diff --git a/docker/compose/zrok-instance/README.md b/docker/compose/zrok-instance/README.md
index bc7131b2..1cdf2b02 100644
--- a/docker/compose/zrok-instance/README.md
+++ b/docker/compose/zrok-instance/README.md
@@ -64,6 +64,7 @@ ZROK_ADMIN_TOKEN=zroktoken
 ```
 
 ```bash title=".env options"
+# Caddy TLS option: rename caddy.compose.override.yml to compose.override.yml and set these vars; allow 80,443 in firewall
 # plugin name for your DNS provider
 CADDY_DNS_PLUGIN=cloudflare
 # API token from your DNS provider
@@ -71,12 +72,13 @@ CADDY_DNS_PLUGIN_TOKEN=abcd1234
 # use the staging API until you're sure everything is working to avoid hitting the rate limit
 CADDY_ACME_API=https://acme-staging-v02.api.letsencrypt.org/directory
 
-# zrok version, e.g., 1.0.0
-ZROK_IMAGE_TAG=latest
+# no TLS option: publish the insecure ports to the internet and allow them in the firewall 
+ZROK_INSECURE_INTERFACE=0.0.0.0
+ZROK_CTRL_PORT=18080
+ZROK_FRONTEND_PORT=8080
+ZROK_OAUTH_PORT=8081
 
-# ziti version, e.g., 1.0.0
-ZITI_IMAGE_TAG=latest
-# ziti ports
+# ziti ports must be published to the internet and allowed by firewall
 ZITI_CTRL_ADVERTISED_PORT=1280
 ZITI_ROUTER_PORT=3022
 
@@ -86,6 +88,11 @@ ZROK_OAUTH_GITHUB_CLIENT_ID=abcd1234
 ZROK_OAUTH_GITHUB_CLIENT_SECRET=abcd1234
 ZROK_OAUTH_GOOGLE_CLIENT_ID=abcd1234
 ZROK_OAUTH_GOOGLE_CLIENT_SECRET=abcd1234
+
+# zrok version, e.g., 1.0.0
+ZROK_IMAGE_TAG=latest
+# ziti version, e.g., 1.0.0
+ZITI_IMAGE_TAG=latest
 ```
 
 ### Start the Docker Compose Project
diff --git a/docker/compose/zrok-instance/compose.yml b/docker/compose/zrok-instance/compose.yml
index eb7ae970..805b130d 100644
--- a/docker/compose/zrok-instance/compose.yml
+++ b/docker/compose/zrok-instance/compose.yml
@@ -110,7 +110,7 @@ services:
     expose:
       - ${ZROK_CTRL_PORT:-18080}  # (not published)
     ports:
-      - 127.0.0.1:${ZROK_CTRL_PORT:-18080}:${ZROK_CTRL_PORT:-18080}
+      - ${ZROK_INSECURE_INTERFACE:-127.0.0.1}:${ZROK_CTRL_PORT:-18080}:${ZROK_CTRL_PORT:-18080}
     environment:
       ZROK_USER_PWD: ${ZROK_USER_PWD} # admin account password     (initial user account)
       ZROK_USER_EMAIL: ${ZROK_USER_EMAIL}  # login email address (initial user account)
@@ -144,8 +144,8 @@ services:
       - ${ZROK_FRONTEND_PORT:-8080}  # (not published)
       - ${ZROK_OAUTH_PORT:-8081}     # (not published)
     ports:
-      - 127.0.0.1:${ZROK_FRONTEND_PORT:-8080}:${ZROK_FRONTEND_PORT:-8080}
-      - 127.0.0.1:${ZROK_OAUTH_PORT:-8081}:${ZROK_OAUTH_PORT:-8081}
+      - ${ZROK_INSECURE_INTERFACE:-127.0.0.1}:${ZROK_FRONTEND_PORT:-8080}:${ZROK_FRONTEND_PORT:-8080}
+      - ${ZROK_INSECURE_INTERFACE:-127.0.0.1}:${ZROK_OAUTH_PORT:-8081}:${ZROK_OAUTH_PORT:-8081}
     environment:
       HOME: /var/lib/zrok-frontend
       ZROK_DNS_ZONE: ${ZROK_DNS_ZONE}  # e.g., "example.com" or "127.0.0.1.sslip.io"
diff --git a/docker/compose/zrok-private-access/compose.yml b/docker/compose/zrok-private-access/compose.yml
index 1138cd97..e3b4adbd 100644
--- a/docker/compose/zrok-private-access/compose.yml
+++ b/docker/compose/zrok-private-access/compose.yml
@@ -1,8 +1,8 @@
 services:
   zrok-init:
     image: busybox
-    # matches uid:gid of "nobody" in zrok container image
-    command: chown -Rc 65534:65534 /mnt/.zrok
+    # matches uid:gid of "ziggy" in zrok container image
+    command: chown -Rc 2171:2171 /mnt/.zrok
     user: root
     volumes:
       - zrok_env:/mnt/.zrok
diff --git a/docker/compose/zrok-private-share/compose.yml b/docker/compose/zrok-private-share/compose.yml
index f94b0563..8ed0828c 100644
--- a/docker/compose/zrok-private-share/compose.yml
+++ b/docker/compose/zrok-private-share/compose.yml
@@ -1,8 +1,8 @@
 services:
   zrok-init:
     image: busybox
-    # matches uid:gid of "nobody" in zrok container image
-    command: chown -Rc 65534:65534 /mnt/.zrok
+    # matches uid:gid of "ziggy" in zrok container image
+    command: chown -Rc 2171:2171 /mnt/.zrok
     user: root
     volumes:
       - zrok_env:/mnt/.zrok
diff --git a/docker/compose/zrok-public-reserved/compose.yml b/docker/compose/zrok-public-reserved/compose.yml
index 6abd9020..f57a3a00 100644
--- a/docker/compose/zrok-public-reserved/compose.yml
+++ b/docker/compose/zrok-public-reserved/compose.yml
@@ -2,8 +2,8 @@ services:
   # set file ownership
   zrok-init:
     image: busybox
-    # matches uid:gid of "nobody" in zrok container image
-    command: chown -Rc 65534:65534 /mnt/
+    # matches uid:gid of "ziggy" in zrok container image
+    command: chown -Rc 2171:2171 /mnt/
     user: root
     volumes:
       - zrok_env:/mnt
diff --git a/docker/compose/zrok-public-share/compose.yml b/docker/compose/zrok-public-share/compose.yml
index e1de6e72..47d58266 100644
--- a/docker/compose/zrok-public-share/compose.yml
+++ b/docker/compose/zrok-public-share/compose.yml
@@ -3,8 +3,8 @@ services:
   # set file ownership
   zrok-init:
     image: busybox
-    # matches uid:gid of "nobody" in zrok container image
-    command: chown -Rc 65534:65534 /mnt/.zrok
+    # matches uid:gid of "ziggy" in zrok container image
+    command: chown -Rc 2171:2171 /mnt/.zrok
     user: root
     volumes:
       - zrok_env:/mnt/.zrok
diff --git a/docs/guides/frontdoor.mdx b/docs/guides/frontdoor.mdx
index 307cf015..5e19aa43 100644
--- a/docs/guides/frontdoor.mdx
+++ b/docs/guides/frontdoor.mdx
@@ -32,6 +32,8 @@ zrok frontends are the parts of zrok that proxy incoming public web traffic to z
 
 Choose between installing the Linux package or running zrok with Docker (Linux, macOS, or Windows).
 
+{/* The OsTabs component must be aligned with these specific values: `Linux`, `Docker` which are auto-selected based on
+the detected OS of the visitor's browser */}
 <OsTabs
   queryString="os"
   values={[
diff --git a/website/src/theme/OsTabs/index.js b/website/src/theme/OsTabs/index.js
index 46f18219..6ea36700 100644
--- a/website/src/theme/OsTabs/index.js
+++ b/website/src/theme/OsTabs/index.js
@@ -7,9 +7,9 @@ function OsTabs(props) {
 
   useEffect(() => {
     // Based on the OS or any other client-side condition, set the default value
-    const tabs = ['Mac OS', 'Windows', 'Linux']
-    if (tabs.includes(osName)) {
-      setDefaultValue(osName);
+    const dockerTabs = ['Mac OS', 'Windows']
+    if (dockerTabs.includes(osName)) {
+      setDefaultValue('Docker');
     } else {
       setDefaultValue('Linux');
     }