diff --git a/Dockerfile b/Dockerfile
index bbb5e3d..f20f471 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,18 @@
-FROM traefik:v2.9.5
+FROM traefik:2.9.5
+
+ARG BUILD_TIME
 
 LABEL dev.egommerce.image.author="Piotr Biernat"
 LABEL dev.egommerce.image.vendor="Egommerce"
 LABEL dev.egommerce.image.service="api-gateway"
 LABEL dev.egommerce.image.version="1.0"
+LABEL dev.egommerce.image.build_time=${BUILD_TIME}
 
 COPY ./api-gateway/etc /etc/traefik
 COPY ./api-gateway/plugins /plugins-local
+COPY ./api-gateway/entrypoint.sh ./api-gateway/wait-for-it.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["traefik"]
 
 EXPOSE 443 8080
-
-# ENTRYPOINT ["/traefik"] # FIXME stack->stack config.yml
diff --git a/api-gateway/entrypoint.sh b/api-gateway/entrypoint.sh
new file mode 100755
index 0000000..4217125
--- /dev/null
+++ b/api-gateway/entrypoint.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+set +e 
+
+waitForService()
+{
+    ./wait-for-it.sh $1 -t 2 1>/dev/null 2>&1
+    status=$?
+    while [ $status != 0 ]
+    do
+        echo "[x] wating for $1..."
+        sleep 1
+        ./wait-for-it.sh $1 -t 2 1>/dev/null 2>&1
+        status=$?
+    done
+}
+
+waitForService "api-registry:8500"
+
+set -e
+
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+    set -- traefik "$@"
+fi
+
+# if our command is a valid Traefik subcommand, let's invoke it through Traefik instead
+# (this allows for "docker run traefik version", etc)
+if traefik "$1" --help >/dev/null 2>&1
+then
+    set -- traefik "$@"
+else
+    echo "= '$1' is not a Traefik command: assuming shell execution." 1>&2
+fi
+
+# echo "Executing: $@"
+exec "$@"
diff --git a/api-gateway/etc/tls.yml b/api-gateway/etc/tls.yml
new file mode 100644
index 0000000..8010688
--- /dev/null
+++ b/api-gateway/etc/tls.yml
@@ -0,0 +1,9 @@
+tls:
+  certificates:
+        certFile: /etc/traefik/certs/client.cert
+        keyFile: /etc/traefik/certs/client.key
+  # stores:
+  #   default:
+  #     defaultCertificate:
+  #       certFile: /etc/traefik/certs/client.cert
+  #       keyFile: /etc/traefik/certs/client.key
diff --git a/api-gateway/etc/traefik.yml b/api-gateway/etc/traefik.yml
index 2a8f978..1e19cc0 100644
--- a/api-gateway/etc/traefik.yml
+++ b/api-gateway/etc/traefik.yml
@@ -1,7 +1,7 @@
 ################################################################
-# global:
-  # checkNewVersion: true
-  # sendAnonymousUsage: true
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false
 
 ################################################################
 entryPoints:
@@ -9,27 +9,16 @@ entryPoints:
     address: :443
     transport:
       respondingTimeouts:
-        readTimeout: '10ms'
-        writeTimeout: '10ms'
-        idleTimeout: '20ms'
-  db:
-    address: :5432
-  mongodb:
-    address: :27017
-  eventbus:
-    address: :5672
-  # redis:
-  #   address: :6379
+        readTimeout: '100ms'
+        writeTimeout: '100ms'
+        idleTimeout: '200ms'
+        # ^^ FIXME: Use ENV var
 
 ################################################################
 serversTransport:
-#   # insecureSkipVerify: true
+  insecureSkipVerify: true
   rootCAs:
-    - /etc/traefik/certs/identity-svc/server.cert
-    - /etc/traefik/certs/basket-svc/server.cert
-    - /etc/traefik/certs/catalog-svc/server.cert
-    - /etc/traefik/certs/postgres-db/server.cert
-    # - /etc/traefik/certs/api-eventbus/server.cert
+    - /etc/traefik/certs/client.cert
 
 ################################################################
 api:
@@ -38,16 +27,10 @@ api:
 
 ################################################################
 providers:
-  # file:
-  #   directory: /etc/traefik/services
-################################################################
+  file:
+    filename: /etc/traefik/tls.yml
   docker:
-    # Docker server endpoint. Can be a tcp or a unix socket endpoint.
-    # endpoint: unix:///var/run/docker.sock
     exposedByDefault: false
-    # network: api-gateway-network
-    # useBindPortIP: true
-
     # Default host rule.
     # Optional
     # Default: "Host(`{{ normalize .Name }}`)"
@@ -55,16 +38,15 @@ providers:
 ################################################################
   consulCatalog:
     exposedByDefault: false
-    # serviceName: api-gateway
     refreshInterval: 5s
+    # ^^ configure in stack`s yml api-registry `command:` section: --providers.consulcatalog.refreshInterval=10s
     endpoint:
       address: api-registry:8500
+      # ^^ FIXME: Use ENV var
 
 ################################################################
 log:
   level: DEBUG
-#  filePath: log/traefik.log
-#  format: json
 
 ################################################################
 # accessLog: {}
diff --git a/api-gateway/wait-for-it.sh b/api-gateway/wait-for-it.sh
new file mode 100755
index 0000000..fff13c9
--- /dev/null
+++ b/api-gateway/wait-for-it.sh
@@ -0,0 +1,165 @@
+#!/usr/bin/env sh
+#   Use this script to test if a given TCP host/port are available
+
+set -e
+
+cmdname=$(basename "$0")
+
+echoerr() {
+    if [ "$QUIET" -ne 1 ]; then
+        printf "%s\n" "$*" 1>&2;
+    fi
+}
+
+usage()
+{
+    exitcode="$1"
+    cat << USAGE >&2
+Usage:
+    $cmdname host:port [-s] [-t timeout] [-- command args]
+    -h HOST | --host=HOST       Host or IP under test
+    -p PORT | --port=PORT       TCP port under test
+                                Alternatively, you specify the host and port as host:port
+    -s | --strict               Only execute subcommand if the test succeeds
+    -q | --quiet                Don't output any status messages
+    -t TIMEOUT | --timeout=TIMEOUT
+                                Timeout in seconds, zero for no timeout
+    -- COMMAND ARGS             Execute command with args after the test finishes
+USAGE
+    exit "$exitcode"
+}
+
+wait_for()
+{
+    if [ "$TIMEOUT" -gt 0 ]; then
+        echoerr "$cmdname: waiting $TIMEOUT seconds for $HOST:$PORT"
+    else
+        echoerr "$cmdname: waiting for $HOST:$PORT without a timeout"
+    fi
+    start_ts=$(date +%s)
+    while true
+    do
+        nc -z "$HOST" "$PORT" >/dev/null 2>&1
+        result=$?
+        if [ $result -eq 0 ]; then
+            end_ts=$(date +%s)
+            echoerr "$cmdname: $HOST:$PORT is available after $((end_ts - start_ts)) seconds"
+            break
+        fi
+        sleep 1
+    done
+    return $result
+}
+
+wait_for_wrapper()
+{
+    # In order to support SIGINT during timeout: http://unix.stackexchange.com/a/57692
+    if [ "$QUIET" -eq 1 ]; then
+        timeout "$TIMEOUT" "$0" -q -child "$HOST":"$PORT" -t "$TIMEOUT" &
+    else
+        timeout "$TIMEOUT" "$0" --child "$HOST":"$PORT" -t "$TIMEOUT" &
+    fi
+    PID=$!
+    trap 'kill -INT -$PID' INT
+    wait $PID
+    RESULT=$?
+    if [ $RESULT -ne 0 ]; then
+        echoerr "$cmdname: timeout occurred after waiting $TIMEOUT seconds for $HOST:$PORT"
+    fi
+    return $RESULT
+}
+
+TIMEOUT=15
+STRICT=0
+CHILD=0
+QUIET=0
+# process arguments
+while [ $# -gt 0 ]
+do
+    case "$1" in
+        *:* )
+        HOST=$(printf "%s\n" "$1"| cut -d : -f 1)
+        PORT=$(printf "%s\n" "$1"| cut -d : -f 2)
+        shift 1
+        ;;
+        --child)
+        CHILD=1
+        shift 1
+        ;;
+        -q | --quiet)
+        QUIET=1
+        shift 1
+        ;;
+        -s | --strict)
+        STRICT=1
+        shift 1
+        ;;
+        -h)
+        HOST="$2"
+        if [ "$HOST" = "" ]; then break; fi
+        shift 2
+        ;;
+        --host=*)
+        HOST=$(printf "%s" "$1" | cut -d = -f 2)
+        shift 1
+        ;;
+        -p)
+        PORT="$2"
+        if [ "$PORT" = "" ]; then break; fi
+        shift 2
+        ;;
+        --port=*)
+        PORT="${1#*=}"
+        shift 1
+        ;;
+        -t)
+        TIMEOUT="$2"
+        if [ "$TIMEOUT" = "" ]; then break; fi
+        shift 2
+        ;;
+        --timeout=*)
+        TIMEOUT="${1#*=}"
+        shift 1
+        ;;
+        --)
+        shift
+        break
+        ;;
+        --help)
+        usage 0
+        ;;
+        *)
+        echoerr "Unknown argument: $1"
+        usage 1
+        ;;
+    esac
+done
+
+if [ "$HOST" = "" -o "$PORT" = "" ]; then
+    echoerr "Error: you need to provide a host and port to test."
+    usage 2
+fi
+
+if [ $CHILD -gt 0 ]; then
+    wait_for
+    RESULT=$?
+    exit $RESULT
+else
+    if [ "$TIMEOUT" -gt 0 ]; then
+        wait_for_wrapper
+        RESULT=$?
+    else
+        wait_for
+        RESULT=$?
+    fi
+fi
+
+if [ "$*" != "" ]; then
+    if [ $RESULT -ne 0 -a $STRICT -eq 1 ]; then
+        echoerr "$cmdname: strict mode, refusing to execute subprocess"
+        exit $RESULT
+    fi
+    exec "$@"
+else
+    exit $RESULT
+fi
diff --git a/deploy/image-build.sh b/deploy/image-build.sh
index 0dbf09e..5a1a89e 100755
--- a/deploy/image-build.sh
+++ b/deploy/image-build.sh
@@ -2,15 +2,16 @@
 # RUN IN REPO ROOT DIR !!
 
 export IMAGE_NAME="git.pbiernat.dev/egommerce/api-gateway"
+export BUILD_TIME=$(date +"%Y%m%d%H%M%S")
 
 TARGET=${1:-latest}
 
 echo "Building: $IMAGE_NAME:$TARGET"
 if [ $TARGET = "dev" ]
 then
-    docker build --rm --no-cache -t "$IMAGE_NAME:dev" . # >/dev/null 2>&1
+    docker build --build-arg BUILD_TIME --rm --no-cache -t "$IMAGE_NAME:dev" . # >/dev/null 2>&1
 else
-    docker build --rm --cache-from "$IMAGE_NAME:$TARGET" -t "$IMAGE_NAME:$TARGET" . >/dev/null 2>&1
+    docker build --build-arg BUILD_TIME --rm --cache-from "$IMAGE_NAME:$TARGET" -t "$IMAGE_NAME:$TARGET" . >/dev/null 2>&1
 fi
 
 echo "Done."