diff --git a/README.md b/README.md
index 6bbecc4..5bbbc2f 100644
--- a/README.md
+++ b/README.md
@@ -22,8 +22,47 @@
 * `abra app config `
 * `abra app deploy `
-For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).
+(For more `abra` commands, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech).)
+
+Then, configure an HTTP proxy (either system-wide, or in your app), using:
+
+* Address/hostname: (your configured domain)
+* Port: 9999
+* Authentication: None (so far..)
 ## SSL (and Man-in-the-Middle)
+To enable SSL (recommended), to encrypt the connection between you and Compy,
+and to prevent hordes of certificate warnings:
+1. `abra app config `
+2. (uncomment the SSL section)
+3. `abra app deploy --force`
+
+When using SSL, there are a few extra steps to set up your client:
+
+1. Download the generated Certificate Authority certificate:
+ `abra app cp app:/certs/ca.crt .`
+2. Import and trust this CA -- e.g. for Firefox, "Settings" → "Privacy and
+ Security" → "Certificates" → "Authorities" → "Import".
+3. Add a security exception for the self-signed certificate that Compy uses for
+ its own connection (see #1), e.g. by visiting `https://:9999` in
+ your browser.
+4. You may need to clear a certificate cache, if there is one (see below for
+ Firefox)
+
+## Troubleshooting
+
+### Firefox `cert9.db`
+
+Firefox has a certificate cache, including HSTS information, which can prevent
+Compy from working. Clear it by deleting or renaming
+`$HOME/.mozilla/firefox//cert9.db`
+
+### Firefox & FoxyProxy
+
+FoxyProxy is great. As of March 2022, it doesn't support Proxy Access
+Configuration files, which Compy needs for working good (FoxyProxy say it's
+because of [an unresolved bug in
+Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1396485#c3)). No solution
+is known at this time 😕
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..5664307
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export PAC_CONF_VERSION=v1 
diff --git a/compose.ssl.yml b/compose.ssl.yml
index 34b1d07..cf7f266 100644
--- a/compose.ssl.yml
+++ b/compose.ssl.yml
@@ -6,6 +6,50 @@ services:
 command: ["-cert", "/certs/cert.crt", "-key", "/certs/cert.key", "-ca", "/certs/ca.crt", "-cakey", "/certs/ca.key"]
 volumes:
 - "compy_certs:/certs"
+ depends_on:
+ - ssl_generator
+
+ web:
+ # NOTE(3wc): this is just to host the PAC file
+ image: nginx:1.20
+ networks:
+ - proxy
+ environment:
+ - DOMAIN
+ configs:
+ - source: pac_conf
+ target: /usr/share/nginx/html/proxy.pac
+ deploy:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+ - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+ - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+ - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+
+ ssl_generator:
+ image: nginx:1.20
+ volumes:
+ - "compy_certs:/certs"
+ deploy:
+ replicas: 1
+ restart_policy:
+ condition: none
+ environment:
+ - DOMAIN
+ command: |
+ sh -c
+ "if [ ! -f /certs/ca.crt ]; then
+ openssl req -x509 -newkey rsa:4096 -nodes -keyout /certs/cert.key -out /certs/cert.crt -days 3650 -subj '/CN=$DOMAIN'
+ openssl req -x509 -newkey rsa:4096 -nodes -keyout /certs/ca.key -out /certs/ca.crt -days 3650 -subj '/CN=$DOMAIN'
+ fi;"
+
+configs:
+ # NOTE(3wc): ah yes, the Proxy Auto-Configuration config..
+ pac_conf:
+ name: ${STACK_NAME}_pac_conf_${PAC_CONF_VERSION}
+ file: proxy.pac.tmpl
+ template_driver: golang
 volumes:
 compy_certs:
diff --git a/compose.yml b/compose.yml
index 2d95dd0..36ea3be 100644
--- a/compose.yml
+++ b/compose.yml
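Review bot: In `ssl_generator`, both `openssl req -x509` calls mint independent self-signed certificates, so `ca.crt` never issues `cert.crt`; importing the CA (the README's step 2) therefore cannot make the proxy's own listener trusted, which is why a per-host security exception (step 3) is still required. Signing the server certificate with the CA removes that exception and the click-through habit it encourages: create the CA first (with a distinct subject, so issuer and subject differ), then a CSR for `cert.key` and sign it with `ca.key`, as below. Browsers now reject server certificates without a subjectAltName, so the signed leaf should carry one; `-extfile` is shown because `-copy_extensions` needs OpenSSL 3, and which version `nginx:1.20` ships is not visible here. Both private keys are written with `-nodes` into a volume shared with the `compy` service, so tightening their mode in the same step (`chmod 600 /certs/*.key`) is cheap. The `command: |` block scalar hands one newline-containing string to Compose's word splitting; that presumably already works for the original and is left as is.
```yaml
      command: |
        sh -c
        "if [ ! -f /certs/ca.crt ]; then
          openssl req -x509 -newkey rsa:4096 -nodes -keyout /certs/ca.key -out /certs/ca.crt -days 3650 -subj '/CN=$DOMAIN CA'
          openssl req -new -newkey rsa:4096 -nodes -keyout /certs/cert.key -out /certs/cert.csr -subj '/CN=$DOMAIN'
          echo 'subjectAltName=DNS:$DOMAIN' > /certs/san.ext
          openssl x509 -req -in /certs/cert.csr -CA /certs/ca.crt -CAkey /certs/ca.key -CAcreateserial -extfile /certs/san.ext -out /certs/cert.crt -days 3650
          chmod 600 /certs/*.key
        fi;"
# … unchanged: configs / pac_conf …
```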
@@ -11,10 +11,10 @@ services:
 condition: on-failure
 labels:
 - "traefik.enable=true"
- - "traefik.tcp.routers.${STACK_NAME}.entrypoints=compy"
- - "traefik.tcp.routers.${STACK_NAME}.service=${STACK_NAME}-tcp-service"
- - "traefik.tcp.routers.${STACK_NAME}.rule=HostSNI(`*`)"
- - "traefik.tcp.routers.${STACK_NAME}.tls.passthrough=true"
+ - "traefik.tcp.routers.${STACK_NAME}-tcp.entrypoints=compy"
+ - "traefik.tcp.routers.${STACK_NAME}-tcp.service=${STACK_NAME}-tcp-service"
+ - "traefik.tcp.routers.${STACK_NAME}-tcp.rule=HostSNI(`*`)"
+ - "traefik.tcp.routers.${STACK_NAME}-tcp.tls.passthrough=true"
 - "traefik.tcp.services.${STACK_NAME}-tcp-service.loadbalancer.server.port=9999"
 - "coop-cloud.${STACK_NAME}.version="
 # healthcheck:
diff --git a/proxy.pac.tmpl b/proxy.pac.tmpl
new file mode 100644
index 0000000..331bb57
--- /dev/null
+++ b/proxy.pac.tmpl
@@ -0,0 +1,6 @@
+function FindProxyForURL(url, host) {
+ if (url.substring(0, 5) == 'http:' || url.substring(0, 6) == 'https:') {
+ return "HTTPS {{ env "DOMAIN" }}:9999";
+ }
+ return "DIRECT";
+}
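Review bot: `FindProxyForURL` hard-codes port `9999`, which the `traefik.tcp.services.${STACK_NAME}-tcp-service.loadbalancer.server.port=9999` label in compose.yml hard-codes separately, so the two can drift; reading it through the template the way `DOMAIN` is read (a second `env` lookup) would keep one source of truth. Returning `HTTPS {{ env "DOMAIN" }}:9999` with no `; DIRECT` alternative is a deliberate choice worth stating in the file, because whether the browser then fails closed or quietly falls back to a direct connection depends on the client (Firefox has a failover-to-direct preference), e.g. `// no DIRECT fallback on purpose: a bypass would send traffic meant for the proxy straight out`. Style: prefer `===` to `==` for the two prefix comparisons, since PAC engines run ordinary JavaScript.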