diff --git a/docker-compose.yml b/docker-compose.yml
index 8562a1a..8d7a75b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,8 +8,6 @@ services:
 networks:
 - traefik-internal
 command:
- # - "--log.level=DEBUG"
- # - "--api.insecure=true"
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
 - "--providers.docker.network=marvinblum_traefik-internal"
@@ -17,21 +15,29 @@ services:
 - "--entrypoints.websecure.address=:443"
 - "--certificatesresolvers.tls-resolver.acme.httpchallenge=true"
 - "--certificatesresolvers.tls-resolver.acme.httpchallenge.entrypoint=web"
- # - "--certificatesresolvers.tls-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
 - "--certificatesresolvers.tls-resolver.acme.email=marvin@marvinblum.de"
 - "--certificatesresolvers.tls-resolver.acme.storage=/letsencrypt/acme.json"
 ports:
 - "80:80"
 - "443:443"
- # - "8080:8080"
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - /root/marvinblum/letsencrypt:/letsencrypt
- # labels:
- # - "traefik.enable=true"
- # - "traefik.port=8080"
- # - "traefik.http.routers.traefik.entrypoints=web"
- # - "traefik.http.routers.traefik.service=api@internal"
+ labels:
+ - "traefik.enable=true"
+ # Global redirection: http to https
+ - 'traefik.http.routers.http-catchall.rule=HostRegexp(`{host:(www\.)?.+}`)'
+ - "traefik.http.routers.http-catchall.entrypoints=web"
+ - "traefik.http.routers.http-catchall.middlewares=wwwtohttps"
+ # Global redirection: https (www.) to https
+ - 'traefik.http.routers.wwwsecure-catchall.rule=HostRegexp(`{host:(www\.).+}`)'
+ - "traefik.http.routers.wwwsecure-catchall.entrypoints=websecure"
+ - "traefik.http.routers.wwwsecure-catchall.tls=true"
+ - "traefik.http.routers.wwwsecure-catchall.middlewares=wwwtohttps"
+ # middleware: http(s)://(www.) to https://
+ - 'traefik.http.middlewares.wwwtohttps.redirectregex.regex=^https?://(?:www\.)?(.+)'
+ - 'traefik.http.middlewares.wwwtohttps.redirectregex.replacement=https://$${1}'
+ - 'traefik.http.middlewares.wwwtohttps.redirectregex.permanent=true'
 marvinblum:
 image: kugel/marvinblum
 container_name: marvinblum
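Review bot: The `wwwsecure-catchall` router added here is probably shadowed for `www.marvinblum.de`, because the `schnittfest` router in the next hunk of this file matches the same host on `websecure` with a longer rule, and rule length is what Traefik's default router priority is derived from. If that holds, `https://www.marvinblum.de` is served directly and the www-stripping redirect only ever fires on the `web` entrypoint. Giving the catch-all an explicit priority would make the intent unambiguous, e.g. `- "traefik.http.routers.wwwsecure-catchall.priority=1000"` (value constructed for illustration). The catch-all also sets `tls=true` without a `tls.certresolver`, so a `www.` host that no other router requests a certificate for would be answered with Traefik's default certificate; a comment above the label stating which router is expected to obtain the certificate would help the next reader.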
@@ -41,25 +47,19 @@ services:
 networks:
 - postgres_db-internal
 - traefik-internal
+ env_file:
+ - secrets.env
 environment:
 MB_EMVI_CLIENT_ID: 3fBBn144yvSF9R3dPC8l
- MB_EMVI_CLIENT_SECRET: dw3FeshelTgdf1Gj13J7uF5FfdPDi40sQvvwqeFVKTTyIDuCdlAHhRY72csFL6yg
 MB_EMVI_ORGA: marvin
 MB_DB_HOST: postgres
- MB_DB_USER:
- MB_DB_PASSWORD:
- MB_DB_SCHEMA:
 labels:
 - "traefik.enable=true"
 - "traefik.port=8888"
- - "traefik.http.routers.marvinblum.entrypoints=web"
- - "traefik.http.routers.marvinblum.rule=Host(`marvinblum.de`)"
- - "traefik.http.routers.marvinblum.middlewares=http-redirect"
- - "traefik.http.routers.marvinblum-secure.entrypoints=websecure"
- - "traefik.http.routers.marvinblum-secure.rule=Host(`marvinblum.de`)"
- - "traefik.http.routers.marvinblum-secure.tls.certresolver=tls-resolver"
- - "traefik.http.middlewares.http-redirect.redirectscheme.scheme=https"
- - "traefik.http.middlewares.http-redirect.redirectscheme.permanent=true"
+ - "traefik.http.routers.schnittfest.rule=Host(`marvinblum.de`) || Host(`www.marvinblum.de`)"
+ - "traefik.http.routers.schnittfest.entrypoints=websecure"
+ - "traefik.http.routers.schnittfest.tls=true"
+ - "traefik.http.routers.schnittfest.tls.certresolver=tls-resolver"
 networks:
 traefik-internal:
diff --git a/secrets.env b/secrets.env
new file mode 100644
index 0000000..b7b7882
--- /dev/null
+++ b/secrets.env
@@ -0,0 +1,4 @@
+MB_EMVI_CLIENT_SECRET=
+MB_DB_USER=
+MB_DB_PASSWORD=
+MB_DB_SCHEMA=
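Review bot: The value deleted from `MB_EMVI_CLIENT_SECRET` in the `environment` block stays readable in the repository history, so moving the variable into `secrets.env` does not make it secret again; the client secret should be rotated at the issuer and only the new value placed in the env file. Separately, the router on the `marvinblum` service is now named `schnittfest`. Router names are shared across every container Traefik discovers, so if another service defines a router with that name the two definitions would conflict; a name that matches the service, as the removed `marvinblum-secure` did, avoids that.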
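Review bot: `secrets.env` is added as a tracked file, so once real values are filled in on a host the file shows up as modified and a single `git add` puts the credentials back into the repository. Committing the empty template under a different name (for example `secrets.env.example`) and listing `secrets.env` in `.gitignore` keeps the file Compose actually reads out of version control. Also, as far as Compose's env-file handling goes, `MB_DB_USER=` with nothing after the `=` sets the variable to an empty string, whereas the bare `MB_DB_USER:` entries removed from `environment` passed the host's value through. A deployment that relied on the host environment would therefore start with empty database credentials until the file is filled in.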