diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 7830458..4589713 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -32,23 +32,16 @@ http { client_max_body_size 50m; gzip off; + # --- DNS resolver (Google + Cloudflare, re-resolve every 30s) --- + resolver 8.8.8.8 1.1.1.1 valid=30s ipv6=off; + resolver_timeout 5s; + # --- IP allowlist (generated at container start) --- include /etc/nginx/conf.d/allowlist.conf; # --- Token auth --- include /etc/nginx/conf.d/auth.conf; - # --- Upstreams with keepalive --- - upstream elevenlabs_backend { - server api.elevenlabs.io:443; - keepalive 32; - } - - upstream openai_backend { - server api.openai.com:443; - keepalive 32; - } - server { listen 8080; server_name _; @@ -70,21 +63,25 @@ http { return 403 '{"error":"invalid_token"}'; } + # Variable forces runtime DNS resolution (not cached at startup) + set $elevenlabs_upstream https://api.elevenlabs.io; + # Strip /elevenlabs/ prefix and proxy rewrite ^/elevenlabs/(.*) /$1 break; - proxy_pass https://elevenlabs_backend; + proxy_pass $elevenlabs_upstream; proxy_ssl_server_name on; proxy_ssl_name api.elevenlabs.io; + proxy_ssl_protocols TLSv1.2 TLSv1.3; - # Pass original Host header for SNI + # Host header must match upstream for Cloudflare proxy_set_header Host api.elevenlabs.io; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + + # Pass through original headers (User-Agent, Accept, etc.) + # Do NOT set X-Real-IP or X-Forwarded-For — Cloudflare uses them for bot detection proxy_set_header Connection ""; - # Do NOT forward proxy token to upstream + # Remove proxy token before forwarding to upstream proxy_set_header X-Proxy-Token ""; # HTTP/1.1 for keepalive 
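Review bot: The added `resolver 8.8.8.8 1.1.1.1 valid=30s ipv6=off;` sends every upstream lookup as plaintext DNS to public resolvers, and those answers now decide where each proxied request is sent, because the later hunks switch `proxy_pass` to a variable. nginx's resolver does not authenticate responses, so a spoofed or intercepted reply redirects the upstream connection. Pointing it at a resolver on a trusted local network narrows that exposure, e.g. `resolver <internal-resolver-ip> valid=30s ipv6=off;` (placeholder address). The comment should also say that `valid=30s` overrides the records' own TTL. The `http` block starts and ends outside this hunk.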
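Review bot: Nothing visible in this location enables upstream certificate verification, and nginx defaults to `proxy_ssl_verify off`. `proxy_ssl_server_name on` and `proxy_ssl_name api.elevenlabs.io` only set the SNI and the name that would be checked, so on their own they do not reject a wrong certificate. With `proxy_pass $elevenlabs_upstream;` now resolved at request time, a bad DNS answer would hand the forwarded request, presumably including the caller's upstream API credentials, to whichever host answers. Unless it is already set outside the hunk, add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path-to-ca-bundle>;` next to `proxy_ssl_protocols`. The `/openai/` location in the next hunk needs the same two lines, and this location block starts and ends outside the hunk.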
@@ -106,16 +103,16 @@ http { return 403 '{"error":"invalid_token"}'; } + set $openai_upstream https://api.openai.com; + rewrite ^/openai/(.*) /$1 break; - proxy_pass https://openai_backend; + proxy_pass $openai_upstream; proxy_ssl_server_name on; proxy_ssl_name api.openai.com; + proxy_ssl_protocols TLSv1.2 TLSv1.3; proxy_set_header Host api.openai.com; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Connection ""; proxy_set_header X-Proxy-Token "";
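Review bot: `proxy_set_header Connection "";` is kept here, but the first hunk removed the `upstream` blocks and their `keepalive 32`, so `proxy_pass $openai_upstream;` has no connection cache behind it. Each request therefore most likely opens a fresh TCP and TLS session to the upstream. The same holds for the `/elevenlabs/` location, whose `# HTTP/1.1 for keepalive` comment is now misleading. Either update the comments to say upstream keepalive is no longer in effect, or, if the deployed nginx version supports it, keep the `upstream` blocks with a shared `zone` and the `resolve` parameter on `server` so re-resolution and keepalive both work. The location block continues outside this hunk.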