diff --git a/modules/kubernetes/reverse_proxy/factory/main.tf b/modules/kubernetes/reverse_proxy/factory/main.tf
index b194ff54..4bb7135c 100644
--- a/modules/kubernetes/reverse_proxy/factory/main.tf
+++ b/modules/kubernetes/reverse_proxy/factory/main.tf
@@ -49,7 +49,7 @@ resource "kubernetes_service" "proxied-service" {
     external_name = var.external_name
 
     port {
-      name = "${var.name}-web"
+      name = var.backend_protocol == "HTTPS" ? "https-${var.name}" : "${var.name}-web"
       port = var.port
       protocol = "TCP"
       target_port = var.port
@@ -70,7 +70,9 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
         var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
         var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
       ]))
-      "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
+      "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
+      "traefik.ingress.kubernetes.io/service.serversscheme" = var.backend_protocol == "HTTPS" ? "https" : null
+      "traefik.ingress.kubernetes.io/service.serverstransport" = var.backend_protocol == "HTTPS" ? "traefik-insecure-skip-verify@kubernetescrd" : null
     }, var.extra_annotations)
   }
 
diff --git a/modules/kubernetes/traefik/main.tf b/modules/kubernetes/traefik/main.tf
index dd6640c4..0480c101 100644
--- a/modules/kubernetes/traefik/main.tf
+++ b/modules/kubernetes/traefik/main.tf
@@ -142,6 +142,8 @@ resource "helm_release" "traefik" {
       "--api.insecure=true",
       "--global.checknewversion=false",
       "--global.sendanonymoususage=false",
+      # Skip TLS verification for self-signed backend certs (proxmox, idrac, etc.)
+      "--serversTransport.insecureSkipVerify=true",
       # Increase timeouts for services like Immich
       "--serversTransport.forwardingTimeouts.dialTimeout=60s",
       "--serversTransport.forwardingTimeouts.responseHeaderTimeout=0s",
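Review bot: The new `https-${var.name}` port name leaves less room under the 15-character limit Kubernetes enforces on Service port names than the old `${var.name}-web` did, so a var.name of 10 or 11 characters that applied cleanly before will now fail validation when backend_protocol is HTTPS. A `validation` block on var.name (or a truncation) would surface this at plan time instead of apply time. Nothing in the hunk explains what the `https-` prefix is for, so a one-line comment above `name` stating which component reads it would help the next maintainer. The enclosing `kubernetes_service` resource starts and ends outside the hunk.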
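Review bot: The `traefik-insecure-skip-verify@kubernetescrd` reference hard-codes the ServersTransport's namespace as `traefik`, while the CRD it points at in middleware.tf takes its namespace from `kubernetes_namespace.traefik.metadata[0].name`; a shared variable or at least a comment tying the two together would prevent silent route breakage if that namespace ever differs. Referencing a ServersTransport in another namespace also relies on the Traefik kubernetescrd provider permitting cross-namespace references, which this diff does not show and is worth confirming. When backend_protocol is not HTTPS the two new keys evaluate to null rather than being omitted; consider `merge({ ... }, var.backend_protocol == "HTTPS" ? { "traefik.ingress.kubernetes.io/service.serversscheme" = "https", "traefik.ingress.kubernetes.io/service.serverstransport" = "traefik-insecure-skip-verify@kubernetescrd" } : {}, var.extra_annotations)` so the keys are absent unless a caller opts in. Note also that every HTTPS backend routed through this module is sent to the skip-verify transport with no way for a caller to choose a verifying one. The enclosing `kubernetes_ingress_v1` resource starts outside the hunk.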
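Review bot: `--serversTransport.insecureSkipVerify=true` changes Traefik's default ServersTransport, so certificate verification is disabled for every HTTPS backend this instance proxies, not only the self-signed ones the comment names, and it makes the per-route `insecure-skip-verify` ServersTransport added in middleware.tf redundant. Dropping this flag and keeping the scoped CRD keeps verification on by default and confines the exception to routes that opt in through the factory annotation. If the global flag is kept deliberately, the comment should say what it really does, e.g. `# WARNING: disables certificate verification for ALL HTTPS backends; prefer the per-route ServersTransport in middleware.tf`. The Helm values list continues outside the hunk.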
diff --git a/modules/kubernetes/traefik/middleware.tf b/modules/kubernetes/traefik/middleware.tf
index 4b3d9185..61f0f338 100644
--- a/modules/kubernetes/traefik/middleware.tf
+++ b/modules/kubernetes/traefik/middleware.tf
@@ -156,6 +156,23 @@ resource "kubernetes_manifest" "tls_option_mtls" {
   depends_on = [helm_release.traefik]
 }
 
+# ServersTransport for backends with self-signed certificates
+resource "kubernetes_manifest" "servers_transport_insecure" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind = "ServersTransport"
+    metadata = {
+      name = "insecure-skip-verify"
+      namespace = kubernetes_namespace.traefik.metadata[0].name
+    }
+    spec = {
+      insecureSkipVerify = true
+    }
+  }
+
+  depends_on = [helm_release.traefik]
+}
+
 # Immich-specific rate limit (higher limits for photo uploads)
 resource "kubernetes_manifest" "middleware_immich_rate_limit" {
   manifest = {
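Review bot: `insecureSkipVerify = true` turns off verification entirely, whereas the ServersTransport spec also accepts `rootCAsSecrets` (and `serverName`) so Traefik can verify the self-signed backends the comment describes against their own CA without trusting arbitrary certificates; offering that as the primary transport and reserving this one for backends whose CA genuinely cannot be exported would narrow the exposure. The resource is consumed from the reverse_proxy factory module by the provider-synthesised name `traefik-insecure-skip-verify@kubernetescrd`, so `name` together with the namespace taken from `kubernetes_namespace.traefik.metadata[0].name` is a cross-module contract that deserves a comment, e.g. `# Referenced from reverse_proxy/factory as "<namespace>-insecure-skip-verify@kubernetescrd"; renaming either part breaks those routes.` The header comment should also state that routes which do not reference this transport keep normal certificate verification, so readers do not assume it is a cluster-wide default.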