diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..f1f2912 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,18 @@ +# Never bake secrets or runtime state into the image. +config.json +ca/ + +# Python runtime artifacts +__pycache__/ +*.pyc +*.pyo +*.pyd +.venv/ +venv/ +*.egg-info/ + +# Development / OS clutter +.git/ +.gitignore +.vscode/ +*.log diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..b9471df --- /dev/null +++ b/Dockerfile @@ -0,0 +1,17 @@ +FROM python:3.13-slim + +WORKDIR /app + +# Install dependencies first (layer-cached until requirements.txt changes). +COPY requirements.txt . +RUN pip install --no-cache-dir -r requirements.txt + +# Copy source — config.json and ca/ are intentionally excluded (.dockerignore) +# and mounted at runtime so secrets are never baked into the image. +COPY . . + +EXPOSE 8085 1080 + +# --host 0.0.0.0 is required inside a container so the proxy is reachable +# from outside. The value in config.json is ignored for the host binding. +CMD ["python", "main.py", "--host", "0.0.0.0"] diff --git a/README.md b/README.md index c029448..9335aab 100644 --- a/README.md +++ b/README.md 
@@ -309,6 +309,47 @@ By default, the proxy only listens on `127.0.0.1` (localhost), meaning only your --- +## Docker (Optional) + +If you prefer running the proxy in a container instead of managing a Python environment, Docker is supported. + +**Requirements:** [Docker](https://docs.docker.com/get-docker/) and [Docker Compose](https://docs.docker.com/compose/) + +### Setup + +1. Copy and fill in your config: + ```bash + cp config.example.json config.json + # Edit config.json — set your script_id and auth_key + ``` + +2. Build and start: + ```bash + docker compose up -d + ``` + +The container automatically listens on `0.0.0.0`, so both ports are reachable from the host: +- `127.0.0.1:8085` — HTTP proxy +- `127.0.0.1:1080` — SOCKS5 proxy + +### CA Certificate in Docker + +On first run, the container generates `ca/ca.crt` into the `./ca` volume on your host. Install it in your browser manually — see [Step 6](#step-6-install-the-ca-certificate-required-for-https) above. Running `--install-cert` inside the container has no effect on the host OS certificate store. + +### Useful Commands + +```bash +docker compose up -d # Start in background +docker compose logs -f # Follow logs +docker compose restart # Restart after config change +docker compose down # Stop and remove container +docker compose build # Rebuild image after code change +``` + +> **`config.json` is mounted read-only** into the container and is never baked into the image, so your secrets stay on the host. + +--- + ## Modes Overview This project is centered on the **Apps Script** relay (free, no VPS needed). For destinations that block Google egress, you can optionally chain an edge exit node (Cloudflare Workers, Deno Deploy, or your own VPS). 
@@ -494,6 +535,8 @@ MasterHttpRelayVPN/ ├── start.bat / start.sh # One-click launcher (venv + deps + wizard + run) ├── config.example.json # Copy to config.json and fill in your values ├── requirements.txt # Python dependencies +├── Dockerfile # Container image definition +├── docker-compose.yml # Compose config: ports, volumes, restart policy ├── apps_script/ │ ├── Code.gs # The relay script you deploy to Google Apps Script │ ├── cloudflare_worker.js # Exit node template for Cloudflare Workers diff --git a/README_FA.md b/README_FA.md index 7829de6..17589fd 100644 --- a/README_FA.md +++ b/README_FA.md 
@@ -260,7 +260,46 @@ json **در سایر دستگاه‌ها:** آن‌ها را طوری پیکربندی کنید که از آدرس IP کامپیوتر شما در شبکه محلی (که در لاگ راه‌اندازی نمایش داده می‌شود) و پورت 8085 به عنوان پروکسی HTTP استفاده کنند. --- +## Docker (اختیاری) +اگر ترجیح می‌دهید پروکسی را در یک container اجرا کنید، Docker پشتیبانی می‌شود. + +**پیش‌نیاز:** [Docker](https://docs.docker.com/get-docker/) و [Docker Compose](https://docs.docker.com/compose/) + +### راه‌اندازی + +۱. فایل config را کپی و تکمیل کنید: + ```bash + cp config.example.json config.json + # script_id و auth_key را پر کنید + ``` + +۲. Build و start کنید: + ```bash + docker compose up -d + ``` + +Container به‌طور خودکار روی `0.0.0.0` گوش می‌دهد، پس هر دو پورت از host قابل دسترس هستند: +- `127.0.0.1:8085` — HTTP proxy +- `127.0.0.1:1080` — SOCKS5 proxy + +### گواهی CA در Docker + +در اولین اجرا، container فایل `ca/ca.crt` را داخل volume مربوط به `./ca` روی host می‌سازد. آن را به صورت دستی در مرورگر نصب کنید — مرحله ۶ را ببینید. اجرای `--install-cert` داخل container تأثیری روی cert store سیستم host ندارد. + +### دستورهای مفید + +```bash +docker compose up -d # اجرا در پس‌زمینه +docker compose logs -f # دنبال کردن لاگ +docker compose restart # ری‌استارت بعد از تغییر config +docker compose down # توقف و حذف container +docker compose build # بازسازی image بعد از تغییر کد +``` + +> **فایل `config.json` به صورت read-only** داخل container mount می‌شود و هرگز داخل image قرار نمی‌گیرد، پس اطلاعات شما روی host باقی می‌ماند. + +--- ## تنظیمات اصلی | تنظیم | توضیح | diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..66c21e9 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,27 @@ +name: masterhttprelayvpn + +services: + proxy: + build: . + container_name: masterhttprelayvpn + restart: unless-stopped + + ports: + - "8085:8085" # HTTP proxy + - "1080:1080" # SOCKS5 proxy + + volumes: + # Mount your config.json so secrets stay outside the image. + - ./config.json:/app/config.json:ro + + # Persist the MITM CA certificate across container restarts. + # On first run the container generates ca/ca.crt and ca/ca.key here. + - ./ca:/app/ca + + networks: + - proxy-net + +networks: + proxy-net: + name: masterhttprelayvpn-net + driver: bridge
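Review bot: In .dockerignore, only the exact name `config.json` is excluded, while the Dockerfile's `COPY . .` takes everything else in the build context, so a backup or variant such as `config.json.bak` or a `.env` file would still be baked into the image. Suggest widening the first block to `config*.json` with a `!config.example.json` exception, and adding `.env`, `*.key` and `*.pem`, so that the "never bake secrets" comment holds for more than the one filename.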
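Review bot: In the Dockerfile, there is no `USER` instruction, so `main.py` runs as root inside the container while it listens on `0.0.0.0` and writes the CA material into `/app/ca`. Both exposed ports (8085 and 1080) are above 1024, so root is not needed to bind them; suggest creating an unprivileged user and switching to it before `CMD`, and documenting that the host's `./ca` directory must be writable by that UID. Since the comment says the host value in `config.json` is ignored in the container, that behaviour also deserves a line in the README.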
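Review bot: In the README.md Docker hunk, the "CA Certificate in Docker" section mentions only `ca/ca.crt`, but the compose file's comment says the container also generates `ca/ca.key` in the same `./ca` directory. Once `ca.crt` is installed in a browser, that key can sign certificates the browser will trust, so the section should state that `./ca/ca.key` sits on the host, must never be shared or committed, and should have restrictive file permissions. The sentence "listens on `0.0.0.0`, so both ports are reachable from the host" followed by `127.0.0.1:8085` and `127.0.0.1:1080` should also be worded to match the binding that the compose file actually publishes.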
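Review bot: In the README.md project-tree hunk, `Dockerfile` and `docker-compose.yml` are listed but `.dockerignore` is not, although it is added in this same patch and is the file that keeps `config.json` and `ca/` out of the image. Suggest adding a `.dockerignore` line to the tree with a short description of that role.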
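Review bot: In README_FA.md, the CA section refers to step 6 as plain text (`مرحله ۶ را ببینید`), whereas the English README links to the `#step-6-install-the-ca-certificate-required-for-https` anchor. Suggest adding the matching in-page link to the Persian step heading so readers can jump to the install instructions.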
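Review bot: In docker-compose.yml, the `ports` entries `"8085:8085"` and `"1080:1080"` publish both proxies on every host interface, because Docker binds a published port to all addresses when no host IP is given. The README hunk advertises them as `127.0.0.1:8085` and `127.0.0.1:1080`, and the README context line says the non-Docker default listens on localhost only, so the Docker path silently widens exposure to the LAN. Suggest `"127.0.0.1:8085:8085"` and `"127.0.0.1:1080:1080"` as the default, with LAN sharing documented as an explicit opt-in.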