diff --git a/docker-compose.yml b/docker-compose.yml
index f6fa12f..bced0a5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -36,8 +36,9 @@
         - "traefik.http.services.wifi-nucleoriofrio-service.loadbalancer.responseforwarding.flushinterval=1ms"
         - "traefik.http.services.wifi-nucleoriofrio-service.loadbalancer.serverstransport=wifi-transport@file"
 
-        # Router 1: Público (assets, manifest, icons, callback de Authentik) - SIN autenticación - ALTA PRIORIDAD
-        - "traefik.http.routers.wifi-nucleoriofrio-public.rule=Host(`wifi.nucleoriofrio.com`) && (PathPrefix(`/assets`) || PathPrefix(`/.well-known`) || PathPrefix(`/icons`) || PathPrefix(`/outpost.goauthentik.io`) || Path(`/manifest.webmanifest`) || Path(`/favicon.ico`) || Path(`/vite.svg`) || Path(`/sw.js`))"
+        # Router 1: Público (assets, manifest, icons) - SIN autenticación - ALTA PRIORIDAD
+        # NOTA: /outpost.goauthentik.io NO debe estar aquí, lo maneja el middleware de Authentik
+        - "traefik.http.routers.wifi-nucleoriofrio-public.rule=Host(`wifi.nucleoriofrio.com`) && (PathPrefix(`/assets`) || PathPrefix(`/.well-known`) || PathPrefix(`/icons`) || Path(`/manifest.webmanifest`) || Path(`/favicon.ico`) || Path(`/vite.svg`) || Path(`/sw.js`))"
         - "traefik.http.routers.wifi-nucleoriofrio-public.entrypoints=websecure"
         - "traefik.http.routers.wifi-nucleoriofrio-public.tls.certresolver=letsencrypt"
         - "traefik.http.routers.wifi-nucleoriofrio-public.service=wifi-nucleoriofrio-service"