diff --git a/conf/ipwhitelist.conf b/conf/ipwhitelist.conf
new file mode 100644
index 0000000..97e149e
--- /dev/null
+++ b/conf/ipwhitelist.conf
@@ -0,0 +1,2 @@
+allow 146.19.174.104;
+allow 103.20.235.147;
diff --git a/conf/nginx.conf b/conf/nginx.conf
new file mode 100644
index 0000000..79717c4
--- /dev/null
+++ b/conf/nginx.conf
@@ -0,0 +1,79 @@
+user root root;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /www/wwwlogs/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+ keepalive_timeout 65;
+ #gzip on;
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name localhost;
+
+ #access_log /var/log/nginx/host.access.log main;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
+}
+
+stream {
+
+ log_format proxy '$remote_addr [$time_local]:$proxy_protocol_addr '
+ '|$ssl_preread_server_name '
+ '|$protocol |$status $bytes_sent $bytes_received '
+ '|$session_time |"$upstream_addr" '
+ '|"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+ access_log /www/wwwlogs/tcp-access.log proxy;
+ open_log_file_cache off;
+
+ # 加一组 map,根据规则过滤 $ssl_preread_server_name (也就是请求的 SNI)
+ # 将过滤过的 SNI 存入自定义变量 $filtered_sni_name,
+ # 如果没有匹配到任何规则,则默认为一个 443 端口没有服务的本地回环。
+ map $ssl_preread_server_name $filtered_sni_name {
+ include /etc/nginx/unlock.conf;
+ default "127.255.255.255";
+ }
+
+ server {
+ resolver 1.1.1.1;
+ listen 443;
+ ssl_preread on;
+ include /etc/nginx/ipwhitelist.conf;
+ deny all;
+ # 只代理经过 SNI 过滤的流量,
+ # 其他流量都被丢入不存在的地址
+ proxy_pass $filtered_sni_name:443;
+ }
+}
+
diff --git a/conf/unlock.conf b/conf/unlock.conf
new file mode 100644
index 0000000..ab13d8d
--- /dev/null
+++ b/conf/unlock.conf
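Review bot: `user root root;` at the top of the hunk makes every worker process run as root, so a flaw in the stream relay or in the unused http server on port 80 executes with full privileges inside the container; the upstream image already ships an unprivileged `nginx` account, and `user nginx;` (or simply dropping the directive to keep the image default) is sufficient because the master process still binds port 443. The allow list included just before `deny all` is only as good as the peer address nginx observes; if connections reach the container through Docker's userland proxy rather than iptables DNAT, the source will be the bridge address, so this is worth confirming on the host before relying on the rule. The `http` server block serves the image's default site and is not published by the compose file; removing it, or at least its location blocks, shrinks what has to be maintained. A one-line comment above the stream `server` such as `# Access control: only peers in ipwhitelist.conf may use the relay; everyone else is refused before proxy_pass.` would make the intent of the include/deny pair obvious to the next reader.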
@@ -0,0 +1,8 @@
+~^(.*|)netflix\.com$ $ssl_preread_server_name;
+~^(.*|)netflix\.net$ $ssl_preread_server_name;
+~^(.*|)nflximg\.com$ $ssl_preread_server_name;
+~^(.*|)nflximg\.net$ $ssl_preread_server_name;
+~^(.*|)nflxvideo\.net$ $ssl_preread_server_name;
+~^(.*|)nflxext\.com$ $ssl_preread_server_name;
+~^(.*|)nflxso\.net$ $ssl_preread_server_name;
+~^(.*|)fast\.com$ $ssl_preread_server_name;
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..3418b93
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,13 @@
+version: '3'
+services:
+ netflix-unlock:
+ container_name: un-nf
+ image: nginx
+ ports:
+ - 8443:443
+ privileged: true
+ volumes:
+ - /data/NFNginx/conf/nginx.conf:/etc/nginx/nginx.conf
+ - /data/NFNginx/conf/unlock.conf:/etc/nginx/unlock.conf
+ - /data/NFNginx/conf/ipwhitelist.conf:/etc/nginx/ipwhitelist.conf
+ - /data/NFNginx/logs:/www/wwwlogs
diff --git a/logs/nginx/access.log b/logs/nginx/access.log
new file mode 100644
index 0000000..e69de29
diff --git a/logs/tcp-access.log b/logs/tcp-access.log
new file mode 100644
index 0000000..e69de29
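Review bot: Every pattern of the form `~^(.*|)netflix\.com$` also matches any host whose name merely ends in the string `netflix.com` (a constructed example: `notnetflix.com`), because nothing requires a dot between the prefix and the domain; since the matched SNI is what `proxy_pass` in nginx.conf connects to, this widens the set of destinations the relay will open connections to beyond the intended domains. Requiring the optional prefix to end in a literal dot, `(.*\.)?`, confines each rule to the apex and its subdomains. The empty alternative in `(.*|)` contributes nothing, as `.*` already matches the empty string, so the tightened form is also simpler to read.
```nginx
~^(.*\.)?netflix\.com$ $ssl_preread_server_name;
~^(.*\.)?netflix\.net$ $ssl_preread_server_name;
~^(.*\.)?nflximg\.com$ $ssl_preread_server_name;
~^(.*\.)?nflximg\.net$ $ssl_preread_server_name;
~^(.*\.)?nflxvideo\.net$ $ssl_preread_server_name;
~^(.*\.)?nflxext\.com$ $ssl_preread_server_name;
~^(.*\.)?nflxso\.net$ $ssl_preread_server_name;
~^(.*\.)?fast\.com$ $ssl_preread_server_name;
```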
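Review bot: `privileged: true` hands the container every capability and raw device access, none of which nginx needs to listen on 443 inside its own network namespace; deleting that line is the straightforward fix and removes the largest single risk in this service definition. `image: nginx` resolves to whatever `latest` is at deploy time, so pinning `image: nginx:<version-or-digest>` makes the deployment reproducible and lets the running version be audited against advisories. The three configuration bind mounts can be declared read-only, e.g. `- /data/NFNginx/conf/ipwhitelist.conf:/etc/nginx/ipwhitelist.conf:ro`, so that a compromised container cannot rewrite its own allow list or SNI rules.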