosting/manage/reverseproxy/caddy)
-<!-- grpc NOT WORKING - [Apache httpd](/self-hosting/manage/reverseproxy/httpd) -->
+- [Apache httpd](/self-hosting/manage/reverseproxy/httpd)
 - [Cloudflare](/self-hosting/manage/reverseproxy/cloudflare)
 - [Cloudflare Tunnel](/self-hosting/manage/reverseproxy/cloudflare_tunnel)
- [Fronting ZITADEL Cloud](/self-hosting/manage/reverseproxy/zitadel_cloud)
+- [Fronting Zitadel Cloud](/self-hosting/manage/reverseproxy/zitadel_cloud)
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/docker-compose.yaml
@@ -7,7 +7,7 @@ services:
    ports:
      - "80:80"
    networks:
-      - 'zitadel'
+      - app
    depends_on:
      zitadel-disabled-tls:
        condition: 'service_healthy'
@@ -21,7 +21,7 @@ services:
    ports:
      - "443:443"
    networks:
-      - 'zitadel'
+      - app
    depends_on:
      zitadel-external-tls:
        condition: 'service_healthy'
@@ -35,10 +35,7 @@ services:
    ports:
      - "443:443"
    networks:
-      - 'zitadel'
+      - app
    depends_on:
      zitadel-enabled-tls:
        condition: 'service_healthy'
 networks:
  zitadel:
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-disabled-tls.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-disabled-tls.yaml
@@ -8,13 +8,24 @@ entrypoints:
    address: ":80"
 http:
  routers:
-    router:
+    zitadel:
      entryPoints:
        - "web"
      service: "zitadel"
-      rule: 'PathPrefix(`/`)'
+      rule: '!PathPrefix(`/ui/v2/login`)'
    login:
      entryPoints:
        - "web"
      service: "login"
      rule: 'PathPrefix(`/ui/v2/login`)'
  services:
    zitadel:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "h2c://zitadel-disabled-tls:8080"
    login:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://login-disabled-tls:3000"
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-enabled-tls.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-enabled-tls.yaml
@@ -8,21 +8,36 @@ entrypoints:
    address: ":443"
 http:
  routers:
-    router:
+    zitadel:
      entryPoints:
        - "web"
      service: "zitadel"
-      rule: 'PathPrefix(`/`)'
+      rule: '!PathPrefix(`/ui/v2/login`)'
      tls: {}
    login:
      entryPoints:
        - "web"
      service: "login"
      rule: 'PathPrefix(`/ui/v2/login`)'
      tls: {}
  services:
    zitadel:
      loadBalancer:
        serversTransport: "zitadel"
        passHostHeader: true
        servers:
          - url: "https://zitadel-enabled-tls:8080"
    login:
      loadBalancer:
        serversTransport: "login"
        passHostHeader: true
        servers:
          - url: "http://login-enabled-tls:3000"
  serversTransports:
    zitadel:
      insecureSkipVerify: true
    login:
      insecureSkipVerify: true
 tls:
  stores:
    default:
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-external-tls.yaml
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik-external-tls.yaml
@@ -8,17 +8,29 @@ entrypoints:
    address: ":443"
 http:
  routers:
-    router:
+    zitadel:
      entryPoints:
        - "web"
      service: "zitadel"
-      rule: 'PathPrefix(`/`)'
+      rule: '!PathPrefix(`/ui/v2/login`)'
      tls: {}
    login:
      entryPoints:
        - "web"
      service: "login"
      rule: 'PathPrefix(`/ui/v2/login`)'
      tls: {}
  services:
    zitadel:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "h2c://zitadel-external-tls:8080"
    login:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://login-external-tls:3000"
 tls:
  stores:
    default:
--- a/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/traefik/traefik.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure ZITADEL with Traefik
+title: Configure Zitadel with Traefik
 sidebar_label: Traefik
 ---
@@ -19,9 +19,11 @@ export const link = <a href="https://doc.traefik.io/traefik/">{providername}</a>
 You can either setup your environment for <a href={'#tls-mode-disabled'}>TLS mode disabled</a>, <a href={'#tls-mode-external'}>TLS mode external</a> or <a href={'#tls-mode-enabled'}>TLS mode enabled</a>.
 <!-- login NOT WORKING
 ## TLS mode disabled
 <ProxyGuideTLSMode mode="disabled" configfilename="traefik-disabled-tls.yaml" configfilecontent={ConfigDisabled} providername={providername} link={link} lower={lower}></ProxyGuideTLSMode>
 -->
 ## TLS mode external
--- a/docs/docs/self-hosting/manage/reverseproxy/zitadel_cloud/zitadel_cloud.mdx
+++ b/docs/docs/self-hosting/manage/reverseproxy/zitadel_cloud/zitadel_cloud.mdx
@@ -1,16 +1,16 @@
 ---
-title: Front ZITADEL Cloud with a CDN, WAF or Reverse Proxy
+title: Front Zitadel Cloud with a CDN, WAF or Reverse Proxy
-sidebar_label: Fronting ZITADEL Cloud
+sidebar_label: Fronting Zitadel Cloud
 ---
-## Fronting ZITADEL Cloud
+## Fronting Zitadel Cloud
-You can use your reverseproxy, content delivery network (CDN) or web application firewall (WAF) to front ZITADEL Cloud.
+You can use your reverseproxy, content delivery network (CDN) or web application firewall (WAF) to front Zitadel Cloud.
 However we currently do not recommend this for production settings.
-To configure your service that fronts ZITADEL please have a look at the vendors in this page.
+To configure your service that fronts Zitadel please have a look at the vendors in this page.
-## Things to look out for when fronting ZITADEL Cloud
+## Things to look out for when fronting Zitadel Cloud
- Cache-control - ZITADEL Cloud uses a CDN to globally distribute data. Please try to avoid overriding this header as it may lead to sideeffects
+- Cache-control - Zitadel Cloud uses a CDN to globally distribute data. Please try to avoid overriding this header as it may lead to sideeffects
- Rate Limits - ZITADEL Cloud uses a combination of static and dynamic rate limits. If you recieve occasional 429 headers you are rate limited.
+- Rate Limits - Zitadel Cloud uses a combination of static and dynamic rate limits. If you recieve occasional 429 headers you are rate limited.
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -1107,6 +1107,7 @@ module.exports = {
            "self-hosting/manage/reverseproxy/traefik/traefik",
            "self-hosting/manage/reverseproxy/nginx/nginx",
            "self-hosting/manage/reverseproxy/caddy/caddy",
            "self-hosting/manage/reverseproxy/httpd/httpd",
            "self-hosting/manage/reverseproxy/cloudflare/cloudflare",
            "self-hosting/manage/reverseproxy/cloudflare_tunnel/cloudflare_tunnel",
            "self-hosting/manage/reverseproxy/zitadel_cloud/zitadel_cloud",
`@@ -1,2 +1,2 @@`
	`- [Read more about ZITADELs TLS Modes](/self-hosting/manage/tls_modes)`	`- [Read more about Zitadel's TLS Modes](/self-hosting/manage/tls_modes)`
	`- [Read more about how ZITADEL uses HTTP/2](/self-hosting/manage/http2)`	`- [Read more about how Zitadel uses HTTP/2](/self-hosting/manage/http2)`