diff --git a/backend/nginx.conf b/backend/nginx.conf
index 27112f0..f64dae2 100644
--- a/backend/nginx.conf
+++ b/backend/nginx.conf
@@ -47,7 +47,7 @@ http {
 keepalive 32;
 }
 
- # HTTP redirect to HTTPS
+ # HTTP server - handles both Let's Encrypt and Cloudflare Flexible SSL
 server {
 listen 80;
 server_name mtd.runfoo.run www.mtd.runfoo.run;
@@ -57,9 +57,63 @@ http {
 root /var/www/certbot;
 }
 
- # Redirect all other traffic to HTTPS
+ # For Cloudflare Flexible SSL: if X-Forwarded-Proto is https, serve the app
+ # Otherwise redirect to HTTPS (for direct HTTP access)
 location / {
- return 301 https://$server_name$request_uri;
+ # Check if coming from Cloudflare with HTTPS
+ set $redirect_to_https 1;
+ if ($http_x_forwarded_proto = "https") {
+ set $redirect_to_https 0;
+ }
+
+ # Redirect direct HTTP to HTTPS
+ if ($redirect_to_https = 1) {
+ return 301 https://$server_name$request_uri;
+ }
+
+ # Cloudflare Flexible SSL: serve through proxy
+ proxy_pass http://frontend:3000;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_cache_bypass $http_upgrade;
+ }
+
+ # API endpoints for Cloudflare Flexible SSL
+ location /api/v1/ {
+ proxy_pass http://api;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Connection "";
+ proxy_redirect off;
+ }
+
+ location /docs {
+ proxy_pass http://api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ location /redoc {
+ proxy_pass http://api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ location /openapi.json {
+ proxy_pass http://api;
+ proxy_set_header Host $host;
 }
 }
 
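Review bot: The `if ($http_x_forwarded_proto = "https")` test in `location /` trusts a request header that any client can set, so it does not establish that the request arrived through Cloudflare; a plain-HTTP request sent straight to port 80 with that header is proxied to the frontend instead of being redirected. The new `/api/v1/`, `/docs`, `/redoc` and `/openapi.json` locations carry no check at all and hard-code `X-Forwarded-Proto https`, so the API answers over cleartext while the backend is told the connection was secure. I would derive the redirect decision from the peer address together with the header and reuse it in every proxied location, as sketched below with the Cloudflare ranges left as a placeholder to fill from the published list. Separately, `X-Real-IP $remote_addr` will presumably carry the proxy's address rather than the visitor's for traffic that does come via Cloudflare, which matters if the backend logs or rate-limits on it. The server block starts and ends outside this hunk, and the `geo`/`map` lines belong in the `http` context next to the upstream definitions.

```nginx
# http context (outside this hunk): 1 only when the TCP peer is a Cloudflare edge
geo $from_cloudflare {
    default 0;
    # <CLOUDFLARE_IP_RANGE> 1;   # placeholder: one entry per published range
}

# Skip the redirect only for a trusted peer that reports an HTTPS client
map "$from_cloudflare:$http_x_forwarded_proto" $redirect_to_https {
    default   1;
    "1:https" 0;
}

location / {
    if ($redirect_to_https) {
        return 301 https://$server_name$request_uri;
    }
    # … unchanged: proxy_pass to frontend and proxy_set_header lines …
}

location /api/v1/ {
    if ($redirect_to_https) {
        return 301 https://$server_name$request_uri;
    }
    # … unchanged: proxy_pass to api and proxy_set_header lines …
}
# … same guard at the top of /docs, /redoc and /openapi.json …
```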