diff --git a/caddy/Dockerfile.ratelimit b/caddy/Dockerfile.ratelimit
new file mode 100644
index 0000000..38b47b7
--- /dev/null
+++ b/caddy/Dockerfile.ratelimit
@@ -0,0 +1,18 @@
+# Custom Caddy v2.10.2 image that adds the HTTP rate-limiting module
+# (github.com/mholt/caddy-ratelimit) which is absent from the stock
+# caddy:2.10.2-alpine image. Multi-stage: build the binary with xcaddy, then
+# drop it into the official runtime image so all stock modules/entrypoint and
+# the existing Caddyfile config are preserved unchanged.
+ARG CADDY_VERSION=2.10.2
+
+FROM caddy:${CADDY_VERSION}-builder-alpine AS builder
+ARG CADDY_VERSION
+# Pin the rate-limit module to a known-good commit (master @ 2026-05-21, go.mod
+# requires caddyserver/caddy v2.10.0 -> compatible with v2.10.2).
+RUN xcaddy build "v${CADDY_VERSION}" \
+    --with github.com/mholt/caddy-ratelimit@16aecbbcb8ca07dc1c671e263379606ff9493c55
+
+FROM caddy:${CADDY_VERSION}-alpine
+# Replace only the caddy binary; keep the official image's entrypoint, CA certs,
+# and default config layout intact.
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy