diff --git a/Dockerfile b/Dockerfile
index a561793..8ed9c17 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,17 @@
 FROM php:7.4-apache
 LABEL maintainer="Niels Lippke<nlippke@gmx.de>"
-ENV VER 5.1.21
-ENV SEEDDMS_BASE=/var/www/seeddms
-ENV SEEDDMS_HOME=/var/www/seeddms/seeddms
+ENV VER 5.1.23
+ENV SEEDDMS_BASE=/var/www/seeddms \
+    SEEDDMS_HOME=/var/www/seeddms/seeddms
+ENV PUBLIC_CERT=${SEEDDMS_BASE}/conf/cacert.pem \
+    PUBLIC_CERT_SUBJ=/CN=localhost \
+    PRIVATE_KEY=${SEEDDMS_BASE}/conf/cakey.pem \
+    FORCE_SSL=0
 
 # Update and install necessary packages
 RUN apt-get update && apt-get install --no-install-recommends gnumeric libpng-dev catdoc poppler-utils a2ps \
-    id3 docx2txt tesseract-ocr tesseract-ocr-deu ocrmypdf imagemagick vim parallel dos2unix cron rsync -y
-RUN docker-php-ext-install gd mysqli pdo pdo_mysql && \
+    id3 docx2txt tesseract-ocr tesseract-ocr-deu ocrmypdf imagemagick vim parallel dos2unix cron rsync libzip-dev -y
+RUN docker-php-ext-install gd mysqli pdo pdo_mysql zip && \
     pear channel-update pear.php.net && pear install Log
 
 # Get seeddms
@@ -29,8 +33,18 @@ RUN chown -R www-data:www-data /var/www/seeddms/ && \
     dos2unix /usr/local/bin/seeddms-entrypoint && chmod a+rx /usr/local/bin/seeddms-entrypoint && \
     a2enmod rewrite && \
     echo "export SEEDDMS_BASE=$SEEDDMS_BASE" >> /usr/local/bin/seeddms-settings.sh && \
-    echo "export SEEDDMS_HOME=$SEEDDMS_HOME" >> /usr/local/bin/seeddms-settings.sh
+    echo "export SEEDDMS_HOME=$SEEDDMS_HOME" >> /usr/local/bin/seeddms-settings.sh && \
+    sed -ri -e 's!/var/www/html!${SEEDDMS_BASE}/www!g' /etc/apache2/sites-available/*.conf && \
+    sed -ri -e 's!/var/www/!${SEEDDMS_BASE}/www!g' /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf
 
+WORKDIR /etc/apache2/sites-enabled
+RUN ln -s ../sites-available/default-ssl.conf default-ssl.conf
+WORKDIR /etc/apache2/mods-enabled
+RUN ln -s ../mods-available/ssl.conf ssl.conf && \
+    ln -s ../mods-available/ssl.load ssl.load && \
+    ln -s ../mods-available/socache_shmcb.load socache_shmcb.load
+
+WORKDIR $SEEDDMS_BASE
 
 # Volumes to mount
 VOLUME [ "/var/www/seeddms/backup", "/var/www/seeddms/import", "/var/www/seeddms/www/ext" ]
diff --git a/README.md b/README.md
index 58e2626..3c320c9 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ Cron is also included to handle jobs internally (backup, index, ...).
 
 ## How to run
 
-`docker run --name seeddms -d -v dms-data:/var/www/seeddms/data -p 8080:80 nlippke/seeddms:5.1.21`
+`docker run --name seeddms -d -v dms-data:/var/www/seeddms/data -p 8080:80 nlippke/seeddms:5.1.23`
 
 or as compose file
 
@@ -16,13 +16,16 @@ version: '2'
 
 services:
   dms:
-    image: nlippke/seeddms:5.1.21
+    image: nlippke/seeddms:5.1.23
     ports:
       - "8080:80"
+      - "8443:443"
     environment:
       - TZ=Europe/Berlin
       - 'CRON_INDEX=0 0 * * *'
       - 'CRON_BACKUP=0 23 * * *'
+      - SSL_PORT=8443
+      - FORCE_SSL=1
     mem_limit: 2g
     volumes:
       - dms-data:/var/www/seeddms/data
@@ -37,6 +40,18 @@ volumes:
   dms-data:
 ```
 
+If you run for the first time make sure to call `/install` and follow the instructions there.
+
+
+## Environment Variables
+Variable               | Default Value | Description
+-----------------------|-----------------------------------|------------
+`PUBLIC_CERT`          |`/var/www/seeddms/conf/cacert.pem` |the fully qualified container path for the CA certificate
+`PUBLIC_CERT_SUBJ`     |`/CN=localhost`                    |the subject used if the CA certificate is created
+`PRIVATE_KEY`          |`/var/www/seeddms/conf/cakey.pem`  |the fully qualified container path for the private certificate key
+`FORCE_SSL`            |`0`                                |`1` redirects to https if plain request
+`SSL_PORT`             |`443`                              |must match external port for https requests
+
 ## Default configuration
 
 The image is preconfigured. Nevertheless you're guided through the installation steps upon first start for a review.
diff --git a/sources/ocrmypdf.sh b/sources/ocrmypdf.sh
index 9087bd2..ed03c34 100755
--- a/sources/ocrmypdf.sh
+++ b/sources/ocrmypdf.sh
@@ -7,6 +7,11 @@ tmpdir=/tmp/seed
 lockfile=$tmpdir/`basename $0`
 cores=2
 
+# skip directories
+if [ -d "$1"]; then
+  exit 0
+fi
+
 mkdir -p $tmpdir
 
 while [ -e "$lockfile" ];
diff --git a/sources/seeddms-entrypoint b/sources/seeddms-entrypoint
index c57d14e..3c95326 100755
--- a/sources/seeddms-entrypoint
+++ b/sources/seeddms-entrypoint
@@ -20,6 +20,21 @@ if [ -e /etc/cron.d/seeddms ]; then
 	crontab /etc/cron.d/seeddms
 fi
 
+if [ ! -f $PUBLIC_CERT ] && [ ! -f $PRIVATE_KEY ]; then
+  openssl req -nodes -new -x509 -keyout $PRIVATE_KEY -out $PUBLIC_CERT -subj "${PUBLIC_CERT_SUBJ}"
+fi
+
+if [ $FORCE_SSL -eq 1 ]; then
+  if ! grep "RewriteCond %{HTTPS}" $SEEDDMS_BASE/www/.htaccess > /dev/null; then
+    echo "RewriteCond %{HTTPS}  !=on" >> $SEEDDMS_BASE/www/.htaccess
+    echo "RewriteRule ^/?(.*) https://%{SERVER_NAME}:${SSL_PORT:-443}/$1 [R,L]" >> $SEEDDMS_BASE/www/.htaccess
+  fi
+fi
+
+
+sed -ri -e 's!/etc/ssl/certs/ssl-cert-snakeoil.pem!${PUBLIC_CERT}!g' \
+        -e 's!/etc/ssl/private/ssl-cert-snakeoil.key!${PRIVATE_KEY}!g' /etc/apache2/sites-available/default-ssl.conf
+
 rm -f /var/run/cron*
 cron
 
diff --git a/sources/settings.xml b/sources/settings.xml
index 81c685c..e6655f0 100644
--- a/sources/settings.xml
+++ b/sources/settings.xml
@@ -7,7 +7,7 @@
        - language: default language (name of a subfolder in folder "languages")
        - theme: default style (name of a subfolder in folder "styles")
     -->
-    <display siteName="SeedDMS" footNote="" printDisclaimer="false" language="de_DE" theme="bootstrap" previewWidthList="40" previewWidthDetail="100" availablelanguages="" showFullPreview="true" convertToPdf="true" onePageMode="on" previewWidthMenuList="40" previewWidthDropFolderList="100" maxItemsPerPage="0" incItemsPerPage="0">  
+    <display siteName="SeedDMS" footNote="" printDisclaimer="false" language="de_DE" theme="bootstrap" previewWidthList="40" previewWidthDetail="100" availablelanguages="" showFullPreview="true" convertToPdf="true" previewWidthMenuList="40" previewWidthDropFolderList="100" maxItemsPerPage="0" incItemsPerPage="0" onePageMode="true" dateformat="" datetimeformat="" overrideTheme="false">
     </display>
     <!-- strictFormCheck: Strict form checking. If set to true, then all fields in the form will be checked for a value. If set to false, then (most) comments and keyword fields become optional. Comments are always required when submitting a review or overriding document status.
        - viewOnlineFileTypes: files with one of the following endings can be viewed online (USE ONLY LOWER CASE CHARACTERS)
@@ -24,7 +24,7 @@
        - stopWordsFile: path to stop word file for indexer
        - sortUsersInList: how to sort users in lists ('fullname' or '' (default))
     -->   
-    <edition strictFormCheck="false" viewOnlineFileTypes=".txt;.text;.html;.htm;.xml;.pdf;.gif;.png;.jpg;.jpeg" enableConverting="true" enableEmail="false" enableUsersView="true" enableFullSearch="true" enableClipboard="true" enableFolderTree="true" expandFolderTree="1" enableLanguageSelector="true" stopWordsFile="/var/www/seeddms/data/conf/stopwords.txt" sortUsersInList="" enableDropUpload="true" enableRecursiveCount="false" maxRecursiveCount="0" enableThemeSelector="false" fullSearchEngine="sqlitefts" sortFoldersDefault="u" editOnlineFileTypes=".txt;.text" enableMenuTasks="false" enableHelp="false" defaultSearchMethod="fulltext" libraryFolder="0" maxSizeForFullText="0" showSingleSearchHit="false" enableSessionList="false" enableDropFolderList="true" enableMultiUpload="true" defaultDocPosition="end">
+    <edition strictFormCheck="false" viewOnlineFileTypes=".txt;.text;.html;.htm;.xml;.pdf;.gif;.png;.jpg;.jpeg" enableConverting="true" enableEmail="false" enableUsersView="true" enableFullSearch="true" enableClipboard="true" enableFolderTree="true" expandFolderTree="1" enableLanguageSelector="true" stopWordsFile="/var/www/seeddms/data/conf/stopwords.txt" sortUsersInList="" enableDropUpload="true" enableRecursiveCount="false" maxRecursiveCount="0" enableThemeSelector="false" fullSearchEngine="sqlitefts" sortFoldersDefault="u" editOnlineFileTypes=".txt;.text" enableMenuTasks="false" enableHelp="false" defaultSearchMethod="fulltext" libraryFolder="0" maxSizeForFullText="0" showSingleSearchHit="false" enableSessionList="false" enableDropFolderList="true" enableMultiUpload="true" defaultDocPosition="end" noDocumentFormFields="" inlineEditing="false">
     </edition> 
     <!-- enableCalendar: enable/disable calendar
        - calendarDefaultView: calendar default view ("w" for week,"m" for month,"y" for year)
@@ -52,7 +52,7 @@
        - cacheDir: where the preview images are saved
        - backupDir: where the backups are saved
     -->
-    <server rootDir="/var/www/seeddms/seeddms/" httpRoot="/" contentDir="/var/www/seeddms/data/" stagingDir="/var/www/seeddms/data/staging/" luceneDir="/var/www/seeddms/data/lucene/" logFileEnable="true" logFileRotation="d" enableLargeFileUpload="false" partitionSize="2000000" cacheDir="/var/www/seeddms/data/cache/" dropFolderDir="/var/www/seeddms/import/" backupDir="/var/www/seeddms/backup/" checkOutDir="" createCheckOutDir="false" repositoryUrl="https://repository.seeddms.org/dd278323b03fd2aa5510b8fa9addf5ea/" maxUploadSize="" enableXsendfile="false">
+    <server rootDir="/var/www/seeddms/seeddms/" httpRoot="/" contentDir="/var/www/seeddms/data/" stagingDir="/var/www/seeddms/data/staging/" luceneDir="/var/www/seeddms/data/lucene/" logFileEnable="true" logFileRotation="d" enableLargeFileUpload="false" partitionSize="2000000" cacheDir="/var/www/seeddms/data/cache/" dropFolderDir="/var/www/seeddms/import/" backupDir="/var/www/seeddms/backup/" checkOutDir="" createCheckOutDir="false" repositoryUrl="https://repository.seeddms.org/dd278323b03fd2aa5510b8fa9addf5ea/" maxUploadSize="" enableXsendfile="false" proxyUrl="" proxyUser="" proxyPassword="">
     </server>
     
     <!-- enableGuestLogin: If you want anybody to login as guest, set the following line to true
@@ -113,13 +113,13 @@
        - rootFolderID: ID of root-folder (mostly no need to change)
        - titleDisplayHack: Workaround for page titles that go over more than 2 lines.
     -->  
-    <display siteDefaultPage="" rootFolderID="1" titleDisplayHack="true" showMissingTranslations="false">
+    <display siteDefaultPage="" rootFolderID="1" titleDisplayHack="true" showMissingTranslations="false" useHomeAsRootFolder="false">
     </display>
     <!-- guestID: ID of guest-user used when logged in as guest (mostly no need to change)
        - adminIP: if enabled admin can login only by specified IP addres, leave empty to avoid the control
        -          NOTE: works only with local autentication (no LDAP)
     --> 
-    <authentication guestID="2" adminIP="">
+    <authentication guestID="2" adminIP="" apiKey="" apiUserId="0" apiOrigin="">
     </authentication>
     <!-- enableAdminRevApp: false to don't list administrator as reviewer/approver
        - versioningFileName: the name of the versioning info file created by the backup tool
@@ -128,7 +128,7 @@
        - enableVersionModification: allow to modify versions after approval
        - enableDuplicateDocNames: allow duplicate names in a folder
     --> 
-    <edition enableAdminRevApp="false" versioningFileName="versioning_info.txt" workflowMode="traditional_only_approval" enableVersionDeletion="true" enableVersionModification="true" enableDuplicateDocNames="true" enableOwnerRevApp="false" enableSelfRevApp="false" presetExpirationDate="" overrideMimeType="false" initialDocumentStatus="0" enableAcknowledgeWorkflow="" enableRevisionWorkflow="" advancedAcl="false" enableUpdateRevApp="false" removeFromDropFolder="false" allowReviewerOnly="false" enableDuplicateSubFolderNames="false">
+    <edition enableAdminRevApp="false" versioningFileName="versioning_info.txt" workflowMode="traditional_only_approval" enableVersionDeletion="true" enableVersionModification="true" enableDuplicateDocNames="true" enableOwnerRevApp="false" enableSelfRevApp="false" presetExpirationDate="" overrideMimeType="false" initialDocumentStatus="0" enableAcknowledgeWorkflow="" enableRevisionWorkflow="" advancedAcl="false" enableUpdateRevApp="false" removeFromDropFolder="false" allowReviewerOnly="false" enableDuplicateSubFolderNames="false" enableRemoveRevApp="false">
     </edition>
 		<!-- enableNotificationAppRev: true to send notifation if a user is added as a reviewer or approver
 		-->
@@ -145,7 +145,7 @@
        - updateNotifyTime: users are notified about document-changes that took place within the last "updateNotifyTime" seconds
        - extraPath: Path to addtional software. This is the directory containing additional software like the adodb directory, or the pear Log package. This path will be added to the php include path
     -->
-    <server coreDir="" luceneClassDir="" contentOffsetDir="1048576" maxDirID="0" updateNotifyTime="86400" extraPath="/var/www/seeddms/pear/" maxExecutionTime="30" cmdTimeout="30">
+    <server coreDir="" luceneClassDir="" contentOffsetDir="1048576" maxDirID="0" updateNotifyTime="86400" extraPath="/var/www/seeddms/pear/" maxExecutionTime="30" cmdTimeout="30"  enableDebugMode="false">
     </server>
     <converters target="fulltext">
 		 <converter mimeType="application/pdf">ocrmypdf.sh %s</converter>
@@ -157,6 +157,11 @@
      <converter mimeType="text/xml">cat %s</converter>
     <converter mimeType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet">xlsx2csv %s</converter><converter mimeType="application/vnd.openxmlformats-officedocument.wordprocessingml.document">docx2txt %s -</converter><converter mimeType="image/jpeg">tesseract %s - -l deu --psm 3 --oem 3 2&gt; /dev/null | tr '\n' ' '</converter></converters>
 
-  <converters target="preview"><converter mimeType="image/*">convert -resize %wx '%f' '%o'</converter><converter mimeType="application/pdf">convert -density 100 -resize %wx '%f[0]' '%o'</converter><converter mimeType="application/postscript">convert -density 100 -resize %wx '%f[0]' '%o'</converter><converter mimeType="text/*">a2ps -1 -a1  -R -B -o - '%f' | gs -dBATCH -dNOPAUSE -sDEVICE=pngalpha -dFirstPage=1 -dLastPage=1 -dPDFFitPage -r72x72 -sOutputFile=- -q - | convert  -resize %wx png:- '%o'</converter></converters></advanced>
+  <converters target="preview">
+    <converter mimeType="image/*">convert -resize %wx '%f' '%o'</converter>
+    <converter mimeType="application/pdf">convert -density 100 -resize %wx '%f[0]' '%o'</converter>
+    <converter mimeType="application/postscript">convert -density 100 -resize %wx '%f[0]' '%o'</converter>
+    <converter mimeType="text/*">a2ps -1 -a1  -R -B -o - '%f' | gs -dBATCH -dNOPAUSE -sDEVICE=pngalpha -dFirstPage=1 -dLastPage=1 -dPDFFitPage -r72x72 -sOutputFile=- -q - | convert  -resize %wx png:- '%o'</converter>
+  </converters></advanced>
 
 <extensions><extension name="example"/></extensions></configuration>