diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 4d45f16..0e31797 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -154,10 +154,12 @@ server {
         return 301 /api/meshcentral/proxy/;
     }
 
-    location ~ ^/api/meshcentral/proxy/(.*)$ {
-        # Forward directly to MeshCentral via Tailscale HTTPS so MeshCentral receives
-        # requests over TLS and generates correct absolute URLs based on $meshhost.
-        proxy_pass https://soict-overleaf.tailc51e09.ts.net:8443/$1$is_args$args;
+    # ^~ prefix match takes priority over ALL regex locations (including the
+    # static-asset cache rule below).  Nginx strips /api/meshcentral/proxy/ from
+    # the URI and appends the remainder to the proxy URL, so
+    # /api/meshcentral/proxy/styles/style.css → soict-overleaf:8443/styles/style.css.
+    location ^~ /api/meshcentral/proxy/ {
+        proxy_pass https://soict-overleaf.tailc51e09.ts.net:8443/;
         proxy_ssl_verify off;
         proxy_ssl_server_name on;
         proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";
@@ -168,7 +170,6 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Host $host;
 
-        # Keep browser navigation under /api/meshcentral/proxy/*.
         proxy_redirect ~^https?://[^/]+(/.*)$ /api/meshcentral/proxy$1;
         proxy_redirect ~^(/.*)$ /api/meshcentral/proxy$1;