diff --git a/2.Common_services/5.Nginx/vhost_skyreach.conf b/2.Common_services/5.Nginx/vhost_skyreach.conf
index 8b952989c98999e54bf87b5b23409598d734272a..472709ad85d008218fb275d170f3c6733d76e67a 100644
--- a/2.Common_services/5.Nginx/vhost_skyreach.conf
+++ b/2.Common_services/5.Nginx/vhost_skyreach.conf
@@ -51,13 +51,16 @@ server {
 	}
 
 	location /proxy/ {
-		allow 127.0.0.1;
-		deny all;
-		# proxy for MediaCoder UI and files
+		# proxy to local SSH tunnels (for MediaCoder UI and files)
 		# ?: means that the group should not be stored as variable
 
+		# 404 for ports outside of range (40000-60000)
+		location ~ "^/proxy/(?!(4|5\d{4}/)).*$" {
+			return 404;
+		}
+
 		# proxy for m3u8 and ts files with cache
-		location ~ ^/proxy/([\d\.\:]+)/(.+\.(?:m3u8|ts))$ {
+		location ~ "^/proxy/(\d+)/(.+\.(?:m3u8|ts))$" {
 			proxy_cache livecache;
 			# do not consider secure urls as new files
 			proxy_cache_key $scheme$proxy_host$uri;
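Review bot: The negative lookahead in the new range guard, `(?!(4|5\d{4}/))`, groups the alternation as `4` or `5\d{4}/`, so any path whose port merely starts with 4 (for example `/proxy/443/`) skips the `return 404` and falls through to the `(\d+)` locations. Because this hunk also removes `allow 127.0.0.1; deny all;`, that regex is the only restriction on the proxied loopback port visible here. I would write `location ~ "^/proxy/(?![45]\d{4}/).*$" {` and, as a second line of defence, narrow the `(\d+)` capture to `([45]\d{4})` both here and in the catch-all location of the next hunk. The comment says 40000-60000 while even the corrected pattern admits 40000-59999, so one of the two should be adjusted. The `location /proxy/` block closes outside this hunk.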
@@ -66,19 +69,19 @@ server {
 			# show if playlist or fragment has been cached from wowza
 			add_header X-Cache $upstream_cache_status;
 			# wowza is defining expiration headers (m3u8 is 1s, ts is 3600)
-			proxy_pass https://$1/$2;
+			proxy_pass https://127.0.0.1:$1/$2;
 		}
 
 		# proxy for other urls including websocket
-		location ~ ^/proxy/([\d\.\:]+)/(.*)$ {
+		location ~ "^/proxy/(\d+)/(.*)$" {
 			proxy_http_version 1.1;
 			proxy_buffering off;
 			# needed for websocket
 			proxy_set_header Upgrade $http_upgrade;
 			proxy_set_header Connection $connection_upgrade;
 			# change scheme of "Origin" to https
-			proxy_set_header Origin https://$1;
-			proxy_pass https://$1/$2$is_args$args;
+			proxy_set_header Origin https://127.0.0.1:$1;
+			proxy_pass https://127.0.0.1:$1/$2$is_args$args;
 		}
 	}
 
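Review bot: The catch-all location overwrites `Origin` with `https://127.0.0.1:$1` for every request, and with the loopback-only restriction gone from `/proxy/` that now applies to requests from any client. If the tunnelled service relies on `Origin` to reject cross-site WebSocket handshakes (not visible from this diff), that check will always pass behind this proxy. At minimum I would document it above the directive, e.g. `# Origin is rewritten for all clients; the backend cannot use it to reject cross-site requests`, and confirm that access to `/proxy/` is authenticated somewhere outside this file. Not verifying the upstream certificate is presumably acceptable for a loopback tunnel, but a one-line comment next to `proxy_pass https://127.0.0.1:$1/...` saying so would save the next reader the question.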
@@ -88,7 +91,7 @@ server {
 	}
 
 	# APT proxy urls
-	location ~ /[\w\d\.\-\_]+.ubuntu.com/ubuntu {
+	location ~ "/[\w\d\.\-\_]+.ubuntu.com/ubuntu" {
 		proxy_pass http://127.0.0.1:3142;
 	}
 }
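Review bot: The quoted APT pattern is still unanchored, and the dots before `ubuntu` and `com` are unescaped, so it matches more request paths than the Ubuntu mirror hostnames the comment describes. Since everything it matches is handed to the service on 127.0.0.1:3142, I would tighten it while touching the line: `location ~ "^/[\w.-]+\.ubuntu\.com/ubuntu" {`. `\d` and `_` are already covered by `\w`, so the character class can be shortened as shown.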