diff --git a/nginx/kvm-nginx.conf b/nginx/kvm-nginx.conf
new file mode 100644
index 0000000..ea5d472
--- /dev/null
+++ b/nginx/kvm-nginx.conf
@@ -0,0 +1,57 @@
+upstream kvm_backend {
+ server 127.0.0.1:8004;
+}
+
+upstream kvm_frontend {
+ # 前端机器 IP,根据实际情况修改
+ server 172.16.30.94:8006;
+}
+
+server {
+ listen 80;
+ server_name _;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name _;
+
+ # 自签名 SSL 证书(内网用)
+ ssl_certificate /etc/nginx/ssl/server.crt;
+ ssl_certificate_key /etc/nginx/ssl/server.key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ # 静态文件代理到前端机器
+ location / {
+ proxy_pass http://kvm_frontend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ # API 代理到后端
+ location /api/ {
+ proxy_pass http://kvm_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 300s;
+ }
+
+ # 健康检查
+ location /health {
+ proxy_pass http://kvm_backend;
+ }
+
+ # WebSocket (VNC 控制台)
+ location /ws/ {
+ proxy_pass http://kvm_backend;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 3600s;
+ proxy_send_timeout 3600s;
+ }
+}
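Review bot: The `/ws/` location that carries the VNC console forwards neither `Host` nor the client address, unlike `/` and `/api/`, so the backend receives nginx's default `Host: kvm_backend` and sees 127.0.0.1 as the peer for every console session; that leaves console access unattributable in backend logs and would defeat any Origin-versus-Host comparison the backend may perform on the WebSocket handshake. Add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` to `/ws/` (and to `/health` if its requests are logged). Because `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client supplied, the backend should rely on `X-Real-IP` or only the last list entry for audit and rate limiting. Separately, `kvm_frontend` is reached over plain `http://` on 172.16.30.94, so requests leave this host unencrypted after TLS termination; a comment stating that this segment is assumed trusted, or a switch to `https://` upstream, would make that explicit.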