diff --git a/docker-compose.yml b/docker-compose.yml
index f762a1a..eebcb70 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -17,13 +17,11 @@ services:
 
   # Optional: OnlyOffice Document Server fuer Office-Bearbeitung
   # Auskommentieren um DOCX/XLSX/PPTX bearbeiten zu koennen
-  # Nach dem Start die ONLYOFFICE_URL in den Admin-Einstellungen setzen
-  # oder als Umgebungsvariable: ONLYOFFICE_URL=http://onlyoffice
   #
   # onlyoffice:
   #   image: onlyoffice/documentserver:latest
-  #   ports:
-  #     - "8080:80"
+  #   # Kein ports-Mapping noetig! Zugriff nur ueber nginx (HTTPS)
+  #   # und intern im Docker-Netzwerk (minicloud -> onlyoffice)
   #   environment:
   #     - JWT_ENABLED=true
   #     - JWT_SECRET=${ONLYOFFICE_JWT_SECRET:-minicloud-onlyoffice-secret}
diff --git a/frontend/src/views/AdminView.vue b/frontend/src/views/AdminView.vue
index 3c2a4a4..5bf31d9 100644
--- a/frontend/src/views/AdminView.vue
+++ b/frontend/src/views/AdminView.vue
@@ -93,12 +93,15 @@
         <Button label="Speichern" icon="pi pi-save" size="small" @click="saveSmtp" />
       </div>
       <div class="restore-instructions" style="margin-top: 1rem">
-        <strong>Docker-Setup:</strong>
+        <strong>Setup:</strong>
         <ol>
           <li>In <code>docker-compose.yml</code> den <code>onlyoffice</code>-Service auskommentieren</li>
+          <li>Nginx-Eintrag fuer OnlyOffice anlegen (z.B. <code>office.deine-domain.de</code>) - siehe <code>nginx.example.conf</code></li>
+          <li>Let's Encrypt Zertifikat fuer die OnlyOffice-Domain erstellen</li>
           <li><code>docker-compose up -d</code></li>
-          <li>URL auf <code>http://onlyoffice</code> (intern) oder die oeffentliche URL setzen</li>
-          <li>JWT Secret muss in beiden Services identisch sein</li>
+          <li>Hier die <strong>oeffentliche HTTPS-URL</strong> eintragen (z.B. <code>https://office.deine-domain.de</code>)<br/>
+              <em>Nicht</em> die interne Docker-URL - der Browser muss OnlyOffice erreichen koennen!</li>
+          <li>JWT Secret muss mit <code>ONLYOFFICE_JWT_SECRET</code> in <code>docker-compose.yml</code> uebereinstimmen</li>
         </ol>
       </div>
     </div>
diff --git a/nginx.example.conf b/nginx.example.conf
new file mode 100644
index 0000000..1a39739
--- /dev/null
+++ b/nginx.example.conf
@@ -0,0 +1,64 @@
+# Beispiel nginx-Konfiguration fuer Mini-Cloud mit OnlyOffice
+# Anpassen: cloud.example.com und office.example.com durch eigene Domains ersetzen
+
+# Mini-Cloud
+server {
+    listen 443 ssl http2;
+    server_name cloud.example.com;
+
+    ssl_certificate /etc/letsencrypt/live/cloud.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem;
+
+    client_max_body_size 0;  # Kein Upload-Limit (wird von Flask gesteuert)
+
+    location / {
+        proxy_pass http://127.0.0.1:5000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket (falls spaeter benoetigt)
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+
+    # CalDAV/CardDAV braucht spezielle Methoden
+    location /dav/ {
+        proxy_pass http://127.0.0.1:5000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass_request_headers on;
+    }
+}
+
+# OnlyOffice Document Server (optional)
+# Nur noetig wenn OnlyOffice in docker-compose aktiviert ist
+server {
+    listen 443 ssl http2;
+    server_name office.example.com;
+
+    ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
+
+# HTTP -> HTTPS Redirect
+server {
+    listen 80;
+    server_name cloud.example.com office.example.com;
+    return 301 https://$host$request_uri;
+}