diff --git a/docker-compose.yml b/docker-compose.yml
index 5068f43..10fdf4c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,9 +9,13 @@ services:
 restart: unless-stopped
 ports:
 - "80:80"
+ - "443:443"
 volumes:
 - ./docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
 - ./docker/nginx/conf.d:/etc/nginx/conf.d:ro
+ - certbot-etc:/etc/letsencrypt
+ - certbot-var:/var/lib/letsencrypt
+ - webroot:/var/www/html
 depends_on:
 - backend
 
@@ -30,5 +34,19 @@ services:
 ports:
 - "8000:8000"
 
+ certbot:
+ image: certbot/certbot
+ container_name: certbot
+ volumes:
+ - certbot-etc:/etc/letsencrypt
+ - certbot-var:/var/lib/letsencrypt
+ - webroot:/var/www/html
+ depends_on:
+ - frontend
+ command: certonly --webroot --webroot-path=/var/www/html --email admin@itformhelp.ru --agree-tos --no-eff-email --staging -d itformhelp.ru -d www.itformhelp.ru
+
 volumes:
- sqlite_data:
\ No newline at end of file
+ sqlite_data:
+ certbot-etc:
+ certbot-var:
+ webroot:
\ No newline at end of file
diff --git a/docker/nginx/conf.d/default.conf b/docker/nginx/conf.d/default.conf
index 64e1129..1ce0908 100644
--- a/docker/nginx/conf.d/default.conf
+++ b/docker/nginx/conf.d/default.conf
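Review bot: In the nginx service's `volumes` list, the new `certbot-etc:/etc/letsencrypt` and `certbot-var:/var/lib/letsencrypt` entries are mounted read-write, while the two existing config mounts directly above them carry `:ro`; the web server only needs to read the issued certificate and key, and nothing in this file shows it using `/var/lib/letsencrypt` at all. Mount the certificate volume read-only and drop the second entry: `- certbot-etc:/etc/letsencrypt:ro`. The same applies to `webroot:/var/www/html`, which nginx only serves for the ACME challenge, so `:ro` fits there as well. The service name is not visible in this hunk, so which container this `volumes` block belongs to should be confirmed against the full file.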
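Review bot: The new `certbot` service runs a single `certonly` with `--staging` and no restart policy, so it exits after one attempt, the certificate it obtains comes from the staging CA and will not be trusted by browsers, and nothing renews it afterwards. The nginx config in this same commit also references `/etc/letsencrypt/live/itformhelp.ru/fullchain.pem` unconditionally, so on a fresh host nginx cannot start until a certificate exists, and certbot, which `depends_on` `frontend` (presumably that nginx container), then never gets to serve the challenge; a documented first-issuance step or a temporary HTTP-only server block is needed to break that cycle. Once the first certificate is in place, drop `--staging` and turn the service into a renewal loop, e.g. `entrypoint: /bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done'`, with nginx reloaded after each renewal so the new key pair is actually picked up. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker on the new side shows.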
@@ -1,7 +1,39 @@
 server {
 listen 80;
+ listen [::]:80;
 server_name itformhelp.ru www.itformhelp.ru;
 
+ location ~ /.well-known/acme-challenge {
+ allow all;
+ root /var/www/html;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name itformhelp.ru www.itformhelp.ru;
+
+ ssl_certificate /etc/letsencrypt/live/itformhelp.ru/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/itformhelp.ru/privkey.pem;
+
+ # SSL configuration
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ # Modern configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (uncomment if you're sure)
+ # add_header Strict-Transport-Security "max-age=63072000" always;
+
 root /usr/share/nginx/html;
 index index.html;