diff --git a/.gitignore b/.gitignore
index 70660058..35041b98 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,5 @@ docker-compose.override.yaml
 *.DS_Store
 maps/yarn.lock
 maps/dist/computer.js
-maps/dist/computer.js.map
\ No newline at end of file
+maps/dist/computer.js.map
+contrib/docker/acme
diff --git a/contrib/docker/.env.prod.singledomain.template b/contrib/docker/.env.prod.singledomain.template
new file mode 100644
index 00000000..55dd976b
--- /dev/null
+++ b/contrib/docker/.env.prod.singledomain.template
@@ -0,0 +1,38 @@
+## The single (sub)domain to use
+BASE_DOMAIN=wa.example.com
+
+DEBUG_MODE=false
+
+## JITSI settings
+JITSI_URL=meet.jit.si
+# If your Jitsi environment has authentication set up, you MUST set JITSI_PRIVATE_MODE to "true" and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
+JITSI_PRIVATE_MODE=false
+JITSI_ISS=
+SECRET_JITSI_KEY=
+
+## ADMIN backend settings
+ADMIN_API_TOKEN=2342
+ADMIN_API_URL=
+
+## TURN server settings
+# URL of the TURN server (needed to "punch a hole" through some networks for P2P connections)
+STUN_SERVER=
+TURN_SERVER=
+TURN_USER=
+TURN_PASSWORD=
+
+## Reverse proxy settings (note: these must also be manually activated in the docker-compose file for now)
+TRAEFIK_BASICAUTH=testuser:$2y$05$L2t/Wx937mHhKH61mjPL7OvepvjcyUnzVUkpiMo.nKeWSdRd5oyUC
+TRAEFIK_BASICAUTHFILE=/.htpasswd
+
+# Maximum allowed number of people per "ring" group
+MAX_PER_GROUP=5
+
+# The URL used by default, in the form: "/_/global/map/url.json" or with active admin backend as "/@/org/world/room"
+START_ROOM_URL=/_/global/maps.workadventu.re/Floor0/floor0.json
+
+# The email address used by Let's encrypt to send renewal warnings (compulsory)
+ACME_EMAIL=
+
+# Set to true to allow using this instance as a target for the apiUrl property
+FEDERATE_PUSHER=false
diff --git a/contrib/docker/.htpasswd b/contrib/docker/.htpasswd
new file mode 100644
index 00000000..e69de29b
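Review bot: The template ships working credentials: `ADMIN_API_TOKEN=2342` is a fixed admin token and `TRAEFIK_BASICAUTH=testuser:$2y$05$L2t/…` is a bcrypt hash for a published user, and a copied template tends to reach production unchanged. Leave both empty with a comment that a value must be supplied, as the hunk already does for `SECRET_JITSI_KEY` (`ADMIN_API_TOKEN=` and `TRAEFIK_BASICAUTH=`, each preceded by `# REQUIRED: set before deploying`). The compose file in this commit also hard-codes `SECRET_KEY: yourSecretKey` for `pusher` and `back`, yet the template has no `SECRET_KEY=` entry through which an operator could override it. The empty `contrib/docker/.htpasswd` added alongside stays tracked while `contrib/docker/acme` is ignored, so a hash written to it locally will show up as a modification; it likely deserves the same `.gitignore` treatment.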
diff --git a/contrib/docker/docker-compose.prod.singledomain.yaml b/contrib/docker/docker-compose.prod.singledomain.yaml
new file mode 100644
index 00000000..2670970d
--- /dev/null
+++ b/contrib/docker/docker-compose.prod.singledomain.yaml
@@ -0,0 +1,123 @@
+version: "3"
+services:
+ reverse-proxy:
+ image: traefik:v2.3.7
+ restart: unless-stopped
+ command:
+ - --providers.docker
+ - --entryPoints.web.address=:80
+ - --entrypoints.web.http.redirections.entryPoint.to=websecure
+ - --entrypoints.web.http.redirections.entryPoint.scheme=https
+ - --entrypoints.web.http.redirections.entrypoint.permanent=true
+ - --entryPoints.websecure.address=:443
+ - --providers.file.directory=/configs/
+ - --certificatesresolvers.myhttpchallenge.acme.tlschallenge=true
+ - --certificatesresolvers.myhttpchallenge.acme.email=$ACME_EMAIL
+ - --certificatesresolvers.myhttpchallenge.acme.storage=/acme/acme.json
+ ports:
+ - "80:80"
+ - "443:443"
+ depends_on:
+ - back
+ - front
+ - up
+ - pusher
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - ./acme:/acme
+ - ./traefik_tls.yaml:/configs/traefik_tls.yml
+ - ./.htpasswd:/.htpasswd
+
+ front:
+ restart: unless-stopped
+ build:
+ context: ../..
+ dockerfile: front/Dockerfile
+ args:
+ BASE_DOMAIN: ${BASE_DOMAIN:-workadventure.localhost}
+
+ # These should fall back to window.location.host
+ API_URL: ""
+ UPLOADER_URL: ""
+
+ START_ROOM_URL: "$START_ROOM_URL"
+ JITSI_PRIVATE_MODE: "$JITSI_PRIVATE_MODE"
+ JITSI_URL: "$JITSI_URL"
+ START_ROOM_URL: "$START_ROOM_URL"
+ STUN_SERVER: "$STUN_SERVER"
+ TURN_PASSWORD: "$TURN_PASSWORD"
+ TURN_SERVER: "$TURN_SERVER"
+ TURN_USER: "$TURN_USER"
+ MAX_PER_GROUP: "$MAX_PER_GROUP"
+ labels:
+ - "traefik.http.routers.front.rule=PathPrefix(`/`)"
+ - "traefik.http.routers.front.rule=Host(`${BASE_DOMAIN}`)"
+ - "traefik.http.routers.front.entryPoints=web"
+ - "traefik.http.services.front.loadbalancer.server.port=8000"
+ - "traefik.http.routers.front-ssl.rule=PathPrefix(`/`)"
+ - "traefik.http.routers.front-ssl.rule=Host(`${BASE_DOMAIN}`)"
+ - "traefik.http.routers.front-ssl.entryPoints=websecure"
+ - "traefik.http.routers.front-ssl.tls=true"
+ - "traefik.http.routers.front-ssl.service=front"
+ - "traefik.http.routers.front-ssl.tls.certresolver=myhttpchallenge"
+# uncomment to enable user/pass basic auth
+# - "traefik.http.routers.front.middlewares=auth"
+# - "traefik.http.routers.front-ssl.middlewares=auth"
+# - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_BASICAUTH}"
+# - "traefik.http.middlewares.auth.basicauth.usersFile=${TRAEFIK_BASICAUTHFILE}"
+# - "traefik.http.middlewares.auth.basicauth.headerField=X-WebAuth-User"
+
+
+
+ pusher:
+ restart: unless-stopped
+ build:
+ context: ../..
+ dockerfile: pusher/Dockerfile
+ environment:
+ SECRET_KEY: yourSecretKey
+ SECRET_JITSI_KEY: "$SECRET_JITSI_KEY"
+ ADMIN_API_TOKEN: "$ADMIN_API_TOKEN"
+ ADMIN_API_URL: "$ADMIN_API_URL"
+ API_URL: back:50051
+ JITSI_URL: $JITSI_URL
+ JITSI_ISS: $JITSI_ISS
+ labels:
+ - "traefik.http.routers.pusher.rule=Path(`/admin/rooms`, `/room`, `/verify`, `/register`, `/anonymLogin`, `/metrics`, `/dump`, `/map`)"
+ - "traefik.http.routers.pusher.entryPoints=web"
+ - "traefik.http.services.pusher.loadbalancer.server.port=8080"
+ - "traefik.http.routers.pusher-ssl.rule=Path(`/admin/rooms`, `/room`, `/verify`, `/register`, `/anonymLogin`, `/metrics`, `/dump`, `/map`)"
+ - "traefik.http.routers.pusher-ssl.entryPoints=websecure"
+ - "traefik.http.routers.pusher-ssl.tls=true"
+ - "traefik.http.routers.pusher-ssl.service=pusher"
+ - "traefik.http.routers.pusher-ssl.tls.certresolver=myhttpchallenge"
+
+ back:
+ restart: unless-stopped
+ build:
+ context: ../..
+ dockerfile: back/Dockerfile
+ environment:
+ SECRET_KEY: yourSecretKey
+ SECRET_JITSI_KEY: "$SECRET_JITSI_KEY"
+ ADMIN_API_TOKEN: "$ADMIN_API_TOKEN"
+ ADMIN_API_URL: "$ADMIN_API_URL"
+ JITSI_URL: $JITSI_URL
+ JITSI_ISS: $JITSI_ISS
+ MAX_PER_GROUP: $MAX_PER_GROUP
+
+ up:
+ restart: unless-stopped
+ build:
+ context: ../..
+ dockerfile: uploader/Dockerfile
+ labels:
+ - "traefik.http.routers.up.rule=Path(`/upload-audio-message`, `/download-audio-message`)"
+ - "traefik.http.routers.up.entryPoints=web"
+ - "traefik.http.services.up.loadbalancer.server.port=8080"
+ - "traefik.http.routers.up-ssl.rule=Path(`/upload-audio-message`, `/download-audio-message`)"
+ - "traefik.http.routers.up-ssl.entryPoints=websecure"
+ - "traefik.http.routers.up-ssl.tls=true"
+ - "traefik.http.routers.up-ssl.service=up"
+ - "traefik.http.routers.up-ssl.tls.certresolver=myhttpchallenge"
+
diff --git a/contrib/docker/traefik_tls.yaml b/contrib/docker/traefik_tls.yaml
new file mode 100644
index 00000000..03362edb
--- /dev/null
+++ b/contrib/docker/traefik_tls.yaml
@@ -0,0 +1,13 @@
+tls:
+ options:
+ default:
+ sniStrict: true
+ minVersion: VersionTLS12
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
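Review bot: The `reverse-proxy` service mounts the Docker socket read-write and runs `--providers.docker` with Traefik's default `exposedByDefault=true`, so any container the socket shows it gets a router (including `back`, which carries no labels here and only speaks gRPC on 50051), and a compromise of the Traefik container gives control of the Docker daemon on the host. Mount the socket `:ro`, add `--providers.docker.exposedByDefault=false`, and opt `front`, `pusher` and `up` in with `traefik.enable=true`. The literal `SECRET_KEY: yourSecretKey` in `pusher` and `back` is shared by every deployment of this file; read it from the environment (`SECRET_KEY: "$SECRET_KEY"`) with a matching entry in the env template. Separately, `front` sets `traefik.http.routers.front.rule` and `front-ssl.rule` twice each — labels form a map, so one of the two rules is silently dropped — and `START_ROOM_URL` appears twice in its build args; combine the rules into one `Host(...) && PathPrefix(...)` label and remove the duplicate arg. The `JITSI_URL`, `JITSI_ISS` and `MAX_PER_GROUP` values in `pusher` and `back` are the only unquoted substitutions in the file; quoting them like the others keeps an empty or special-character value from surprising the YAML parser.
```yaml
  reverse-proxy:
    command:
      - --providers.docker
      - --providers.docker.exposedByDefault=false
      # … unchanged: entrypoint, redirect and ACME resolver flags …
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # … unchanged: acme, tls config and htpasswd mounts …

  front:
    # … unchanged: build args (drop the second START_ROOM_URL) …
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.front.rule=Host(`${BASE_DOMAIN}`) && PathPrefix(`/`)"
      - "traefik.http.routers.front-ssl.rule=Host(`${BASE_DOMAIN}`) && PathPrefix(`/`)"
      # … unchanged: entryPoints, service, tls and certresolver labels …

  pusher:
    environment:
      SECRET_KEY: "$SECRET_KEY"
      # … unchanged: other environment variables …
    labels:
      - "traefik.enable=true"
      # … unchanged: pusher routers …

  back:
    environment:
      SECRET_KEY: "$SECRET_KEY"
      # … unchanged: other environment variables …

  up:
    labels:
      - "traefik.enable=true"
      # … unchanged: up routers …
```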
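Review bot: The `cipherSuites` list only constrains TLS 1.2 handshakes; Traefik is built on Go's TLS stack, which does not let the configuration choose TLS 1.3 suites, so a reader may wrongly assume the list restricts TLS 1.3 as well. A comment above `cipherSuites:` such as `# Applies to TLS 1.2 only; TLS 1.3 suites are fixed by Go and cannot be configured here` would document that. The file is also mounted into the proxy as `traefik_tls.yml` while it is named `traefik_tls.yaml`, which Traefik's file provider tolerates but is worth aligning, and the hunk ends with an empty added line.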