diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 0ceacca..fe7205a 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -3,81 +3,127 @@ # server 127.0.0.1:8080; # server 172.18.10.8:8080; # } + server { listen 80; - server_name comp.soict.io; + server_name comp.soict.io; location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { - # root /usr/share/nginx/html; - # index index.html index.htm; return 301 https://$host$request_uri; } } -server{ +server { listen 443 ssl; server_name comp.soict.io; + ssl_certificate /etc/letsencrypt/live/comp.soict.io/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/comp.soict.io/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; - + + # MeshCentral proxied flow can set sizable auth cookies. + client_header_buffer_size 16k; + large_client_header_buffers 8 32k; + + # Required when proxy_pass uses variables. + # In Docker, 127.0.0.11 is the embedded DNS resolver. + resolver 127.0.0.11 valid=30s ipv6=off; + resolver_timeout 5s; + set $backend_server 172.18.10.8:8080; - set $meshserver 172.18.10.8:8082; - # MeshCentral traffic should go through backend proxy controller - # (api/meshcentral/proxy/*) for consistent auth/cookie/header handling. - + # Internal MeshCentral hop to avoid upstream TLS handshake instability. + set $meshserver meshcentral:8082; + # Public host MeshCentral expects in Host header. + set $meshhost soict-overleaf.tailc51e09.ts.net; + root /usr/share/nginx/html; - # Default file to serve for directory requests index index.html index.htm; - - location / { - # Try to serve the requested file directly ($uri) - # If it's a directory, try serving the index file ($uri/) - # If neither exists, fall back to serving /index.html + + # MeshCentral auth entrypoint. If iframe/browser lands on /login due to + # redirect, keep it on MeshCentral instead of frontend routing. 
+ location = /login { + proxy_pass http://$meshserver; + + proxy_http_version 1.1; + proxy_set_header Host $meshhost; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + + proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None"; + proxy_read_timeout 3600s; + proxy_send_timeout 3600s; + proxy_buffering off; + } + + # MeshCentral may redirect to "/" with remote params after login. + # Detect those requests and proxy them to MeshCentral instead of SPA. + location = / { + if ($arg_node != "") { + rewrite ^ /__mesh_root_proxy__ last; + } + + if ($arg_viewmode != "") { + rewrite ^ /__mesh_root_proxy__ last; + } + + if ($arg_gotonode != "") { + rewrite ^ /__mesh_root_proxy__ last; + } + + try_files $uri $uri/ /index.html; + } + + location = /__mesh_root_proxy__ { + proxy_pass http://$meshserver; + + proxy_http_version 1.1; + proxy_set_header Host $meshhost; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + + proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None"; + proxy_read_timeout 3600s; + proxy_send_timeout 3600s; + proxy_buffering off; + } + + location / { try_files $uri $uri/ /index.html; } - # Optional: Add cache control headers for static assets for better performance location ~* \.(?:css|js|jpg|jpeg|gif|png|ico|svg|webp)$ { expires 1y; add_header Cache-Control "public"; - access_log off; # Optional: Don't log accesses for static files + access_log off; } location /api/ { proxy_pass http://$backend_server; - # Cho phép upload file lớn (vd: 200MB) client_max_body_size 200M; - - # Truyền thẳng stream sang backend proxy_request_buffering off; - - # Tăng timeout khi upload proxy_read_timeout 300s; proxy_connect_timeout 300s; proxy_send_timeout 300s; - # CORS headers - Comment vi 
da xu ly o backend C# - # add_header 'Access-Control-Allow-Origin' '*' always; - # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always; - # add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization' always; - if ($request_method = OPTIONS) { return 204; } } + location /api/Sse/events { proxy_pass http://$backend_server/api/Sse/events; proxy_http_version 1.1; - # cần thiết cho SSE proxy_set_header Connection ''; proxy_buffering off; proxy_cache off; @@ -85,18 +131,15 @@ server{ } # MeshCentral client builds WebSocket URL from current location, - # e.g. wss://comp.soict.io/control.ashx. Route these root endpoints - # to meshserver so browser URL stays on comp.soict.io while upstream - # is forced to 172.18.10.8:8082. + # e.g. wss://comp.soict.io/control.ashx. location ~ ^/(control|meshrelay|commander|mesh)\.ashx$ { - proxy_pass https://$meshserver; - proxy_ssl_verify off; + proxy_pass http://$meshserver; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; + proxy_set_header Host $meshhost; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; 
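Review bot: `location = /__mesh_root_proxy__` is reachable by a direct client request as well as through the three `rewrite ^ /__mesh_root_proxy__ last;` lines in `location = /`; because `rewrite ... last` produces an internal request, adding `internal;` as the first directive of that block keeps the synthetic path private and answers external requests for it with 404. The collapsed hunk also reads as dropping `ssl_protocols TLSv1.2 TLSv1.3;` (the `-` marker sits directly before it); if that directive really leaves the new side, the accepted protocol set falls back to the nginx build default, which on older releases still includes TLSv1 and TLSv1.1, so it should be restored explicitly. Finally, `proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None"` only rewrites cookies whose Path attribute is exactly `/`; a Set-Cookie without a Path gains no flags, whereas `proxy_cookie_flags ~ secure httponly samesite=none;` (nginx 1.19.3+) applies them to every cookie. The 443 `server` block continues past the end of this hunk.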
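Review bot: The WebSocket location `~ ^/(control|meshrelay|commander|mesh)\.ashx$` shows no `proxy_read_timeout` in the hunk, while the MeshCentral locations added earlier in this diff set `proxy_read_timeout 3600s;`; if none is set in the rest of the block (which continues past the hunk), idle control and relay sockets are closed after nginx's 60s default. For consistency with the `/login` block, add `proxy_read_timeout 3600s;` and `proxy_send_timeout 3600s;` next to the Upgrade headers. Those sibling blocks also send `proxy_set_header X-Forwarded-Host $host;`, which does not appear in the visible lines of this one.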
@@ -112,18 +155,22 @@ server{ } location ^~ /api/meshcentral/proxy/ { - # Forward to backend MeshCentralProxyController (api/meshcentral/proxy/*) - # so backend can handle MeshCentral auth/session consistently. - proxy_pass http://$backend_server; + # Forward directly to MeshCentral, but strip proxy prefix first. + # Without this, upstream sees /api/meshcentral/proxy/* and can redirect-loop. + rewrite ^/api/meshcentral/proxy/(.*)$ /$1 break; + proxy_pass http://$meshserver; proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None"; - proxy_set_header Host $host; + proxy_set_header Host $meshhost; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; - # Cấu hình WebSocket/SSE cho MeshCentral + # Keep browser navigation under /api/meshcentral/proxy/*. + proxy_redirect ~^https?://[^/]+(/.*)$ /api/meshcentral/proxy$1; + proxy_redirect ~^(/.*)$ /api/meshcentral/proxy$1; + proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -137,7 +184,7 @@ server{ return 301 /meshapi/api/meshcentral/proxy/; } - location ^~ /meshapi/api/meshcentral/proxy/ { + location ^~ /meshapi/api/meshcentral/proxy/ { # Legacy frontend path -> backend MeshCentralProxyController rewrite ^/meshapi/api/meshcentral/proxy/(.*)$ /$1 break; proxy_pass http://$backend_server;
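Review bot: `proxy_redirect ~^https?://[^/]+(/.*)$ /api/meshcentral/proxy$1;` folds every absolute Location header under the proxy prefix whatever host it names, so a redirect MeshCentral issues to some other site would be turned into a path on this server. If MeshCentral only ever redirects to itself, anchoring the host part to the names this config already uses, `proxy_redirect ~^https?://(?:soict-overleaf\.tailc51e09\.ts\.net|comp\.soict\.io)(/.*)$ /api/meshcentral/proxy$1;`, leaves third-party redirects intact; I believe the regex in `proxy_redirect` is compiled at startup and cannot reference `$meshhost`, so literals are needed there. The closing part of this location lies outside the hunk.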