diff --git a/.dockerignore b/.dockerignore index 9b754f7..6deb67c 100644 --- a/.dockerignore +++ b/.dockerignore @@ -3,4 +3,5 @@ # Allow only docker duild files !Dockerfile.* -!*.sh \ No newline at end of file +!*.sh +!*.tpl \ No newline at end of file diff --git a/Dockerfile.amd64 b/Dockerfile.amd64 index b27e6ae..db9eee8 100644 --- a/Dockerfile.amd64 +++ b/Dockerfile.amd64 @@ -18,14 +18,16 @@ RUN apk update && apk add bash nginx openssl curl socat jq moreutils RUN cd /root; curl -sSL "https://github.com/acmesh-official/acme.sh/archive/refs/tags/2.9.0.tar.gz"|tar zxvf - RUN cd /root; mv acme.sh-2.9.0 .acme.sh -ADD run.sh /run.sh -ADD server-ltx.sh /server-ltx.sh -ADD server-ltt.sh /server-ltt.sh -ADD server-lttw.sh /server-lttw.sh -ADD server-mtt.sh /server-mtt.sh -ADD server-mttw.sh /server-mttw.sh -ADD server-ttt.sh /server-ttt.sh -ADD server-tttw.sh /server-tttw.sh +COPY site-ssl-grpc.conf.tpl /etc/nginx/http.d/ +ADD run.sh /run.sh +ADD server-ltx.sh /server-ltx.sh +ADD server-ltt.sh /server-ltt.sh +ADD server-lttw.sh /server-lttw.sh +ADD server-mtt.sh /server-mtt.sh +ADD server-mttw.sh /server-mttw.sh +ADD server-ttt.sh /server-ttt.sh +ADD server-tttw.sh /server-tttw.sh +ADD server-gttn.sh /server-gttn.sh RUN chmod 755 /*.sh diff --git a/Dockerfile.arm b/Dockerfile.arm index df4299d..b9be6e5 100644 --- a/Dockerfile.arm +++ b/Dockerfile.arm 
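Review bot: The new `ADD server-gttn.sh /server-gttn.sh` line keeps the `ADD` form for a plain local file while the template line added in the same hunk already uses `COPY`; since `ADD` additionally auto-extracts archives and fetches URLs, `COPY server-gttn.sh /server-gttn.sh` (and the same for the neighbouring script lines) is the recommended and consistent form. The identical hunk is repeated in Dockerfile.arm and Dockerfile.arm64. The following `RUN chmod 755 /*.sh` still covers the new script, so its execute bit is handled as for the others.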
@@ -18,14 +18,16 @@ RUN apk update && apk add bash nginx openssl curl socat jq moreutils RUN cd /root; curl -sSL "https://github.com/acmesh-official/acme.sh/archive/refs/tags/2.9.0.tar.gz"|tar zxvf - RUN cd /root; mv acme.sh-2.9.0 .acme.sh -ADD run.sh /run.sh -ADD server-ltx.sh /server-ltx.sh -ADD server-ltt.sh /server-ltt.sh -ADD server-lttw.sh /server-lttw.sh -ADD server-mtt.sh /server-mtt.sh -ADD server-mttw.sh /server-mttw.sh -ADD server-ttt.sh /server-ttt.sh -ADD server-tttw.sh /server-tttw.sh +COPY site-ssl-grpc.conf.tpl /etc/nginx/http.d/ +ADD run.sh /run.sh +ADD server-ltx.sh /server-ltx.sh +ADD server-ltt.sh /server-ltt.sh +ADD server-lttw.sh /server-lttw.sh +ADD server-mtt.sh /server-mtt.sh +ADD server-mttw.sh /server-mttw.sh +ADD server-ttt.sh /server-ttt.sh +ADD server-tttw.sh /server-tttw.sh +ADD server-gttn.sh /server-gttn.sh RUN chmod 755 /*.sh diff --git a/Dockerfile.arm64 b/Dockerfile.arm64 index 8039fa7..6257aab 100644 --- a/Dockerfile.arm64 +++ b/Dockerfile.arm64 @@ -18,14 +18,16 @@ RUN apk update && apk add bash nginx openssl curl socat jq moreutils RUN cd /root; curl -sSL "https://github.com/acmesh-official/acme.sh/archive/refs/tags/2.9.0.tar.gz"|tar zxvf - RUN cd /root; mv acme.sh-2.9.0 .acme.sh -ADD run.sh /run.sh -ADD server-ltx.sh /server-ltx.sh -ADD server-ltt.sh /server-ltt.sh -ADD server-lttw.sh /server-lttw.sh -ADD server-mtt.sh /server-mtt.sh -ADD server-mttw.sh /server-mttw.sh -ADD server-ttt.sh /server-ttt.sh -ADD server-tttw.sh /server-tttw.sh +COPY site-ssl-grpc.conf.tpl /etc/nginx/http.d/ +ADD run.sh /run.sh +ADD server-ltx.sh /server-ltx.sh +ADD server-ltt.sh /server-ltt.sh +ADD server-lttw.sh /server-lttw.sh +ADD server-mtt.sh /server-mtt.sh +ADD server-mttw.sh /server-mttw.sh +ADD server-ttt.sh /server-ttt.sh +ADD server-tttw.sh /server-tttw.sh +ADD server-gttn.sh /server-gttn.sh RUN chmod 755 /*.sh diff --git a/run.sh b/run.sh index 64d6082..6a7df4a 100755 --- a/run.sh +++ b/run.sh 
@@ -6,22 +6,23 @@ XCONF=/tmp/server-xray.json usage() { echo "server-xray -- [-r|--request-domain ] [-c|--cert-path ] [-k|--hook ]" - echo " -k|--hook [Optional] DDNS update or notifing URL to be hit. Multiple allowed" - echo " -r|--request-domain [Optional] Domain name to request for letsencrypt cert. Multiple allowed" - echo " -c|--cert-path [Optional] Reading TLS certs from folder //. Multiple allowed" - echo " --ltx p=1443,d=domain0.com,u=uuid[:level[:email]][,f=[fallback-host]:fb-port:[fb-path]]" - echo " --ltt p=2443,d=domain1.com,u=uuid[:level[:email]][,f=[fallback-host]:fb-port:[fb-path]]" - echo " --lttw p=3443,d=domain2.com,u=uuid[:level[:email]][,f=[fallback-host]:fb-port:[fb-path]],w=/webpath" - echo " --mtt p=4443,d=domain3.com,u=uuid[:level[:email]][,f=[fallback-host]:fb-port:[fb-path]]" - echo " --mttw p=5443,d=domain4.com,u=uuid[:level[:email]][,f=[fallback-host]:fb-port:[fb-path]],w=/webpath" - echo " --ttt p=6443,d=domain5.com,u=passwd[:email][,f=[fallback-host]:fb-port:[fb-path]]" - echo " --tttw p=7443,d=domain5.com,u=passwd[:email][,f=[fallback-host]:fb-port:[fb-path]],w=/webpath" -# echo " --ssa port=8443,user=password1:method1[,user=password2:method2]" -# echo " --sst port=9443,user=passwd,method=xxxx" - echo " --stdin Read XRay config from stdin instead of auto generation" + echo " -k|--hook [Optional] DDNS update or notifing URL to be hit. Multiple allowed" + echo " -r|--request-domain [Optional] Domain name to request for letsencrypt cert. Multiple allowed" + echo " -c|--cert-path [Optional] Reading TLS certs from folder //. 
Multiple allowed" + echo " --ltx p=443,d=domain0.com,u=uuid[:level[:email]][,f=[fallback-host]:fb-port:[fb-path]]" + echo " --ltt p=1443,d=domain1.com,u=uuid[:level[:email]][,f=[fallback-host]:fb-port:[fb-path]]" + echo " --lttw p=2443,d=domain2.com,u=uuid[:level[:email]][,f=[fallback-host]:fb-port:[fb-path]],w=/webpath" + echo " --mtt p=3443,d=domain3.com,u=uuid[:level[:email]][,f=[fallback-host]:fb-port:[fb-path]]" + echo " --mttw p=4443,d=domain4.com,u=uuid[:level[:email]][,f=[fallback-host]:fb-port:[fb-path]],w=/webpath" + echo " --ttt p=5443,d=domain5.com,u=passwd[:email][,f=[fallback-host]:fb-port:[fb-path]]" + echo " --tttw p=6443,d=domain5.com,u=passwd[:email][,f=[fallback-host]:fb-port:[fb-path]],w=/webpath" + echo " --gttn p=7443,d=domain0.com,u=uuid[:level[:email]],s=svcname,g=grpcport" +# echo " --ssa port=8443,user=password1:method1[,user=password2:method2]" +# echo " --sst port=9443,user=passwd,method=xxxx" + echo " --stdin Read XRay config from stdin instead of auto generation" } -TEMP=`getopt -o k:r:c:d --long hook:,request-domain:,cert-path:,ltx:,ltt:,lttw:,mtt:,mttw:,ttt:,tttw:,ssa:,sst:stdin,debug -n "$0" -- $@` +TEMP=`getopt -o k:r:c:d --long hook:,request-domain:,cert-path:,ltx:,ltt:,lttw:,mtt:,mttw:,ttt:,tttw:,gttn:,ssa:,sst:stdin,debug -n "$0" -- $@` if [ $? != 0 ] ; then usage; exit 1 ; fi eval set -- "$TEMP" @@ -43,7 +44,8 @@ while true ; do DEBUG=1 shift 1 ;; - --ltx|--ltt|--lttw|--mtt|--mttw|--ttt|--tttw) + --ltx|--ltt|--lttw|--mtt|--mttw|--ttt|--tttw|--gttn) + if [ "$1" = "--gttn" ]; then NGINX=1; fi SVC=`echo $1|tr -d '\-\-'` SVCMD+=("$DIR/server-${SVC}.sh $2") shift 2 @@ -114,12 +116,13 @@ if [ -n "${SVCMD}" ]; then exit 1 fi done - if [ "${DEBUG}" = 1 ]; then + if [ "${DEBUG}" = "1" ]; then cat $XCONF |jq '.log.loglevel |="debug"' |sponge $XCONF echo cat $XCONF echo fi + if [ "${NGINX}" = "1" ]; then nginx; fi exec /usr/local/bin/xray -c $XCONF else if [ "${STDINCONF}" = "1" ]; then 
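Review bot: The rewritten getopt long-option string still reads `sst:stdin,debug`, which appears to lack a comma between `sst:` and `stdin`, so `--stdin` (documented on the usage line just above it) would likely be rejected as an unknown option; `…,gttn:,ssa:,sst:,stdin,debug` looks like the intended form. The positional arguments are also passed to getopt as an unquoted `$@`, so an option value containing whitespace is split before getopt sees it; `-- "$@"` preserves it. The usage text still spells "notifing" for "notifying".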
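Review bot: The added `nginx` start on the line before `exec /usr/local/bin/xray` does not check its exit status, so a failed start (for example a rejected rendered site-xray.conf) leaves xray running with no TLS front-end and no diagnostic; `if [ "${NGINX}" = "1" ]; then nginx || { echo "nginx failed to start" >&2; exit 1; }; fi` would fail fast instead. `NGINX` is only assigned in the `--gttn` branch and the script does not run under `set -u`, so the comparison itself is safe as written. The enclosing `if [ -n "${SVCMD}" ]` block continues past the end of the hunk.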
diff --git a/server-gttn.sh b/server-gttn.sh
new file mode 100755
index 0000000..d930cd7
--- /dev/null
+++ b/server-gttn.sh
@@ -0,0 +1,146 @@ +#!/bin/bash + +usage() { + echo "Usage: server-gttn ,,,,,," +} + +options=(`echo $1 |tr ',' ' '`) +for option in "${options[@]}" +do + kv=(`echo $option |tr '=' ' '`) + case "${kv[0]}" in + x|xconf) + xconf="${kv[1]}" + ;; + c|certpath) + certpath+=("${kv[1]}") + ;; + p|port) + port="${kv[1]}" + ;; + d|domain) + domain="${kv[1]}" + ;; + u|user) + xuser+=("${kv[1]}") + ;; + g|gport) + gport="${kv[1]}" + ;; + s|service) + service="${kv[1]}" + ;; + esac +done + +if [ -z "${certpath}" ]; then + echo "Error: certpath undefined." + usage + exit 1 +fi + +if [ -z "${xconf}" ]; then + echo "Error: xconf undefined." + usage + exit 1 +fi + +if [ -z "${port}" ]; then + echo "Error: port undefined." + usage + exit 1 +fi + +if [ -z "${gport}" ]; then + echo "Error: gport undefined." + usage + exit 1 +fi + +if [ -z "${domain}" ]; then + echo "Error: domain undefined." + usage + exit 1 +fi + +if [ -z "${xuser}" ]; then + echo "Error: user undefined." + usage + exit 1 +fi + +XCONF=$xconf +cat $XCONF |jq --arg gport "${gport}" '.inbounds +=[{"port":($gport|tonumber), "protocol":"vless", "settings":{"clients":[]}}]' |sponge $XCONF + +for xu in "${xuser[@]}" +do + IFS=':' + uopt=(${xu}) + uopt=(${uopt[@]}) + + if [ -z "${uopt[0]}" ]; then + echo "Incorrect user format: ${xu}" + echo "Correct user format: user=[:level:email]" + echo "Like: user=805b2209-c26f-48d6-ba52-07b7d894f962:0:me@g.cn" + echo "Like: user=805b2209-c26f-48d6-ba52-07b7d894f962::me@g.cn" + echo "Like: user=805b2209-c26f-48d6-ba52-07b7d894f962:0" + echo "Like: user=805b2209-c26f-48d6-ba52-07b7d894f962" + exit 1 + fi + if [ -z "${uopt[1]}" ]; then + uopt[1]=0 + fi + if [ -z "${uopt[2]}" ]; then + uopt[2]="nobody@g.cn" + fi + cat $XCONF |jq --arg gport "${gport}" --arg uid "${uopt[0]}" --arg level "${uopt[1]}" --arg email "${uopt[2]}" \ + '( .inbounds[] | select(.port == ($gport|tonumber)) | .settings.clients ) += [ {"id":$uid, "level":($level|tonumber), "email":$email} ] ' \ + |sponge $XCONF +done + 
+cat $XCONF |jq --arg gport "${gport}" \ +'( .inbounds[] | select(.port == ($gport|tonumber)) | .settings.decryption ) += "none" ' \ +|sponge $XCONF + +cat $XCONF |jq --arg gport "${gport}" --arg service "${service}" \ +'( .inbounds[] | select(.port == ($gport|tonumber)) | .streamSettings ) += {"network":"grpc", "grpcSettings":{"serviceName":$service} } ' \ +|sponge $XCONF + +for certroot in "${certpath[@]}" +do + if [ -f "${certroot}/${domain}/fullchain.cer" ] && [ -f "${certroot}/${domain}/${domain}.key" ]; then + fullchain="${certroot}/${domain}/fullchain.cer" + prvkey="${certroot}/${domain}/${domain}.key" + break + fi +done + +if [ ! -f "${fullchain}" ] || [ ! -f "${prvkey}" ]; then + echo "TLS cert missing?" + echo "Abort." + exit 2 +fi + +# Running as root to enable low port listening. Necessary for Fargate or k8s. +sed -i 's/^user nginx;$/user root;/g' /etc/nginx/nginx.conf +mkdir -p /run/nginx/ + +cd /etc/nginx/http.d/ + +if [ -f /etc/nginx/http.d/default.conf ]; then + mv default.conf default.conf.disable +fi + +TPL="site-ssl-grpc.conf.tpl" + +ESC_CERTFILE=$(printf '%s\n' "${fullchain}" | sed -e 's/[]\/$*.^[]/\\&/g') +ESC_PRVKEYFILE=$(printf '%s\n' "${prvkey}" | sed -e 's/[]\/$*.^[]/\\&/g') +ESC_GSVC=$(printf '%s\n' "${service}" | sed -e 's/[]\/$*.^[]/\\&/g') +cat ${TPL} \ + | sed "s/CERTFILE/${ESC_CERTFILE}/g" \ + | sed "s/PRVKEYFILE/${ESC_PRVKEYFILE}/g" \ + | sed "s/NGDOMAIN/${domain}/g" \ + | sed "s/NGPORT/${port}/g" \ + | sed "s/GPORT/${gport}/g" \ + | sed "s/GSVC/${ESC_GSVC}/g" \ + >site-xray.conf diff --git a/site-ssl-grpc.conf.tpl b/site-ssl-grpc.conf.tpl new file mode 100644 index 0000000..ffd78be --- /dev/null +++ b/site-ssl-grpc.conf.tpl 
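Review bot: The vless inbound appended by the first `jq` call (`'.inbounds +=[{"port":($gport|tonumber), "protocol":"vless", "settings":{"clients":[]}}]'`) carries no `listen` address, and because its stream settings are plain gRPC with `decryption` set to `none` and TLS is terminated only by nginx, the inbound appears to be reachable on every interface rather than just the loopback address nginx proxies to (`grpc_pass grpc://127.0.0.1:GPORT`); adding `"listen":"127.0.0.1"` to that object keeps the unencrypted leg off the network. The option parsing expands `$1` and `$option` unquoted inside backticks, so a value containing whitespace or glob characters is split or expanded before `case` sees it, and the `IFS=':'` set in the user loop is never restored for the code that follows. The `NGDOMAIN` and `NGPORT` substitutions are the only ones not passed through the sed-escaping used for the other values, so a domain containing `&` or `/` would corrupt site-xray.conf, though ordinary domain names contain neither.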
@@ -0,0 +1,25 @@
+server {
+ listen NGPORT ssl http2;
+ listen [::]:NGPORT ssl http2;
+ server_name NGDOMAIN;
+ ssl_certificate CERTFILE;
+ ssl_certificate_key PRVKEYFILE;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ client_header_timeout 1071906480m;
+ keepalive_timeout 1071906480m;
+
+ location / {
+ return 404;
+ }
+ location GSVC {
+ if ($content_type !~ "application/grpc") {
+ return 404;
+ }
+ client_max_body_size 0;
+ client_body_timeout 1071906480m;
+ grpc_read_timeout 1071906480m;
+ grpc_pass grpc://127.0.0.1:GPORT;
+ }
+}
\ No newline at end of file
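Review bot: `location GSVC {` renders the service name without a leading slash (run.sh documents it as `s=svcname`, and server-gttn.sh hands the same value to xray's `grpcSettings.serviceName`), so the location likely never matches: request paths always begin with `/`, and xray's gRPC transport expects `/<serviceName>/Tun`; putting the slash in the template, `location /GSVC/ {`, keeps the value usable on both sides. `ssl_ciphers HIGH:!aNULL:!MD5;` still admits non-forward-secret RSA key exchange and CBC suites under TLS 1.2; an ECDHE-only list together with `ssl_prefer_server_ciphers on;` is the usual hardening. The `client_header_timeout` and `keepalive_timeout` of `1071906480m` at server scope apply to every connection, not only the gRPC stream, so an idle client can hold a worker connection indefinitely; only the `grpc_read_timeout` and `client_body_timeout` inside the gRPC location need that value.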