diff --git a/playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2 b/playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2
index 2e0bdc3..78eb438 100644
--- a/playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2
+++ b/playbooks/templates/chaosknoten/configs/keycloak/compose.yaml.j2
@@ -25,14 +25,14 @@ services:
 build:
 context: .
 dockerfile_inline: |
- FROM quay.io/keycloak/keycloak:24.0 as builder
+ FROM quay.io/keycloak/keycloak:25.0 as builder
 ENV KC_DB=postgres
 WORKDIR /opt/keycloak
 RUN /opt/keycloak/bin/kc.sh build
- FROM quay.io/keycloak/keycloak:24.0
+ FROM quay.io/keycloak/keycloak:25.0
 COPY --from=builder /opt/keycloak/ /opt/keycloak/
 # Runtime options set in compose directly.
@@ -51,10 +51,11 @@ services:
 KC_DB_URL_HOST: db
 KC_DB_USERNAME: keycloak
 KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}
- KC_HOSTNAME: id.hamburg.ccc.de
- KC_HOSTNAME_STRICT_BACKCHANNEL: true
- KC_HOSTNAME_ADMIN: keycloak-admin.hamburg.ccc.de
- KC_PROXY: edge
+ KC_HOSTNAME: https://id.hamburg.ccc.de
+ KC_HOSTNAME_BACKCHANNEL_DYNAMIC: false
+ KC_HOSTNAME_ADMIN: https://keycloak-admin.hamburg.ccc.de
+ KC_PROXY_HEADERS: xforwarded
+ KC_HTTP_ENABLED: true
 ports:
 - "8080:8080"
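Review bot: In the second hunk, `KC_PROXY_HEADERS: xforwarded` together with `KC_HTTP_ENABLED: true` makes Keycloak accept X-Forwarded-* headers over plain HTTP from any peer that can reach port 8080, and the unchanged `- "8080:8080"` mapping publishes that port on every host interface. A client that bypasses the reverse proxy could then supply its own forwarded address, which affects the client IP recorded in login events and used by brute-force detection. If the proxy runs on the same host (not visible in this hunk), narrow the mapping to `- "127.0.0.1:8080:8080"`; otherwise restrict 8080 to the proxy's address at the firewall. Either way, confirm the proxy overwrites rather than appends the X-Forwarded-For/-Proto/-Host headers. A comment above the new keys such as `# HTTP only behind the TLS-terminating reverse proxy; 8080 must not be reachable directly` would record the assumption, and the new boolean env values are safer quoted (`"true"`, `"false"`) so Compose passes them as strings.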