diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index ff3d1e8..06d8b14 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -55,10 +55,14 @@ services:
       - web
     labels:
       - "traefik.enable=true"
+      # HTTPS route (primary, once DNS + cert are working)
       - "traefik.http.routers.golf.rule=Host(`${DOMAIN:-golf.example.com}`)"
       - "traefik.http.routers.golf.entrypoints=websecure"
       - "traefik.http.routers.golf.tls=true"
       - "traefik.http.routers.golf.tls.certresolver=letsencrypt"
+      # HTTP route (fallback for testing before DNS/cert)
+      - "traefik.http.routers.golf-http.rule=Host(`${DOMAIN:-golf.example.com}`)"
+      - "traefik.http.routers.golf-http.entrypoints=web"
       - "traefik.http.services.golf.loadbalancer.server.port=8000"
       # WebSocket sticky sessions
       - "traefik.http.services.golf.loadbalancer.sticky.cookie=true"
@@ -114,8 +118,9 @@ services:
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"
-      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
-      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+      # HTTP->HTTPS redirect disabled until DNS propagates and cert is issued
+      # - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+      # - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
       - "--entrypoints.websecure.address=:443"
       - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
       - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"