diff --git a/.woodpecker.star b/.woodpecker.star
index b36b789028..96f396c577 100644
--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -1231,7 +1231,7 @@ def wopiValidatorTests(ctx, storage, wopiServerType, accounts_hash_difficulty =
 "commands": [
 "curl -v -X PUT '%s/remote.php/webdav/test.wopitest' -k --fail --retry-connrefused --retry 7 --retry-all-errors -u admin:admin -D headers.txt" % OC_URL,
 "cat headers.txt",
- "export FILE_ID=$(cat headers.txt | sed -n -e 's/^.*Oc-Fileid: //p')",
+ "export FILE_ID=$(cat headers.txt | sed -n -e 's/^.*oc-fileid: //Ip')",
 "export URL=\"%s/app/open?app_name=FakeOffice&file_id=$FILE_ID\"" % OC_URL,
 "export URL=$(echo $URL | tr -d '[:cntrl:]')",
 "curl -v -X POST \"$URL\" -k --fail --retry-connrefused --retry 7 --retry-all-errors -u admin:admin > open.json",
diff --git a/devtools/deployments/opencloud_full/docker-compose.yml b/devtools/deployments/opencloud_full/docker-compose.yml
index 99179f58aa..3e2d806998 100644
--- a/devtools/deployments/opencloud_full/docker-compose.yml
+++ b/devtools/deployments/opencloud_full/docker-compose.yml
@@ -19,6 +19,11 @@ services:
 - "--entryPoints.http.http.redirections.entryPoint.to=https"
 - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
 - "--entryPoints.https.address=:443"
+ # http2 optimizations
+ - "--entryPoints.https.http2.maxConcurrentStreams=512"
+ - "--serversTransport.maxIdleConnsPerHost=100"
+ # allow self signed certificate from OpenCloud
+ - "--serversTransport.insecureSkipVerify=true"
 # change default timeouts for long-running requests
 # this is needed for webdav clients that do not support the TUS protocol
 - "--entryPoints.https.transport.respondingTimeouts.readTimeout=12h"
diff --git a/devtools/deployments/opencloud_full/opencloud.yml b/devtools/deployments/opencloud_full/opencloud.yml
index afe703140d..1c8790dcf2 100644
--- a/devtools/deployments/opencloud_full/opencloud.yml
+++ b/devtools/deployments/opencloud_full/opencloud.yml
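Review bot: In the `.woodpecker.star` hunk, the new pattern depends on the `I` modifier of sed's `s` command, which is a GNU extension, so the step now relies on the sed shipped in the CI image. If no header matches, FILE_ID is silently empty and the following curl still runs with `file_id=`; a guard right after the export, `test -n "$FILE_ID"`, would fail the step at the real cause. A one-line comment saying why the match became case-insensitive (presumably because header names arrive lower-cased once HTTP/2 is negotiated) would also help. The commands list starts and ends outside the hunk.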
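Review bot: In the `docker-compose.yml` hunk, `--serversTransport.insecureSkipVerify=true` is a global static option: it turns off certificate verification for every backend this Traefik instance proxies to, not only OpenCloud. The Traefik-to-backend hop is then encrypted but unauthenticated, so anything able to answer on the Docker network in place of a backend is accepted. The comment should say this, e.g. `# INSECURE: disables backend certificate verification for ALL services; self-signed dev setups only`. For use beyond local development, trust the OpenCloud certificate explicitly with `--serversTransport.rootCAs=<path to CA file>` or a dedicated per-service serversTransport instead of the global switch.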
@@ -25,7 +25,7 @@ services:
 OC_LOG_COLOR: "${LOG_PRETTY:-false}"
 OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
 # do not use SSL between Traefik and OpenCloud
- PROXY_TLS: "false"
+ PROXY_TLS: "true"
 # make the REVA gateway accessible to the app drivers
 GATEWAY_GRPC_ADDR: 0.0.0.0:9142
 # INSECURE: needed if OpenCloud / Traefik is using self generated certificates
@@ -72,6 +72,7 @@ services:
 - "traefik.http.routers.opencloud.tls.certresolver=http"
 - "traefik.http.routers.opencloud.service=opencloud"
 - "traefik.http.services.opencloud.loadbalancer.server.port=9200"
+ - "traefik.http.services.opencloud.loadbalancer.server.scheme=https"
 logging:
 driver: ${LOG_DRIVER:-local}
 restart: always
diff --git a/pkg/service/http/service.go b/pkg/service/http/service.go
index ae8d67082f..4c184c6164 100644
--- a/pkg/service/http/service.go
+++ b/pkg/service/http/service.go
@@ -49,6 +49,8 @@ func NewService(opts ...Option) (Service, error) {
 }
 tlsConfig := &tls.Config{
 Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS12,
+ NextProtos: []string{"h2", "http/1.1"},
 }
 mServer = mhttps.NewServer(server.TLSConfig(tlsConfig))
 } else {
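Review bot: In the first `opencloud.yml` hunk, the unchanged comment directly above the setting, `# do not use SSL between Traefik and OpenCloud`, now contradicts `PROXY_TLS: "true"` and will mislead anyone auditing this deployment. It should be rewritten to match, e.g. `# use TLS between Traefik and OpenCloud (certificate is not verified by Traefik unless a CA is configured)`. The second half of that wording assumes the global skip-verify option in the accompanying Traefik compose file stays in place, so adjust it if that changes.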
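Review bot: In `pkg/service/http/service.go`, the two new `tls.Config` fields carry intent that the code does not state, so a short comment above them would help, e.g. `// TLS 1.2 floor; advertise h2 via ALPN so the reverse proxy can negotiate HTTP/2, with http/1.1 as fallback`. Whether the server built by `mhttps.NewServer` actually serves HTTP/2 on this listener is not visible in the hunk. A test that dials the service over TLS and asserts the negotiated protocol is `h2` would pin that down. NewService starts and ends outside the hunk.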