diff --git a/root/defaults/default.conf b/root/defaults/default.conf
index 2b6258a..8bdcaf1 100644
--- a/root/defaults/default.conf
+++ b/root/defaults/default.conf
@@ -48,6 +48,36 @@ server {
         add_header X-Content-Type-Options "nosniff";
     }
   }
+  # Selkies signaling-server (upstream selkies, src/selkies/signaling_server.py)
+  # exposes a few HTTP endpoints next to the WebSocket upgrade handler:
+  # /turn returns the TURN/STUN config as JSON, and any path ending in
+  # /signaling is upgraded to a WebSocket for the WebRTC peer-handshake.
+  # The selkies-dashboard frontend connects to /webrtc/signaling/ when the
+  # streamMode is "webrtc", and fetches /turn for TURN credentials.
+  location SUBFOLDERturn {
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+    proxy_http_version      1.1;
+    proxy_buffering         off;
+    proxy_pass              http://127.0.0.1:CWS;
+  }
+  location ~ ^SUBFOLDERwebrtc/signaling/?$ {
+    proxy_set_header        Upgrade $http_upgrade;
+    proxy_set_header        Connection "upgrade";
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+    proxy_http_version      1.1;
+    proxy_read_timeout      3600s;
+    proxy_send_timeout      3600s;
+    proxy_connect_timeout   3600s;
+    proxy_buffering         off;
+    client_max_body_size    10M;
+    proxy_pass              http://127.0.0.1:CWS;
+  }
   error_page 500 502 503 504 /50x.html;
   location = SUBFOLDER50x.html {
     root /usr/share/selkies/web/;
@@ -106,6 +136,36 @@ server {
         add_header X-Content-Type-Options "nosniff";
     }
   } 
+  # Selkies signaling-server (upstream selkies, src/selkies/signaling_server.py)
+  # exposes a few HTTP endpoints next to the WebSocket upgrade handler:
+  # /turn returns the TURN/STUN config as JSON, and any path ending in
+  # /signaling is upgraded to a WebSocket for the WebRTC peer-handshake.
+  # The selkies-dashboard frontend connects to /webrtc/signaling/ when the
+  # streamMode is "webrtc", and fetches /turn for TURN credentials.
+  location SUBFOLDERturn {
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+    proxy_http_version      1.1;
+    proxy_buffering         off;
+    proxy_pass              http://127.0.0.1:CWS;
+  }
+  location ~ ^SUBFOLDERwebrtc/signaling/?$ {
+    proxy_set_header        Upgrade $http_upgrade;
+    proxy_set_header        Connection "upgrade";
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+    proxy_http_version      1.1;
+    proxy_read_timeout      3600s;
+    proxy_send_timeout      3600s;
+    proxy_connect_timeout   3600s;
+    proxy_buffering         off;
+    client_max_body_size    10M;
+    proxy_pass              http://127.0.0.1:CWS;
+  }
   error_page 500 502 503 504 /50x.html;
   location = SUBFOLDER50x.html {
     root /usr/share/selkies/web/;