diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index b4e280c..e29fd96 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -12,3 +12,6 @@
   with_items:
     - rewrite
     - ssl
+    - headers
+    - proxy_http
+    - proxy_wstunnel
diff --git a/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2 b/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2
index 43958bd..d64dc95 100644
--- a/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2
+++ b/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2
@@ -14,7 +14,9 @@
     </ifmodule>
 </VirtualHost>
 
-<IfFile /usr/local/etc/dehydrated/certs/{{ site_name }}>
+<IfFile /usr/local/etc/dehydrated/certs/{{ site_name }}/cert.pem>
+<IfFile /usr/local/etc/dehydrated/certs/{{ site_name }}/privkey.pem>
+<IfFile /usr/local/etc/dehydrated/certs/{{ site_name }}/chain.pem>
 <VirtualHost {{ ansible_default_ipv4.address }}:443 [{{ ansible_default_ipv6.address }}]:443>
     ServerAdmin {{ server_admin }}
     ServerName {{ site_name }}
@@ -30,5 +32,17 @@
     SSLCertificateChainFile /usr/local/etc/dehydrated/certs/{{ site_name }}/chain.pem
 
     ProxyPass / http://{{ backend_host | default("localhost") }}:{{proxy_port}}/
+    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+    RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
+
+    <ifmodule mod_rewrite.c>
+        # see documentation of wstunnel: This allwos generic websocket passthrough
+        RewriteEngine On
+        RewriteCond %{HTTP:Upgrade} websocket [NC]
+        RewriteCond %{HTTP:Connection} upgrade [NC]
+        RewriteRule ^/?(.*) "ws://{{ backend_host | default("localhost") }}:{{ proxy_port }}/$1" [P,L]
+    </ifmodule>
 </VirtualHost>
 </IfFile>
+</IfFile>
+</IfFile>