diff --git a/modules/nginx.nix b/modules/nginx.nix
index 4285db1..6cd620c 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -395,32 +395,29 @@ in
         enableACME = true;
         forceSSL = true;
 
+        # lk-jwt-service (handles its own CORS)
         locations."~ ^(/sfu/get|/healthz)" = {
           priority = 400;
           proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}";
           extraConfig = ''
             proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
-
-            add_header Access-Control-Allow-Origin "*" always;
-            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
-            add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
-
-            if ($request_method = OPTIONS) {
-              return 204;
-            }
           '';
         };
 
+        # livekit
         locations."/" = {
           proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}";
           proxyWebsockets = true;
           extraConfig = ''
-            proxy_send_timeout 120;
-            proxy_read_timeout 120;
-            proxy_buffering off;
-            proxy_set_header Accept-Encoding gzip;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 300;
+            proxy_send_timeout 300;
           '';
         };
       };