diff --git a/roles/drawio/defaults/main.yml b/roles/drawio/defaults/main.yml
index 2b2b758..22b9238 100644
--- a/roles/drawio/defaults/main.yml
+++ b/roles/drawio/defaults/main.yml
@@ -11,6 +11,10 @@ drawio_docker_compose_dir: "{{ docker_compose_base_dir }}/{{ drawio_service_name
 
 # Service configuration
 drawio_domain: "drawio.local.test"
+# Additional hostnames the same drawio container should answer on
+# (e.g. an internal *.int.* FQDN so a DMZ reverseproxy can reach
+# drawio via a backend hostname covered by the local traefik cert).
+drawio_extra_domains: []
 drawio_image: "jgraph/drawio:latest"
 drawio_port: 8080
 drawio_extra_hosts: []
diff --git a/roles/drawio/templates/docker-compose.yml.j2 b/roles/drawio/templates/docker-compose.yml.j2
index c9b0c9a..65eb396 100644
--- a/roles/drawio/templates/docker-compose.yml.j2
+++ b/roles/drawio/templates/docker-compose.yml.j2
@@ -14,7 +14,7 @@ services:
     labels:
       - traefik.enable=true
       - traefik.docker.network={{ drawio_traefik_network }}
-      - traefik.http.routers.{{ drawio_service_name }}.rule=Host(`{{ drawio_domain }}`)
+      - traefik.http.routers.{{ drawio_service_name }}.rule={% set _all_domains = [drawio_domain] + (drawio_extra_domains | default([])) %}{% for d in _all_domains %}Host(`{{ d }}`){% if not loop.last %} || {% endif %}{% endfor +%}
       - traefik.http.services.{{ drawio_service_name }}.loadbalancer.server.port={{ drawio_port }}
 {% if drawio_use_ssl %}
       - traefik.http.routers.{{ drawio_service_name }}.entrypoints=websecure