diff --git a/base.yml b/base.yml
index 6ac87cd..91eacc8 100644
--- a/base.yml
+++ b/base.yml
@@ -4,6 +4,8 @@ networks:
frontend:
driver: overlay
attachable: true
+ cache:
+ driver: overlay
secrets:
cf_op:
@@ -40,7 +42,29 @@ services:
- cf_op
volumes:
- 'haproxysock:/haproxy:rw' ## Telegraf monitoring
- ports:
- - '443:443'
networks:
- frontend
+ - cache
+
+ varnish:
+ image: localhost:5000/varnish
+ deploy: *gt2
+ logging: *json-log
+ tmpfs: /usr/local/var/varnish
+ networks:
+ - cache
+
+ hitch:
+ image: zazukoians/hitch
+ deploy: *gt2
+ logging: *json-log
+ secrets:
+ - source: ssl_master
+ environment:
+ HITCH_PEM: '/run/secrets/ssl_master'
+ HITCH_PARAMS: '--backend=[varnish]:80 --frontend=[*]:443'
+ HITCH_CIPHER: 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
+ ports:
+ - '443:443'
+ networks:
+ - cache
diff --git a/build/Dockerfile b/build/HAProxy/Dockerfile
similarity index 100%
rename from build/Dockerfile
rename to build/HAProxy/Dockerfile
diff --git a/build/haproxy.conf b/build/HAProxy/haproxy.conf
similarity index 93%
rename from build/haproxy.conf
rename to build/HAProxy/haproxy.conf
index 887246b..cd91aae 100644
--- a/build/haproxy.conf
+++ b/build/HAProxy/haproxy.conf
@@ -33,9 +33,8 @@ resolvers dockerdns
frontend https
mode http
- bind *:443 ssl crt /run/secrets/ssl_master ciphers EECDH+AESGCM:EDH+AESGCM ca-file /run/secrets/cf_op verify required
+ bind *:80
- acl secure dst_port eq 443
acl is_cf req.hdr_ip(x-forwarded-for) -m found
acl dav url_beg /.well-known/carddav /.well-known/caldav
acl root url /
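Review bot: The new `cache` overlay network now carries plain HTTP between hitch, varnish and haproxy (TLS stops in hitch), and the definition does nothing to protect that traffic on the wire between Swarm nodes. If the stack is scheduled across more than one node (the `deploy:` keys and the overlay driver suggest Swarm), consider adding `driver_opts:` with `encrypted: "true"` under `cache`, or record in a comment why single-node placement makes it unnecessary. The sibling `frontend` network is `attachable: true` while `cache` is not; that is fine as long as no ad-hoc containers need to join it, but worth stating.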
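Review bot: Moving TLS termination to the new `hitch` service drops the client-certificate check that the removed haproxy line `bind *:443 ... ca-file /run/secrets/cf_op verify required` enforced (hunk `@@ -33,9 +33,8 @@` of haproxy.conf), and nothing equivalent is configured on hitch, so any client reaching the published `'443:443'` is accepted rather than only holders of a certificate chaining to `cf_op`; either configure client-certificate verification in hitch (if the image version supports it) or restrict the published port to the upstream proxy's source ranges. `HITCH_CIPHER` also widens the cipher list: the old bind allowed only the AEAD suites `EECDH+AESGCM:EDH+AESGCM`, whereas the appended `AES256+EECDH:AES256+EDH` groups pull in CBC-mode suites, so keep the original list unless a specific client needs the extra ones. `zazukoians/hitch` handles the private key in `ssl_master` and is referenced without a tag or digest; pin it the same way `localhost:5000/varnish` ought to be.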
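Review bot: With `bind *:80` replacing the TLS bind, the context line `acl is_cf req.hdr_ip(x-forwarded-for) -m found` presumably stops discriminating anything: Varnish (4.0 and later, as far as I recall) appends the address it sees — hitch's container address, since `HITCH_PARAMS` does not enable PROXY protocol — to X-Forwarded-For on every request, so `is_cf` would match all traffic; check what this acl guards further down in `frontend https`, which continues past the end of the hunk. If the intent is still to admit only requests that arrived via the upstream proxy, that check has to live where the client connection is terminated, not behind two hops. A one-line comment next to the acl, `# X-Forwarded-For is always present behind varnish; do not use is_cf as an allow-list`, would stop the next reader relying on it.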
@@ -44,14 +43,14 @@ frontend https
acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
- acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443
- acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443
- acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443
- acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443
- acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443
- acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443
- acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443
- acl znc req.hdr(host) -i znc.redxen.eu or -i znc.redxen.eu:443
+ acl yagpdb req.hdr(host) -i yagpdb.redxen.eu or -i yagpdb.redxen.eu:443 or -i yagpdb.redxen.eu:2096
+ acl grafana req.hdr(host) -i stats.redxen.eu or -i stats.redxen.eu:443 or -i stats.redxen.eu:2096
+ acl nextcloud req.hdr(host) -i cloud.redxen.eu or -i cloud.redxen.eu:443 or -i cloud.redxen.eu:2096
+ acl webgit req.hdr(host) -i webgit.redxen.eu or -i webgit.redxen.eu:443 or -i webgit.redxen.eu:2096
+ acl transmission req.hdr(host) -i seed.redxen.eu or -i seed.redxen.eu:443 or -i seed.redxen.eu:2096
+ acl onlyoffice req.hdr(host) -i office.redxen.eu or -i office.redxen.eu:443 or -i office.redxen.eu:2096
+ acl homepage req.hdr(host) -i redxen.eu or -i www.redxen.eu or -i redxen.eu:443 or -i www.redxen.eu:443 or -i redxen.eu:2096 or -i www.redxen.eu:2096
+ acl znc req.hdr(host) -i znc.redxen.eu or -i znc.redxen.eu:443 or -i znc.redxen.eu:2096
acl homepage-res res.hdr(host) -i redxen.eu or -i redxen.eu:443
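Review bot: Each of the eight rewritten host acls now enumerates the bare name plus every port variant, and the list has to grow again each time a new edge port is used; stripping the port once keeps each acl to a single pattern, e.g. `acl yagpdb req.hdr(host),field(1,:) -i yagpdb.redxen.eu` (the `field` converter, if your HAProxy release has it), with the same change applied to the other seven lines in this hunk. The `acl homepage-res res.hdr(host)` context line still lacks the `:2096` variant, so either it is intentionally narrower or it was missed; a short comment saying which would help. The enclosing `frontend https` section starts and ends outside this hunk.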
@@ -60,8 +59,8 @@ frontend https
redirect location /index.html code 301 if homepage root
redirect location https://discord.gg/CTFMzde code 301 if discord-redirect homepage
- http-response replace-header Set-Cookie (.*) \1;\ Secure if secure
- http-response add-header X-Forwarded-Proto https if secure
+ http-response replace-header Set-Cookie (.*) \1;\ Secure
+ http-response add-header X-Forwarded-Proto https
http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache or homepage-res
http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
diff --git a/build/Varnish/Dockerfile b/build/Varnish/Dockerfile
new file mode 100644
index 0000000..05bfb19
--- /dev/null
+++ b/build/Varnish/Dockerfile
@@ -0,0 +1,3 @@
+FROM varnish
+
+COPY varnish.vcl /etc/varnish/default.vcl
diff --git a/build/Varnish/varnish.vcl b/build/Varnish/varnish.vcl
new file mode 100644
index 0000000..65f6a68
--- /dev/null
+++ b/build/Varnish/varnish.vcl
@@ -0,0 +1,10 @@
+vcl 4.0;
+
+backend default {
+ .host = "haproxy";
+ .port = "80";
+ .max_connections = 300;
+ .first_byte_timeout = 300s;
+ .connect_timeout = 5s;
+ .between_bytes_timeout = 2s;
+}
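Review bot: The now-unconditional `http-response add-header X-Forwarded-Proto https` still attaches the header to the response, where no backend application ever sees it; if the goal is to tell the apps behind haproxy that the edge scheme was HTTPS (so they emit https links and secure redirects), it needs to be a request header, `http-request set-header X-Forwarded-Proto https`. That misdirection predates the commit, but removing `if secure` hardcodes it, so this is the moment to fix it. Both rewritten lines now rest on the assumption that everything reaching haproxy's port 80 came through hitch; since haproxy is also on the `frontend` network, a comment such as `# TLS is terminated by hitch; every request on :80 was HTTPS at the edge` would make that assumption explicit for the next maintainer. The `frontend https` section continues outside the hunk.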
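Review bot: `FROM varnish` tracks a floating tag, so every rebuild of the image pushed to `localhost:5000/varnish` can silently pick up a different Varnish major version, and the `vcl 4.0;` file copied in on the next line is only guaranteed to load on releases that still accept that syntax level. Pin the base image, `FROM varnish:<VERSION-PLACEHOLDER>` (or a digest), so the build is reproducible and VCL compatibility is checked deliberately rather than on the next unrelated deploy.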
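Review bot: `backend default` declares timeouts and `.max_connections` but no `.probe`, so varnish keeps routing to `haproxy:80` with no health signal and a haproxy outage surfaces only as per-request errors; a probe block on the backend would let varnish mark it sick and fail fast. The file also defines no `vcl_recv` or `vcl_backend_response`, which means the built-in VCL decides what is cached (as far as I recall it passes requests carrying cookies or authorization and honours the `Cache-Control: private` that haproxy sets in hunk `@@ -60,8 +59,8 @@`); that reliance deserves a header comment such as `# No custom subroutines: caching policy is the builtin VCL plus haproxy's Cache-Control headers`. `.between_bytes_timeout = 2s` is tight for the large or slow transfers the host acls suggest (seed., cloud.), so confirm it was chosen deliberately.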