diff --git a/.env.template b/.env.template
index 120aad36df7f40771e3e3a117113d21e1c38971c..475f031ad80ba309d13a68c4e5f7b3dc37c5f1ce 100644
--- a/.env.template
+++ b/.env.template
@@ -1,5 +1,10 @@
-# docker-compose components replace by devserver.yml to run the dev server (default is prod) or append ':devserver.yml' to run both
-COMPOSE_FILE=docker-compose.yml
+# COMPOSE_FILE :
+#   + docker-compose.yml = production service, no port exposed
+#   + docker-compose.yml:dev.yml = production service + devserver, front services ports are exposed
+#   + docker-compose.yml:traefik.yml = production services + traefik mapping (see README)
+COMPOSE_FILE=docker-compose.yml:dev.yml
+#COMPOSE_FILE=docker-compose.yml
+#COMPOSE_FILE=docker-compose.yml:traefik.yml
 # prod server host port
 PORT=8080
 # prod container restart policy
@@ -14,3 +19,5 @@ HTTP_FOLDER=./www
 # hosts allowed to access ressources from $HTTP_FOLDER
 # * to allow all, http://localhost:$DEV_PORT to allow only devserver
 CORS_ALLOWED_HOSTS=http://localhost:$DEV_PORT
+NAME=IIIF
+HOST=IIIF.tetras-lab.io
diff --git a/README.md b/README.md
index 155805fdda8c92e25798633f9a57127e847efe09..0b30510d1027227b41456235eca198d766f5453b 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,25 @@
 ## Mirador Video Annotation POC
 
-Copy `.env.template` to `.env` and change variables to suit your need (you can skip the edit step)  
 
-Run `docker-compose up -d`, which will serve a mirador instance at `http://localhost:$PORT` (default port is 8080).
+### Install
+
+Copy `.env.template` to `.env` and change variables to suit your need.
+
 
 The `$HTTP_FOLDER` (`./www` by default) directory will be accessible via HTTP at `http://localhost:$PORT/data` and can be used to store manifests and theirs ressources and see them in Mirador.  
 
 If sources files are modified, run `docker-compose up -d --build` to update Mirador  
 
+#### Traefik
+
+We provide a `traefik.yml` file to use behind [traefik](https://traefik.io/https://traefik.io/) this file does the following assumptions :
+
++ A traefik container exists and is running in an external docker network called `traefik`
++ Traefik has a tls resolver called `myresolver`
++ Traefik has a middleware called `hardening@docker` that adds the usual security headers
+
 
-#### Use the development server
+#### Developpement
 
 Follow the previous instructions if you want to access ressources from `$HTTP_FOLDER` via HTTP in the devserver.  
 
diff --git a/devserver.yml b/dev.yml
similarity index 89%
rename from devserver.yml
rename to dev.yml
index 5aded5dc6e859c7a3bee4e0f495b7b6fd331816e..b84bb5ec53e316d25d23286262cc4b2107df07b8 100644
--- a/devserver.yml
+++ b/dev.yml
@@ -14,3 +14,7 @@ services:
       - DEV_PORT
     volumes:
       - ./:/opt
+
+  httpd:
+    ports:
+      - $PORT:80
diff --git a/docker-compose.yml b/docker-compose.yml
index 31ae053949e0adfac62183b4bf71ca9facc51ad8..458e24253456e80951b03f9e87f3e2cae8fcbf7c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,8 +3,6 @@ services:
   httpd:
     build: .
     restart: $RESTART
-    ports:
-      - $PORT:80
     environment:
       - CORS_ALLOWED_HOSTS
       - WEBPACK_MODE=production
diff --git a/traefik.yml b/traefik.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6bc19581be76db37f189dba844b56f9ee82a81bf
--- /dev/null
+++ b/traefik.yml
@@ -0,0 +1,18 @@
+version: "3.9"
+services:
+  httpd:
+    networks:
+      - default
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.http.routers.${NAME}.rule=Host(`${HOST}`)"
+      - "traefik.http.routers.${NAME}.tls.certresolver=myresolver"
+      - "traefik.http.routers.${NAME}.entrypoints=web,websecure"
+      - "traefik.http.routers.${NAME}.middlewares=hardening@docker"
+
+
+networks:
+  traefik:
+    external: true