diff --git a/setup_nginx_proxy.sh b/setup_nginx_proxy.sh
index 3f2a84b..41b4209 100755
--- a/setup_nginx_proxy.sh
+++ b/setup_nginx_proxy.sh
@@ -8,6 +8,8 @@ set -Eeuo pipefail
 # für eine neue n8n-Instanz über die OPNsense API.
 # =============================================================================
 
+SCRIPT_VERSION="1.0.8"
+
 # Debug mode: 0 = nur JSON, 1 = Logs auf stderr
 DEBUG="${DEBUG:-0}"
 export DEBUG
@@ -29,7 +31,9 @@ die() {
 # Default Configuration
 # =============================================================================
 # OPNsense kann über Hostname ODER IP angesprochen werden
+# Port 4444 ist der Standard-Port für die OPNsense WebUI/API
 OPNSENSE_HOST="${OPNSENSE_HOST:-192.168.45.1}"
+OPNSENSE_PORT="${OPNSENSE_PORT:-4444}"
 OPNSENSE_API_KEY="${OPNSENSE_API_KEY:-cUUs80IDkQelMJVgAVK2oUoDHrQf+cQPwXoPKNd3KDIgiCiEyEfMq38UTXeY5/VO/yWtCC7k9Y9kJ0Pn}"
 OPNSENSE_API_SECRET="${OPNSENSE_API_SECRET:-2egxxFYCAUjBDp0OrgbJO3NBZmR4jpDm028jeS8Nq8OtCGu/0lAxt4YXWXbdZjcFVMS0Nrhru1I2R1si}"
 
@@ -54,6 +58,7 @@ Required options (for proxy setup):
 
 Optional:
   --opnsense-host <ip>     OPNsense IP or hostname (default: 192.168.45.1)
+  --opnsense-port <port>   OPNsense WebUI/API port (default: 4444)
   --certificate-uuid <uuid> UUID of the SSL certificate in OPNsense
   --list-certificates      List available certificates and exit
   --test-connection        Test API connection and exit
@@ -98,6 +103,7 @@ while [[ $# -gt 0 ]]; do
     --backend-ip) BACKEND_IP="${2:-}"; shift 2 ;;
     --backend-port) BACKEND_PORT="${2:-}"; shift 2 ;;
     --opnsense-host) OPNSENSE_HOST="${2:-}"; shift 2 ;;
+    --opnsense-port) OPNSENSE_PORT="${2:-}"; shift 2 ;;
     --certificate-uuid) CERTIFICATE_UUID="${2:-}"; shift 2 ;;
     --list-certificates) LIST_CERTIFICATES="1"; shift 1 ;;
     --test-connection) TEST_CONNECTION="1"; shift 1 ;;
@@ -110,7 +116,7 @@ done
 # =============================================================================
 # API Base URL (nach Argument-Parsing setzen!)
 # =============================================================================
-API_BASE="https://${OPNSENSE_HOST}/api"
+API_BASE="https://${OPNSENSE_HOST}:${OPNSENSE_PORT}/api"
 
 # =============================================================================
 # API Helper Functions (MÜSSEN VOR list_certificates definiert werden!)
@@ -128,28 +134,94 @@ api_request() {
   info "API ${method} ${url}"
   
   local response
+  local http_code
+  
   if [[ -n "$data" ]]; then
-    response=$(curl -s -k -X "${method}" \
+    response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \
       -u "${auth}" \
       -H "Content-Type: application/json" \
       -d "${data}" \
       "${url}" 2>&1)
   else
-    response=$(curl -s -k -X "${method}" \
+    response=$(curl -s -k -w "\n%{http_code}" -X "${method}" \
       -u "${auth}" \
       "${url}" 2>&1)
   fi
   
+  # Extract HTTP code from last line
+  http_code=$(echo "$response" | tail -n1)
+  response=$(echo "$response" | sed '$d')
+  
+  # Check for permission errors
+  if [[ "$http_code" == "401" ]]; then
+    warn "API Error 401: Unauthorized - Check API key and secret"
+  elif [[ "$http_code" == "403" ]]; then
+    warn "API Error 403: Forbidden - API user lacks permission for ${endpoint}"
+  elif [[ "$http_code" == "404" ]]; then
+    warn "API Error 404: Not Found - Endpoint ${endpoint} does not exist"
+  elif [[ "$http_code" -ge 400 ]]; then
+    warn "API Error ${http_code} for ${endpoint}"
+  fi
+  
   echo "$response"
 }
 
+# Check API response for errors and return status
+# Usage: if check_api_response "$response" "endpoint_name"; then ... fi
+check_api_response() {
+  local response="$1"
+  local endpoint_name="$2"
+  
+  # Check for JSON error responses
+  local status
+  status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'ok'))" 2>/dev/null || echo "ok")
+  
+  if [[ "$status" == "403" ]]; then
+    die "Permission denied for ${endpoint_name}. Please add the required API permission in OPNsense: System > Access > Users > [API User] > Effective Privileges"
+  elif [[ "$status" == "401" ]]; then
+    die "Authentication failed for ${endpoint_name}. Check your API key and secret."
+  fi
+  
+  # Check for validation errors
+  local validation_error
+  validation_error=$(echo "$response" | python3 -c "
+import json,sys
+try:
+    d=json.load(sys.stdin)
+    if 'validations' in d and d['validations']:
+        for field, errors in d['validations'].items():
+            print(f'{field}: {errors}')
+except:
+    pass
+" 2>/dev/null || true)
+  
+  if [[ -n "$validation_error" ]]; then
+    warn "Validation errors: ${validation_error}"
+    return 1
+  fi
+  
+  # Check for result status
+  local result
+  result=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('result', 'unknown'))" 2>/dev/null || echo "unknown")
+  
+  if [[ "$result" == "failed" ]]; then
+    local message
+    message=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('message', 'Unknown error'))" 2>/dev/null || echo "Unknown error")
+    warn "API operation failed: ${message}"
+    return 1
+  fi
+  
+  return 0
+}
+
 # Search for existing item by description
+# OPNsense NGINX API uses "search<Type>" format, e.g., searchUpstreamServer
 search_by_description() {
-  local endpoint="$1"
+  local search_endpoint="$1"
   local description="$2"
   
   local response
-  response=$(api_request "GET" "${endpoint}/search")
+  response=$(api_request "GET" "${search_endpoint}")
   
   # Extract UUID where description matches
   echo "$response" | python3 -c "
@@ -166,29 +238,22 @@ except:
 " 2>/dev/null || true
 }
 
-# Find certificate by Common Name (CN)
-find_certificate_by_cn() {
-  local cn_pattern="$1"
+# Search for existing HTTP Server by servername
+# HTTP Servers don't have a description field, they use servername
+search_http_server_by_servername() {
+  local servername="$1"
   
   local response
-  response=$(api_request "GET" "/trust/cert/search")
+  response=$(api_request "GET" "/nginx/settings/searchHttpServer")
   
-  # Extract UUID where CN contains the pattern (for wildcard certs)
+  # Extract UUID where servername matches
   echo "$response" | python3 -c "
 import json, sys
-pattern = '${cn_pattern}'
 try:
     data = json.load(sys.stdin)
     rows = data.get('rows', [])
     for row in rows:
-        cn = row.get('cn', '')
-        descr = row.get('descr', '')
-        # Match wildcard or exact domain
-        if pattern in cn or pattern in descr:
-            print(row.get('uuid', ''))
-            sys.exit(0)
-        # Also check for wildcard pattern
-        if cn.startswith('*.') and pattern.endswith(cn[2:]):
+        if row.get('servername', '') == '${servername}':
             print(row.get('uuid', ''))
             sys.exit(0)
 except:
@@ -196,36 +261,115 @@ except:
 " 2>/dev/null || true
 }
 
+# Find certificate by Common Name (CN) or Description
+# Returns the certificate ID used by NGINX API (not the full UUID)
+find_certificate_by_cn() {
+  local cn_pattern="$1"
+  
+  # First, get the certificate list from the HTTP Server schema
+  # This gives us the correct certificate IDs that NGINX expects
+  local response
+  response=$(api_request "GET" "/nginx/settings/getHttpServer")
+  
+  # Extract certificate ID where description contains the pattern
+  echo "$response" | python3 -c "
+import json, sys
+pattern = '${cn_pattern}'.lower()
+try:
+    data = json.load(sys.stdin)
+    certs = data.get('httpserver', {}).get('certificate', {})
+    for cert_id, cert_info in certs.items():
+        if cert_id:  # Skip empty key
+            value = cert_info.get('value', '').lower()
+            if pattern in value:
+                print(cert_id)
+                sys.exit(0)
+except Exception as e:
+    print(f'Error: {e}', file=sys.stderr)
+" 2>/dev/null || true
+}
+
 # =============================================================================
 # Utility Functions
 # =============================================================================
 
 # Test API connection
 test_connection() {
-  info "Testing API connection to OPNsense at ${OPNSENSE_HOST}..."
+  info "Testing API connection to OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..."
   
+  echo "Testing various API endpoints..."
+  echo ""
+  
+  # Test 1: Firmware status (general API access)
+  echo "1. Testing /core/firmware/status..."
   local response
   response=$(api_request "GET" "/core/firmware/status")
-  
-  if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'status' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
-    echo "✓ API connection successful to ${OPNSENSE_HOST}"
-    echo "Response: $(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(json.dumps(d, indent=2)[:500])" 2>/dev/null || echo "$response")"
-    return 0
+  if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'product' in d or 'connection' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
+    echo "   ✓ Firmware API: OK"
   else
-    echo "✗ API connection failed to ${OPNSENSE_HOST}"
-    echo "Response: $response"
-    return 1
+    echo "   ✗ Firmware API: FAILED"
+    echo "   Response: $response"
   fi
+  
+  # Test 2: NGINX settings (required for this script)
+  echo ""
+  echo "2. Testing /nginx/settings/searchHttpServer..."
+  response=$(api_request "GET" "/nginx/settings/searchHttpServer")
+  if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
+    echo "   ✓ NGINX HTTP Server API: OK"
+    local count
+    count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?")
+    echo "   Found ${count} HTTP Server(s)"
+  else
+    echo "   ✗ NGINX HTTP Server API: FAILED"
+    echo "   Response: $response"
+  fi
+  
+  # Test 3: NGINX upstream servers
+  echo ""
+  echo "3. Testing /nginx/settings/searchUpstreamServer..."
+  response=$(api_request "GET" "/nginx/settings/searchUpstreamServer")
+  if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d or 'rowCount' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
+    echo "   ✓ NGINX Upstream Server API: OK"
+    local count
+    count=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('rowCount', len(d.get('rows', []))))" 2>/dev/null || echo "?")
+    echo "   Found ${count} Upstream Server(s)"
+  else
+    echo "   ✗ NGINX Upstream Server API: FAILED"
+    echo "   Response: $response"
+  fi
+  
+  # Test 4: Trust/Certificates (optional)
+  echo ""
+  echo "4. Testing /trust/cert/search (optional)..."
+  response=$(api_request "GET" "/trust/cert/search")
+  if echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print('OK' if 'rows' in d else 'FAIL')" 2>/dev/null | grep -q "OK"; then
+    echo "   ✓ Trust/Cert API: OK"
+  else
+    local status
+    status=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('status', 'unknown'))" 2>/dev/null || echo "unknown")
+    if [[ "$status" == "403" ]]; then
+      echo "   ⚠ Trust/Cert API: 403 Forbidden (API user needs 'System: Trust: Certificates' permission)"
+      echo "   Note: You can still use --certificate-uuid to specify the certificate manually"
+    else
+      echo "   ✗ Trust/Cert API: FAILED"
+      echo "   Response: $response"
+    fi
+  fi
+  
+  echo ""
+  echo "Connection test complete."
+  return 0
 }
 
 # List available certificates
 list_certificates() {
-  info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}..."
+  info "Fetching available certificates from OPNsense at ${OPNSENSE_HOST}:${OPNSENSE_PORT}..."
   
   local response
   response=$(api_request "GET" "/trust/cert/search")
   
-  echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}):"
+  echo "Available SSL Certificates in OPNsense (${OPNSENSE_HOST}:${OPNSENSE_PORT}):"
   echo "============================================================"
   echo "$response" | python3 -c "
 import json, sys
@@ -272,12 +416,13 @@ fi
 [[ -n "$FQDN" ]] || die "--fqdn is required"
 [[ -n "$BACKEND_IP" ]] || die "--backend-ip is required"
 
+info "Script Version: ${SCRIPT_VERSION}"
 info "Configuration:"
 info "  CTID: ${CTID}"
 info "  Hostname: ${HOSTNAME}"
 info "  FQDN: ${FQDN}"
 info "  Backend: ${BACKEND_IP}:${BACKEND_PORT}"
-info "  OPNsense: ${OPNSENSE_HOST}"
+info "  OPNsense: ${OPNSENSE_HOST}:${OPNSENSE_PORT}"
 info "  Certificate UUID: ${CERTIFICATE_UUID:-auto-detect}"
 
 # =============================================================================
@@ -294,8 +439,10 @@ create_upstream_server() {
   
   # Check if upstream server already exists
   local existing_uuid
-  existing_uuid=$(search_by_description "/nginx/settings/upstream_server" "${description}")
+  existing_uuid=$(search_by_description "/nginx/settings/searchUpstreamServer" "${description}")
   
+  # Note: OPNsense API expects specific values
+  # no_use: empty string means "use this server" (not "0")
   local data
   data=$(cat <<EOF
 {
@@ -306,8 +453,7 @@ create_upstream_server() {
     "priority": "1",
     "max_conns": "",
     "max_fails": "",
-    "fail_timeout": "",
-    "no_use": "0"
+    "fail_timeout": ""
   }
 }
 EOF
@@ -320,7 +466,21 @@ EOF
   else
     info "Creating new Upstream Server..."
     response=$(api_request "POST" "/nginx/settings/addUpstreamServer" "$data")
-    existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
+    info "API Response: ${response}"
+    # OPNsense returns {"uuid":"xxx"} or {"result":"saved","uuid":"xxx"}
+    existing_uuid=$(echo "$response" | python3 -c "
+import json,sys
+try:
+    d = json.load(sys.stdin)
+    # Try different response formats
+    uuid = d.get('uuid', '')
+    if not uuid and 'rows' in d:
+        # Sometimes returns in rows format
+        uuid = d['rows'][0].get('uuid', '') if d['rows'] else ''
+    print(uuid)
+except Exception as e:
+    print('', file=sys.stderr)
+" 2>/dev/null || true)
   fi
   
   info "Upstream Server UUID: ${existing_uuid}"
@@ -336,7 +496,7 @@ create_upstream() {
   
   # Check if upstream already exists
   local existing_uuid
-  existing_uuid=$(search_by_description "/nginx/settings/upstream" "${description}")
+  existing_uuid=$(search_by_description "/nginx/settings/searchUpstream" "${description}")
   
   local data
   data=$(cat <<EOF
@@ -379,7 +539,7 @@ create_location() {
   
   # Check if location already exists
   local existing_uuid
-  existing_uuid=$(search_by_description "/nginx/settings/location" "${description}")
+  existing_uuid=$(search_by_description "/nginx/settings/searchLocation" "${description}")
   
   local data
   data=$(cat <<EOF
@@ -439,9 +599,9 @@ create_http_server() {
   
   info "Step 4: Creating HTTP Server..."
   
-  # Check if HTTP server already exists
+  # Check if HTTP server already exists (by servername, not description)
   local existing_uuid
-  existing_uuid=$(search_by_description "/nginx/settings/http_server" "${description}")
+  existing_uuid=$(search_http_server_by_servername "${server_name}")
   
   # Determine certificate configuration
   local cert_config=""
@@ -457,37 +617,49 @@ create_http_server() {
     info "Using ACME/Let's Encrypt for certificate"
   fi
   
+  # HTTP Server configuration
+  # Note: API uses "httpserver" not "http_server"
+  # Required fields based on API schema
+  # listen_http_address: "80" and listen_https_address: "443" for standard ports
   local data
-  data=$(cat <<EOF
+  if [[ -n "$cert_uuid" ]]; then
+    data=$(cat <<EOF
 {
-  "http_server": {
-    "description": "${description}",
+  "httpserver": {
     "servername": "${server_name}",
-    "listen_http_address": "",
-    "listen_http_port": "",
-    "listen_https_address": "",
-    "listen_https_port": "443",
+    "listen_http_address": "80",
+    "listen_https_address": "443",
     "locations": "${location_uuid}",
-    "rewrites": "",
-    "root": "",
-    ${cert_config}
-    "ca": "",
-    "verify_client": "",
-    "access_log_format": "",
-    "enable_acme_plugin": "${acme_config}",
-    "charset": "",
+    "certificate": "${cert_uuid}",
+    "verify_client": "off",
+    "access_log_format": "main",
     "https_only": "1",
-    "block_nonpublic_data": "0",
-    "naxsi_extensive_log": "0",
-    "sendfile": "1",
-    "security_header": "",
-    "limit_request_connections": "",
-    "limit_request_connections_burst": "",
-    "limit_request_connections_nodelay": "0"
+    "http2": "1",
+    "sendfile": "1"
   }
 }
 EOF
 )
+  else
+    # Without certificate, enable ACME support
+    data=$(cat <<EOF
+{
+  "httpserver": {
+    "servername": "${server_name}",
+    "listen_http_address": "80",
+    "listen_https_address": "443",
+    "locations": "${location_uuid}",
+    "enable_acme_support": "1",
+    "verify_client": "off",
+    "access_log_format": "main",
+    "https_only": "1",
+    "http2": "1",
+    "sendfile": "1"
+  }
+}
+EOF
+)
+  fi
   
   local response
   if [[ -n "$existing_uuid" ]]; then
@@ -496,7 +668,8 @@ EOF
   else
     info "Creating new HTTP Server..."
     response=$(api_request "POST" "/nginx/settings/addHttpServer" "$data")
-    existing_uuid=$(echo "$response" | python3 -c "import json,sys; print(json.load(sys.stdin).get('uuid',''))" 2>/dev/null || true)
+    info "API Response: ${response}"
+    existing_uuid=$(echo "$response" | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('uuid',''))" 2>/dev/null || true)
   fi
   
   info "HTTP Server UUID: ${existing_uuid}"