diff --git a/.envrc.sample b/.envrc.sample
index a98d081..bc3c94f 100644
--- a/.envrc.sample
+++ b/.envrc.sample
@@ -1,6 +1,9 @@
 export SERVICE=selfoss
-export DOMAIN=reader.example.com
 export STACK_NAME=selfoss
+
+export DOMAIN=reader.example.com
+## Domain aliases
+#export EXTRA_DOMAINS=', `www.wordpress.example.com`'
 export LETS_ENCRYPT_ENV=production
 
 # Selfoss options, see https://www.selfoss.aditu.de/#configuration
diff --git a/compose.postgres.yml b/compose.postgres.yml
index c5917a3..d47efab 100644
--- a/compose.postgres.yml
+++ b/compose.postgres.yml
@@ -2,10 +2,10 @@
 version: '3.8'
 
 services:
-  postgres:
+  db:
     image: "postgres:9.6.5"
     volumes:
-      - "postgres:/var/lib/postgresql/data"
+      - "db:/var/lib/postgresql/data"
     networks:
       - internal
     environment:
@@ -19,17 +19,17 @@ services:
     networks:
       - internal
     depends_on:
-      - postgres
+      - db
     secrets:
       - db_password
     environment:
-      - SELFOSS_DB_HOST=postgres
+      - SELFOSS_DB_HOST=db
       - SELFOSS_DB_NAME=selfoss
       - SELFOSS_DB_USERNAME=selfoss
       - SELFOSS_DB_PASSWORD_FILE=/run/secrets/db_password
 
 volumes:
-  postgres:
+  db:
 
 secrets:
   db_password:    
diff --git a/compose.yml b/compose.yml
index 6cea6e3..f92a1a0 100644
--- a/compose.yml
+++ b/compose.yml
@@ -2,24 +2,10 @@
 version: '3.8'
 
 services:
-  selfoss:
+  app:
     image: akito13/selfoss
     volumes:
       - selfoss:/selfoss/data
-    deploy:
-      labels:
-        - traefik.enable=true
-        - traefik.docker.network=proxy
-        - traefik.http.routers.${STACK_NAME}-http.rule=Host(`${DOMAIN?Variable not set}`)
-        - traefik.http.routers.${STACK_NAME}-http.entrypoints=web
-        - traefik.http.routers.${STACK_NAME}-https.rule=Host(`${DOMAIN?Variable not set}`)
-        - traefik.http.routers.${STACK_NAME}-https.entrypoints=web-secure
-        - traefik.http.routers.${STACK_NAME}-https.tls=true
-        - traefik.http.routers.${STACK_NAME}-https.tls.certresolver=${LETS_ENCRYPT_ENV}
-        - traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8888
-      update_config:
-        failure_action: rollback
-        order: start-first
     environment:
       - SELFOSS_USERNAME
       - SELFOSS_PASSWORD
@@ -31,19 +17,33 @@ services:
     #secrets:
       # TODO 3wc: see above note about issue #3
       #- selfoss_password
-    entrypoint: /docker-entrypoint.sh
     configs:
       - source: entrypoint_conf
         target: /docker-entrypoint.sh
         mode: 0555
     networks:
       - proxy
+    entrypoint: /docker-entrypoint.sh
     healthcheck:
       test: ["CMD", "wget", "-qO", "-", "http://localhost:8888"]
       interval: 30s
       timeout: 10s
       retries: 10
       start_period: 1m
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.docker.network=proxy"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8888"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
 
 networks:
   proxy: