diff --git a/warzone/deploy/docker/Caddyfile b/warzone/deploy/docker/Caddyfile
index 9ea467d..35a19ed 100644
--- a/warzone/deploy/docker/Caddyfile
+++ b/warzone/deploy/docker/Caddyfile
@@ -1,26 +1,17 @@
 {
-# Global ACME settings
 email admin@manko.yoga
-servers {
-trusted_proxies static private_ranges
-}
 }
 
 voip.manko.yoga {
-# TLS via Cloudflare DNS-01 challenge
 tls {
 dns cloudflare {$CF_API_TOKEN}
 }
 
 # Audio bridge WebSocket (wzp-web)
-# /audio/ws/* → wzp-web:8080/ws/*
 handle_path /audio/* {
-reverse_proxy wzp-web:8080
+reverse_proxy 172.28.0.30:8080
 }
 
 # Everything else → featherChat server
-# Web UI (/), API (/v1/*), WebSocket (/v1/ws/*)
-reverse_proxy warzone-server:7700 {
-header_up X-Real-IP {remote_host}
-}
+reverse_proxy 172.28.0.20:7700
 }
diff --git a/warzone/deploy/docker/docker-compose.yml b/warzone/deploy/docker/docker-compose.yml
index 6e1c0bd..734fd7c 100644
--- a/warzone/deploy/docker/docker-compose.yml
+++ b/warzone/deploy/docker/docker-compose.yml
@@ -8,33 +8,23 @@ services:
 
 
 # ─── Caddy reverse proxy (TLS termination) ───
+# Uses host network so it sees real client IPs (not Docker NAT)
 caddy:
 build:
 context: .
 dockerfile: Dockerfile.caddy
 restart: unless-stopped
-ports:
-"80:80"
-"443:443"
-"443:443/udp" # HTTP/3 (QUIC)
+network_mode: host
 volumes:
 - ./Caddyfile:/etc/caddy/Caddyfile:ro
 - caddy_data:/data
 - caddy_config:/config
-environment:
-CF_API_TOKEN: /run/secrets/cf_api_token
 secrets:
 - cf_api_token
-# Caddy reads CF_API_TOKEN; the caddy-cloudflare image supports file-based secrets
-# via the {$CF_API_TOKEN} placeholder in Caddyfile.
-# We mount the secret and set env to its content at runtime.
 entrypoint: ["/bin/sh", "-c", "export CF_API_TOKEN=$(cat /run/secrets/cf_api_token) && caddy run --config /etc/caddy/Caddyfile --adapter caddyfile"]
 depends_on:
 - warzone-server
 - wzp-web
-networks:
-frontend
-backend
 
 # ─── featherChat server ───
 warzone-server:
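Review bot: Dropping `header_up X-Real-IP {remote_host}` from the catch-all `reverse_proxy` means warzone-server no longer receives that header; Caddy still sets X-Forwarded-For by default, so this only matters if the backend reads X-Real-IP for logging or rate limiting, which I cannot confirm from the hunk. If it does, keep the block form, `reverse_proxy 172.28.0.20:7700 { header_up X-Real-IP {remote_host} }`. Separately, the docker-compose.yml hunk that follows moves Caddy to `network_mode: host`, which places Caddy's admin API (localhost:2019 by default) on the host's loopback instead of inside the container's network namespace; unless something on the host manages Caddy through it, add `admin off` to the global block next to `email`. The hard-coded 172.28.0.20 and 172.28.0.30 targets are bound to the `ipv4_address` assignments in docker-compose.yml, and a comment here naming that dependency would help whoever changes either file.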
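Review bot: The new comment `# Uses host network so it sees real client IPs (not Docker NAT)` gives the motivation but not the consequence: with `network_mode: host` the `networks:` block had to go, so Caddy is no longer attached to `backend` and reaches the other services only through the host's route into the backend bridge, at the static 172.28.0.x addresses the Caddyfile now hard-codes. I would extend it along the lines of `# Host networking: not on the backend network; Caddyfile targets the static ipv4_address values assigned below`. This also presumes a Linux host where the bridge is directly routable, which is not the case on Docker Desktop, so that assumption is worth stating. The removed `"443:443/udp"  # HTTP/3 (QUIC)` line carried the only mention that UDP 443 is in use; Caddy still binds it directly under host networking, so a one-line comment preserving that fact would avoid someone later concluding HTTP/3 was dropped.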
@@ -50,7 +40,8 @@ services:
 - server_data:/data
 command: ["--bind", "0.0.0.0:7700", "--enable-bots"]
 networks:
-- backend
+backend:
+ipv4_address: 172.28.0.20
 
 # ─── WZP QUIC relay (audio SFU) ───
 wzp-relay:
@@ -63,7 +54,7 @@ services:
 - "--listen"
 - "0.0.0.0:4433"
 - "--auth-url"
-- "http://warzone-server:7700/v1/auth/validate"
+- "http://172.28.0.20:7700/v1/auth/validate"
 networks:
 backend:
 ipv4_address: 172.28.0.10
@@ -81,12 +72,13 @@ services:
 - "--relay"
 - "172.28.0.10:4433"
 - "--auth-url"
-- "http://warzone-server:7700/v1/auth/validate"
+- "http://172.28.0.20:7700/v1/auth/validate"
 depends_on:
 - wzp-relay
 - warzone-server
 networks:
-- backend
+backend:
+ipv4_address: 172.28.0.30
 
 secrets:
 cf_api_token:
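Review bot: The static `ipv4_address: 172.28.0.20` added here is now referenced from three other places — the Caddyfile's catch-all `reverse_proxy`, and the `--auth-url` flags of wzp-relay and wzp-web in the next two hunks — with nothing tying them together, so editing this one line breaks the others at runtime rather than at compose validation. A comment on the line, `# pinned: referenced by Caddyfile and the wzp-* --auth-url flags; keep in sync`, and the same on wzp-web's `172.28.0.30` (referenced by the Caddyfile `/audio/*` handler), would make the coupling visible; the same applies to the two `--auth-url` hunks, which I am not repeating. Static addresses also require the `backend` network's ipam subnet to contain them; that definition is outside these hunks, and 172.28.0.10 was already assigned so the subnet presumably exists, but it is worth confirming that .20 and .30 sit outside any range Docker allocates dynamically.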