diff --git a/docker-compose.yml b/docker-compose.yml
index bce0e44..212069a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,77 +5,62 @@ services: image: ghcr.io/ylianst/meshcentral:latest container_name: ${APP_NAME:-meshcentral} restart: unless-stopped + volumes: - /srv/meshcentral/data:/opt/meshcentral/meshcentral-data - /srv/meshcentral/files:/opt/meshcentral/meshcentral-files - /srv/meshcentral/backup:/opt/meshcentral/meshcentral-backup - /srv/meshcentral/config:/opt/meshcentral/meshcentral-config + environment: - HOSTNAME=${APP_DOMAIN} - NODE_ENV=production - - REVERSE_PROXY_TLS_PORT= # Sobrescribir a vacío para desactivar modo reverse proxy + - REVERSE_PROXY_TLS_PORT= + ulimits: nofile: soft: 65536 hard: 65536 + sysctls: - net.ipv6.conf.all.disable_ipv6=1 - net.ipv6.conf.default.disable_ipv6=1 + dns_opt: - use-vc - ndots:1 + extra_hosts: - "authentik.nucleoriofrio.com:172.19.0.6" + networks: - principal - traefik-network + labels: - "traefik.enable=true" - - "traefik.docker.network=principal" + - "traefik.docker.network=traefik-network" - # ====================================================================== - # HTTP Services & Routers - Para Web UI de usuarios - # ====================================================================== - - # Service - Conexión HTTP interna (Traefik maneja HTTPS hacia el exterior) + # ========================= + # WEB UI (HTTPS vía Traefik) + # ========================= - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=79" - # Router principal con Authentik Forward Auth para rutas de usuario - - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`) && !PathPrefix(`/agent.ashx`) && !PathPrefix(`/meshrelay.ashx`) && !PathPrefix(`/devicefile.ashx`) && !PathPrefix(`/amtactivate`) && !PathPrefix(`/meshsettings`) && !PathPrefix(`/devicepower.ashx`)" + - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)" - "traefik.http.routers.${APP_NAME}.entrypoints=websecure" - "traefik.http.routers.${APP_NAME}.tls=true" - "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt" - 
"traefik.http.routers.${APP_NAME}.service=${APP_NAME}" - "traefik.http.routers.${APP_NAME}.priority=100" - - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-headers" - # Router para agentes (sin autenticación) - mayor prioridad - - "traefik.http.routers.${APP_NAME}-agents.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/agent.ashx`) || PathPrefix(`/meshrelay.ashx`) || PathPrefix(`/devicefile.ashx`) || PathPrefix(`/amtactivate`) || PathPrefix(`/meshsettings`) || PathPrefix(`/devicepower.ashx`))" - - "traefik.http.routers.${APP_NAME}-agents.entrypoints=websecure" - - "traefik.http.routers.${APP_NAME}-agents.tls=true" - - "traefik.http.routers.${APP_NAME}-agents.tls.certresolver=letsencrypt" - - "traefik.http.routers.${APP_NAME}-agents.service=${APP_NAME}" - - "traefik.http.routers.${APP_NAME}-agents.priority=200" - - "traefik.http.routers.${APP_NAME}-agents.middlewares=${APP_NAME}-headers" - - # Custom headers middleware - - "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https" - - "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Host=${APP_DOMAIN}" - - "traefik.http.middlewares.${APP_NAME}-headers.headers.sslredirect=true" - - # ====================================================================== - # TCP Router & Service - Para agentes con TCP Passthrough - # ====================================================================== - # Los agentes se conectarán a mesh-agents.nucleoriofrio.com - # y verán el certificado SSL de MeshCentral (no el de Traefik) - - # TCP Router - SNI routing para subdominio de agentes + # =========================================================== + # AGENTES: TCP passthrough directo al 443 interno de Mesh + # =========================================================== - "traefik.tcp.routers.${APP_NAME}-agents-tcp.rule=HostSNI(`${MESH_AGENTS_DOMAIN}`)" - "traefik.tcp.routers.${APP_NAME}-agents-tcp.entrypoints=websecure" - 
"traefik.tcp.routers.${APP_NAME}-agents-tcp.tls.passthrough=true" - "traefik.tcp.routers.${APP_NAME}-agents-tcp.service=${APP_NAME}-tcp" - # TCP Service - Conexión directa al puerto HTTPS de MeshCentral - "traefik.tcp.services.${APP_NAME}-tcp.loadbalancer.server.port=443" networks:
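Review bot: The `- REVERSE_PROXY_TLS_PORT=` line loses its explanatory comment, so an intentional empty override of the image's reverse-proxy startup mode now reads like a leftover; keep the why inline, e.g. `- REVERSE_PROXY_TLS_PORT=  # intentionally empty: disables the image's reverse-proxy mode; TLS is terminated by Traefik, so proxy trust must come from the MeshCentral config`. In the same hunk the `${APP_NAME}` router drops its `${APP_NAME}-headers` middleware (X-Forwarded-Proto/Host) while MeshCentral is still reached over plain HTTP on port 79 with that mode disabled; Traefik adds X-Forwarded-* headers by default, but whether MeshCentral honours them here depends on its config file, which is not in the diff, so it is worth confirming that UI links and WebSocket origin checks still resolve to https://${APP_DOMAIN}. The removed section comments described Authentik forward auth for user routes, yet neither the old nor the new labels attach a forwardAuth middleware, so the web UI on `${APP_DOMAIN}` is fronted by TLS only; if that protection is expected, it is missing here. The enclosing `services:` mapping starts before the hunk.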