diff --git a/e2e/docker-compose.yml b/e2e/docker-compose.yml index 82aa1fc..08825e0 100644 --- a/e2e/docker-compose.yml +++ b/e2e/docker-compose.yml @@ -13,9 +13,9 @@ services: protocol: tcp mode: host environment: - - "S3_BUCKET=" - - "S3_ACCESS_ID=" - - "S3_SECRET_KEY=" + - "AWS_BUCKET=" + - "AWS_ACCESS_KEY_ID=" + - "AWS_SECRET_ACCESS_KEY=" - ADMIN_UI_URL=${ADMIN_UI_URL} volumes: - /var/run/docker.sock:/var/run/docker.sock:ro diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile index 18f110b..25923e0 100644 --- a/rootfs/Dockerfile +++ b/rootfs/Dockerfile @@ -2,20 +2,17 @@ FROM caddy:2.8.4-builder as builder RUN xcaddy build \ --with github.com/ss098/certmagic-s3 \ - --with github.com/lucaslorentz/caddy-docker-proxy@v2.8.4 + --with github.com/lucaslorentz/caddy-docker-proxy@v2.9.1 FROM caddy:2.8.4 LABEL org.opencontainers.image.description "A Caddy reverse proxy with s3 storage for certmagic, service discovery via labels" -ENV S3_BUCKET "" -ENV S3_ACCESS_ID "" -ENV S3_SECRET_KEY "" +ENV AWS_ENDPOINT=https://s3.storage.planetary-networks.de -# optional -ENV S3_HOST "s3.storage.planetary-networks.de" -ENV S3_PREFIX "" -ENV S3_INSECURE "false" +ENV AWS_BUCKET="" +ENV AWS_ACCESS_KEY_ID="" +ENV AWS_SECRET_ACCESS_KEY="" WORKDIR / ADD . . diff --git a/rootfs/etc/quantum-caddy/Caddyfile b/rootfs/etc/quantum-caddy/Caddyfile index 5b421bb..961eff5 100644 --- a/rootfs/etc/quantum-caddy/Caddyfile +++ b/rootfs/etc/quantum-caddy/Caddyfile 
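Review bot: The rewritten ENV block drops the S3_HOST/S3_PREFIX/S3_INSECURE settings and renames the credential variables with no note for operators, so an existing deployment that still passes S3_ACCESS_ID/S3_SECRET_KEY will come up with empty AWS_* values; given that the Caddyfile in this same commit only imports the s3 storage when AWS_ACCESS_KEY_ID is non-empty, such a deployment would presumably fall back to Caddy's default local certificate storage and quietly re-issue certificates rather than fail. I'd put a comment above the three credential ENVs, `# Credentials are intentionally empty: inject AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY at runtime (env or secret); never bake them into the image. Empty values disable the S3 backend.`, and list the removed S3_* variables in the README or changelog. Dropping the prefix knob also means every image pointed at a shared bucket now writes to the bucket root, which is worth stating if intended. In the same hunk caddy-docker-proxy moves to v2.9.1 while the builder and runtime images stay on caddy:2.8.4; worth confirming that plugin release is built against a compatible Caddy version.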
@@ -9,6 +9,54 @@
 servers {
 metrics
 }
+
+ @s3storage {
+ storage s3 {
+ s3_force_path_style true
+ endpoint {env.AWS_ENDPOINT}
+ bucket {env.AWS_BUCKET}
+ region us-east-1
+ access_key_id {env.AWS_ACCESS_KEY_ID}
+ secret_access_key {env.AWS_SECRET_ACCESS_KEY}
+ }
+ }
+
+ # conditionally enable s3-certmagic only when AWS_ACCESS_KEY_ID is set
+ {if {env.AWS_ACCESS_KEY_ID} {len} > 0} {
+ import @s3storage
+ }
+}
+
+ # cors import
+(cors) {
+ @cors_preflight {
+ method OPTIONS
+ header Origin *
+ header Access-Control-Request-Method *
+ }
+
+ @cors {
+ header Origin *
+ }
+
+ handle @cors_preflight {
+ header Access-Control-Allow-Origin "{args.0}"
+ header Access-Control-Allow-Methods "{args.1}" {
+ GET, POST, PUT, DELETE, OPTIONS
+ }
+ header Access-Control-Allow-Headers "Content-Type"
+ header Access-Control-Allow-Credentials true
+ respond 204
+ }
+
+ handle @cors {
+ header Access-Control-Allow-Origin "{args.0}"
+ header Access-Control-Allow-Methods "{args.1}" {
+ GET, POST, PUT, DELETE, OPTIONS
+ }
+ header Access-Control-Allow-Headers "Content-Type"
+ header Access-Control-Allow-Credentials true
+ }
 }
 
 # admin-ui host
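Review bot: The conditional `{if {env.AWS_ACCESS_KEY_ID} {len} > 0} { import @s3storage }` inside the global options block does not look like anything the Caddyfile grammar provides — I am not aware of an `if` construct, `@name` declares a request matcher rather than a snippet, and `import` takes a file path or a `(name)` snippet — so unless a templating step I cannot see renders this file first, Caddy should reject it at startup, and if some variant did parse with the condition false, certificates would silently live on the container filesystem; a safer shape is to decide outside the Caddyfile, e.g. an entrypoint that selects between a Caddyfile with an unconditional `storage s3 { … }` and one without, or that fails fast when the credentials are empty. In the `(cors)` snippet, `header Access-Control-Allow-Credentials true` is set unconditionally, so the snippet should document its contract, `# args.0: one explicit origin (never "*", since credentials are allowed); args.1: allowed methods`. Note that `@cors` matches every request carrying an Origin header, and because `handle` blocks are mutually exclusive, a site that imports this snippet next to its own `handle` routes could see those routes skipped for cross-origin requests — that depends on how the importing site is laid out, but `header @cors …` without the `handle` wrapper avoids the question. The `{ GET, POST, PUT, DELETE, OPTIONS }` block following `"{args.1}"` on both Allow-Methods lines reads like a default for the argument, which the header directive's argument form cannot express and which I doubt parses; I'd drop the block and require or hardcode the method list.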