diff --git a/docker/compose/zrok-instance/Caddyfile b/docker/compose/zrok-instance/Caddyfile
index 6c6cc43e..83ddd646 100644
--- a/docker/compose/zrok-instance/Caddyfile
+++ b/docker/compose/zrok-instance/Caddyfile
@@ -8,7 +8,7 @@
 # redir https://{host}{uri} permanent
 # }
-*.{$ZROK_DNS_ZONE} {
+*.{$ZROK_DNS_ZONE}:{$CADDY_HTTPS_PORT} {
 tls {
 dns {$CADDY_DNS_PLUGIN} {$CADDY_DNS_PLUGIN_TOKEN}
 propagation_timeout 60m
diff --git a/docker/compose/zrok-instance/README.md b/docker/compose/zrok-instance/README.md
index 73992947..09a3d118 100644
--- a/docker/compose/zrok-instance/README.md
+++ b/docker/compose/zrok-instance/README.md
@@ -64,7 +64,7 @@ ZROK_ADMIN_TOKEN=zroktoken
 ```
 ```bash title=".env options"
-# Caddy TLS option: rename compose.caddy.yml to compose.override.yml and set these vars; allow 80,443 in firewall
+# Caddy TLS option: rename compose.caddy.yml to compose.override.yml; allow CADDY_HTTPS_PORT in firewall
 #
 ## set these in .env for providers other than Route53
@@ -94,9 +94,10 @@ ZROK_CTRL_PORT=18080
 ZROK_FRONTEND_PORT=8080
 ZROK_OAUTH_PORT=8081
-# these secure ziti ports must be published to the internet
+# these secure ports must be published to the internet
 ZITI_CTRL_ADVERTISED_PORT=80
 ZITI_ROUTER_PORT=3022
+CADDY_HTTPS_PORT=443
 # optionally configure oauth for public shares
 #ZROK_OAUTH_HASH_KEY=oauthhashkeysecret
@@ -264,9 +265,10 @@ See "My internet connection can only send traffic to common ports" below about c
 1. My internet connection can only send traffic to common ports like 80, 443, and 3389.
- You can change the required ports in the `.env` file. Caddy will still use port 443 for zrok shares and API if you renamed `compose.caddy.yml` as `compose.override.yml` to enable Caddy.
+ You can change the required ports in the `.env` file before the first run of the Docker Compose project.
 ```bash title=".env"
 ZITI_CTRL_ADVERTISED_PORT=80
 ZITI_ROUTER_PORT=3389
+ CADDY_HTTPS_PORT=443
 ```
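Review bot: The new site address `*.{$ZROK_DNS_ZONE}:{$CADDY_HTTPS_PORT}` has no fallback when the variable is unset, so this Caddyfile now only works when launched from the Compose service that injects `CADDY_HTTPS_PORT: ${CADDY_HTTPS_PORT:-443}`; anywhere else the placeholder expands empty and leaves a dangling colon in the address. Caddy's env placeholders accept a default, so `*.{$ZROK_DNS_ZONE}:{$CADDY_HTTPS_PORT:443} {` keeps the Caddyfile's default aligned with the Compose file's `:-443` fallbacks. The route53.Caddyfile hunk later on this page has the identical site-address change and needs the same default. The site block continues outside the hunk.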
diff --git a/docker/compose/zrok-instance/bootstrap-frontend.bash b/docker/compose/zrok-instance/bootstrap-frontend.bash
index 2341db11..03578b4c 100755
--- a/docker/compose/zrok-instance/bootstrap-frontend.bash
+++ b/docker/compose/zrok-instance/bootstrap-frontend.bash
@@ -87,7 +87,7 @@ until [[ -n "${ZITI_PUBLIC_ID}" ]]; do
 done
 echo "DEBUG: 'public' ZITI_PUBLIC_ID=$ZITI_PUBLIC_ID"
-until curl -sSf "${ZROK_API_ENDPOINT}/api/v1/version"; do
+until curl -sSf "${ZROK_API_ENDPOINT}" &>/dev/null; do
 echo "DEBUG: waiting for zrok controller API version endpoint to respond"
 sleep 3
 done
diff --git a/docker/compose/zrok-instance/compose.caddy.yml b/docker/compose/zrok-instance/compose.caddy.yml
index 96d912e9..ebf0f76c 100644
--- a/docker/compose/zrok-instance/compose.caddy.yml
+++ b/docker/compose/zrok-instance/compose.caddy.yml
@@ -8,6 +8,7 @@ services:
 CADDY_DNS_PLUGIN: ${CADDY_DNS_PLUGIN} # e.g., "digitalocean" (see github.com/caddy-dns)
 restart: unless-stopped
 environment:
+ CADDY_HTTPS_PORT: ${CADDY_HTTPS_PORT:-443}
 #
 ## set these in .env for providers other than Route53
 #
@@ -31,12 +32,12 @@ services:
 ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081}
 expose:
 # - 80/tcp
- - 443/tcp
- - 443/udp # Caddy's HTTP/3 (QUIC) (not published)
+ - ${CADDY_HTTPS_PORT:-443}/tcp
+ - ${CADDY_HTTPS_PORT:-443}/udp # Caddy's HTTP/3 (QUIC) (not published)
 - 2019/tcp # Caddy's admin API (not published)
 ports:
- # - ${CADDY_INTERFACE:-0.0.0.0}:80:80
- - ${CADDY_INTERFACE:-0.0.0.0}:443:443
+ # - ${CADDY_INTERFACE:-0.0.0.0}:80:80 # port occupied by ziti
+ - ${CADDY_INTERFACE:-0.0.0.0}:${CADDY_HTTPS_PORT:-443}:${CADDY_HTTPS_PORT:-443}
 # - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp" # future: HTTP/3 (QUIC)
 volumes:
 - caddy_data:/data
@@ -47,7 +48,7 @@ services:
 zrok-frontend:
 environment:
 ZROK_FRONTEND_SCHEME: https
- ZROK_FRONTEND_PORT: 443
+ ZROK_FRONTEND_PORT: ${CADDY_HTTPS_PORT:-443}
 volumes:
 caddy_data:
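Review bot: The new `&>/dev/null` on the `until curl -sSf "${ZROK_API_ENDPOINT}"` line discards stderr too, so `-S` (show errors despite `-s`) is now dead and a permanently failing probe leaves no trace of why; redirect only stdout, `until curl -sSf "${ZROK_API_ENDPOINT}" >/dev/null; do`, or drop `-S`. Dropping the `/api/v1/version` path also weakens the readiness check: any 2xx from whatever answers the root of the endpoint now ends the wait, whether or not the controller API is up, while the debug message on the following line still says it is waiting for the version endpoint. If the root probe is intentional (for instance because the API is now reached through the Caddy port), the message should say so, e.g. `echo "DEBUG: waiting for zrok controller at ${ZROK_API_ENDPOINT} to respond"`, and a comment on the `until` line should record why the version path was dropped. The enclosing script continues outside the hunk.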
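Review bot: The added `CADDY_HTTPS_PORT: ${CADDY_HTTPS_PORT:-443}` under `environment:` is the value the mounted Caddyfile reads for its site address, but unlike the neighbouring `CADDY_DNS_PLUGIN` line it carries no comment saying so; `CADDY_HTTPS_PORT: ${CADDY_HTTPS_PORT:-443} # TLS listen port read by the Caddyfile; must match the published port below and the firewall rule` would make the coupling visible. In the `ports:` hunk the still-commented HTTP/3 line `# - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp"` keeps the hardcoded 443 (and a stray trailing quote) that the live line just stopped using, so whoever enables it later will publish the wrong port when `CADDY_HTTPS_PORT` is overridden. The `:-443` fallback is now repeated in four places in this file plus the Caddyfiles, so the README's `CADDY_HTTPS_PORT=443` in `.env` is the only single point of truth; a one-line comment near `ports:` noting that the defaults must stay in sync would help. The `caddy` service definition starts outside the first hunk.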
diff --git a/docker/compose/zrok-instance/route53.Caddyfile b/docker/compose/zrok-instance/route53.Caddyfile
index ab846626..46626331 100644
--- a/docker/compose/zrok-instance/route53.Caddyfile
+++ b/docker/compose/zrok-instance/route53.Caddyfile
@@ -8,7 +8,7 @@
 # redir https://{host}{uri} permanent
 # }
-*.{$ZROK_DNS_ZONE} {
+*.{$ZROK_DNS_ZONE}:{$CADDY_HTTPS_PORT} {
 tls {
 dns route53 {
 access_key_id {$AWS_ACCESS_KEY_ID}
diff --git a/docker/compose/zrok-public-reserved/compose.override.yml b/docker/compose/zrok-public-reserved/compose.override.yml
deleted file mode 100644
index 4faadf94..00000000
--- a/docker/compose/zrok-public-reserved/compose.override.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-services:
- my-other-zrok-share:
- image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
- restart: unless-stopped
- entrypoint: zrok-share.bash
- depends_on:
- zrok-enable:
- condition: service_completed_successfully
- volumes:
- - zrok_env:/mnt
- - ./Caddyfile:/Caddyfile
- environment:
- # most relevant options
- ZROK_UNIQUE_NAME: "butter"
- ZROK_BACKEND_MODE: caddy
- ZROK_TARGET: /Caddyfile
- # internal configuration
- HOME: /mnt # zrok homedir in container