diff --git a/README.md b/README.md
index 68975f92..83a6ee4e 100644
--- a/README.md
+++ b/README.md
@@ -34,4 +34,4 @@ Eth Docker uses a "semver-ish" scheme.
 large.
 - Second through fourth digit, [semver](https://semver.org/).
-This is Eth Docker v2.11.0.1
+This is Eth Docker v2.11.1.0
diff --git a/default.env b/default.env
index d154b8f6..984a7abd 100644
--- a/default.env
+++ b/default.env
@@ -33,6 +33,8 @@ IPV6=false
 # Directory to keep ancient/static data. In use for Reth and Geth, optional.
 # If you use this, make sure to chown the directory to uid 10001
 ANCIENT_DIR=
+# Password for Lighthouse Siren
+SIREN_PASSWORD=
 # Promtail logs label, something unique like the server name
 LOGS_LABEL=eth-docker
@@ -86,8 +88,8 @@ PRYSM_UDP_PORT=9000
 CL_QUIC_PORT=9001
 # Local grafana dashboard port. Do not expose to Internet, it is insecure http
 GRAFANA_PORT=3000
-# Local Siren UI port. Do not expose to Internet, it is insecure http
-SIREN_PORT=8080
+# Local Siren UI port
+SIREN_PORT=2443
 # Prometheus port used when exposing directly on host; used for federation
 PROMETHEUS_PORT=9090
 # Local key manager port. Reachable only via localhost. Also doubles as Prysm web port
@@ -306,4 +308,4 @@ DDNS_TAG=v2
 NODE_EXPORTER_IGNORE_MOUNT_REGEX='^/(dev|proc|sys|run|var/lib/docker/.+)($|/)'
 # Used by ethd update - please do not adjust
-ENV_VERSION=12
+ENV_VERSION=13
diff --git a/ethd b/ethd
index 4b42d23a..f4549fc5 100755
--- a/ethd
+++ b/ethd
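Review bot: The new comment `# Local Siren UI port` in the `-86,8 +88,8` hunk drops the old exposure warning without saying what replaces it. siren.yml in this commit sets `SSL_ENABLED=true` and a session password, so the port is presumably HTTPS guarded by that password; the comment should say so and state whether publishing the port is considered safe, for example `# Local Siren UI port, HTTPS. Access is guarded only by SIREN_PASSWORD; do not expose to the Internet`. The `# Password for Lighthouse Siren` comment in the first default.env hunk could likewise mention that an empty value is filled in by `ethd` with a generated password.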
@@ -965,7 +965,7 @@ envmigrate() {
 PRYSM_UDP_PORT CL_QUIC_PORT GRAFANA_PORT SIREN_PORT PROMETHEUS_PORT KEY_API_PORT TRAEFIK_WEB_PORT \
 TRAEFIK_WEB_HTTP_PORT CL_REST_PORT EL_RPC_PORT EL_WS_PORT EE_PORT ERIGON_TORRENT_PORT LOG_LEVEL JWT_SECRET \
 EL_EXTRAS CL_EXTRAS VC_EXTRAS ARCHIVE_NODE SSV_P2P_PORT SSV_P2P_PORT_UDP ERIGON_P2P_PORT_2 \
- ERIGON_P2P_PORT_3 LODESTAR_HEAP SSV_DKG_PORT )
+ ERIGON_P2P_PORT_3 LODESTAR_HEAP SSV_DKG_PORT SIREN_PASSWORD )
 TARGET_VARS=( ETH_DOCKER_TAG NIM_SRC_BUILD_TARGET NIM_SRC_REPO NIM_DOCKER_TAG NIM_DOCKER_VC_TAG NIM_DOCKER_REPO \
 NIM_DOCKER_VC_REPO NIM_DOCKERFILE TEKU_SRC_BUILD_TARGET TEKU_SRC_REPO TEKU_DOCKER_TAG TEKU_DOCKER_REPO \
 TEKU_DOCKERFILE LH_SRC_BUILD_TARGET LH_SRC_REPO LH_DOCKER_TAG LH_DOCKER_REPO LH_DOCKERFILE \
@@ -985,6 +985,14 @@ envmigrate() {
 OLD_VARS=( )
 NEW_VARS=( )
+# Always make sure we have a SIREN password
+ var="SIREN_PASSWORD"
+ SIREN_PASSWORD=$(sed -n -e "s/^${var}=\(.*\)/\1/p" "${ENV_FILE}" || true)
+ if [ -z "${SIREN_PASSWORD}" ]; then
+ SIREN_PASSWORD=$(head -c 8 /dev/urandom | od -A n -t u8 | tr -d '[:space:]' | sha256sum | head -c 32)
+ set_value_in_env
+ fi
+
 var=ENV_VERSION
 __target_ver=$(sed -n -e "s/^${var}=\(.*\)/\1/p" "default.env" || true)
 __source_ver=$(sed -n -e "s/^${var}=\(.*\)/\1/p" "${ENV_FILE}" || true)
@@ -3192,6 +3200,12 @@ config() {
 var=GETH_DOCKERFILE
 set_value_in_env
 fi
+ var="SIREN_PASSWORD"
+ SIREN_PASSWORD=$(sed -n -e "s/^${var}=\(.*\)/\1/p" "${ENV_FILE}" || true)
+ if [ -z "${SIREN_PASSWORD}" ]; then
+ SIREN_PASSWORD=$(head -c 8 /dev/urandom | od -A n -t u8 | tr -d '[:space:]' | sha256sum | head -c 32)
+ set_value_in_env
+ fi
 ${__as_owner} rm .env.original
diff --git a/siren-shared.yml b/siren-shared.yml
index c5f37da2..1bd7f1ab 100644
--- a/siren-shared.yml
+++ b/siren-shared.yml
@@ -2,4 +2,4 @@ services:
 siren:
 ports:
- - ${SHARE_IP:-}:${SIREN_PORT}:80/tcp
+ - ${SHARE_IP:-}:${SIREN_PORT}:443/tcp
diff --git a/siren.yml b/siren.yml
index 689a6c20..90724f37 100644
--- a/siren.yml
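Review bot: The password generated in the `envmigrate()` hunk at `-985,6 +985,14` carries only 64 bits of randomness, because `head -c 8 /dev/urandom` reads 8 bytes and the `sha256sum | head -c 32` step only stretches that to 32 hex characters without adding entropy. Reading 16 bytes and hex-encoding them directly gives the same length with the full 128 bits: `SIREN_PASSWORD=$(head -c 16 /dev/urandom | od -A n -t x1 | tr -d '[:space:]')`. The identical block is added in the `config()` hunk at `-3192,6 +3200,12`, so the same change applies there, and moving the six lines into one helper would keep the two copies from drifting apart. Both functions start and end outside their hunks, so `set_value_in_env` is assumed to write `${var}` from the shell variable of the same name.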
+++ b/siren.yml
@@ -12,8 +12,19 @@ services:
 restart: "unless-stopped"
 image: ${SIREN_DOCKER_REPO}:${SIREN_DOCKER_TAG}
 volumes:
+ - lhvalidator-data:/var/lib/lighthouse
+ - ./siren/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
 - /etc/localtime:/etc/localtime:ro
+ environment:
+ - BEACON_URL=${CL_NODE}
+ - VALIDATOR_URL=http://vc:7500
+ - SESSION_PASSWORD=${SIREN_PASSWORD}
+ - SSL_ENABLED=true
+ - DEBUG=false
+ - SIREN_PORT=${SIREN_PORT}
 <<: *logging
+ entrypoint:
+ - docker-entrypoint.sh
 labels:
 - traefik.enable=true
 - traefik.http.routers.$(SIREN_HOST:-siren}.service=${SIREN_HOST:-siren}
diff --git a/siren/docker-entrypoint.sh b/siren/docker-entrypoint.sh
new file mode 100755
index 00000000..cc775d8c
--- /dev/null
+++ b/siren/docker-entrypoint.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+if [ ! -f /var/lib/lighthouse/validators/api-token.txt ]; then
+ echo "Validator client API token not found. Waiting 30s before restarting."
+ sleep 30
+ exit 1
+fi
+
+API_TOKEN=$(cat /var/lib/lighthouse/validators/api-token.txt)
+export API_TOKEN
+
+echo "Log into Siren at https://my-node-ip/${SIREN_PORT} with password ${SESSION_PASSWORD}"
+exec /app/docker-assets/docker-entrypoint.sh
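Review bot: The `lhvalidator-data:/var/lib/lighthouse` volume is mounted read-write into the Siren container, although the entrypoint added in this commit only reads `validators/api-token.txt` from it. If that volume also holds the validator client's keys and slashing-protection data, as its name suggests, a flaw in the web UI container would have write access to them. Unless the upstream entrypoint needs to write there, mounting it as `- lhvalidator-data:/var/lib/lighthouse:ro` limits that. The bind-mounted script can be read-only as well: `- ./siren/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro`. The service definition starts and ends outside the hunk.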
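Review bot: The final `echo` in siren/docker-entrypoint.sh writes `${SESSION_PASSWORD}` to the container log on every start, so the secret ends up wherever the service's logging configuration (`<<: *logging` in siren.yml) sends that output. The URL in the same line is also malformed, since the port is appended as a path (`https://my-node-ip/${SIREN_PORT}`) instead of after a colon. Suggested replacement: `echo "Log into Siren at https://my-node-ip:${SIREN_PORT} with the SIREN_PASSWORD value from your env file"`.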