diff --git a/sites/protected-directory-of-site/docker-compose.yml b/sites/protected-directory-of-site/docker-compose.yml
new file mode 100644
index 0000000..2c8c53a
--- /dev/null
+++ b/sites/protected-directory-of-site/docker-compose.yml
@@ -0,0 +1,44 @@
+version: "3.9"
+
+networks:
+ traefik_proxy:
+ external: true
+
+services:
+ private_static:
+ image: nginx:alpine
+ container_name: private_static
+ restart: unless-stopped
+ networks:
+ - traefik_proxy
+
+ # Host-visible content
+ volumes:
+ - ./html:/usr/share/nginx/html:ro
+
+ labels:
+ - "traefik.enable=true"
+
+ # =========================
+ # HTTP → HTTPS redirect
+ # =========================
+ # Catch http://example.com/private[...] and redirect to https://
+ - "traefik.http.routers.private-http.rule=Host(`example.com`) && PathPrefix(`/private`)"
+ - "traefik.http.routers.private-http.entrypoints=web"
+ - "traefik.http.routers.private-http.middlewares=private-https-redirect"
+ - "traefik.http.middlewares.private-https-redirect.redirectscheme.scheme=https"
+
+ # =========================
+ # HTTPS router (protected)
+ # =========================
+ # Serve static files at https://example.com/private[...]
+ - "traefik.http.routers.private-https.rule=Host(`example.com`) && PathPrefix(`/private`)"
+ - "traefik.http.routers.private-https.entrypoints=websecure"
+ - "traefik.http.routers.private-https.tls.certresolver=letsencrypt"
+
+ # Optional: set higher priority if you have a general example.com router
+ - "traefik.http.routers.private-https.priority=20"
+
+ # Require Authelia auth before serving anything under /private
+ - "traefik.http.routers.private-https.middlewares=authelia-auth@file"
+
diff --git a/sites/protected-static-site/docker-compose.yml b/sites/protected-static-site/docker-compose.yml
new file mode 100644
index 0000000..4d742f8
--- /dev/null
+++ b/sites/protected-static-site/docker-compose.yml
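Review bot: The explicit `priority=20` on the `private-https` router in sites/protected-directory-of-site/docker-compose.yml lowers the router's precedence instead of raising it, which contradicts the comment directly above the label. Traefik's default priority is the length of the rule, and this Host-plus-PathPrefix rule is 45 characters long, so without the label it would already outrank a plain Host-only router for example.com. With the value pinned to 20, any other example.com router whose rule is longer than 20 characters would win `/private` requests, and the `authelia-auth@file` middleware on this router would not run for them; whether that exposes anything depends on the service behind that other router, which is not visible here. Either drop the label or set a value clearly above the rule lengths in use, for example `- "traefik.http.routers.private-https.priority=100"`, and reword the comment to say that the default is the rule length.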
@@ -0,0 +1,41 @@
+version: "3.9"
+
+networks:
+ traefik_proxy:
+ external: true
+
+services:
+ protected_static:
+ image: nginx:alpine
+ container_name: protected_static
+ restart: unless-stopped
+ networks:
+ - traefik_proxy
+
+ # Bind-mounted static content stored natively on the host
+ volumes:
+ - ./html:/usr/share/nginx/html:ro
+
+ labels:
+ - "traefik.enable=true"
+
+ # --------------------------
+ # HTTP → HTTPS redirect
+ # --------------------------
+ - "traefik.http.routers.psite-http.rule=Host(`secure.example.com`)"
+ - "traefik.http.routers.psite-http.entrypoints=web"
+ - "traefik.http.routers.psite-http.middlewares=psite-https-redirect"
+ - "traefik.http.middlewares.psite-https-redirect.redirectscheme.scheme=https"
+
+ # --------------------------
+ # HTTPS router
+ # --------------------------
+ - "traefik.http.routers.psite-https.rule=Host(`secure.example.com`)"
+ - "traefik.http.routers.psite-https.entrypoints=websecure"
+ - "traefik.http.routers.psite-https.tls.certresolver=letsencrypt"
+
+ # --------------------------
+ # Authelia protection
+ # --------------------------
+ - "traefik.http.routers.psite-https.middlewares=authelia-auth@file"
+
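Review bot: The Authelia check in sites/protected-static-site/docker-compose.yml exists only on the `psite-https` Traefik router; the nginx container itself serves `./html` to any client that can reach it on `traefik_proxy`. That network is declared `external: true` and is presumably shared with other proxied services, so a container attached to it could read the content directly from `protected_static` without passing through Authelia. Which containers join the network is not visible in this diff, so at minimum record the assumption next to the `networks:` entry, e.g. `# Auth is enforced by Traefik only; every container on traefik_proxy can reach this service unauthenticated`. The same applies to `private_static` in the first file.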