diff --git a/service-configs.nix b/service-configs.nix
index 77fecca..6623924 100644
--- a/service-configs.nix
+++ b/service-configs.nix
@@ -68,10 +68,6 @@ rec {
         port = 64738;
         proto = "both";
       };
-      traccar_tracking = {
-        port = 5056;
-        proto = "tcp";
-      };
     };
 
     # Ports bound to localhost / VPN only. The flake asserts none of
@@ -205,6 +201,10 @@ rec {
         port = 8082;
         proto = "tcp";
       };
+      traccar_tracking = {
+        port = 5056;
+        proto = "tcp";
+      };
     };
   };
 
diff --git a/services/traccar.nix b/services/traccar.nix
index bf35026..36f7b71 100644
--- a/services/traccar.nix
+++ b/services/traccar.nix
@@ -12,10 +12,6 @@
     (lib.serviceFilePerms "traccar" [
       "Z /var/lib/traccar 0700 traccar traccar"
     ])
-    (lib.mkCaddyReverseProxy {
-      subdomain = "traccar";
-      port = service_configs.ports.private.traccar_web.port;
-    })
   ];
 
   users.users.traccar = {
@@ -63,7 +59,7 @@
       # Only enable OsmAnd protocol (phone app). Prevents Traccar from
       # opening 200+ default protocol ports that conflict with other services.
       protocols.enable = "osmand";
-      osmand.port = toString service_configs.ports.public.traccar_tracking.port;
+      osmand.port = toString service_configs.ports.private.traccar_tracking.port;
     };
   };
 
@@ -78,8 +74,11 @@
     };
   };
 
-  # OsmAnd tracking port must be reachable from the internet for the phone app
-  networking.firewall.allowedTCPPorts = [
-    service_configs.ports.public.traccar_tracking.port
-  ];
+  # Route tracking requests (OsmAnd protocol) through Caddy for TLS.
+  # The phone app connects via HTTPS instead of a separate plain port.
+  services.caddy.virtualHosts."${service_configs.traccar.domain}".extraConfig = ''
+    @tracking query id=*
+    reverse_proxy @tracking :${toString service_configs.ports.private.traccar_tracking.port}
+    reverse_proxy :${toString service_configs.ports.private.traccar_web.port}
+  '';
 }
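Review bot: The `@tracking query id=*` matcher in the new Caddy block sends every request that carries an `id` query parameter to the OsmAnd listener, which is broader than the phone app's traffic and would also divert any web UI or API call that passes `id` as a query parameter; narrowing the named matcher with a block that combines `path /` and `query id=*` keeps the web service reachable while still covering the tracking requests (confirm the path the app is configured to post to). The firewall entry is dropped and the port moves to the `private` set in service-configs.nix, whose comment says those ports are bound to localhost or the VPN, but nothing in this hunk sets a bind address for the OsmAnd listener, so the port is closed only by the firewall default — worth a comment saying so next to `osmand.port`, or a loopback bind if Traccar's settings allow one. The removed `lib.mkCaddyReverseProxy` call was keyed on `subdomain = "traccar"` while the replacement keys the virtual host on `service_configs.traccar.domain`; verify both resolve to the same host so the web UI does not lose its vhost. The module's attribute set starts outside the hunk.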