diff --git a/server-ce/nginx/overleaf.conf b/server-ce/nginx/overleaf.conf
index 77e59df5a0..616b5084b9 100644
--- a/server-ce/nginx/overleaf.conf
+++ b/server-ce/nginx/overleaf.conf
@@ -9,6 +9,21 @@ server {
 		internal;
 	}
 
+	# File upload endpoints: stream directly to Node.js with generous timeouts
+	# for large files on slow / unreliable connections.
+	location ~ ^/project/[^/]+/upload$ {
+		proxy_pass http://127.0.0.1:4000;
+		proxy_http_version 1.1;
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-Host $host;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_read_timeout 15m;
+		proxy_send_timeout 15m;
+		client_body_timeout 15m;
+		client_max_body_size 550m;
+		proxy_request_buffering off;
+	}
+
 	location / {
 		proxy_pass http://127.0.0.1:4000;
 		proxy_http_version 1.1;
diff --git a/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs b/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
index 8079e54187..77462f82cb 100644
--- a/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
+++ b/services/web/app/src/Features/PasswordReset/PasswordResetController.mjs
@@ -215,12 +215,23 @@ async function renderSetPasswordForm(req, res, next) {
   const passwordResetToken = req.session.resetToken
   delete req.session.resetToken
 
+  let isLumiere = false
+  if (email) {
+    try {
+      const emailUser = await UserGetter.promises.getUserByMainEmail(email, {
+        'ace.overallTheme': 1,
+      })
+      isLumiere = (emailUser?.ace?.overallTheme ?? '') === 'lumiere-'
+    } catch {}
+  }
+
   res.render(
     Features.hasFeature('saas') ? 'user/setPasswordCiam' : 'user/setPassword',
     {
       title: 'set_password',
       email,
       passwordResetToken,
+      isLumiere,
     }
   )
 }
diff --git a/services/web/app/src/Features/User/UserPagesController.mjs b/services/web/app/src/Features/User/UserPagesController.mjs
index edf00d1960..3e1255f947 100644
--- a/services/web/app/src/Features/User/UserPagesController.mjs
+++ b/services/web/app/src/Features/User/UserPagesController.mjs
@@ -177,6 +177,7 @@ async function settingsPage(req, res) {
     isSaas: Features.hasFeature('saas'),
     memberOfSSOEnabledGroups,
     capabilities: [...req.capabilitySet],
+    isLumiere: (user?.ace?.overallTheme ?? '') === 'lumiere-',
   })
 }
 
diff --git a/services/web/frontend/stylesheets/pages/auth.scss b/services/web/frontend/stylesheets/pages/auth.scss
index 034ef7e502..e8c95eecfe 100644
--- a/services/web/frontend/stylesheets/pages/auth.scss
+++ b/services/web/frontend/stylesheets/pages/auth.scss
@@ -1,3 +1,15 @@
+// Lumière-themed overrides for auth pages (setPassword, activate, etc.)
+[data-lumiere='true'] {
+  .auth-aux-container {
+    background: rgba(255, 255, 255, 0.88);
+    border-radius: 16px;
+    padding: 2rem;
+    box-shadow: 0 4px 24px rgba(42, 157, 143, 0.12);
+    min-height: unset;
+    margin-top: 5rem;
+  }
+}
+
 .auth-aux-logo {
   position: absolute;
   top: var(--spacing-06);
diff --git a/services/web/modules/user-activate/app/src/UserActivateController.mjs b/services/web/modules/user-activate/app/src/UserActivateController.mjs
index 6bee167e03..83a0c348d9 100644
--- a/services/web/modules/user-activate/app/src/UserActivateController.mjs
+++ b/services/web/modules/user-activate/app/src/UserActivateController.mjs
@@ -40,6 +40,7 @@ async function activateAccountPage(req, res, next) {
   const user = await UserGetter.promises.getUser(req.query.user_id, {
     email: 1,
     loginCount: 1,
+    'ace.overallTheme': 1,
   })
 
   if (!user) {
@@ -59,6 +60,7 @@ async function activateAccountPage(req, res, next) {
     title: 'activate_account',
     email: user.email,
     token: req.query.token,
+    isLumiere: (user?.ace?.overallTheme ?? '') === 'lumiere-',
   })
 }