diff --git a/management/Dockerfile.multistage b/management/Dockerfile.multistage
new file mode 100644
index 000000000..619f84615
--- /dev/null
+++ b/management/Dockerfile.multistage
@@ -0,0 +1,17 @@
+FROM golang:1.25-bookworm AS builder
+WORKDIR /app
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y gcc libc6-dev && rm -rf /var/lib/apt/lists/*
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+RUN CGO_ENABLED=1 GOOS=linux go build -ldflags="-s -w" -o netbird-mgmt ./management
+
+FROM ubuntu:24.04
+RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
+ENTRYPOINT [ "/go/bin/netbird-mgmt","management"]
+CMD ["--log-file", "console"]
+COPY --from=builder /app/netbird-mgmt /go/bin/netbird-mgmt
diff --git a/proxy/cmd/proxy/cmd/root.go b/proxy/cmd/proxy/cmd/root.go
index ebb0ff71d..00f41aa50 100644
--- a/proxy/cmd/proxy/cmd/root.go
+++ b/proxy/cmd/proxy/cmd/root.go
@@ -39,9 +39,10 @@ var (
 	addr              string
 	proxyDomain       string
 	certDir           string
-	acmeCerts         bool
-	acmeAddr          string
-	acmeDir           string
+	acmeCerts          bool
+	acmeAddr           string
+	acmeDir            string
+	acmeChallengeType  string
 	debugEndpoint     bool
 	debugEndpointAddr string
 	healthAddr        string
@@ -72,9 +73,10 @@ func init() {
 	rootCmd.Flags().StringVar(&addr, "addr", envStringOrDefault("NB_PROXY_ADDRESS", ":443"), "Reverse proxy address to listen on")
 	rootCmd.Flags().StringVar(&proxyDomain, "domain", envStringOrDefault("NB_PROXY_DOMAIN", ""), "The Domain at which this proxy will be reached. e.g., netbird.example.com")
 	rootCmd.Flags().StringVar(&certDir, "cert-dir", envStringOrDefault("NB_PROXY_CERTIFICATE_DIRECTORY", "./certs"), "Directory to store certificates")
-	rootCmd.Flags().BoolVar(&acmeCerts, "acme-certs", envBoolOrDefault("NB_PROXY_ACME_CERTIFICATES", false), "Generate ACME certificates using HTTP-01 challenges")
-	rootCmd.Flags().StringVar(&acmeAddr, "acme-addr", envStringOrDefault("NB_PROXY_ACME_ADDRESS", ":80"), "HTTP address for ACME HTTP-01 challenges")
+	rootCmd.Flags().BoolVar(&acmeCerts, "acme-certs", envBoolOrDefault("NB_PROXY_ACME_CERTIFICATES", false), "Generate ACME certificates automatically")
+	rootCmd.Flags().StringVar(&acmeAddr, "acme-addr", envStringOrDefault("NB_PROXY_ACME_ADDRESS", ":80"), "HTTP address for ACME HTTP-01 challenges (only used when acme-challenge-type is http-01)")
 	rootCmd.Flags().StringVar(&acmeDir, "acme-dir", envStringOrDefault("NB_PROXY_ACME_DIRECTORY", acme.LetsEncryptURL), "URL of ACME challenge directory")
+	rootCmd.Flags().StringVar(&acmeChallengeType, "acme-challenge-type", envStringOrDefault("NB_PROXY_ACME_CHALLENGE_TYPE", "tls-alpn-01"), "ACME challenge type: tls-alpn-01 (default, port 443 only) or http-01 (requires port 80)")
 	rootCmd.Flags().BoolVar(&debugEndpoint, "debug-endpoint", envBoolOrDefault("NB_PROXY_DEBUG_ENDPOINT", false), "Enable debug HTTP endpoint")
 	rootCmd.Flags().StringVar(&debugEndpointAddr, "debug-endpoint-addr", envStringOrDefault("NB_PROXY_DEBUG_ENDPOINT_ADDRESS", "localhost:8444"), "Address for the debug HTTP endpoint")
 	rootCmd.Flags().StringVar(&healthAddr, "health-addr", envStringOrDefault("NB_PROXY_HEALTH_ADDRESS", "localhost:8080"), "Address for the health probe endpoint (liveness/readiness/startup)")
@@ -151,6 +153,7 @@ func runServer(cmd *cobra.Command, args []string) error {
 		GenerateACMECertificates: acmeCerts,
 		ACMEChallengeAddress:     acmeAddr,
 		ACMEDirectory:            acmeDir,
+		ACMEChallengeType:        acmeChallengeType,
 		DebugEndpointEnabled:     debugEndpoint,
 		DebugEndpointAddress:     debugEndpointAddr,
 		HealthAddress:            healthAddr,
diff --git a/proxy/server.go b/proxy/server.go
index 62c408d31..096e1be5c 100644
--- a/proxy/server.go
+++ b/proxy/server.go
@@ -77,6 +77,9 @@ type Server struct {
 	GenerateACMECertificates bool
 	ACMEChallengeAddress     string
 	ACMEDirectory            string
+	// ACMEChallengeType specifies the ACME challenge type: "http-01" or "tls-alpn-01".
+	// Defaults to "tls-alpn-01" if not specified.
+	ACMEChallengeType string
 	// CertLockMethod controls how ACME certificate locks are coordinated
 	// across replicas. Default: CertLockAuto (detect environment).
 	CertLockMethod   acme.CertLockMethod
@@ -205,17 +208,28 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 	// When generating ACME certificates, start a challenge server.
 	tlsConfig := &tls.Config{}
 	if s.GenerateACMECertificates {
-		s.Logger.WithField("acme_server", s.ACMEDirectory).Debug("ACME certificates enabled, configuring certificate manager")
-		s.acme = acme.NewManager(s.CertificateDirectory, s.ACMEDirectory, s, s.Logger, s.CertLockMethod)
-		s.http = &http.Server{
-			Addr:    s.ACMEChallengeAddress,
-			Handler: s.acme.HTTPHandler(nil),
+		// Default to TLS-ALPN-01 challenge if not specified
+		if s.ACMEChallengeType == "" {
+			s.ACMEChallengeType = "tls-alpn-01"
 		}
-		go func() {
-			if err := s.http.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
-				s.Logger.WithError(err).Error("ACME HTTP-01 challenge server failed")
+		s.Logger.WithFields(log.Fields{
+			"acme_server":    s.ACMEDirectory,
+			"challenge_type": s.ACMEChallengeType,
+		}).Debug("ACME certificates enabled, configuring certificate manager")
+		s.acme = acme.NewManager(s.CertificateDirectory, s.ACMEDirectory, s, s.Logger, s.CertLockMethod)
+
+		// Only start HTTP server for HTTP-01 challenge type
+		if s.ACMEChallengeType == "http-01" {
+			s.http = &http.Server{
+				Addr:    s.ACMEChallengeAddress,
+				Handler: s.acme.HTTPHandler(nil),
 			}
-		}()
+			go func() {
+				if err := s.http.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
+					s.Logger.WithError(err).Error("ACME HTTP-01 challenge server failed")
+				}
+			}()
+		}
 		tlsConfig = s.acme.TLSConfig()
 
 		// ServerName needs to be set to allow for ACME to work correctly
@@ -223,8 +237,9 @@ func (s *Server) ListenAndServe(ctx context.Context, addr string) (err error) {
 		tlsConfig.ServerName = s.ProxyURL
 
 		s.Logger.WithFields(log.Fields{
-			"ServerName": s.ProxyURL,
-		}).Debug("started ACME challenge server")
+			"ServerName":     s.ProxyURL,
+			"challenge_type": s.ACMEChallengeType,
+		}).Debug("ACME certificate manager configured")
 	} else {
 		s.Logger.Debug("ACME certificates disabled, using static certificates with file watching")
 		certPath := filepath.Join(s.CertificateDirectory, s.CertificateFile)