diff --git a/akashop/traefik-ingressR.yml b/akashop/traefik-ingressR.yml index f369a9e..d8b5517 100644 --- a/akashop/traefik-ingressR.yml +++ b/akashop/traefik-ingressR.yml @@ -5,8 +5,8 @@ metadata: namespace: akashop spec: rateLimit: - average: 5 - burst: 10 + average: 30 + burst: 50 --- diff --git a/traefik/traefik-deployment.yml b/traefik/traefik-deployment.yml index 0d6f062..d5446dd 100644 --- a/traefik/traefik-deployment.yml +++ b/traefik/traefik-deployment.yml 
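Review bot: In akashop/traefik-ingressR.yml the `rateLimit` block sets only `average` and `burst`, so Traefik's defaults apply: the limit is keyed on the request's remote address over a one-second period. The same commit turns on PROXY protocol, which changes what that remote address is. If the old 5/10 was tripped because every client appeared as the load balancer's address, the original values may be workable again once real client IPs are seen. I would add a comment above `average: 30`, such as `# per client IP (remote address after PROXY protocol), requests per second`, and confirm the new ceiling against expected per-client traffic.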
@@ -23,19 +23,35 @@ spec:
 image: traefik:latest
 args:
 - --api.insecure
- - --accesslog
 - --log.level=DEBUG
+
+ # access log - https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers
+ - --accesslog.filepath=/root/traefik/access.log
+ - --accesslog.fields.headers.names.X-Forwarded-For=keep
+ - --accesslog.fields.headers.names.User-Agent=keep
+
 # - --providers.kubernetesingress
 # - --providers.kubernetesingress.allowexternalnameservices=true
 - --providers.kubernetescrd
 - --providers.kubernetescrd.allowCrossNamespace=true
+
 - --entrypoints.web.address=:80
 - --entrypoints.websecure.address=:443
+
+ # Get real client IP using proxy protocol
+ # https://doc.traefik.io/traefik/routing/entrypoints/#proxyprotocol
+ - --entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,10.2.0.0/16,172.233.0.0/16
+ - --entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.2.0.0/16,172.233.0.0/16
+
+ # Get real client IP from X-Forwarded-For
+ # - --entrypoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.2.0.0/16
+ # - --entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,172.233.168.36/32
+
 - --certificatesresolvers.le.acme.email=learn@akamai.com
 - --certificatesresolvers.le.acme.storage=acme.json
 - --certificatesresolvers.le.acme.tlschallenge=true
- # - --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
- - --certificatesresolvers.le.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
+ - --certificatesresolvers.le.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
+ # - --certificatesresolvers.le.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
 # change caServer to production https://acme-v02.api.letsencrypt.org/directory
 ports:
 - name: web
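Review bot: The new `proxyProtocol.trustedIPs` on both entrypoints trusts 172.233.0.0/16, which lies outside RFC 1918 space (the private 172 block is 172.16.0.0/12). Any host in that /16 that can reach ports 80/443 is therefore allowed to supply the client address Traefik records, and the access log and any remote-address-based rate limit depend on that address. The commented-out forwardedHeaders line already names a single address; if that is the load balancer, I would narrow both flags the same way, e.g. `- --entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,10.2.0.0/16,172.233.168.36/32`, and note in the comment which device each range belongs to. Separately, this hunk switches `caServer` to the Let's Encrypt staging endpoint, whose certificates clients do not trust, so confirm that is intended before it reaches a production ingress.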