diff --git a/README.md b/README.md
index 8caf7a5..1d6f565 100644
--- a/README.md
+++ b/README.md
@@ -163,8 +163,10 @@ So, without further ado, here's the current list:
# Reverse proxy & SSO
-- Authelia
-- Traefik
+- [Authelia](apps/reverse-proxy-sso/authelia.md)
+- [Traefik](apps/reverse-proxy-sso/traefik.md)
+- [Caddy](https://caddyserver.com/) [external] - very good web server with reverse-proxy & automatic https.
+- [Nginx Proxy Manager](https://nginxproxymanager.com/) [external] - another nice solution based on the battle-tested & probably the most popular web-server - nginx. It has a pretty UI that allows to manage the services.
# RSS
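Review bot: the `[external]` marker on the two new entries (Caddy, Nginx Proxy Manager) is not explained anywhere in this hunk, so readers have to guess that it means "no write-up in this repo". Define it once near the top of the list or spell it out as "(external link)". In the Nginx Proxy Manager line, "allows to manage the services" reads better as "for managing the services", and "https" in the Caddy line should be "HTTPS".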
diff --git a/apps/reverse-proxy-sso/authelia.md b/apps/reverse-proxy-sso/authelia.md
new file mode 100644
index 0000000..ec14be1
--- /dev/null
+++ b/apps/reverse-proxy-sso/authelia.md
@@ -0,0 +1,111 @@
+# Authelia
+This is a fantastic, feature rich and simple to set-up Single Sign-On solution.
+The config files below, will use a file-storage for users, because it's simpler and quite sufficient for simple self-hosting server at home (as opposed to seting up full featured LDAP back-end).
+
+
+
+- [Homepage](https://www.authelia.com/)
+- [Github repo](https://github.com/authelia/authelia)
+- [Docs](https://www.authelia.com/docs/)
+
+
+## docker-compose.yml
+```yml
+version: '3.3'
+networks:
+ net:
+ driver: bridge
+
+services:
+ authelia:
+ image: authelia/authelia
+ container_name: authelia
+ restart: unless-stopped
+ expose:
+ - 9091
+ ports:
+ - "9091:9091"
+ networks:
+ - net
+ environment:
+ - TZ=Europe/Dublin
+ volumes:
+ - ./data:/var/lib/authelia
+ - ./config.yml:/etc/authelia/configuration.yml:ro
+ - ./users.yml:/etc/authelia/users.yml:ro
+
+ redis:
+ image: redis:alpine
+ container_name: redis
+ volumes:
+ - ./redis:/data
+ expose:
+ - 6379
+ networks:
+ - net
+ restart: unless-stopped
+ environment:
+ - TZ=Europe/Dublin
+```
+
+## config.yml
+```yml
+host: 0.0.0.0
+port: 9091
+
+# log_level: debug
+jwt_secret: DphJJcoCO2aXK666tq3d2AgMQ8gaugukKsUjKzMciA
+
+authentication_backend:
+ file:
+ path: /etc/authelia/users.yml
+
+storage:
+ local:
+ path: /var/lib/authelia/db.sqlite3
+
+notifier:
+ filesystem:
+ filename: /tmp/authelia/notification.txt
+
+session:
+ name: authelia_session
+ secret: U8kmbel7WhP1YneQh2134DXhsiSHctE5Emtf
+ expiration: 3600 # 1 hour
+ inactivity: 300 # 5 minutes
+ # The domain to protect.
+ # Note: the login portal must also be a subdomain of that domain.
+ domain: example.com
+ redis:
+ host: redis
+ port: 6379
+
+regulation:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
+
+access_control:
+ default_policy: one_factor
+ rules:
+ - domain: "*.example.com"
+ subject: "group:admins"
+ policy: one_factor
+```
+
+## users.yml
+```yml
+users:
+ admin:
+ displayname: "admin"
+ password: "" # password hash - see below how to generate
+ email: admin@example.com
+ groups:
+ - admins
+```
+
+## Tips & Tricks
+Generate password hash for the `users.yml`:
+```sh
+docker run authelia/authelia:latest authelia hash-password
+```
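Review bot: `jwt_secret` and `session: secret` in config.yml are committed as literal values, so anyone who copies this file verbatim runs with publicly known token-signing and session secrets. Replace both with obvious placeholders (for example `jwt_secret: <generate-a-random-string>`) and add a line under "Tips & Tricks" telling readers to generate their own. Two smaller points in the same file set: under `access_control`, the only rule (`group:admins` on `*.example.com`) has policy `one_factor`, which is already the `default_policy`, so the rule changes nothing and every authenticated user gets access; a `deny` default would make the group rule meaningful. In docker-compose.yml, `"9091:9091"` publishes the portal on every host interface in plain HTTP next to the redundant `expose`; if the mapping is only there so the proxy can reach Authelia, say so and bind it to a specific address. `image: authelia/authelia` and the `:latest` tag in the hash-password command are also unpinned, which makes the example hard to reproduce later.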
diff --git a/apps/reverse-proxy-sso/traefik.md b/apps/reverse-proxy-sso/traefik.md
new file mode 100644
index 0000000..b3abad0
--- /dev/null
+++ b/apps/reverse-proxy-sso/traefik.md
@@ -0,0 +1,185 @@
+# Traefik
+This is one of the best reverse-proxy solutions for self-hosting.
+Very easy to run & maintain (once you pass the setup).
+
+Traefik can detect docker services and use docker labels to automatically create routes.
+However, I prefer to keep my docker-compose files clean and explicitly set routers & services myself, so this solution does that exactly.
+
+Traefik can also be set-up to automatically provide Let's Encrypt certs for your services.
+However, there are some services that need cert files (AdGuard Home, Mailcow), and because I want to have a single wildcard certificate for my whole domain (and all subdomains) I prefer to generate it manually (i.e. scripts in cron) and just reference it whenever it's required - so this setup reflects that.
+
+## General overview
+Traefik has 2 types of config: static (requires restart of the container) and dynamic (refreshes live).
+Dynamic config can be provided as a folder, where all `yml` files are parsed and configuration from them is applied to the running server.
+You can create multiple files and split the dynamic config to your preference. I prefer to keep the 2 main layers (routers & services) separate, as it's easy for me to structure the files and it's clear to see what services are defined and the ports that they use. The down-side is that adding/removing a service requires editing 2 files.
+Another approach would be to use 1 yaml file per service (with route & service definition). It would be clearer from the Filesystem (ls -al) to see what services are configured, but e.g. checking all ports would require viewing all config files.
+For that reason it's also good to keep a note somewhere with a table of service-port mapping.
+
+
+
+- [Homepage](https://traefik.io/)
+- [Github repo](https://github.com/traefik)
+- [Docs](https://doc.traefik.io/traefik/)
+
+## docker-compose.yml
+```yml
+version: '3'
+services:
+ traefik:
+ image: traefik:v2.3
+ container_name: traefik
+ restart: unless-stopped
+ security_opt: ["no-new-privileges"]
+ ports:
+ - "80:80"
+ - "443:443"
+ - "3080:8080"
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ - /path/to/certs:/certs:ro
+ - ./config:/config:ro
+ - ./traefik.yml:/traefik.yml:ro
+```
+
+## Static config
+
+### traefik.yml
+```yml
+global:
+ checkNewVersion: true
+ sendAnonymousUsage: false
+
+api:
+ dashboard: true
+ insecure: true
+
+entryPoints:
+ http:
+ address: ":80"
+ https:
+ address: ":443"
+
+serversTransport:
+ insecureSkipVerify: true
+
+providers:
+ file:
+ directory: /config
+ watch: true
+```
+
+## Dynamic config
+
+### config/middlewares.yml
+```yml
+http:
+ middlewares:
+ authelia:
+ forwardAuth:
+ address: http://:9091/api/verify?rd=https://login.example.com/
+ trustForwardHeader: true
+
+ redirect-to-https:
+ redirectScheme:
+ scheme: https
+ permanent: true
+
+ security-headers:
+ headers:
+ referrerPolicy: "same-origin"
+ contentTypeNosniff: true
+ frameDeny: false
+ forceSTSHeader: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 15552000
+
+ nextcloud-redirectregex:
+ redirectRegex:
+ permanent: true
+ regex: 'https://(.*)/.well-known/(card|cal)dav'
+ replacement: 'https://${1}/remote.php/dav/'
+
+ some-redirect:
+ redirectRegex:
+ regex: "https://subdomain1.example.com/"
+ replacement: "https://subdomain2.example.com?query=123"
+ permanent: true
+
+```
+
+### config/tls.yml
+```yml
+tls:
+ certificates:
+ - certFile: /example1-com/fullchain.cer
+ keyFile: /example1-com/example1.com.key
+ stores:
+ - default
+ - certFile: /example2-com/fullchain.cer
+ keyFile: /example2-com/example2.com.key
+ stores:
+ - default
+
+ stores:
+ default:
+ defaultCertificate:
+ certFile: /example1-com/fullchain.cer
+ keyFile: /example1-com/example1.com.key
+```
+
+### config/routers.yml
+```yml
+http:
+ routers:
+ authelia:
+ rule: "Host(`login.example.com`)"
+ service: authelia
+ tls: {}
+ middlewares:
+ - security-headers
+
+ nextcloud:
+ rule: "Host(`cloud.example.com`)"
+ service: nextcloud
+ tls: {}
+ middlewares:
+ - security-headers
+ - nextcloud-redirectregex
+
+ sonarr:
+ rule: "Host(`sonarr.example.com`)"
+ service: sonarr
+ tls: {}
+ middlewares:
+ - security-headers
+ - authelia
+```
+
+
+### config/services.yml
+```yml
+http:
+ services:
+
+ authelia:
+ loadBalancer:
+ servers:
+ - url: "http://:9091"
+
+ nextcloud:
+ loadBalancer:
+ servers:
+ - url: "http://:3100"
+
+ sonarr:
+ loadBalancer:
+ servers:
+ - url: "http://:8989/"
+```
+
+## Useful links
+- [Traefik 2 + Docker — a Simple Step by Step Guide](https://medium.com/@containeroo/traefik-2-0-docker-a-simple-step-by-step-guide-e0be0c17cfa5#37d9)
+- [Traefik 2 + Docker — an Advanced Guide](https://medium.com/@containeroo/traefik-2-0-docker-an-advanced-guide-d098b9e9be96)
+- [Traefik 2 & TLS 101](https://containo.us/blog/traefik-2-tls-101-23b4fbee81f1/)
+- [check security headers](https://securityheaders.com)
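Review bot: `api: insecure: true` in traefik.yml together with the `"3080:8080"` port mapping in docker-compose.yml serves the dashboard and API without authentication on every host interface. Either drop the mapping and expose the dashboard through a router that uses the `authelia` middleware, or bind the port to localhost and note that it is for local use only. `serversTransport: insecureSkipVerify: true` turns off backend certificate verification globally, yet every backend in services.yml is plain `http://`, so it can be removed or at least explained. The backend URLs (`http://:9091`, `http://:3100`, `http://:8989/`) and the forwardAuth `address` have an empty host; state which hostname or IP belongs there, since the config does not work as written. In config/tls.yml the certificates are referenced as `/example1-com/fullchain.cer`, but the compose file mounts them at `/certs`, so the paths should start with `/certs/`. Finally, the `redirect-to-https` middleware is defined but no router in routers.yml uses it, and no router is attached to the `http` entrypoint, so port 80 is published without the redirect the middleware name promises.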