diff --git a/compose.yaml b/compose.yaml
index b489900..49bfa41 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -25,16 +25,15 @@ services:
stream:
build: ./nginx-stream
volumes:
- - ./ca.pem:/etc/nginx/certs/ca.pem:ro
- - ./cert.pem:/etc/nginx/certs/cert.pem:ro
- - ./privkey.pem:/etc/nginx/certs/privkey.pem:ro
+ - ./ca.pem:/etc/nginx/certs/chain.pem:ro
+ - ./cert.pem:/etc/nginx/certs/api.bearns.me/fullchain.pem:ro
+ - ./privkey.pem:/etc/nginx/certs/api.bearns.me/key.pem:ro
expose: - "443/tcp"
ports: - "443:443/tcp"
environment:
- - ENABLE_IPV6=true
- - TRUST_DOWNSTREAM_PROXY=true
+ SNI_NAME: "api.bearns.me"
networks: - proxy-tier
diff --git a/nginx-stream/Dockerfile b/nginx-stream/Dockerfile
index c03a5c4..c88caca 100644
--- a/nginx-stream/Dockerfile
+++ b/nginx-stream/Dockerfile
@@ -2,10 +2,16 @@ FROM nginx:alpine
ENV HTTPS_UPSTREAM="proxy"
ENV SSTP_UPSTREAM="sstp"
-ENV SNI_NAME="api.bearns.me"
-ENV CA_CERT="ca.pem"
+ENV SNI_NAME="cloud.bearns.me"
+# self signed for client certification
+# put in /etc/nginx/certs/
+ENV CA_CERT="chain.pem"
+# put in /etc/nginx/certs/$SNI_NAME
+ENV CERT="fullchain.pem"
+ENV KEY="key.pem"
+
+RUN rm -f /etc/nginx/conf.d/default.conf
COPY nginx.conf /etc/nginx/
-COPY stream.conf.template /etc/nginx/templates/
+COPY *.conf.template /etc/nginx/templates/
-RUN rm -f /etc/nginx/conf.d/default.conf
\ No newline at end of file
diff --git a/nginx-stream/http.conf.template b/nginx-stream/http.conf.template
new file mode 100644
index 0000000..17f5e42
--- /dev/null
+++ b/nginx-stream/http.conf.template
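Review bot: The two certificate mounts hard-code the host directory `api.bearns.me` while the same value is passed separately as `SNI_NAME`, and the Dockerfile hunk in this commit defaults `SNI_NAME` to `cloud.bearns.me`; the templated `ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT}` in stream.conf.template and http.conf.template only resolves when the env value and the mount path agree, so changing one without the other leaves nginx without a certificate at startup. The mismatch also has a routing effect: the `map` in stream.conf.template sends only an exact `${SNI_NAME}` match to `cert-check` and everything else to `https`, so a wrong name would quietly bypass the client-certificate path instead of failing loudly. A comment on the environment stanza would make the coupling explicit: `# SNI_NAME must match the host directory used in the cert mounts above and the Dockerfile default`. Dropping `ENABLE_IPV6` and `TRUST_DOWNSTREAM_PROXY` is presumably a no-op for this service, since it is built from `./nginx-stream` rather than an nginx-proxy image that reads those variables, but it is worth confirming nothing in the custom nginx.conf (outside this diff) consumed them.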
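Review bot: The comment above `CA_CERT` says the file is a self-signed CA for client certification, but the default name `chain.pem` reads like a server certificate chain, and in stream.conf.template this file feeds `ssl_trusted_certificate` next to `ssl_verify_client optional`, so whatever is mounted at that path becomes the trust anchor for client authentication. If a public issuer chain (for example the chain belonging to `fullchain.pem`) were ever placed there, any certificate issued by that public CA would pass client verification. I would make the comment say so rather than just "self signed": `# Trust anchor for ssl_verify_client: only the private CA that issues client certs, never a public server chain`. The `COPY *.conf.template` glob now also ships http.conf.template into the templates directory, which presumably relies on the custom nginx.conf including conf.d at the main context; a one-line comment naming that expectation would help the next reader.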
@@ -0,0 +1,37 @@
+http {
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ server {
+ listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
+ server_name _;
+
+ ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
+ ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
+
+ access_log /dev/stdout main;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+ }
+}
diff --git a/nginx-stream/stream.conf.template b/nginx-stream/stream.conf.template
index 60397e9..9c034cf 100644
--- a/nginx-stream/stream.conf.template
+++ b/nginx-stream/stream.conf.template
@@ -1,6 +1,10 @@
error_log /dev/stderr;
stream {
+ log_format stream '"$ssl_preread_server_name" $remote_addr [$time_local] '
+ '$protocol $status $bytes_sent $bytes_received "$upstream_addr" '
+ '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
map $ssl_preread_server_name $sni_name {
${SNI_NAME} cert-check;
default https;
@@ -18,8 +22,11 @@ stream {
listen 443;
listen [::]:443;
+ access_log /dev/stdout stream;
+
proxy_pass $sni_name;
ssl_preread on;
+ # todo nginx-proxy by default don't listen proxy_protocol, enable it in both sides
#proxy_protocol on;
}
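Review bot: `log_format main` starts with `$remote_addr`, but this server listens on `unix:/tmp/fallback-stream.socket ssl proxy_protocol`, so `$remote_addr` is the unix-socket peer and the `access_log /dev/stdout main` line records no usable client address. Either log the PROXY-protocol value directly, `log_format main '$proxy_protocol_addr - $remote_user [$time_local] "$request" '`, or add `set_real_ip_from unix:;` and `real_ip_header proxy_protocol;` to the server block so `$remote_addr` carries the original client. The block moved here from stream.conf.template also drops the old `ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};` line; that is harmless only if this fallback server never verifies client certificates (no `ssl_verify_client` is configured here), so it should be stated as deliberate. Since this template renders into conf.d as a top-level `http {}` block, it presumably relies on the custom nginx.conf, which is outside this diff, including conf.d at the main context.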
@@ -39,8 +46,8 @@ stream {
server {
listen unix:/tmp/virtual-stream.socket ssl;
- ssl_certificate /etc/nginx/certs/cert.pem;
- ssl_certificate_key /etc/nginx/certs/privkey.pem;
+ ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
+ ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
ssl_verify_client optional;
@@ -52,44 +59,3 @@ stream {
proxy_protocol on;
}
}
-
-http {
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- server {
- listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
- server_name _;
-
- ssl_certificate /etc/nginx/certs/cert.pem;
- ssl_certificate_key /etc/nginx/certs/privkey.pem;
-
- ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
-
- #access_log /var/log/nginx/host.access.log main;
- access_log /dev/stdout main;
-
- location / {
- root /usr/share/nginx/html;
- index index.html index.htm;
- }
-
- #error_page 404 /404.html;
-
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
- }
-}
\ No newline at end of file
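Review bot: The new `${SNI_NAME}`-based certificate paths sit directly above the unchanged `ssl_verify_client optional;`, and nothing in this server block (which continues past the hunk) documents that `optional` lets a client with no certificate, or an unverifiable one, complete the handshake; whether such a connection is later rejected depends on a check outside this hunk. A comment on that line would record the contract for whoever next edits the cert lines: `# optional: the handshake succeeds without a client cert - access must be gated downstream on $ssl_client_verify`. The `ssl_trusted_certificate` that this verification relies on is now whatever compose mounts at `/etc/nginx/certs/chain.pem`, so the two lines changed here and that trust anchor should be reviewed together.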