diff --git a/backend/templates/_certificates.conf b/backend/templates/_certificates.conf
index 06ca7bb8..efcca5cd 100644
--- a/backend/templates/_certificates.conf
+++ b/backend/templates/_certificates.conf
@@ -2,6 +2,7 @@
 {% if certificate.provider == "letsencrypt" %}
   # Let's Encrypt SSL
   include conf.d/include/letsencrypt-acme-challenge.conf;
+  include conf.d/include/ssl-cache.conf;
   include conf.d/include/ssl-ciphers.conf;
   ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
diff --git a/backend/templates/_certificates_stream.conf b/backend/templates/_certificates_stream.conf
new file mode 100644
index 00000000..b213cf66
--- /dev/null
+++ b/backend/templates/_certificates_stream.conf
@@ -0,0 +1,13 @@
+{% if certificate and certificate_id > 0 -%}
+{% if certificate.provider == "letsencrypt" %}
+  # Let's Encrypt SSL
+  include conf.d/include/ssl-cache-stream.conf;
+  include conf.d/include/ssl-ciphers.conf;
+  ssl_certificate /etc/letsencrypt/live/npm-{{ certificate_id }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/npm-{{ certificate_id }}/privkey.pem;
+{% else %}
+  # Custom SSL
+  ssl_certificate /data/custom_ssl/npm-{{ certificate_id }}/fullchain.pem;
+  ssl_certificate_key /data/custom_ssl/npm-{{ certificate_id }}/privkey.pem;
+{% endif %}
+{% endif %}
diff --git a/backend/templates/stream.conf b/backend/templates/stream.conf
index 76159a64..8345699c 100644
--- a/backend/templates/stream.conf
+++ b/backend/templates/stream.conf
@@ -5,13 +5,15 @@
 {% if enabled %}
 {% if tcp_forwarding == 1 or tcp_forwarding == true -%}
 server {
-  listen {{ incoming_port }};
+  listen {{ incoming_port }}{% if certificate %} ssl{% endif %};
 {% if ipv6 -%}
-  listen [::]:{{ incoming_port }};
+  listen [::]:{{ incoming_port }}{% if certificate %} ssl{% endif %};
 {% else -%}
-  #listen [::]:{{ incoming_port }};
+  #listen [::]:{{ incoming_port }}{% if certificate %} ssl{% endif %};
 {% endif %}
 
+{% include "_certificates_stream.conf" %}
+
   proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
 
   # Custom
diff --git a/docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf
new file mode 100644
index 00000000..433555df
--- /dev/null
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache-stream.conf
@@ -0,0 +1,2 @@
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL_stream:50m;
diff --git a/docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf
new file mode 100644
index 00000000..aa7ba2cb
--- /dev/null
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-cache.conf
@@ -0,0 +1,2 @@
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:50m;
diff --git a/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf b/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
index 233abb6e..b5dacfb5 100644
--- a/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
+++ b/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf
@@ -1,6 +1,3 @@
-ssl_session_timeout 5m;
-ssl_session_cache shared:SSL:50m;
-
 # intermediate configuration. tweak to your needs.
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';