diff --git a/dockers/ldap/docker-compose.yml b/dockers/ldap/docker-compose.yml
index 379fea1..fd82338 100644
--- a/dockers/ldap/docker-compose.yml
+++ b/dockers/ldap/docker-compose.yml
@@ -68,6 +68,16 @@ services:
       - /etc/timezone:/etc/timezone:ro
     networks:
       - ldapNet
+    labels:
+      - "traefik.enable=true"
+      - "traefik.tcp.routers.${ldapServName}.rule=HostSNI(`ldap.${domain}`)"
+      - "traefik.tcp.routers.${ldapServName}.entrypoints=ldapsecure"
+      - "traefik.tcp.routers.${ldapServName}.tls=true"
+      - "traefik.tcp.routers.${ldapServName}.tls.domains[0].main=ldap.${domain}"
+      - "traefik.tcp.routers.${ldapServName}.tls.certResolver=letsencrypt"
+      - "traefik.tcp.routers.${ldapServName}.middlewares=ldap-ip-allowlist@file"
+      - "traefik.tcp.services.${ldapServName}.loadbalancer.server.port=389"
+      - "traefik.docker.network=ldapNet"
 
 volumes:
   openldapData:
diff --git a/dockers/traefik/conf/allow_ip.yml.dist b/dockers/traefik/conf/allow_ip.yml.dist
index 5eb6dec..ab8cd65 100644
--- a/dockers/traefik/conf/allow_ip.yml.dist
+++ b/dockers/traefik/conf/allow_ip.yml.dist
@@ -9,3 +9,10 @@ http:
       ipallowlist:
         sourceRange:
           - "127.0.0.1"
+
+tcp:
+  middlewares:
+    ldap-ip-allowlist:
+      ipAllowList:
+        sourceRange:
+          - "127.0.0.1"
diff --git a/dockers/traefik/docker-compose.tmpl.yml.dist b/dockers/traefik/docker-compose.tmpl.yml.dist
index 1004d13..970f3f4 100644
--- a/dockers/traefik/docker-compose.tmpl.yml.dist
+++ b/dockers/traefik/docker-compose.tmpl.yml.dist
@@ -7,6 +7,7 @@ services:
     ports:
       - ${MAIN_IP}:80:80
       - ${MAIN_IP}:443:443
+      - ${MAIN_IP}:636:636
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./conf:/etc/traefik/
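Review bot: `traefik.tcp.routers.${ldapServName}.tls=true` together with `loadbalancer.server.port=389` means Traefik terminates LDAPS and forwards plain LDAP (simple binds carry the password in clear) to openldap across ldapNet, and nothing in the labels records that the proxy-to-server hop is unencrypted. A comment above `labels:` such as `# LDAPS is terminated by Traefik; traffic on ldapNet to port 389 is plain LDAP, keep ldapNet internal` would make the assumption explicit, and the ldapNet definition (outside this hunk) should be checked for `internal: true` or at least that no other stack joins it. `traefik.docker.network=ldapNet` also requires the traefik container itself to be attached to ldapNet, which this diff does not show. The openldap service definition starts outside the hunk.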
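Review bot: The new `tcp.middlewares.ldap-ip-allowlist` ships with `127.0.0.1` as its only sourceRange, so once the router attaches it every remote LDAPS client is refused until the operator edits the deployed copy, and nothing says the value is a placeholder. A comment above `sourceRange:`, `# placeholder: replace with the client networks (CIDR) allowed to reach LDAPS; a TCP ipAllowList matches the TCP peer address, there is no forwarded-header equivalent`, makes that explicit. The key is also spelled `ipAllowList` here but `ipallowlist` in the http block above; as far as I know Traefik's file provider matches option names case-insensitively, but one spelling file-wide avoids readers assuming the two differ. The http block above starts outside the hunk.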
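Review bot: Publishing `${MAIN_IP}:636:636` makes LDAPS reachable from any host that can reach MAIN_IP, and the only access control is the per-router `ldap-ip-allowlist@file` label set in a different compose file, which is not visible from this `ports:` list. A comment on the new line, `# LDAPS entrypoint (ldapsecure); access is gated only by tcp router middlewares, see conf/allow_ip.yml`, keeps that dependency visible next to the exposure. The traefik service definition starts before the hunk.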
@@ -24,6 +25,7 @@ services:
       - TRAEFIK_ENTRYPOINTS_websecure_HTTP_MIDDLEWARES=hsts@file,test-ipallowlist@file
       - TRAEFIK_ENTRYPOINTS_websecure_TRANSPORT_RESPONDINGTIMEOUTS_READTIMEOUT=600
       - TRAEFIK_ENTRYPOINTS_websecure_TRANSPORT_RESPONDINGTIMEOUTS_IDLETIMEOUT=600
+      - TRAEFIK_ENTRYPOINTS_ldapsecure_ADDRESS=:636
       - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_EMAIL=admin@${domain}
       - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_CASERVER=${acme_server}
       - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_STORAGE=/letsencrypt/acme.json
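Review bot: `TRAEFIK_ENTRYPOINTS_ldapsecure_ADDRESS=:636` defines the entrypoint with no counterpart to the `HTTP_MIDDLEWARES=hsts@file,test-ipallowlist@file` that websecure carries on the first context line; as far as I know Traefik TCP entrypoints have no entrypoint-level middleware option, so the IP allowlist only applies to routers that attach `ldap-ip-allowlist@file` themselves. A comment above the new line, `# TCP entrypoint: no entrypoint-level middlewares, every tcp router bound here must set middlewares=ldap-ip-allowlist@file`, documents that gap for whoever adds the next TCP router. The environment list continues outside the hunk.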