diff --git a/g18/rootfs/etc/nginx/enable-ssl.conf b/g18/rootfs/etc/nginx/enable-ssl.conf
new file mode 100644
index 0000000..ff1ac7c
--- /dev/null
+++ b/g18/rootfs/etc/nginx/enable-ssl.conf
@@ -0,0 +1,13 @@
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+# 'always' requires nginx >= 1.7.5, see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
+# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+add_header X-Frame-Options DENY always;
+add_header X-Content-Type-Options nosniff always;
+ssl_session_tickets off;
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx >= 1.3.7
+# resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
+# resolver_timeout 5s;
diff --git a/g18/rootfs/etc/nginx/sites-available/default b/g18/rootfs/etc/nginx/sites-available/default
new file mode 100644
index 0000000..64c5bf6
--- /dev/null
+++ b/g18/rootfs/etc/nginx/sites-available/default
@@ -0,0 +1,47 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    return 404;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 http2 ssl;
+    listen [::]:443 http2 ssl;
+    server_name git.nasp.ob.ac.cn;
+
+    include enable-ssl.conf;
+    include ssl-for-git_nasp_ob_ac_cn.conf;
+
+    location / {
+        client_max_body_size 100G;
+        proxy_pass http://localhost:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    listen 443 http2 ssl;
+    listen [::]:443 http2 ssl;
+    server_name nasp.ob.ac.cn;
+
+    include enable-ssl.conf;
+    include ssl-for-nasp_ob_ac_cn.conf;
+
+    location / {
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header   Host $host;
+        proxy_pass         http://localhost:3001/;
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade $http_upgrade;
+        proxy_set_header   Connection "upgrade";
+    }
+}
\ No newline at end of file
diff --git a/g18/rootfs/etc/nginx/ssl-for-git_nasp_ob_ac_cn.conf b/g18/rootfs/etc/nginx/ssl-for-git_nasp_ob_ac_cn.conf
new file mode 100644
index 0000000..69f711c
--- /dev/null
+++ b/g18/rootfs/etc/nginx/ssl-for-git_nasp_ob_ac_cn.conf
@@ -0,0 +1,3 @@
+ssl_certificate /root/.acme.sh/git.nasp.ob.ac.cn/fullchain.cer;
+ssl_certificate_key /root/.acme.sh/git.nasp.ob.ac.cn/git.nasp.ob.ac.cn.key;
+ssl_trusted_certificate /root/.acme.sh/git.nasp.ob.ac.cn/git.nasp.ob.ac.cn.cer;
\ No newline at end of file
diff --git a/g18/rootfs/etc/nginx/ssl-for-nasp_ob_ac_cn.conf b/g18/rootfs/etc/nginx/ssl-for-nasp_ob_ac_cn.conf
new file mode 100644
index 0000000..7095f2a
--- /dev/null
+++ b/g18/rootfs/etc/nginx/ssl-for-nasp_ob_ac_cn.conf
@@ -0,0 +1,3 @@
+ssl_certificate /root/.acme.sh/nasp.ob.ac.cn/fullchain.cer;
+ssl_certificate_key /root/.acme.sh/nasp.ob.ac.cn/nasp.ob.ac.cn.key;
+ssl_trusted_certificate /root/.acme.sh/nasp.ob.ac.cn/nasp.ob.ac.cn.cer;
\ No newline at end of file