253 changed files with 1431 additions and 2674 deletions
--- a/.github/workflows/build-publish-dispatch.yml
+++ b/.github/workflows/build-publish-dispatch.yml
@ -1,85 +0,0 @@
 name: Build and publish Docker images on demand
 on:
  workflow_dispatch:
    inputs:
      image_tag:
        description: "Image tag"
        type: string
        required: true
 jobs:
  multiarch-build:
    name: Build and publish ${{ matrix.base }} image with tag ${{ inputs.image_tag }}
    strategy:
      matrix:
        base: [alpine, debian]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Retrieve nginx-proxy version
        id: nginx-proxy_version
        run: echo "VERSION=$(git describe --tags)" >> "$GITHUB_OUTPUT"
      - name: Retrieve docker-gen version
        id: docker-gen_version
        run: sed -n -e 's;^FROM nginxproxy/docker-gen:\([0-9.]*\).*;VERSION=\1;p' Dockerfile.${{ matrix.base }} >> "$GITHUB_OUTPUT"
      - name: Get Docker tags
        id: docker_meta
        uses: docker/metadata-action@v5
        with:
          images: |
            nginxproxy/nginx-proxy
          tags: |
            type=raw,value=${{ inputs.image_tag }},enable=${{ matrix.base == 'debian' }}
            type=raw,value=${{ inputs.image_tag }},suffix=-alpine,enable=${{ matrix.base == 'alpine' }}
          labels: |
            org.opencontainers.image.authors=Nicolas Duchon <nicolas.duchon@gmail.com> (@buchdag), Jason Wilder
            org.opencontainers.image.version=${{ steps.nginx-proxy_version.outputs.VERSION }}
          flavor: |
            latest=false
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push the image
        id: docker_build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile.${{ matrix.base }}
          build-args: |
            NGINX_PROXY_VERSION=${{ steps.nginx-proxy_version.outputs.VERSION }}
            DOCKER_GEN_VERSION=${{ steps.docker-gen_version.outputs.VERSION }}
          platforms: linux/amd64,linux/arm64,linux/s390x,linux/arm/v7
          sbom: true
          push: true
          provenance: mode=max
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Images digests
        run: echo ${{ steps.docker_build.outputs.digest }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -25,10 +25,10 @@ jobs:
    steps:
      - uses: actions/checkout@v4
-      - name: Set up Python 3.12
+      - name: Set up Python 3.9
        uses: actions/setup-python@v5
        with:
-          python-version: 3.12
+          python-version: 3.9
      - name: Install dependencies
        run: |
@ -36,9 +36,6 @@ jobs:
          pip install -r python-requirements.txt
        working-directory: test/requirements
      - name: Pull nginx:alpine image
        run: docker pull nginx:alpine
      - name: Build Docker web server image
        run: make build-webserver
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,3 @@
 **/__pycache__/
 **/.cache/
 .idea/
 wip
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@ -1,9 +1,9 @@
-FROM docker.io/nginxproxy/docker-gen:0.14.5 AS docker-gen
+FROM docker.io/nginxproxy/docker-gen:0.14.2 AS docker-gen
 FROM docker.io/nginxproxy/forego:0.18.2 AS forego
 # Build the final image
-FROM docker.io/library/nginx:1.27.3-alpine
+FROM docker.io/library/nginx:1.27.1-alpine
 ARG NGINX_PROXY_VERSION
 # Add DOCKER_GEN_VERSION environment variable because 
--- a/Dockerfile.debian
+++ b/Dockerfile.debian
@ -1,9 +1,9 @@
-FROM docker.io/nginxproxy/docker-gen:0.14.5-debian AS docker-gen
+FROM docker.io/nginxproxy/docker-gen:0.14.2-debian AS docker-gen
 FROM docker.io/nginxproxy/forego:0.18.2-debian AS forego
 # Build the final image
-FROM docker.io/library/nginx:1.27.3
+FROM docker.io/library/nginx:1.27.1
 ARG NGINX_PROXY_VERSION
 # Add DOCKER_GEN_VERSION environment variable because 
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 [![Test](https://github.com/nginx-proxy/nginx-proxy/actions/workflows/test.yml/badge.svg)](https://github.com/nginx-proxy/nginx-proxy/actions/workflows/test.yml)
 [![GitHub release](https://img.shields.io/github/v/release/nginx-proxy/nginx-proxy)](https://github.com/nginx-proxy/nginx-proxy/releases)
-[![nginx 1.27.3](https://img.shields.io/badge/nginx-1.27.3-brightgreen.svg?logo=nginx)](https://nginx.org/en/CHANGES)
+[![nginx 1.27.1](https://img.shields.io/badge/nginx-1.27.1-brightgreen.svg?logo=nginx)](https://nginx.org/en/CHANGES)
 [![Docker Image Size](https://img.shields.io/docker/image-size/nginxproxy/nginx-proxy?sort=semver)](https://hub.docker.com/r/nginxproxy/nginx-proxy "Click to view the image on Docker Hub")
 [![Docker stars](https://img.shields.io/docker/stars/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy "DockerHub")
 [![Docker pulls](https://img.shields.io/docker/pulls/nginxproxy/nginx-proxy.svg)](https://hub.docker.com/r/nginxproxy/nginx-proxy "DockerHub")
@ -20,17 +20,7 @@ docker run --detach \
    --volume /var/run/docker.sock:/tmp/docker.sock:ro \
    nginxproxy/nginx-proxy:1.6
 ```
-docker-compose
+
 ```docker-compose
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    restart: always
    ports:
      - "80:80"
    volumes:
      - "/var/run/docker.sock:/tmp/docker.sock"
 ```
 Then start any containers (here an nginx container) you want proxied with an env var `VIRTUAL_HOST=subdomain.yourdomain.com`
 ```console
@ -39,12 +29,7 @@ docker run --detach \
    --env VIRTUAL_HOST=foo.bar.com \
    nginx
 ```
-docker-compose
+
 ```docker-compose
    environment:
      - VIRTUAL_HOST=git.patachina.casacam.net
      - VIRTUAL_PORT=3000
 ```
 Provided your DNS is setup to resolve `foo.bar.com` to the host running nginx-proxy, a request to `http://foo.bar.com` will then be routed to a container with the `VIRTUAL_HOST` env var set to `foo.bar.com` (in this case, the **your-proxied-app** container).
 The containers being proxied must :
@ -74,19 +59,12 @@ This image is based on the nginx:alpine image.
 docker pull nginxproxy/nginx-proxy:1.6-alpine
 ```
-> [!IMPORTANT]
+#### :warning: a note on `latest` and `alpine`:
->
+
-> #### A note on `latest` and `alpine`:
+It is not recommended to use the `latest` (`nginxproxy/nginx-proxy`, `nginxproxy/nginx-proxy:latest`) or `alpine` (`nginxproxy/nginx-proxy:alpine`) tag for production setups.
->
+
-> It is not recommended to use the `latest` (`nginxproxy/nginx-proxy`, `nginxproxy/nginx-proxy:latest`) or `alpine` (`nginxproxy/nginx-proxy:alpine`) tag for production setups.
+[Those tags point](https://hub.docker.com/r/nginxproxy/nginx-proxy/tags) to the latest commit in the `main` branch. They do not carry any promise of stability, and using them will probably put your nginx-proxy setup at risk of experiencing uncontrolled updates to non backward compatible versions (or versions with breaking changes). You should always specify the version you want to use explicitly to ensure your setup doesn't break when the image is updated.
 >
 > [Those tags point](https://hub.docker.com/r/nginxproxy/nginx-proxy/tags) to the latest commit in the `main` branch. They do not carry any promise of stability, and using them will probably put your nginx-proxy setup at risk of experiencing uncontrolled updates to non backward compatible versions (or versions with breaking changes). You should always specify the version you want to use explicitly to ensure your setup doesn't break when the image is updated.
 ### Additional documentation
 Please check the [docs section](https://github.com/nginx-proxy/nginx-proxy/tree/main/docs).
 ### Powered by 
 [![GoLand logo](https://resources.jetbrains.com/storage/products/company/brand/logos/GoLand_icon.svg)](https://www.jetbrains.com/go/)
 [![PyCharm logo](https://resources.jetbrains.com/storage/products/company/brand/logos/PyCharm_icon.svg)](https://www.jetbrains.com/pycharm/)
--- a/docker-compose-separate-containers.yml
+++ b/docker-compose-separate-containers.yml
@ -1,5 +1,4 @@
-volumes:
+version: "2"
  nginx_conf:
 services:
  nginx:
@ -8,15 +7,17 @@ services:
    ports:
      - "80:80"
    volumes:
-      - nginx_conf:/etc/nginx/conf.d:ro
+      - /etc/nginx/conf.d
  dockergen:
    image: nginxproxy/docker-gen
-    command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+    command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl
      /etc/nginx/conf.d/default.conf
    volumes_from:
      - nginx
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl
      - nginx_conf:/etc/nginx/conf.d
  whoami:
    image: jwilder/whoami
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,3 +1,5 @@
 version: "2"
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
--- a/docs/README.md
+++ b/docs/README.md
@ -56,7 +56,7 @@ For each host defined into `VIRTUAL_HOST`, the associated virtual port is retrie
 ### Multiple ports
-If your container expose more than one service on different ports and those services need to be proxied, you'll need to use the `VIRTUAL_HOST_MULTIPORTS` environment variable. This variable takes virtual host, path, port and dest definition in YAML (or JSON) form, and completely override the `VIRTUAL_HOST`, `VIRTUAL_PORT`, `VIRTUAL_PROTO`, `VIRTUAL_PATH` and `VIRTUAL_DEST` environment variables on this container.
+If your container expose more than one service on different ports and those services need to be proxied, you'll need to use the `VIRTUAL_HOST_MULTIPORTS` environment variable. This variable takes virtual host, path, port and dest definition in YAML (or JSON) form, and completely override the `VIRTUAL_HOST`, `VIRTUAL_PORT`, `VIRTUAL_PATH` and `VIRTUAL_DEST` environment variables on this container.
 The YAML syntax should be easier to write on Docker compose files, while the JSON syntax can be used for CLI invocation.
@ -66,20 +66,18 @@ The expected format is the following:
 hostname:
  path:
    port: int
    proto: string
    dest: string
 ```
-For each hostname entry, `path`, `port`, `proto` and `dest` are optional and are assigned default values when missing:
+For each hostname entry, `path`, `port` and `dest` are optional and are assigned default values when missing:
 - `path` = "/"
 - `port` = default port
 - `proto` = "http"
 - `dest` = ""
-#### Multiple ports routed to different hostnames
+The following examples use an hypothetical container running services on port 80, 8000 and 9000:
-The following example use an hypothetical container running services over HTTP on port 80, 8000 and 9000:
+#### Multiple ports routed to different hostnames
 ```yaml
 services:
@ -113,14 +111,12 @@ services:
 This would result in the following proxy config:
- `www.example.org` -> `multiport-container:80` over `HTTP`
+- `www.example.org` -> `multiport-container:80`
- `service1.example.org` -> `multiport-container:8000` over `HTTP`
+- `service1.example.org` -> `multiport-container:8000`
- `service2.example.org` -> `multiport-container:9000` over `HTTP`
+- `service2.example.org` -> `multiport-container:9000`
 #### Multiple ports routed to same hostname and different paths
 The following example use an hypothetical container running services over HTTP on port 80 and 8000 and over HTTPS on port 9443:
 ```yaml
 services:
  multiport-container:
@ -134,12 +130,11 @@ services:
            port: 8000
            dest: "/"
          "/service2":
-            port: 9443
+            port: 9000
            proto: "https"
            dest: "/"
-# port and dest are not specified on the / path, so this path is routed to the
+# port and dest are not specified on the / path, so this path is routed
-# default port with the default dest value (empty string) and default proto (http)
+# to the default port with the default dest value (empty string)
 # JSON equivalent:
 #     VIRTUAL_HOST_MULTIPORTS: |-
@ -147,16 +142,16 @@ services:
 #         "www.example.org": {
 #           "/": {},
 #           "/service1": { "port": 8000, "dest": "/" },
-#           "/service2": { "port": 9443, "proto": "https", "dest": "/" }
+#           "/service2": { "port": 9000, "dest": "/" }
 #         }
 #       }
 ```
 This would result in the following proxy config:
- `www.example.org` -> `multiport-container:80` over `HTTP`
+- `www.example.org` -> `multiport-container:80`
- `www.example.org/service1` -> `multiport-container:8000` over `HTTP`
+- `www.example.org/service1` -> `multiport-container:8000`
- `www.example.org/service2` -> `multiport-container:9443` over `HTTPS`
+- `www.example.org/service2` -> `multiport-container:9000`
 ⬆️ [back to table of contents](#table-of-contents)
@ -167,8 +162,7 @@ It is also possible to specify multiple paths with regex locations like `VIRTUAL
 The full request URI will be forwarded to the serving container in the `X-Original-URI` header.
-> [!NOTE]
+**NOTE**: Your application needs to be able to generate links starting with `VIRTUAL_PATH`. This can be achieved by it being natively on this path or having an option to prepend this path. The application does not need to expect this path in the request.
 > Your application needs to be able to generate links starting with `VIRTUAL_PATH`. This can be achieved by it being natively on this path or having an option to prepend this path. The application does not need to expect this path in the request.
 ### VIRTUAL_DEST
@ -187,9 +181,8 @@ In this example, the incoming request `http://example.tld/app1/foo` will be prox
 ### Per-VIRTUAL_PATH location configuration
 The same options as from [Per-VIRTUAL_HOST location configuration](#Per-VIRTUAL_HOST-location-configuration) are available on a `VIRTUAL_PATH` basis.
-The only difference is that the filename gets an additional block `HASH=$(echo -n $VIRTUAL_PATH | sha1sum | awk '{ print $1 }')`. This is the sha1-hash of the `VIRTUAL_PATH` (no newline). This is done for filename sanitization purposes.
+The only difference is that the filename gets an additional block `HASH=$(echo -n $VIRTUAL_PATH | sha1sum | awk '{ print $1 }')`. This is the sha1-hash of the `VIRTUAL_PATH` (no newline). This is done filename sanitization purposes.
-
+The used filename is `${VIRTUAL_HOST}_${HASH}_location`
 The used filename is `${VIRTUAL_HOST}_${PATH_HASH}_location`, or when `VIRTUAL_HOST` is a regex, `${VIRTUAL_HOST_HASH}_${PATH_HASH}_location`.
 The filename of the previous example would be `example.tld_8610f6c344b4096614eab6e09d58885349f42faf_location`.
@ -248,7 +241,7 @@ Proxyed containers running in host network mode **must** use the [`VIRTUAL_PORT`
 If you allow traffic from the public internet to access your `nginx-proxy` container, you may want to restrict some containers to the internal network only, so they cannot be accessed from the public internet. On containers that should be restricted to the internal network, you should set the environment variable `NETWORK_ACCESS=internal`. By default, the _internal_ network is defined as `127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16`. To change the list of networks considered internal, mount a file on the `nginx-proxy` at `/etc/nginx/network_internal.conf` with these contents, edited to suit your needs:
-```nginx
+```Nginx
 # These networks are considered "internal"
 allow 127.0.0.0/8;
 allow 10.0.0.0/8;
@ -261,7 +254,6 @@ deny all;
 When internal-only access is enabled, external clients will be denied with an `HTTP 403 Forbidden`
 > [!NOTE]
 > If there is a load-balancer / reverse proxy in front of `nginx-proxy` that hides the client IP (example: AWS Application/Elastic Load Balancer), you will need to use the nginx `realip` module (already installed) to extract the client's IP from the HTTP request headers. Please see the [nginx realip module configuration](http://nginx.org/en/docs/http/ngx_http_realip_module.html) for more details. This configuration can be added to a new config file and mounted in `/etc/nginx/conf.d/`.
 ⬆️ [back to table of contents](#table-of-contents)
@ -272,8 +264,7 @@ When internal-only access is enabled, external clients will be denied with an `H
 If you would like the reverse proxy to connect to your backend using HTTPS instead of HTTP, set `VIRTUAL_PROTO=https` on the backend container.
-> [!NOTE]
+> Note: If you use `VIRTUAL_PROTO=https` and your backend container exposes port 80 and 443, `nginx-proxy` will use HTTPS on port 80. This is almost certainly not what you want, so you should also include `VIRTUAL_PORT=443`.
 > If you use `VIRTUAL_PROTO=https` and your backend container exposes port 80 and 443, `nginx-proxy` will use HTTPS on port 80. This is almost certainly not what you want, so you should also include `VIRTUAL_PORT=443`.
 ### uWSGI Upstream
@ -289,9 +280,12 @@ If you use fastcgi,you can set `VIRTUAL_ROOT=xxx` for your root directory
 ### Upstream Server HTTP Load Balancing Support
 > **Warning**
 > This feature is experimental. The behavior may change (or the feature may be removed entirely) without warning in a future release, even if the release is not a new major version. If you use this feature, or if you would like to use this feature but you require changes to it first, please [provide feedback in #2195](https://github.com/nginx-proxy/nginx-proxy/discussions/2195). Once we have collected enough feedback we will promote this feature to officially supported.
 If you have multiple containers with the same `VIRTUAL_HOST` and `VIRTUAL_PATH` settings, nginx will spread the load across all of them. To change the load balancing algorithm from nginx's default (round-robin), set the `com.github.nginx-proxy.nginx-proxy.loadbalance` label on one or more of your application containers to the desired load balancing directive. See the [`ngx_http_upstream_module` documentation](https://nginx.org/en/docs/http/ngx_http_upstream_module.html) for available directives.
-> [!NOTE]
+> **Note**
 >
 > - Don't forget the terminating semicolon (`;`).
 > - If you are using Docker Compose, remember to escape any dollar sign (`$`) characters (`$` becomes `$$`).
@ -308,7 +302,6 @@ services:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      HTTPS_METHOD: nohttps
  myapp:
    image: jwilder/whoami
    expose:
@ -324,7 +317,10 @@ services:
 ### Upstream Server HTTP Keep-Alive Support
-By default `nginx-proxy` will enable HTTP keep-alive between itself and backend server(s) and set the maximum number of idle connections to twice the number of servers listed in the corresponding `upstream{}` block, [per nginx recommendation](https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#no-keepalives). To manually set the maximum number of idle connections or disable HTTP keep-alive entirely, use the `com.github.nginx-proxy.nginx-proxy.keepalive` label on the server's container (setting it to `disabled` will disable HTTP keep-alive).
+> **Warning**
 > This feature is experimental. The behavior may change (or the feature may be removed entirely) without warning in a future release, even if the release is not a new major version. If you use this feature, or if you would like to use this feature but you require changes to it first, please [provide feedback in #2194](https://github.com/nginx-proxy/nginx-proxy/discussions/2194). Once we have collected enough feedback we will promote this feature to officially supported.
 To enable HTTP keep-alive between `nginx-proxy` and backend server(s), set the `com.github.nginx-proxy.nginx-proxy.keepalive` label on the server's container either to `auto` or to the desired maximum number of idle connections. The `auto` setting will dynamically set the maximum number of idle connections to twice the number of servers listed in the corresponding `upstream{}` block, [per nginx recommendation](https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#no-keepalives).
 See the [nginx keepalive documentation](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) and the [Docker label documentation](https://docs.docker.com/config/labels-custom-metadata/) for details.
@ -332,7 +328,7 @@ See the [nginx keepalive documentation](https://nginx.org/en/docs/http/ngx_http_
 ## Basic Authentication Support
-In order to be able to secure your virtual host, you have to create a file named as its equivalent `VIRTUAL_HOST` variable (or if using a regex `VIRTUAL_HOST`, as the sha1 hash of the regex) in directory
+In order to be able to secure your virtual host, you have to create a file named as its equivalent `VIRTUAL_HOST` variable in directory
 `/etc/nginx/htpasswd/{$VIRTUAL_HOST}`
 ```console
@ -409,7 +405,7 @@ docker run --detach \
 ## SSL Support
-SSL is supported using single host, wildcard and SAN certificates using naming conventions for certificates or optionally [specifying a cert name as an environment variable](#san-certificates).
+SSL is supported using single host, wildcard and SNI certificates using naming conventions for certificates or optionally specifying a cert name (for SNI) as an environment variable.
 To enable SSL:
@ -437,8 +433,7 @@ By default nginx-proxy generates location blocks to handle ACME HTTP Challenge.
 To use custom `dhparam.pem` files per-virtual-host, the files should be named after the virtual host with a `dhparam` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory.
-> [!WARNING]
+> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 4096 bits for A+ security. Some older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these clients, you must provide your own `dhparam.pem`.
 > The default generated `dhparam.pem` key is 4096 bits for A+ security. Some older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these clients, you must provide your own `dhparam.pem`.
 In the separate container setup, no pre-generated key will be available and neither the [nginxproxy/docker-gen](https://hub.docker.com/r/nginxproxy/docker-gen) image, nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will provide one. If you still want A+ security in a separate container setup, you should mount an RFC7919 DH key file to the nginx container at `/etc/nginx/dhparam/dhparam.pem`.
@ -450,12 +445,9 @@ docker run -e DHPARAM_SKIP=true ....
 ### Wildcard Certificates
-Wildcard certificates and keys should be named after the parent domain name with a `.crt` and `.key` extension. For example:
+Wildcard certificates and keys should be named after the domain name with a `.crt` and `.key` extension. For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.crt` and `bar.com.key`.
- `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.crt` and `bar.com.key` if `foo.bar.com.crt` and `foo.bar.com.key` are not available
+### SNI
 - `VIRTUAL_HOST=sub.foo.bar.com` use cert name `foo.bar.com.crt` and `foo.bar.com.key` if `sub.foo.bar.com.crt` and `sub.foo.bar.com.key` are not available, but won't use `bar.com.crt` and `bar.com.key`.
 ### SAN Certificates
 If your certificate(s) supports multiple domain names, you can start a container with `CERT_NAME=<name>` to identify the certificate to be used. For example, a certificate for `*.foo.com` and `*.bar.com` could be named `shared.crt` and `shared.key`. A container running with `VIRTUAL_HOST=foo.bar.com` and `CERT_NAME=shared` will then use this shared cert.
@ -467,10 +459,7 @@ To enable OCSP Stapling for a domain, `nginx-proxy` looks for a PEM certificate
 The default SSL cipher configuration is based on the [Mozilla intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29) version 5.0 which should provide compatibility with clients back to Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9. Note that the DES-based TLS ciphers were removed for security. The configuration also enables HSTS, PFS, OCSP stapling and SSL session caches. Currently TLS 1.2 and 1.3 are supported.
-If you don't require backward compatibility, you can use the [Mozilla modern profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) profile instead by including the environment variable `SSL_POLICY=Mozilla-Modern` to the nginx-proxy container or to your container. This profile is compatible with clients back to Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57, and Safari 12.1.
+If you don't require backward compatibility, you can use the [Mozilla modern profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) profile instead by including the environment variable `SSL_POLICY=Mozilla-Modern` to the nginx-proxy container or to your container. This profile is compatible with clients back to Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57, and Safari 12.1. Note that this profile is **not** compatible with any version of Internet Explorer.
 > [!NOTE]
 > This profile is **not** compatible with any version of Internet Explorer.
 Complete list of policies available through the `SSL_POLICY` environment variable, including the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) and [AWS Classic ELB security policies](https://docs.aws.amazon.com/fr_fr/elasticloadbalancing/latest/classic/elb-security-policy-table.html):
@ -491,7 +480,6 @@ Complete list of policies available through the `SSL_POLICY` environment variabl
      <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility" target="_blank">
        <code>Mozilla-Old</code>
      </a>
      (this policy should use a 1024 bits DH key for compatibility but this container provides a 4096 bits key. The <a href="#diffie-hellman-groups">Diffie-Hellman Groups</a> section details different methods of bypassing this, either globally or per virtual-host.)
    </li>
  </ul>
 </details>
@ -574,91 +562,54 @@ Complete list of policies available through the `SSL_POLICY` environment variabl
 </details>
 </br>
 Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container provides a 4096 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing this, either globally or per virtual-host.
 The default behavior for the proxy when port 80 and 443 are exposed is as follows:
 - If a virtual host has a usable cert, port 80 will redirect to 443 for that virtual host so that HTTPS is always preferred when available.
- If the virtual host does not have a usable cert, but `default.crt` and `default.key` exist, those will be used as the virtual host's certificate.
+- If the virtual host does not have a usable cert, but `default.crt` and `default.key` exist, those will be used as the virtual host's certificate and the client browser will receive a 500 error.
- If the virtual host does not have a usable cert, and `default.crt` and `default.key` do not exist, or if the virtual host is configured not to trust the default certificate, SSL handshake will be rejected (see [Default and Missing Certificate](#default-and-missing-certificate) below).
+- If the virtual host does not have a usable cert, and `default.crt` and `default.key` do not exist, TLS negotiation will fail (see [Missing Certificate](#missing-certificate) below).
 The redirection from HTTP to HTTPS use by default a [`301`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301) response for every HTTP methods (except `CONNECT` and `TRACE` which are disabled on nginx). If you wish to use a custom redirection response for the `OPTIONS`, `POST`, `PUT`, `PATCH` and `DELETE` HTTP methods, you can either do it globally with the environment variable `NON_GET_REDIRECT` on the proxy container or per virtual host with the `com.github.nginx-proxy.nginx-proxy.non-get-redirect` label on proxied containers. Valid values are [`307`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307) and [`308`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308).
 To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`). You can also disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with `HTTPS_METHOD=nohttps`. `HTTPS_METHOD` can be specified on each container for which you want to override the default behavior or on the proxy container to set it globally. If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS) is disabled to prevent HTTPS users from being redirected by the client. If you cannot get to the HTTP site after changing this setting, your browser has probably cached the HSTS policy and is automatically redirecting you back to HTTPS. You will need to clear your browser's HSTS cache or use an incognito window / different browser.
 By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) is enabled with `max-age=31536000` for HTTPS sites. You can disable HSTS with the environment variable `HSTS=off` or use a custom HSTS configuration like `HSTS=max-age=31536000; includeSubDomains; preload`.
-> [!WARNING]
+_WARNING_: HSTS will force your users to visit the HTTPS version of your site for the `max-age` time - even if they type in `http://` manually. The only way to get to an HTTP site after receiving an HSTS response is to clear your browser's HSTS cache.
 > HSTS will force your users to visit the HTTPS version of your site for the max-age time - even if they type in http:// manually. The only way to get to an HTTP site after receiving an HSTS response is to clear your browser's HSTS cache.
-### Default and Missing Certificate
+### Missing Certificate
-If no matching certificate is found for a given virtual host, nginx-proxy will configure nginx to use the default certificate (`default.crt` with `default.key`).
+If no matching certificate is found for a given virtual host, nginx-proxy will:
-If the default certificate is also missing, nginx-proxy will:
+- configure nginx to use the default certificate (`default.crt` with `default.key`) and return a 500 error for HTTPS,
 - force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`.
  If this switch to HTTP is not wanted set `ENABLE_HTTP_ON_MISSING_CERT=false` (default is `true`).
- force enable HTTP; i.e. `HTTPS_METHOD` will switch to `noredirect` if it was set to `nohttp` or `redirect`. If this switch to HTTP is not wanted set `ENABLE_HTTP_ON_MISSING_CERT=false` (default is `true`).
+If the default certificate is also missing, nginx-proxy will configure nginx to accept HTTPS connections but fail the TLS negotiation. Client browsers will render a TLS error page. As of March 2023, web browsers display the following error messages:
 - configure nginx to reject the SSL handshake for this vhost. Client browsers will render a TLS error page. As of October 2024, web browsers display the following error messages:
-#### Chrome:
+- Chrome:
-> This site can’t be reached
+  > This site can't provide a secure connection
->
+  >
-> The web page at https://example.test/ might be temporarily down or it may have moved permanently to a new web address.
+  > example.test sent an invalid response.
->
+  >
-> `ERR_SSL_UNRECOGNIZED_NAME_ALERT`
+  > Try running Connectivity Diagnostics.
  >
  > `ERR_SSL_PROTOCOL_ERROR`
-#### Firefox:
+- Firefox:
-> Secure Connection Failed
+  > Secure Connection Failed
->
+  >
-> An error occurred during a connection to example.test. SSL peer has no certificate for the requested DNS name.
+  > An error occurred during a connection to example.test.
->
+  > Peer reports it experienced an internal error.
-> Error code: `SSL_ERROR_UNRECOGNIZED_NAME_ALERT`
+  >
->
+  > Error code: `SSL_ERROR_INTERNAL_ERROR_ALERT` "TLS error".
 > - The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
 > - Please contact the website owners to inform them of this problem.
 #### Safari:
 > Safari Can't Open the Page
 >
 > Safari can't open the page "https://example.test" because Safari can't establish a secure connection to the server "example.test".
 > [!NOTE]
 > Prior to version `1.7`, nginx-proxy never trusted the default certificate: when the default certificate was present, virtual hosts that did not have a usable per-virtual-host cert used the default cert but always returned a 500 error over HTTPS. If you want to restore this behaviour, you can do it globally by setting the enviroment variable `TRUST_DEFAULT_CERT` to `false` on the proxy container, or per-virtual-host by setting the label `com.github.nginx-proxy.nginx-proxy.trust-default-cert`to `false` on a proxied container.
 ### Certificate selection
 Summarizing all the above informations, nginx-proxy will select the certificate for a given virtual host using the following sequence:
 1. if `CERT_NAME` is used, nginx-proxy will use the corresponding certificate if it exists (eg `foor.bar.com` → `CERT_NAME.crt`), or disable HTTPS for this virtual host if it does not. See [SAN certificates](#san-certificates).
 2. if a certificate exactly matching the virtual host hostname exist, nginx-proxy will use it (eg `foo.bar.com` → `foo.bar.com.crt`).
 3. if the virtual host hostname is a subdomain (eg `foo.bar.com` but not `bar.com`) and a certificate exactly matching its parent domain exist , nginx-proxy will use it (eg `foor.bar.com` → `bar.com.crt`). See [wildcard certificates](#wildcard-certificates).
 4. if the default certificate (`default.crt`) exist and is trusted, nginx-proxy will use it (eg `foor.bar.com` → `default.crt`). See [default and missing certificate](#default-and-missing-certificate).
 5. if the default certificate does not exist or isn't trusted, nginx-proxy will disable HTTPS for this virtual host (eg `foor.bar.com` → no HTTPS).
 > [!IMPORTANT]
 > Using `CERT_NAME` take precedence over the certificate selection process, meaning nginx-proxy will not auto select a correct certificate in step 2 trough 5 if `CERT_NAME` was used with an incorrect value or without corresponding certificate.
 > [!NOTE]
 > In all the above cases, if a private key file corresponding to the selected certificate (eg `foo.bar.com.key` for the `foor.bar.com.crt` certificate) does not exist, HTTPS will be disabled for this virtual host.
 ⬆️ [back to table of contents](#table-of-contents)
 ## IPv6 Support
-### IPv6 Docker Networks
+You can activate the IPv6 support for the nginx-proxy container by passing the value `true` to the `ENABLE_IPV6` environment variable:
 nginx-proxy support both IPv4 and IPv6 on Docker networks.
 By default nginx-proxy will prefer IPv4: if a container can be reached over both IPv4 and IPv6, only its IPv4 will be used.
 This can be changed globally by setting the environment variable `PREFER_IPV6_NETWORK` to `true` on the proxy container: with this setting the proxy will only use IPv6 for containers that can be reached over both IPv4 and IPv6.
 IPv4 and IPv6 are never both used at the same time on containers that use both IP stacks to avoid artificially inflating the effective round robin weight of those containers.
 ### Listening on IPv6
 By default the nginx-proxy container will only listen on IPv4. To enable listening on IPv6 too, set the `ENABLE_IPV6` environment variable to `true`:
 ```console
 docker run -d -p 80:80 -e ENABLE_IPV6=true -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy
@ -688,7 +639,7 @@ More reading on the potential TCP head-of-line blocking issue with HTTP/2: [HTTP
 ### HTTP/3 support
-> [!WARNING]
+> **Warning**
 > HTTP/3 support [is still considered experimental in nginx](https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/) and as such is considered experimental in nginx-proxy too and is disabled by default. [Feedbacks for the HTTP/3 support are welcome in #2271.](https://github.com/nginx-proxy/nginx-proxy/discussions/2271)
 HTTP/3 use the QUIC protocol over UDP (unlike HTTP/1.1 and HTTP/2 which work over TCP), so if you want to use HTTP/3 you'll have to explicitely publish the 443/udp port of the proxy in addition to the 443/tcp port:
@ -740,7 +691,7 @@ If you need to configure Nginx beyond what is possible using environment variabl
 If you want to replace the default proxy settings for the nginx container, add a configuration file at `/etc/nginx/proxy.conf`. A file with the default settings would look like this:
-```nginx
+```Nginx
 # HTTP 1.1 support
 proxy_http_version 1.1;
 proxy_set_header Host $http_host;
@ -758,8 +709,7 @@ proxy_set_header X-Original-URI $request_uri;
 proxy_set_header Proxy "";
 ```
-> [!IMPORTANT]
+**_NOTE_**: If you provide this file it will replace the defaults; you may want to check the [nginx.tmpl](https://github.com/nginx-proxy/nginx-proxy/blob/main/nginx.tmpl) file to make sure you have all of the needed options.
 > If you provide this file it will replace the defaults; you may want to check the [nginx.tmpl](https://github.com/nginx-proxy/nginx-proxy/blob/main/nginx.tmpl) file to make sure you have all of the needed options.
 ### Proxy-wide
@ -775,227 +725,57 @@ RUN { \
    } > /etc/nginx/conf.d/my_proxy.conf
 ```
-Or it can be done by mounting in your custom configuration in your `docker run` command or your Docker Compose file:
+Or it can be done by mounting in your custom configuration in your `docker run` command:
 ```nginx
 # content of the my_proxy.conf file
 server_tokens off;
 client_max_body_size 100m;
 ```
 <details>
  <summary>Docker CLI</summary>
 ```console
-docker run --detach \
+docker run -d -p 80:80 -p 443:443 -v /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy
  --name nginx-proxy \
  --publish 80:80 \
  --publish 443:443 \
  --volume /var/run/docker.sock:/tmp/docker.sock:ro \
  --volume /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro \
  nginxproxy/nginx-proxy
 ```
 </details>
 <details>
  <summary>Docker Compose file</summary>
 ```yaml
 services:
  proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /path/to/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro
 ```
 </details>
 ### Per-VIRTUAL_HOST
-To add settings on a per-`VIRTUAL_HOST` basis, add your configuration file under `/etc/nginx/vhost.d`. Unlike in the proxy-wide case, which allows multiple config files with any name ending in `.conf`, the per-`VIRTUAL_HOST` file must be named exactly after the `VIRTUAL_HOST`, or if `VIRTUAL_HOST` is a regex, after the sha1 hash of the regex.
+To add settings on a per-`VIRTUAL_HOST` basis, add your configuration file under `/etc/nginx/vhost.d`. Unlike in the proxy-wide case, which allows multiple config files with any name ending in `.conf`, the per-`VIRTUAL_HOST` file must be named exactly after the `VIRTUAL_HOST`.
 In order to allow virtual hosts to be dynamically configured as backends are added and removed, it makes the most sense to mount an external directory as `/etc/nginx/vhost.d` as opposed to using derived images or mounting individual configuration files.
 For example, if you have a virtual host named `app.example.com`, you could provide a custom configuration for that host as follows:
-1. create your virtual host config file:
+```console
-
+docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy
-```nginx
+{ echo 'server_tokens off;'; echo 'client_max_body_size 100m;'; } > /path/to/vhost.d/app.example.com
 # content of the custom-vhost-config.conf file
 client_max_body_size 100m;
 ```
-2. mount it to `/etc/nginx/vhost.d/app.example.com`:
+If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname. If you would like to use the same configuration for multiple virtual host names, you can use a symlink:
 <details>
  <summary>Docker CLI</summary>
 ```console
-docker run --detach \
+{ echo 'server_tokens off;'; echo 'client_max_body_size 100m;'; } > /path/to/vhost.d/www.example.com
-  --name nginx-proxy \
+ln -s /path/to/vhost.d/www.example.com /path/to/vhost.d/example.com
  --publish 80:80 \
  --publish 443:443 \
  --volume /var/run/docker.sock:/tmp/docker.sock:ro \
  --volume /path/to/custom-vhost-config.conf:/etc/nginx/vhost.d/app.example.com:ro \
  nginxproxy/nginx-proxy
 ```
 </details>
 <details>
  <summary>Docker Compose file</summary>
 ```yaml
 services:
  proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /path/to/custom-vhost-config.conf:/etc/nginx/vhost.d/app.example.com:ro
 ```
 </details>
 If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname:
 <details>
  <summary>Docker CLI</summary>
 ```console
 docker run --detach \
  --name nginx-proxy \
  --publish 80:80 \
  --publish 443:443 \
  --volume /path/to/custom-vhost-config.conf:/etc/nginx/vhost.d/example.com:ro \
  --volume /path/to/custom-vhost-config.conf:/etc/nginx/vhost.d/www.example.com:ro \
  --volume /var/run/docker.sock:/tmp/docker.sock:ro \
  nginxproxy/nginx-proxy
 ```
 </details>
 <details>
  <summary>Docker Compose file</summary>
 ```yaml
 services:
  proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /path/to/custom-vhost-config.conf:/etc/nginx/vhost.d/example.com:ro
      - /path/to/custom-vhost-config.conf:/etc/nginx/vhost.d/www.example.com:ro
 ```
 </details>
 ### Per-VIRTUAL_HOST default configuration
-If you want most of your virtual hosts to use a default single configuration and then override on a few specific ones, add those settings to the `/etc/nginx/vhost.d/default` file. This file will be used on any virtual host which does not have a [per-VIRTUAL_HOST file](#per-virtual_host) associated with it.
+If you want most of your virtual hosts to use a default single configuration and then override on a few specific ones, add those settings to the `/etc/nginx/vhost.d/default` file. This file will be used on any virtual host which does not have a `/etc/nginx/vhost.d/{VIRTUAL_HOST}` file associated with it.
 ### Per-VIRTUAL_HOST location configuration
-To add settings to the "location" block on a per-`VIRTUAL_HOST` basis, add your configuration file under `/etc/nginx/vhost.d` just like the per-`VIRTUAL_HOST` section except with the suffix `_location` (like this section, if your `VIRTUAl_HOST` is a regex, use the sha1 hash of the regex instead, with the suffix `_location` appended).
+To add settings to the "location" block on a per-`VIRTUAL_HOST` basis, add your configuration file under `/etc/nginx/vhost.d` just like the previous section except with the suffix `_location`.
 For example, if you have a virtual host named `app.example.com` and you have configured a proxy_cache `my-cache` in another custom file, you could tell it to use a proxy cache as follows:
-1. create your virtual host location config file:
+```console
-
+docker run -d -p 80:80 -p 443:443 -v /path/to/vhost.d:/etc/nginx/vhost.d:ro -v /var/run/docker.sock:/tmp/docker.sock:ro nginxproxy/nginx-proxy
-```nginx
+{ echo 'proxy_cache my-cache;'; echo 'proxy_cache_valid  200 302  60m;'; echo 'proxy_cache_valid  404 1m;' } > /path/to/vhost.d/app.example.com_location
 # content of the custom-vhost-location-config.conf file
 proxy_cache my-cache;
 proxy_cache_valid 200 302 60m;
 proxy_cache_valid 404 1m;
 ```
-2. mount it to `/etc/nginx/vhost.d/app.example.com_location`:
+If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname. If you would like to use the same configuration for multiple virtual host names, you can use a symlink:
 <details>
  <summary>Docker CLI</summary>
 ```console
-docker run --detach \
+{ echo 'proxy_cache my-cache;'; echo 'proxy_cache_valid  200 302  60m;'; echo 'proxy_cache_valid  404 1m;' } > /path/to/vhost.d/app.example.com_location
-  --name nginx-proxy \
+ln -s /path/to/vhost.d/www.example.com /path/to/vhost.d/example.com
  --publish 80:80 \
  --publish 443:443 \
  --volume /var/run/docker.sock:/tmp/docker.sock:ro \
  --volume /path/to/custom-vhost-location-config.conf:/etc/nginx/vhost.d/app.example.com_location:ro \
  nginxproxy/nginx-proxy
 ```
 </details>
 <details>
  <summary>Docker Compose file</summary>
 ```yaml
 services:
  proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /path/to/custom-vhost-location-config.conf:/etc/nginx/vhost.d/app.example.com_location:ro
 ```
 </details>
 If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=example.com,www.example.com`), the virtual host configuration file must exist for each hostname:
 <details>
  <summary>Docker CLI</summary>
 ```console
 docker run --detach \
  --name nginx-proxy \
  --publish 80:80 \
  --publish 443:443 \
  --volume /var/run/docker.sock:/tmp/docker.sock:ro \
  --volume /path/to/custom-vhost-location-config.conf:/etc/nginx/vhost.d/example.com_location:ro \
  --volume /path/to/custom-vhost-location-config.conf:/etc/nginx/vhost.d/www.example.com_location:ro \
  nginxproxy/nginx-proxy
 ```
 </details>
 <details>
  <summary>Docker Compose file</summary>
 ```yaml
 services:
  proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /path/to/custom-vhost-location-config.conf:/etc/nginx/vhost.d/example.com_location:ro
      - /path/to/custom-vhost-location-config.conf:/etc/nginx/vhost.d/www.example.com_location:ro
 ```
 </details>
 ### Per-VIRTUAL_HOST location default configuration
-If you want most of your virtual hosts to use a default single `location` block configuration and then override on a few specific ones, add those settings to the `/etc/nginx/vhost.d/default_location` file. This file will be used on any virtual host which does not have a [Per-VIRTUAL_HOST location file](#per-virtual_host-location-configuration) associated with it.
+If you want most of your virtual hosts to use a default single `location` block configuration and then override on a few specific ones, add those settings to the `/etc/nginx/vhost.d/default_location` file. This file will be used on any virtual host which does not have a `/etc/nginx/vhost.d/{VIRTUAL_HOST}_location` file associated with it.
 ### Overriding `location` blocks
@ -1005,7 +785,7 @@ The `${VIRTUAL_HOST}_${PATH_HASH}_location`, `${VIRTUAL_HOST}_location`, and `de
 /etc/nginx/vhost.d/${VIRTUAL_HOST}_${PATH_HASH}_location_override
 ```
-where `${VIRTUAL_HOST}` is the name of the virtual host (the `VIRTUAL_HOST` environment variable), or the sha1 hash of `VIRTUAL_HOST` when it's a regex, and `${PATH_HASH}` is the SHA-1 hash of the path, as [described above](#per-virtual_path-location-configuration).
+where `${VIRTUAL_HOST}` is the name of the virtual host (the `VIRTUAL_HOST` environment variable) and `${PATH_HASH}` is the SHA-1 hash of the path, as [described above](#per-virtual_path-location-configuration).
 For convenience, the `_${PATH_HASH}` part can be omitted if the path is `/`:
@ -1017,7 +797,7 @@ When an override file exists, the `location` block that is normally created by `
 You are responsible for providing a suitable `location` block in your override file as required for your service. By default, `nginx-proxy` uses the `VIRTUAL_HOST` name as the upstream name for your application's Docker container; see [here](#unhashed-vs-sha1-upstream-names) for details. As an example, if your container has a `VIRTUAL_HOST` value of `app.example.com`, then to override the location block for `/` you would create a file named `/etc/nginx/vhost.d/app.example.com_location_override` that contains something like this:
-```nginx
+```
 location / {
    proxy_pass http://app.example.com;
 }
@ -1040,8 +820,7 @@ docker run --detach \
    nginxproxy/nginx-proxy
 ```
-> [!NOTE]
+Note that this will not replace your own services error pages.
 > This will not replace your own services error pages.
 ⬆️ [back to table of contents](#table-of-contents)
@ -1096,8 +875,7 @@ docker run --detach \
    nginxproxy/nginx-proxy
 ```
-> [!NOTE]
+Please note that TCP and UDP stream are not core features of nginx-proxy, so the above is provided as an example only, without any guarantee.
 > TCP and UDP stream are not core features of nginx-proxy, so the above is provided as an example only, without any guarantee.
 ⬆️ [back to table of contents](#table-of-contents)
@ -1105,8 +883,7 @@ docker run --detach \
 By default the nginx configuration `upstream` blocks will use this block's corresponding hostname as a predictable name. However, this can cause issues in some setups (see [this issue](https://github.com/nginx-proxy/nginx-proxy/issues/1162)). In those cases you might want to switch to SHA1 names for the `upstream` blocks by setting the `SHA1_UPSTREAM_NAME` environment variable to `true` on the nginx-proxy container.
-> [!NOTE]
+Please note that using regular expressions in `VIRTUAL_HOST` will always result in a corresponding `upstream` block with an SHA1 name.
 > Using regular expressions in `VIRTUAL_HOST` will always result in a corresponding `upstream` block with an SHA1 name.
 ⬆️ [back to table of contents](#table-of-contents)
@ -1157,6 +934,8 @@ docker run -e VIRTUAL_HOST=foo.bar.com  ...
 ## Docker Compose
 ```yaml
 version: "2"
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
@ -1197,7 +976,7 @@ docker exec <nginx-proxy-instance> nginx -T
 Pay attention to the `upstream` definition blocks, which should look like this:
-```nginx
+```Nginx
 # foo.example.com
 upstream foo.example.com {
 	## Can be connected with "my_network" network
@ -1217,114 +996,6 @@ The effective `Port` is retrieved by order of precedence:
 1. From the container's exposed port if there is only one
 1. From the default port 80 when none of the above methods apply
 ### Debug endpoint
 The debug endpoint can be enabled:
 - globally by setting the `DEBUG_ENDPOINT` environment variable to `true` on the nginx-proxy container.
 - per container by setting the `com.github.nginx-proxy.nginx-proxy.debug-endpoint` label to `true` on a proxied container.
 Enabling it will expose the endpoint at `<your.domain.tld>/nginx-proxy-debug`.
 Querying the debug endpoint will show the global config, along with the virtual host and per path configs in JSON format.
 ```yaml
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    ports:
      - "80:80"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      DEBUG_ENDPOINT: "true"
  test:
    image: nginx
    environment:
      VIRTUAL_HOST: test.nginx-proxy.tld
 ```
 (on the CLI, using [`jq`](https://jqlang.github.io/jq/) to format the output of `curl` is recommended)
 ```console
 curl -s -H "Host: test.nginx-proxy.tld" localhost/nginx-proxy-debug | jq
 ```
 ```json
 {
  "global": {
    "acme_http_challenge": "true",
    "default_cert_ok": false,
    "default_host": null,
    "default_root_response": "404",
    "enable_access_log": true,
    "enable_debug_endpoint": "true",
    "enable_http2": "true",
    "enable_http3": "false",
    "enable_http_on_missing_cert": "true",
    "enable_ipv6": false,
    "enable_json_logs": false,
    "external_http_port": "80",
    "external_https_port": "443",
    "hsts": "max-age=31536000",
    "https_method": "redirect",
    "log_format": null,
    "log_format_escape": null,
    "nginx_proxy_version": "1.6.3",
    "resolvers": "127.0.0.11",
    "sha1_upstream_name": false,
    "ssl_policy": "Mozilla-Intermediate",
    "trust_downstream_proxy": true
  },
  "request": {
    "host": "test.nginx-proxy.tld",
    "http2": "",
    "http3": "",
    "https": "",
    "ssl_cipher": "",
    "ssl_protocol": ""
  },
  "vhost": {
    "acme_http_challenge_enabled": true,
    "acme_http_challenge_legacy": false,
    "cert": "",
    "cert_ok": false,
    "default": false,
    "enable_debug_endpoint": true,
    "hostname": "test.nginx-proxy.tld",
    "hsts": "max-age=31536000",
    "http2_enabled": true,
    "http3_enabled": false,
    "https_method": "noredirect",
    "is_regexp": false,
    "paths": {
      "/": {
        "dest": "",
        "keepalive": "disabled",
        "network_tag": "external",
        "ports": {
          "legacy": [
            {
              "Name": "wip-test-1"
            }
          ]
        },
        "proto": "http",
        "upstream": "test.nginx-proxy.tld"
      }
    },
    "server_tokens": "",
    "ssl_policy": "",
    "upstream_name": "test.nginx-proxy.tld",
    "vhost_root": "/var/www/public"
  }
 }
 ```
 > [!WARNING]
 > Please be aware that the debug endpoint work by rendering the JSON response straight to the nginx configuration in plaintext. nginx has an upper limit on the size of the configuration files it can parse, so only activate it when needed, and preferably on a per container basis if your setup has a large number of virtual hosts.
 ⬆️ [back to table of contents](#table-of-contents)
 ## Contributing
--- a/nginx.tmpl
+++ b/nginx.tmpl
@ -1,47 +1,25 @@
 # nginx-proxy{{ if $.Env.NGINX_PROXY_VERSION }} version : {{ $.Env.NGINX_PROXY_VERSION }}{{ end }}
 {{- /*
-     * Global values. Values are stored in this map rather than in individual
+     * Global values.  Values are stored in this map rather than in individual
     * global variables so that the values can be easily passed to embedded
-     * templates (Go templates cannot access variables outside of their own
+     * templates.  (Go templates cannot access variables outside of their own
-     * scope) and displayed in the debug endpoint output.
+     * scope.)
     */}}
 {{- $globals := dict }}
 {{- $_ := set $globals "containers" $ }}
 {{- $_ := set $globals "Env" $.Env }}
 {{- $_ := set $globals "Docker" $.Docker }}
 {{- $_ := set $globals "CurrentContainer" (where $globals.containers "ID" $globals.Docker.CurrentContainerID | first) }}
-
+{{- $_ := set $globals "default_cert_ok" (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
-{{- $config := dict }}
+{{- $_ := set $globals "external_http_port" (coalesce $globals.Env.HTTP_PORT "80") }}
-{{- $_ := set $config "nginx_proxy_version" $.Env.NGINX_PROXY_VERSION }}
+{{- $_ := set $globals "external_https_port" (coalesce $globals.Env.HTTPS_PORT "443") }}
-{{- $_ := set $config "default_cert_ok" (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
+{{- $_ := set $globals "sha1_upstream_name" (parseBool (coalesce $globals.Env.SHA1_UPSTREAM_NAME "false")) }}
-{{- $_ := set $config "external_http_port" ($globals.Env.HTTP_PORT | default "80") }}
+{{- $_ := set $globals "default_root_response" (coalesce $globals.Env.DEFAULT_ROOT "404") }}
-{{- $_ := set $config "external_https_port" ($globals.Env.HTTPS_PORT | default "443") }}
+{{- $_ := set $globals "trust_downstream_proxy" (parseBool (coalesce $globals.Env.TRUST_DOWNSTREAM_PROXY "true")) }}
-{{- $_ := set $config "sha1_upstream_name" ($globals.Env.SHA1_UPSTREAM_NAME | default "false" | parseBool) }}
+{{- $_ := set $globals "access_log" (or (and (not $globals.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }}
-{{- $_ := set $config "default_root_response" ($globals.Env.DEFAULT_ROOT | default "404") }}
+{{- $_ := set $globals "enable_ipv6" (parseBool (coalesce $globals.Env.ENABLE_IPV6 "false")) }}
-{{- $_ := set $config "trust_default_cert" ($globals.Env.TRUST_DEFAULT_CERT | default "true") }}
+{{- $_ := set $globals "ssl_policy" (or ($globals.Env.SSL_POLICY) "Mozilla-Intermediate") }}
 {{- $_ := set $config "trust_downstream_proxy" ($globals.Env.TRUST_DOWNSTREAM_PROXY | default "true" | parseBool) }}
 {{- $_ := set $config "enable_access_log" ($globals.Env.DISABLE_ACCESS_LOGS | default "false" | parseBool | not) }}
 {{- $_ := set $config "enable_ipv6" ($globals.Env.ENABLE_IPV6 | default "false" | parseBool) }}
 {{- $_ := set $config "prefer_ipv6_network" ($globals.Env.PREFER_IPV6_NETWORK | default "false" | parseBool) }}
 {{- $_ := set $config "ssl_policy" ($globals.Env.SSL_POLICY | default "Mozilla-Intermediate") }}
 {{- $_ := set $config "enable_debug_endpoint" ($globals.Env.DEBUG_ENDPOINT | default "false") }}
 {{- $_ := set $config "hsts" ($globals.Env.HSTS | default "max-age=31536000") }}
 {{- $_ := set $config "acme_http_challenge" ($globals.Env.ACME_HTTP_CHALLENGE_LOCATION | default "true") }}
 {{- $_ := set $config "enable_http2" ($globals.Env.ENABLE_HTTP2 | default "true") }}
 {{- $_ := set $config "enable_http3" ($globals.Env.ENABLE_HTTP3 | default "false") }}
 {{- $_ := set $config "enable_http_on_missing_cert" ($globals.Env.ENABLE_HTTP_ON_MISSING_CERT | default "true") }}
 {{- $_ := set $config "https_method" ($globals.Env.HTTPS_METHOD | default "redirect") }}
 {{- $_ := set $config "non_get_redirect" ($globals.Env.NON_GET_REDIRECT | default "301") }}
 {{- $_ := set $config "default_host" $globals.Env.DEFAULT_HOST }}
 {{- $_ := set $config "resolvers" $globals.Env.RESOLVERS }}
 {{- /* LOG_JSON is a shorthand that sets logging defaults to JSON format */}}
 {{- $_ := set $config "enable_json_logs" ($globals.Env.LOG_JSON | default "false" | parseBool) }}
 {{- $_ := set $config "log_format" $globals.Env.LOG_FORMAT }}
 {{- $_ := set $config "log_format_escape" $globals.Env.LOG_FORMAT_ESCAPE }}
 {{- $_ := set $globals "config" $config }}
 {{- $_ := set $globals "vhosts" (dict) }}
 {{- $_ := set $globals "networks" (dict) }}
 # Networks available to the container running docker-gen (which are assumed to
@ -78,8 +56,7 @@
     * The return value will be added to the dot dict with key "ip".
     */}}
 {{- define "container_ip" }}
-    {{- $ipv4 := "" }}
+    {{- $ip := "" }}
    {{- $ipv6 := "" }}
    #     networks:
    {{- range sortObjectsByKeysAsc $.container.Networks "Name" }}
        {{- /*
@ -94,17 +71,17 @@
            {{- /* Handle containers in host nework mode */}}
            {{- if (index $.globals.networks "host") }}
    #         both container and proxy are in host network mode, using localhost IP
-                {{- $ipv4 = "127.0.0.1" }}
+                {{- $ip = "127.0.0.1" }}
                {{- continue }}
            {{- end }}
            {{- range sortObjectsByKeysAsc $.globals.CurrentContainer.Networks "Name" }}
                {{- if and . .Gateway (not .Internal) }}
    #         container is in host network mode, using {{ .Name }} gateway IP
-                    {{- $ipv4 = .Gateway }}
+                    {{- $ip = .Gateway }}
                    {{- break }}
                {{- end }}
            {{- end }}
-            {{- if $ipv4 }}
+            {{- if $ip }}
                {{- continue }}
            {{- end }}
        {{- end }}
@ -114,41 +91,26 @@
        {{- end }}
        {{- /*
             * Do not emit multiple `server` directives for this container if it
-             * is reachable over multiple networks or multiple IP stacks. This avoids 
+             * is reachable over multiple networks.  This avoids accidentally
-             * accidentally inflating the effective round-robin weight of a server due
+             * inflating the effective round-robin weight of a server due to the
-             * to the redundant upstream addresses that nginx sees as belonging to
+             * redundant upstream addresses that nginx sees as belonging to
             * distinct servers.
             */}}
-        {{- if or $ipv4 $ipv6 }}
+        {{- if $ip }}
    #         {{ .Name }} (ignored; reachable but redundant)
            {{- continue }}
        {{- end }}
    #         {{ .Name }} (reachable)
        {{- if and . .IP }}
-            {{- $ipv4 = .IP }}
+            {{- $ip = .IP }}
-        {{- end }}
+        {{- else }}
-        {{- if and . .GlobalIPv6Address }}
+    #             /!\ No IP for this network!
            {{- $ipv6 = .GlobalIPv6Address }}
        {{- end }}
        {{- if and (empty $ipv4) (empty $ipv6) }}
    #             /!\ No IPv4 or IPv6 for this network!
        {{- end }}
    {{- else }}
    #         (none)
    {{- end }}
-    {{ if and $ipv6 $.globals.config.prefer_ipv6_network }}
+    #     IP address: {{ if $ip }}{{ $ip }}{{ else }}(none usable){{ end }}
-    #     IPv4 address: {{ if $ipv4 }}{{ $ipv4 }} (ignored; reachable but IPv6 prefered){{ else }}(none usable){{ end }}
+    {{- $_ := set $ "ip" $ip }}
    #     IPv6 address: {{ $ipv6 }}
        {{- $_ := set $ "ip" (printf "[%s]" $ipv6) }}
    {{- else }}
    #     IPv4 address: {{ if $ipv4 }}{{ $ipv4 }}{{ else }}(none usable){{ end }}
    #     IPv6 address: {{ if $ipv6 }}{{ $ipv6 }}{{ if $ipv4 }} (ignored; reachable but IPv4 prefered){{ end }}{{ else }}(none usable){{ end }}
        {{- if $ipv4 }}
            {{- $_ := set $ "ip" $ipv4 }}
        {{- else if $ipv6}}
            {{- $_ := set $ "ip" (printf "[%s]" $ipv6) }}
        {{- end }}
    {{- end }}
 {{- end }}
 {{- /*
@ -166,7 +128,7 @@
    #     exposed ports (first ten):{{ range $index, $address := (sortObjectsByKeysAsc $.container.Addresses "Port") }}{{ if lt $index 10 }} {{ $address.Port }}/{{ $address.Proto }}{{ end }}{{ else }} (none){{ end }}
    {{- $default_port := when (eq (len $.container.Addresses) 1) (first $.container.Addresses).Port "80" }}
    #     default port: {{ $default_port }}
-    {{- $port := eq $.port "default" | ternary $default_port $.port }}
+    {{- $port := when (eq $.port "default") $default_port (when (eq $.port "legacy") (or $.container.Env.VIRTUAL_PORT $default_port) $.port) }}
    #     using port: {{ $port }}
    {{- $addr_obj := where $.container.Addresses "Port" $port | first }}
    {{- if and $addr_obj $addr_obj.HostPort }}
@ -193,7 +155,7 @@
    ssl_prefer_server_ciphers off;
    {{- else if eq .ssl_policy "Mozilla-Old" }}
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0';
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-TLS13-1-3-2021-06" }}
    ssl_protocols TLSv1.3;
@ -222,11 +184,11 @@
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-TLS13-1-1-2021-06" }}
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-TLS13-1-0-2021-06" }}
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-FS-1-2-Res-2020-10" }}
    ssl_protocols TLSv1.2;
@ -242,11 +204,11 @@
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-FS-1-1-2019-08" }}
    ssl_protocols TLSv1.1 TLSv1.2;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:@SECLEVEL=0';
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-FS-2018-06" }}
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:@SECLEVEL=0';
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA';
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-TLS-1-2-Ext-2018-06" }}
    ssl_protocols TLSv1.2;
@ -258,23 +220,23 @@
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-TLS-1-1-2017-01" }}
    ssl_protocols TLSv1.1 TLSv1.2;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-2016-08" }}
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:@SECLEVEL=0';
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-2015-05" }}
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA:@SECLEVEL=0';
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-2015-03" }}
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:@SECLEVEL=0';
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    {{- else if eq .ssl_policy "AWS-2015-02" }}
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:@SECLEVEL=0';
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
    ssl_prefer_server_ciphers on;
    {{- end }}
 {{- end }}
@ -327,7 +289,7 @@
        auth_basic "Restricted {{ .Host }}{{ .Path }}";
        auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s_%s" .Host (sha1 .Path)) }};
        {{- else if (exists (printf "/etc/nginx/htpasswd/%s" .Host)) }}
-        auth_basic "Restricted {{ .HostIsRegexp | ternary "access" .Host }}";
+        auth_basic "Restricted {{ .Host }}";
        auth_basic_user_file {{ (printf "/etc/nginx/htpasswd/%s" .Host) }};
        {{- end }}
@ -382,76 +344,22 @@ upstream {{ $vpath.upstream }} {
 }
 {{- end }}
 {{- /* debug "endpoint" location template */}}
 {{- define "debug_location" }}
    {{- $debug_paths := dict }}
    {{- range $path, $vpath := .VHost.paths }}
        {{- $tmp_ports := dict }}
        {{- range $port, $containers := $vpath.ports }}
            {{- $tmp_containers := list }}
            {{- range $container := $containers }}
                {{- $tmp_containers = dict "Name" $container.Name | append $tmp_containers }}
            {{- end }}
            {{- $_ := set $tmp_ports $port $tmp_containers }}
        {{- end }}
        {{- $debug_vpath := deepCopy $vpath | merge (dict "ports" $tmp_ports) }}
        {{- $_ := set $debug_paths $path $debug_vpath }}
    {{- end }}
    {{- $debug_vhost := deepCopy .VHost }}
    {{- /* If it's a regexp, do not render the Hostname to the response to avoid rendering config breaking characters */}}
    {{- $_ := set $debug_vhost "hostname" (.VHost.is_regexp | ternary "Hostname is a regexp and unsafe to include in the debug response." .Hostname) }}
    {{- $_ := set $debug_vhost "paths" $debug_paths }}
    {{- $debug_response := dict
        "global" .GlobalConfig
        "request" (dict
            "host" "$host"
            "https" "$https"
            "http2" "$http2"
            "http3" "$http3"
            "ssl_cipher" "$ssl_cipher"
            "ssl_protocol" "$ssl_protocol"
        )
        "vhost" $debug_vhost
    }}
    {{- /*
         * The maximum line length in an nginx config is 4096 characters.
         * If we're nearing this limit (with headroom for the rest
         * of the directive), strip vhost.paths from the response.
         */}}
    {{- if gt (toJson $debug_response | len) 4000 }}
        {{- $_ := unset $debug_vhost "paths" }}
        {{- $_ := set $debug_response "warning" "Virtual paths configuration for this hostname is too large and has been stripped from response." }}
    {{- end }}
    location  /nginx-proxy-debug {
        default_type application/json;
        return 200 '{{ toJson $debug_response }}{{ "\\n" }}';
    }
 {{- end }}
 {{- define "access_log" }}
    {{- when .Enable "access_log /var/log/nginx/access.log vhost;" "" }}
 {{- end }}
 # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
 # scheme used to connect to this server
 map $http_x_forwarded_proto $proxy_x_forwarded_proto {
-    default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_proto{{ else }}$scheme{{ end }};
+    default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_proto{{ else }}$scheme{{ end }};
    '' $scheme;
 }
 map $http_x_forwarded_host $proxy_x_forwarded_host {
-    default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$host{{ end }};
+    default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_host{{ else }}$host{{ end }};
    '' $host;
 }
 # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
 # server port the client connected to
 map $http_x_forwarded_port $proxy_x_forwarded_port {
-    default {{ if $globals.config.trust_downstream_proxy }}$http_x_forwarded_port{{ else }}$server_port{{ end }};
+    default {{ if $globals.trust_downstream_proxy }}$http_x_forwarded_port{{ else }}$server_port{{ end }};
    '' $server_port;
 }
@ -512,38 +420,27 @@ gzip_types text/plain text/css application/javascript application/json applicati
     * LOG_FORMAT_ESCAPE sets the escape part of the log format
     * LOG_FORMAT        sets the log format
     */}}
-{{- $logEscape := $globals.config.log_format_escape | default "default" | printf "escape=%s" }}
+{{- $logEscape := printf "escape=%s" (or $globals.Env.LOG_FORMAT_ESCAPE "default") }}
-{{- $logFormat := $globals.config.log_format | default `$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"` }}
+{{- $logFormat := or $globals.Env.LOG_FORMAT `$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"` }}
-{{- if $globals.config.enable_json_logs }}
+{{- if parseBool (or $globals.Env.LOG_JSON "false") }}
    {{- /* LOG_JSON is a shorthand
        * that sets logging defaults to JSON format
        */}}
 # JSON Logging enabled (via LOG_JSON env variable)
-    {{- $logEscape = $globals.config.log_format_escape | default "json" | printf "escape=%s" }}
+    {{- $logEscape = printf "escape=%s" (or $globals.Env.LOG_FORMAT_ESCAPE "json") }}
-    {{- $logFormat = $globals.config.log_format | default `{"time_local":"$time_iso8601","client_ip":"$http_x_forwarded_for","remote_addr":"$remote_addr","request":"$request","status":"$status","body_bytes_sent":"$body_bytes_sent","request_time":"$request_time","upstream_response_time":"$upstream_response_time","upstream_addr":"$upstream_addr","http_referrer":"$http_referer","http_user_agent":"$http_user_agent","request_id":"$request_id"}` }}
+    {{- $logFormat = or $globals.Env.LOG_FORMAT `{"time_local":"$time_iso8601","client_ip":"$http_x_forwarded_for","remote_addr":"$remote_addr","request":"$request","status":"$status","body_bytes_sent":"$body_bytes_sent","request_time":"$request_time","upstream_response_time":"$upstream_response_time","upstream_addr":"$upstream_addr","http_referrer":"$http_referer","http_user_agent":"$http_user_agent","request_id":"$request_id"}` }}
 {{- end }}
-log_format vhost {{ $logEscape }} '{{ $logFormat }}';
+log_format vhost {{ $logEscape }} '{{ or $globals.Env.LOG_FORMAT $logFormat }}';
 access_log off;
-{{- /* Lower the SSL policy of the http context
+{{- template "ssl_policy" (dict "ssl_policy" $globals.ssl_policy) }}
    * if at least one vhost use a TLSv1 or TLSv1.1 policy
    * so TLSv1 and TLSv1.1 can be enabled on those vhosts
    */}}
 {{- $httpContextSslPolicy := $globals.config.ssl_policy }}
 {{- $inUseSslPolicies := groupByKeys $globals.containers "Env.SSL_POLICY" }}
 {{- range $tls1Policy := list "AWS-TLS13-1-1-2021-06" "AWS-TLS13-1-0-2021-06" "AWS-FS-1-1-2019-08" "AWS-FS-2018-06" "AWS-TLS-1-1-2017-01" "AWS-2016-08" "AWS-2015-05" "AWS-2015-03" "AWS-2015-02" "Mozilla-Old" }}
    {{- if has $tls1Policy $inUseSslPolicies }}
 # Using Mozilla-Old SSL policy on the http context to allow TLSv1 and TLSv1.1
        {{- $httpContextSslPolicy = "Mozilla-Old" }}
        {{- break }}
    {{- end }}
 {{- end }}
 {{- template "ssl_policy" (dict "ssl_policy" $httpContextSslPolicy) }}
 error_log /dev/stderr;
-{{- if $globals.config.resolvers }}
+{{- if $globals.Env.RESOLVERS }}
-resolver {{ $globals.config.resolvers }};
+resolver {{ $globals.Env.RESOLVERS }};
 {{- end }}
 {{- if (exists "/etc/nginx/proxy.conf") }}
@ -581,8 +478,8 @@ proxy_set_header Proxy "";
    {{- end }}
    {{- range $hostname, $vhost := $parsedVhosts }}
-        {{- $vhost_data := get $globals.vhosts $hostname | default (dict) }}
+        {{- $vhost_data := when (hasKey $globals.vhosts $hostname) (get $globals.vhosts $hostname) (dict) }}
-        {{- $paths := $vhost_data.paths | default (dict) }}
+        {{- $paths := coalesce $vhost_data.paths (dict) }}
        {{- if (empty $vhost) }}
            {{ $vhost = dict "/" (dict) }}
@ -590,34 +487,24 @@ proxy_set_header Proxy "";
        {{- range $path, $vpath := $vhost }}
            {{- if (empty $vpath) }}
-                {{- $vpath = dict
+                {{- $vpath = dict "dest" "" "port" "default" }}
                    "dest" ""
                    "port" "default"
                    "proto" "http"
                }}
            {{- end }}
-
+            {{- $dest := coalesce $vpath.dest "" }}
-            {{- $dest := $vpath.dest | default "" }}
+            {{- $port := when (hasKey $vpath "port") (toString $vpath.port) "default" }}
-            {{- $port := $vpath.port | default "default" | toString }}
+            {{- $path_data := when (hasKey $paths $path) (get $paths $path) (dict) }}
-            {{- $proto := $vpath.proto | default "http" }}
+            {{- $path_ports := when (hasKey $path_data "ports") (get $path_data "ports") (dict) }}
-
+            {{- $path_port_containers := when (hasKey $path_ports $port) (get $path_ports $port) (list) }}
-            {{- $path_data := get $paths $path | default (dict) }}
+            {{- $path_port_containers = concat $path_port_containers $containers }}
            {{- $path_ports := $path_data.ports | default (dict) }}
            {{- $path_port_containers := get $path_ports $port | default (list) | concat $containers }}
            {{- $_ := set $path_ports $port $path_port_containers }}
            {{- $_ := set $path_data "ports" $path_ports }}
            {{- if (not (hasKey $path_data "dest")) }}
                {{- $_ := set $path_data "dest" $dest }}
            {{- end }}
            {{- if (not (hasKey $path_data "proto")) }}
                {{- $_ := set $path_data "proto" $proto }}
            {{- end }}
            {{- $_ := set $paths $path $path_data }}
        {{- end }}
        {{- $_ := set $vhost_data "paths" $paths }}
        {{- $is_regexp := hasPrefix "~" $hostname }}
        {{- $_ := set $vhost_data "upstream_name" (when (or $is_regexp $globals.sha1_upstream_name) (sha1 $hostname) $hostname) }}
        {{- $_ := set $globals.vhosts $hostname $vhost_data }}
    {{- end }}
 {{- end }}
@ -642,62 +529,55 @@ proxy_set_header Proxy "";
        {{- continue }}
    {{- end }}
-    {{- $vhost_data := get $globals.vhosts $hostname | default (dict) }}
+    {{- $vhost_data := when (hasKey $globals.vhosts $hostname) (get $globals.vhosts $hostname) (dict) }}
-    {{- $paths := $vhost_data.paths | default (dict) }}
+    {{- $paths := coalesce $vhost_data.paths (dict) }}
    {{- $tmp_paths := groupByWithDefault $containers "Env.VIRTUAL_PATH" "/" }}
    {{- range $path, $containers := $tmp_paths }}
-        {{- $dest := groupByKeys $containers "Env.VIRTUAL_DEST" | first | default "" }}
+        {{- $dest := or (first (groupByKeys $containers "Env.VIRTUAL_DEST")) "" }}
-        {{- $proto := groupByKeys $containers "Env.VIRTUAL_PROTO" | first | default "http" | trim }}
+        {{- $port := "legacy" }}
-
+        {{- $path_data := when (hasKey $paths $path) (get $paths $path) (dict) }}
-        {{- $path_data := get $paths $path | default (dict) }}
+        {{- $path_ports := when (hasKey $path_data "ports") (get $path_data "ports") (dict) }}
-        {{- $path_ports := $path_data.ports | default (dict) }}
+        {{- $path_port_containers := when (hasKey $path_ports $port) (get $path_ports $port) (list) }}
-        {{- range $port, $containers := groupByWithDefault $containers "Env.VIRTUAL_PORT" "default" }}
+        {{- $path_port_containers = concat $path_port_containers $containers }}
-            {{- $path_port_containers := get $path_ports $port | default (list) | concat $containers }}
+        {{- $_ := set $path_ports $port $path_port_containers }}
            {{- $_ := set $path_ports $port $path_port_containers }}
        {{- end }}
        {{- $_ := set $path_data "ports" $path_ports }}
        {{- if (not (hasKey $path_data "dest")) }}
            {{- $_ := set $path_data "dest" $dest }}
        {{- end }}
        {{- if (not (hasKey $path_data "proto")) }}
            {{- $_ := set $path_data "proto" $proto }}
        {{- end }}
        {{- $_ := set $paths $path $path_data }}
    {{- end }}
    {{- $_ := set $vhost_data "paths" $paths }}
    {{- $is_regexp := hasPrefix "~" $hostname }}
    {{- $_ := set $vhost_data "upstream_name" (when (or $is_regexp $globals.sha1_upstream_name) (sha1 $hostname) $hostname) }}
    {{- $_ := set $globals.vhosts $hostname $vhost_data }}
 {{- end }}
 {{- /* Loop over $globals.vhosts and update it with the remaining informations about each vhost. */}}
 {{- range $hostname, $vhost_data := $globals.vhosts }}
    {{- $is_regexp := hasPrefix "~" $hostname }}
    {{- $upstream_name := or $is_regexp $globals.config.sha1_upstream_name | ternary (sha1 $hostname) $hostname }}
    {{- $vhost_containers := list }}
    {{- range $path, $vpath_data := $vhost_data.paths }}
        {{- $vpath_containers := list }}
        {{- range $port, $vport_containers := $vpath_data.ports }}
            {{ $vpath_containers = concat $vpath_containers $vport_containers }}
        {{- end }}
        {{- /* Get the VIRTUAL_PROTO defined by containers w/ the same vhost-vpath, falling back to "http". */}}
        {{- $proto := trim (or (first (groupByKeys $vpath_containers "Env.VIRTUAL_PROTO")) "http") }}
        {{- /* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external". */}}
-        {{- $network_tag := groupByKeys $vpath_containers "Env.NETWORK_ACCESS" | first | default "external" }}
+        {{- $network_tag := or (first (groupByKeys $vpath_containers "Env.NETWORK_ACCESS")) "external" }}
-        {{- $loadbalance := groupByLabel $vpath_containers "com.github.nginx-proxy.nginx-proxy.loadbalance" | keys | first }}
+        {{- $loadbalance := first (keys (groupByLabel $vpath_containers "com.github.nginx-proxy.nginx-proxy.loadbalance")) }}
-        {{- $keepalive := groupByLabel $vpath_containers "com.github.nginx-proxy.nginx-proxy.keepalive" | keys | first | default "auto" }}
+        {{- $keepalive := coalesce (first (keys (groupByLabel $vpath_containers "com.github.nginx-proxy.nginx-proxy.keepalive"))) "disabled" }}
-        {{- $upstream := $upstream_name }}
+        {{- $upstream := $vhost_data.upstream_name }}
        {{- if (not (eq $path "/")) }}
            {{- $sum := sha1 $path }}
            {{- $upstream = printf "%s-%s" $upstream $sum }}
        {{- end }}
        {{- $_ := set $vpath_data "proto" $proto }}
        {{- $_ := set $vpath_data "network_tag" $network_tag }}
        {{- $_ := set $vpath_data "upstream" $upstream }}
        {{- $_ := set $vpath_data "loadbalance" $loadbalance }}
@ -707,42 +587,23 @@ proxy_set_header Proxy "";
        {{ $vhost_containers = concat $vhost_containers $vpath_containers }}
    {{- end }}
-    {{- $userIdentifiedCert := groupByKeys $vhost_containers "Env.CERT_NAME" | first }}
+    {{- $certName := first (groupByKeys $vhost_containers "Env.CERT_NAME") }}
-    
+    {{- $vhostCert := closest (dir "/etc/nginx/certs") (printf "%s.crt" $hostname) }}
-    {{- $vhostCert := "" }}
+    {{- $vhostCert = trimSuffix ".crt" $vhostCert }}
-    {{- if exists (printf "/etc/nginx/certs/%s.crt" $hostname) }}
+    {{- $vhostCert = trimSuffix ".key" $vhostCert }}
-        {{- $vhostCert = $hostname }}
+    {{- $cert := or $certName $vhostCert }}
    {{- end }}
    {{- $parentVhostCert := "" }}
    {{- if gt ($hostname | sprigSplit "." | len) 2 }}
        {{- $parentHostname := ($hostname | sprigSplitn "." 2)._1 }}
        {{- if exists (printf "/etc/nginx/certs/%s.crt" $parentHostname) }}
            {{- $parentVhostCert = $parentHostname }}
        {{- end }}
    {{- end }}
    {{- $trust_default_cert := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.trust-default-cert" | keys | first | default $globals.config.trust_default_cert | parseBool }}
    {{- $defaultCert := and $trust_default_cert $globals.config.default_cert_ok | ternary "default" "" }}
    {{- $cert := or $userIdentifiedCert $vhostCert $parentVhostCert $defaultCert }}
    {{- $cert_ok := and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert)) }}
-    {{- $enable_debug_endpoint := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.debug-endpoint" | keys | first | default $globals.config.enable_debug_endpoint | parseBool }}
+    {{- $default := eq $globals.Env.DEFAULT_HOST $hostname }}
-    {{- $default := eq $globals.config.default_host $hostname }}
+    {{- $https_method := or (first (groupByKeys $vhost_containers "Env.HTTPS_METHOD")) $globals.Env.HTTPS_METHOD "redirect" }}
-    {{- $https_method := groupByKeys $vhost_containers "Env.HTTPS_METHOD" | first | default $globals.config.https_method }}
+    {{- $enable_http_on_missing_cert := parseBool (or (first (groupByKeys $vhost_containers "Env.ENABLE_HTTP_ON_MISSING_CERT")) $globals.Env.ENABLE_HTTP_ON_MISSING_CERT "true") }}
-    {{- $enable_http_on_missing_cert := groupByKeys $vhost_containers "Env.ENABLE_HTTP_ON_MISSING_CERT" | first | default $globals.config.enable_http_on_missing_cert | parseBool }}
+    {{- /* When the certificate is missing we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}}
-    {{- /* When no trusted certs (default and/or vhost) are present we want to ensure that HTTP is enabled; hence switching from 'nohttp' or 'redirect' to 'noredirect' */}}
+    {{- if (and $enable_http_on_missing_cert (not $cert_ok) (or (eq $https_method "nohttp") (eq $https_method "redirect"))) }}
    {{- $https_method_disable_http := list "nohttp" "redirect" | has $https_method }}
    {{- if and $https_method_disable_http (not $cert_ok) $enable_http_on_missing_cert }}
        {{- $https_method = "noredirect" }}
    {{- end }}
-    {{- $non_get_redirect := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.non-get-redirect" | keys | first | default $globals.config.non_get_redirect }}
+    {{- $http2_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable"))) $globals.Env.ENABLE_HTTP2 "true")}}
-    
+    {{- $http3_enabled := parseBool (or (first (keys (groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable"))) $globals.Env.ENABLE_HTTP3 "false")}}
-    {{- $http2_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http2.enable" | keys | first | default $globals.config.enable_http2 | parseBool }}
+    {{- $acme_http_challenge := or (first (groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION")) $globals.Env.ACME_HTTP_CHALLENGE_LOCATION "true" }}
    {{- $http3_enabled := groupByLabel $vhost_containers "com.github.nginx-proxy.nginx-proxy.http3.enable" | keys | first | default $globals.config.enable_http3 | parseBool }}
    {{- $acme_http_challenge := groupByKeys $vhost_containers "Env.ACME_HTTP_CHALLENGE_LOCATION" | first | default $globals.config.acme_http_challenge }}
    {{- $acme_http_challenge_legacy := eq $acme_http_challenge "legacy" }}
    {{- $acme_http_challenge_enabled := false }}
    {{- if (not $acme_http_challenge_legacy) }}
@ -750,34 +611,29 @@ proxy_set_header Proxy "";
    {{- end }}
    {{- /* Get the SERVER_TOKENS defined by containers w/ the same vhost, falling back to "". */}}
-    {{- $server_tokens := groupByKeys $vhost_containers "Env.SERVER_TOKENS" | first | default "" | trim }}
+    {{- $server_tokens := trim (or (first (groupByKeys $vhost_containers "Env.SERVER_TOKENS")) "") }}
    {{- /* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default). */}}
-    {{- $ssl_policy := groupByKeys $vhost_containers "Env.SSL_POLICY" | first | default "" }}
+    {{- $ssl_policy := or (first (groupByKeys $vhost_containers "Env.SSL_POLICY")) "" }}
    {{- /* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000". */}}
-    {{- $hsts := groupByKeys $vhost_containers "Env.HSTS" | first | default $globals.config.hsts }}
+    {{- $hsts := or (first (groupByKeys $vhost_containers "Env.HSTS")) (or $globals.Env.HSTS "max-age=31536000") }}
    {{- /* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
-    {{- $vhost_root := groupByKeys $vhost_containers "Env.VIRTUAL_ROOT" | first | default "/var/www/public" }}
+    {{- $vhost_root := or (first (groupByKeys $vhost_containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
    {{- $vhost_data = merge $vhost_data (dict
        "cert" $cert
        "cert_ok" $cert_ok
        "enable_debug_endpoint" $enable_debug_endpoint
        "default" $default
        "hsts" $hsts
        "https_method" $https_method
        "non_get_redirect" $non_get_redirect
        "http2_enabled" $http2_enabled
        "http3_enabled" $http3_enabled
        "is_regexp" $is_regexp
        "acme_http_challenge_legacy" $acme_http_challenge_legacy
        "acme_http_challenge_enabled" $acme_http_challenge_enabled
        "server_tokens" $server_tokens
        "ssl_policy" $ssl_policy
        "trust_default_cert" $trust_default_cert
        "upstream_name" $upstream_name
        "vhost_root" $vhost_root
    ) }}
    {{- $_ := set $globals.vhosts $hostname $vhost_data }}
@ -827,35 +683,43 @@ proxy_set_header Proxy "";
 server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    server_tokens off;
-    {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
+    {{ $globals.access_log }}
    http2 on;
        {{- if $fallback_http }}
-    listen {{ $globals.config.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
+    listen {{ $globals.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
-                {{- if $globals.config.enable_ipv6 }}
+                {{- if $globals.enable_ipv6 }}
-    listen [::]:{{ $globals.config.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
+    listen [::]:{{ $globals.external_http_port }}; {{- /* Do not add `default_server` (see comment above). */}}
                {{- end }}
        {{- end }}
        {{- if $fallback_https }}
-    listen {{ $globals.config.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
+    listen {{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
-            {{- if $globals.config.enable_ipv6 }}
+            {{- if $globals.enable_ipv6 }}
-    listen [::]:{{ $globals.config.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
+    listen [::]:{{ $globals.external_https_port }} ssl; {{- /* Do not add `default_server` (see comment above). */}}
            {{- end }}
            {{- if $http3_enabled }}
    http3 on;
-    listen {{ $globals.config.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
+    listen {{ $globals.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
-                {{- if $globals.config.enable_ipv6 }}
+                {{- if $globals.enable_ipv6 }}
-    listen [::]:{{ $globals.config.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
+    listen [::]:{{ $globals.external_https_port }} quic reuseport; {{- /* Do not add `default_server` (see comment above). */}}
                {{- end }}
            {{- end }}
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
        {{- end }}
-        {{- if $globals.config.default_cert_ok }}
+        {{- if $globals.default_cert_ok }}
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
        {{- else }}
-    # No default certificate found, so reject SSL handshake;
+    # No default.crt certificate found for this vhost, so force nginx to emit a
-    ssl_reject_handshake on;
+    # TLS error if the client connects via https.
    {{- /* See the comment in the main `server` directive for rationale. */}}
    ssl_ciphers aNULL;
    set $empty "";
    ssl_certificate data:$empty;
    ssl_certificate_key data:$empty;
    if ($https) {
        return 444;
    }
        {{- end }}
        {{- if (exists "/usr/share/nginx/html/errors/50x.html") }}
@ -886,10 +750,10 @@ server {
        {{- if $vhost.server_tokens }}
    server_tokens {{ $vhost.server_tokens }};
        {{- end }}
-    {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
+    {{ $globals.access_log }}
-    listen {{ $globals.config.external_http_port }} {{ $default_server }};
+    listen {{ $globals.external_http_port }} {{ $default_server }};
-        {{- if $globals.config.enable_ipv6 }}
+        {{- if $globals.enable_ipv6 }}
-    listen [::]:{{ $globals.config.external_http_port }} {{ $default_server }};
+    listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
        {{- end }}
        {{- if (or $vhost.acme_http_challenge_legacy $vhost.acme_http_challenge_enabled) }}
@ -903,54 +767,30 @@ server {
        break;
    }
        {{- end }}
        {{- if $vhost.enable_debug_endpoint }}
            {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }}
        {{- end }}
    location / {
-        {{- $redirect_uri := "https://$host$request_uri" }}
+        {{- if eq $globals.external_https_port "443" }}
-        {{- if ne $globals.config.external_https_port "443" }}
+        return 301 https://$host$request_uri;
-            {{- $redirect_uri = printf "https://$host:%s$request_uri" $globals.config.external_https_port }}
+        {{- else }}
-        {{- end}}
+        return 301 https://$host:{{ $globals.external_https_port }}$request_uri;
-        if ($request_method ~ (OPTIONS|POST|PUT|PATCH|DELETE)) {
+        {{- end }}
            return {{ $vhost.non_get_redirect }} {{ $redirect_uri }};
        }
        return 301 {{ $redirect_uri }};
    }
 }
    {{- end }}
 server {
    {{- if $vhost.is_regexp }}
        {{- if or
            (printf "/etc/nginx/vhost.d/%s" $hostname | exists)
            (printf "/etc/nginx/vhost.d/%s_location" $hostname | exists)
            (printf "/etc/nginx/vhost.d/%s_location_override" $hostname | exists)
            (printf "/etc/nginx/htpasswd/%s" $hostname | exists)
        }}
    # https://github.com/nginx-proxy/nginx-proxy/issues/2529#issuecomment-2437609249
    # Support for vhost config file(s) named like a regexp ({{ $hostname }}) has been removed from nginx-proxy.
    # Please name your vhost config file(s) with the sha1 of the regexp instead ({{ $hostname }} -> {{ sha1 $hostname }}) :
    # - /etc/nginx/vhost.d/{{ sha1 $hostname }}
    # - /etc/nginx/vhost.d/{{ sha1 $hostname }}_location
    # - /etc/nginx/vhost.d/{{ sha1 $hostname }}_location_override
    # - /etc/nginx/htpasswd/{{ sha1 $hostname }}
        {{- end }}
    {{- end }}
    server_name {{ $hostname }};
    {{- if $vhost.server_tokens }}
    server_tokens {{ $vhost.server_tokens }};
    {{- end }}
-    {{ template "access_log" (dict "Enable" $globals.config.enable_access_log) }}
+    {{ $globals.access_log }}
    {{- if $vhost.http2_enabled }}
    http2 on;
    {{- end }}
    {{- if or (eq $vhost.https_method "nohttps") (eq $vhost.https_method "noredirect") }}
-    listen {{ $globals.config.external_http_port }} {{ $default_server }};
+    listen {{ $globals.external_http_port }} {{ $default_server }};
-        {{- if $globals.config.enable_ipv6 }}
+        {{- if $globals.enable_ipv6 }}
-    listen [::]:{{ $globals.config.external_http_port }} {{ $default_server }};
+    listen [::]:{{ $globals.external_http_port }} {{ $default_server }};
        {{- end }}
        {{- if (and (eq $vhost.https_method "noredirect") $vhost.acme_http_challenge_enabled) }}
@ -964,17 +804,17 @@ server {
        {{- end }}
    {{- end }}
    {{- if ne $vhost.https_method "nohttps" }}
-    listen {{ $globals.config.external_https_port }} ssl {{ $default_server }};
+    listen {{ $globals.external_https_port }} ssl {{ $default_server }};
-        {{- if $globals.config.enable_ipv6 }}
+        {{- if $globals.enable_ipv6 }}
-    listen [::]:{{ $globals.config.external_https_port }} ssl {{ $default_server }};
+    listen [::]:{{ $globals.external_https_port }} ssl {{ $default_server }};
        {{- end }}
        {{- if $vhost.http3_enabled }}
    http3 on;
-    add_header alt-svc 'h3=":{{ $globals.config.external_https_port }}"; ma=86400;';
+    add_header alt-svc 'h3=":{{ $globals.external_https_port }}"; ma=86400;';
-    listen {{ $globals.config.external_https_port }} quic {{ $default_server }};
+    listen {{ $globals.external_https_port }} quic {{ $default_server }};
-            {{- if $globals.config.enable_ipv6 }}
+            {{- if $globals.enable_ipv6 }}
-    listen [::]:{{ $globals.config.external_https_port }} quic {{ $default_server }};
+    listen [::]:{{ $globals.external_https_port }} quic {{ $default_server }};
            {{- end }}
        {{- end }}
@ -1005,40 +845,54 @@ server {
    }
    add_header Strict-Transport-Security $sts_header always;
            {{- end }}
-        {{- else if not $vhost.trust_default_cert | and $globals.config.default_cert_ok }}
+        {{- else if $globals.default_cert_ok }}
-    # No certificate found for this vhost, and the default certificate isn't trusted, so reject SSL handshake.
+    # No certificate found for this vhost, so use the default certificate and
-    ssl_reject_handshake on;
+    # return an error code if the user connects via https.
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    if ($https) {
        return 500;
    }
        {{- else }}
-    # No certificate for this vhost nor default certificate found, so reject SSL handshake.
+    # No certificate found for this vhost, so force nginx to emit a TLS error if
-    ssl_reject_handshake on;
+    # the client connects via https.
            {{- /*
                 * The alternative is to not provide an https server for this
                 * vhost, which would either cause the user to see the wrong
                 * vhost (if there is another vhost with a certificate) or a
                 * connection refused error (if there is no other vhost with a
                 * certificate).  A TLS error is easier to troubleshoot, and is
                 * safer than serving the wrong vhost.  Also see
                 * <https://serverfault.com/a/1044022>.
                 */}}
    ssl_ciphers aNULL;
    set $empty "";
    ssl_certificate data:$empty;
    ssl_certificate_key data:$empty;
    if ($https) {
        return 444;
    }
        {{- end }}
    {{- end }}
-    {{- $vhostFileName :=  $vhost.is_regexp | ternary (sha1 $hostname) $hostname }}
+    {{- if (exists (printf "/etc/nginx/vhost.d/%s" $hostname)) }}
-
+    include {{ printf "/etc/nginx/vhost.d/%s" $hostname }};
    {{- if (exists (printf "/etc/nginx/vhost.d/%s" $vhostFileName)) }}
    include {{ printf "/etc/nginx/vhost.d/%s" $vhostFileName }};
    {{- else if (exists "/etc/nginx/vhost.d/default") }}
    include /etc/nginx/vhost.d/default;
    {{- end }}
    {{- if $vhost.enable_debug_endpoint }}
        {{ template "debug_location" (dict "GlobalConfig" $globals.config "Hostname" $hostname "VHost" $vhost) }}
    {{- end }}
    {{- range $path, $vpath := $vhost.paths }}
        {{- template "location" (dict
            "Path" $path
-            "Host" $vhostFileName
+            "Host" $hostname
            "HostIsRegexp" $vhost.is_regexp
            "VhostRoot" $vhost.vhost_root
            "VPath" $vpath
        ) }}
    {{- end }}
-    {{- if and (not (contains $vhost.paths "/")) (ne $globals.config.default_root_response "none")}}
+    {{- if and (not (contains $vhost.paths "/")) (ne $globals.default_root_response "none")}}
    location / {
-        return {{ $globals.config.default_root_response }};
+        return {{ $globals.default_root_response }};
    }
    {{- end }}
 }
--- a/test/README.md
+++ b/test/README.md
@ -57,39 +57,13 @@ This test suite uses [pytest](http://doc.pytest.org/en/latest/). The [conftest.p
 ### docker_compose fixture
-When using the `docker_compose` fixture in a test, pytest will try to start the [Docker Compose](https://docs.docker.com/compose/) services corresponding to the current test module, based on the test module filename.
+When using the `docker_compose` fixture in a test, pytest will try to find a yml file named after your test module filename. For instance, if your test module is `test_example.py`, then the `docker_compose` fixture will try to load a `test_example.yml` [docker compose file](https://docs.docker.com/compose/compose-file/).
-By default, if your test module file is `test/test_subdir/test_example.py`, then the `docker_compose` fixture will try to load the following files, [merging them](https://docs.docker.com/reference/compose-file/merge/) in this order:
+Once the docker compose file found, the fixture will remove all containers, run `docker compose up`, and finally your test will be executed.
-1. `test/compose.base.yml`
+The fixture will run the _docker compose_ command with the `-f` option to load the given compose file. So you can test your docker compose file syntax by running it yourself with:
 2. `test/test_subdir/compose.base.override.yml` (if it exists)
 3. `test/test_subdir/test_example.yml`
-The fixture will run the _docker compose_ command with the `-f` option to load the given compose files. So you can test your docker compose file syntax by running it yourself with:
+    docker compose -f test_example.yml up -d
    docker compose -f test/compose.base.yml -f test/test_subdir/test_example.yml up -d
 The first file contains the base configuration of the nginx-proxy container common to most tests:
 ```yaml
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy:test
    container_name: nginx-proxy
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    ports:
      - "80:80"
      - "443:443"
 ```
 The second optional file allow you to override this base configuration for all test modules in a subfolder.
 The third file contains the services and overrides specific to a given test module.
 This automatic merge can be bypassed by using a file named `test_example.base.yml` (instead of `test_example.yml`). When this file exist, it will be the only one used by the test and no merge with other compose files will automatically occur.
 The `docker_compose` fixture also set the `PYTEST_MODULE_PATH` environment variable to the absolute path of the current test module directory, so it can be used to mount files or directory relatives to the current test.
 In the case you are running pytest from within a docker container, the `docker_compose` fixture will make sure the container running pytest is attached to all docker networks. That way, your test will be able to reach any of them.
@ -97,10 +71,7 @@ In your tests, you can use the `docker_compose` variable to query and command th
 Also this fixture alters the way the python interpreter resolves domain names to IP addresses in the following ways:
-Any domain name containing the substring `nginx-proxy` will resolve to `127.0.0.1` if the tests are executed on a Darwin (macOS) system, otherwise the IP address of the container that was created from the `nginxproxy/nginx-proxy:test` image.
+Any domain name containing the substring `nginx-proxy` will resolve to the IP address of the container that was created from the `nginxproxy/nginx-proxy:test` image. So all the following domain names will resolve to the nginx-proxy container in tests:
 So, in tests, all the following domain names will resolve to either localhost or the nginx-proxy container's IP:
 - `nginx-proxy`
 - `nginx-proxy.com`
 - `www.nginx-proxy.com`
@ -109,16 +80,14 @@ So, in tests, all the following domain names will resolve to either localhost or
 - `whatever.nginx-proxyooooooo`
 - ...
-Any domain name ending with `XXX.container.docker` will resolve to `127.0.0.1` if the tests are executed on a Darwin (macOS) system, otherwise the IP address of the container named `XXX`.
+Any domain name ending with `XXX.container.docker` will resolve to the IP address of the XXX container.
 So, on a non-Darwin system:
 - `web1.container.docker` will resolve to the IP address of the `web1` container
 - `f00.web1.container.docker` will resolve to the IP address of the `web1` container
 - `anything.whatever.web2.container.docker` will resolve to the IP address of the `web2` container
 Otherwise, domain names are resoved as usual using your system DNS resolver.
 ### nginxproxy fixture
 The `nginxproxy` fixture will provide you with a replacement for the python [requests](https://pypi.python.org/pypi/requests/) module. This replacement will just repeat up to 30 times a requests if it receives the HTTP error 404 or 502. This error occurs when you try to send queries to nginx-proxy too early after the container creation.
--- a/test/certs/create_server_certificate.sh
+++ b/test/certs/create_server_certificate.sh
@ -24,7 +24,7 @@ fi
 # Create a nginx container (which conveniently provides the `openssl` command)
 ###############################################################################
-CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.27.3)
+CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.27.1)
 # Configure openssl
 docker exec $CONTAINER bash -c '
 	mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null
--- a/test/conftest.py
+++ b/test/conftest.py
@ -1,35 +1,28 @@
 import contextlib
 import logging
 import os
 import pathlib
 import platform
 import re
 import shlex
 import socket
 import subprocess
 import time
-from io import StringIO
+from typing import List
 from typing import Iterator, List, Optional
 import backoff
-import docker.errors
+import docker
 import pytest
 import requests
-from _pytest.fixtures import FixtureRequest
+from _pytest._code.code import ReprExceptionInfo
-from docker import DockerClient
+from distutils.version import LooseVersion
 from docker.models.containers import Container
-from docker.models.networks import Network
+from requests.packages.urllib3.util.connection import HAS_IPV6
 from packaging.version import Version
 from requests import Response
 from urllib3.util.connection import HAS_IPV6
 logging.basicConfig(level=logging.INFO)
 logging.getLogger('backoff').setLevel(logging.INFO)
 logging.getLogger('DNS').setLevel(logging.DEBUG)
 logging.getLogger('requests.packages.urllib3.connectionpool').setLevel(logging.WARN)
-CA_ROOT_CERTIFICATE = pathlib.Path(__file__).parent.joinpath("certs/ca-root.crt")
+CA_ROOT_CERTIFICATE = os.path.join(os.path.dirname(__file__), 'certs/ca-root.crt')
 PYTEST_RUNNING_IN_CONTAINER = os.environ.get('PYTEST_RUNNING_IN_CONTAINER') == "1"
 FORCE_CONTAINER_IPV6 = False  # ugly global state to consider containers' IPv6 address instead of IPv4
@ -47,9 +40,8 @@ test_container = 'nginx-proxy-pytest'
 #
 ###############################################################################
@contextlib.contextmanager
-def ipv6(force_ipv6: bool = True):
+def ipv6(force_ipv6=True):
    """
    Meant to be used as a context manager to force IPv6 sockets:
@ -67,19 +59,19 @@ def ipv6(force_ipv6: bool = True):
    FORCE_CONTAINER_IPV6 = False
-class RequestsForDocker:
+class requests_for_docker(object):
    """
    Proxy for calling methods of the requests module.
-    When an HTTP response failed due to HTTP Error 404 or 502, retry a few times.
+    When a HTTP response failed due to HTTP Error 404 or 502, retry a few times.
    Provides method `get_conf` to extract the nginx-proxy configuration content.
    """
    def __init__(self):
        self.session = requests.Session()
-        if CA_ROOT_CERTIFICATE.is_file():
+        if os.path.isfile(CA_ROOT_CERTIFICATE):
-            self.session.verify = CA_ROOT_CERTIFICATE.as_posix()
+            self.session.verify = CA_ROOT_CERTIFICATE
    @staticmethod
-    def get_nginx_proxy_container() -> Container:
+    def get_nginx_proxy_containers() -> List[Container]:
        """
        Return list of containers
        """
@ -88,69 +80,69 @@ class RequestsForDocker:
            pytest.fail("Too many running nginxproxy/nginx-proxy:test containers", pytrace=False)
        elif len(nginx_proxy_containers) == 0:
            pytest.fail("No running nginxproxy/nginx-proxy:test container", pytrace=False)
-        return nginx_proxy_containers.pop()
+        return nginx_proxy_containers
-    def get_conf(self) -> bytes:
+    def get_conf(self):
        """
        Return the nginx config file
        """
-        nginx_proxy_container = self.get_nginx_proxy_container()
+        nginx_proxy_containers = self.get_nginx_proxy_containers()
-        return get_nginx_conf_from_container(nginx_proxy_container)
+        return get_nginx_conf_from_container(nginx_proxy_containers[0])
    def get_ip(self) -> str:
        """
        Return the nginx container ip address
        """
-        nginx_proxy_container = self.get_nginx_proxy_container()
+        nginx_proxy_containers = self.get_nginx_proxy_containers()
-        return container_ip(nginx_proxy_container)
+        return container_ip(nginx_proxy_containers[0])
-    def get(self, *args, **kwargs) -> Response:
+    def get(self, *args, **kwargs):
        with ipv6(kwargs.pop('ipv6', False)):
            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
-            def _get(*_args, **_kwargs):
+            def _get(*args, **kwargs):
-                return self.session.get(*_args, **_kwargs)
+                return self.session.get(*args, **kwargs)
            return _get(*args, **kwargs)
-    def post(self, *args, **kwargs) -> Response:
+    def post(self, *args, **kwargs):
        with ipv6(kwargs.pop('ipv6', False)):
            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
-            def _post(*_args, **_kwargs):
+            def _post(*args, **kwargs):
-                return self.session.post(*_args, **_kwargs)
+                return self.session.post(*args, **kwargs)
            return _post(*args, **kwargs)
-    def put(self, *args, **kwargs) -> Response:
+    def put(self, *args, **kwargs):
        with ipv6(kwargs.pop('ipv6', False)):
            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
-            def _put(*_args, **_kwargs):
+            def _put(*args, **kwargs):
-                return self.session.put(*_args, **_kwargs)
+                return self.session.put(*args, **kwargs)
            return _put(*args, **kwargs)
-    def head(self, *args, **kwargs) -> Response:
+    def head(self, *args, **kwargs):
        with ipv6(kwargs.pop('ipv6', False)):
            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
-            def _head(*_args, **_kwargs):
+            def _head(*args, **kwargs):
-                return self.session.head(*_args, **_kwargs)
+                return self.session.head(*args, **kwargs)
            return _head(*args, **kwargs)
-    def delete(self, *args, **kwargs) -> Response:
+    def delete(self, *args, **kwargs):
        with ipv6(kwargs.pop('ipv6', False)):
            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
-            def _delete(*_args, **_kwargs):
+            def _delete(*args, **kwargs):
-                return self.session.delete(*_args, **_kwargs)
+                return self.session.delete(*args, **kwargs)
            return _delete(*args, **kwargs)
-    def options(self, *args, **kwargs) -> Response:
+    def options(self, *args, **kwargs):
        with ipv6(kwargs.pop('ipv6', False)):
            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
-            def _options(*_args, **_kwargs):
+            def _options(*args, **kwargs):
-                return self.session.options(*_args, **_kwargs)
+                return self.session.options(*args, **kwargs)
            return _options(*args, **kwargs)
    def __getattr__(self, name):
        return getattr(requests, name)
-def container_ip(container: Container) -> str:
+def container_ip(container: Container):
    """
    return the IP address of a container.
@ -179,7 +171,7 @@ def container_ip(container: Container) -> str:
        return net_info[network_name]["IPAddress"]
-def container_ipv6(container: Container) -> str:
+def container_ipv6(container):
    """
    return the IPv6 address of a container.
    """
@ -196,7 +188,7 @@ def container_ipv6(container: Container) -> str:
    return net_info[network_name]["GlobalIPv6Address"]
-def nginx_proxy_dns_resolver(domain_name: str) -> Optional[str]:
+def nginx_proxy_dns_resolver(domain_name):
    """
    if "nginx-proxy" if found in host, return the ip address of the docker container
    issued from the docker image nginxproxy/nginx-proxy:test.
@ -208,21 +200,21 @@ def nginx_proxy_dns_resolver(domain_name: str) -> Optional[str]:
    if 'nginx-proxy' in domain_name:
        nginxproxy_containers = docker_client.containers.list(filters={"status": "running", "ancestor": "nginxproxy/nginx-proxy:test"})
        if len(nginxproxy_containers) == 0:
-            log.warning(f"no container found from image nginxproxy/nginx-proxy:test while resolving {domain_name!r}")
+            log.warn(f"no container found from image nginxproxy/nginx-proxy:test while resolving {domain_name!r}")
            exited_nginxproxy_containers = docker_client.containers.list(filters={"status": "exited", "ancestor": "nginxproxy/nginx-proxy:test"})
            if len(exited_nginxproxy_containers) > 0:
                exited_nginxproxy_container_logs = exited_nginxproxy_containers[0].logs()
-                log.warning(f"nginxproxy/nginx-proxy:test container might have exited unexpectedly. Container logs: " + "\n" + exited_nginxproxy_container_logs.decode())
+                log.warn(f"nginxproxy/nginx-proxy:test container might have exited unexpectedly. Container logs: " + "\n" + exited_nginxproxy_container_logs.decode())
-            return None
+            return
        nginxproxy_container = nginxproxy_containers[0]
        ip = container_ip(nginxproxy_container)
        log.info(f"resolving domain name {domain_name!r} as IP address {ip} of nginx-proxy container {nginxproxy_container.name}")
        return ip
-def docker_container_dns_resolver(domain_name: str) -> Optional[str]:
+def docker_container_dns_resolver(domain_name):
    """
-    if domain name is of the form "XXX.container.docker" or "anything.XXX.container.docker",
+    if domain name is of the form "XXX.container.docker" or "anything.XXX.container.docker", return the ip address of the docker container
-    return the ip address of the docker container named XXX.
+    named XXX.
    :return: IP or None
    """
@ -232,15 +224,15 @@ def docker_container_dns_resolver(domain_name: str) -> Optional[str]:
    match = re.search(r'(^|.+\.)(?P<container>[^.]+)\.container\.docker$', domain_name)
    if not match:
        log.debug(f"{domain_name!r} does not match")
-        return None
+        return
    container_name = match.group('container')
    log.debug(f"looking for container {container_name!r}")
    try:
        container = docker_client.containers.get(container_name)
    except docker.errors.NotFound:
-        log.warning(f"container named {container_name!r} not found while resolving {domain_name!r}")
+        log.warn(f"container named {container_name!r} not found while resolving {domain_name!r}")
-        return None
+        return
    log.debug(f"container {container.name!r} found ({container.short_id})")
    ip = container_ip(container)
@ -252,10 +244,7 @@ def monkey_patch_urllib_dns_resolver():
    """
    Alter the behavior of the urllib DNS resolver so that any domain name
    containing substring 'nginx-proxy' will resolve to the IP address
-    of the container created from image 'nginxproxy/nginx-proxy:test',
+    of the container created from image 'nginxproxy/nginx-proxy:test'.
    or to 127.0.0.1 on Darwin.
    see https://docs.docker.com/desktop/features/networking/#i-want-to-connect-to-a-container-from-the-host
    """
    prv_getaddrinfo = socket.getaddrinfo
    dns_cache = {}
@ -263,18 +252,13 @@ def monkey_patch_urllib_dns_resolver():
        logging.getLogger('DNS').debug(f"resolving domain name {repr(args)}")
        _args = list(args)
-        # Fail early when querying IP directly, and it is forced ipv6 when not supported,
+        # Fail early when querying IP directly and it is forced ipv6 when not supported,
        # Otherwise a pytest container not using the host network fails to pass `test_raw-ip-vhost`.
        if FORCE_CONTAINER_IPV6 and not HAS_IPV6:
            pytest.skip("This system does not support IPv6")
        # custom DNS resolvers
-        ip = None
+        ip = nginx_proxy_dns_resolver(args[0])
        # Docker Desktop can't route traffic directly to Linux containers.
        if platform.system() == "Darwin":
            ip = "127.0.0.1"
        if ip is None:
            ip = nginx_proxy_dns_resolver(args[0])
        if ip is None:
            ip = docker_container_dns_resolver(args[0])
        if ip is not None:
@ -290,12 +274,19 @@ def monkey_patch_urllib_dns_resolver():
    socket.getaddrinfo = new_getaddrinfo
    return prv_getaddrinfo
 def restore_urllib_dns_resolver(getaddrinfo_func):
    socket.getaddrinfo = getaddrinfo_func
-def get_nginx_conf_from_container(container: Container) -> bytes:
+def remove_all_containers():
    for container in docker_client.containers.list(all=True):
        if PYTEST_RUNNING_IN_CONTAINER and container.name == test_container:
            continue  # pytest is running within a Docker container, so we do not want to remove that particular container
        logging.info(f"removing container {container.name}")
        container.remove(v=True, force=True)
 def get_nginx_conf_from_container(container):
    """
    return the nginx /etc/nginx/conf.d/default.conf file content from a container
    """
@ -310,40 +301,20 @@ def get_nginx_conf_from_container(container: Container) -> bytes:
        return conffile.read()
-def __prepare_and_execute_compose_cmd(compose_files: List[str], project_name: str, cmd: str):
+def docker_compose_up(compose_file='docker-compose.yml'):
-    """
+    logging.info(f'{DOCKER_COMPOSE} -f {compose_file} up -d')
    Prepare and execute the Docker Compose command with the provided compose files and project name.
    """
    compose_cmd = StringIO()
    compose_cmd.write(DOCKER_COMPOSE)
    compose_cmd.write(f" --project-name {project_name}")
    for compose_file in compose_files:
        compose_cmd.write(f" --file {compose_file}")
    compose_cmd.write(f" {cmd}")
    logging.info(compose_cmd.getvalue())
    try:
-        subprocess.check_output(shlex.split(compose_cmd.getvalue()), stderr=subprocess.STDOUT)
+        subprocess.check_output(shlex.split(f'{DOCKER_COMPOSE} -f {compose_file} up -d'), stderr=subprocess.STDOUT)
    except subprocess.CalledProcessError as e:
-        pytest.fail(f"Error while running '{compose_cmd.getvalue()}':\n{e.output}", pytrace=False)
+        pytest.fail(f"Error while runninng '{DOCKER_COMPOSE} -f {compose_file} up -d':\n{e.output}", pytrace=False)
-def docker_compose_up(compose_files: List[str], project_name: str):
+def docker_compose_down(compose_file='docker-compose.yml'):
-    """
+    logging.info(f'{DOCKER_COMPOSE} -f {compose_file} down -v')
-    Execute compose up --detach with the provided compose files and project name.
+    try:
-    """
+        subprocess.check_output(shlex.split(f'{DOCKER_COMPOSE} -f {compose_file} down -v'), stderr=subprocess.STDOUT)
-    if compose_files is None or len(compose_files) == 0:
+    except subprocess.CalledProcessError as e:
-        pytest.fail(f"No compose file passed to docker_compose_up", pytrace=False)
+        pytest.fail(f"Error while runninng '{DOCKER_COMPOSE} -f {compose_file} down -v':\n{e.output}", pytrace=False)
    __prepare_and_execute_compose_cmd(compose_files, project_name, cmd="up --detach")
 def docker_compose_down(compose_files: List[str], project_name: str):
    """
    Execute compose down --volumes with the provided compose files and project name.
    """
    if compose_files is None or len(compose_files) == 0:
        pytest.fail(f"No compose file passed to docker_compose_up", pytrace=False)
    __prepare_and_execute_compose_cmd(compose_files, project_name, cmd="down --volumes")
 def wait_for_nginxproxy_to_be_ready():
@ -362,50 +333,35 @@ def wait_for_nginxproxy_to_be_ready():
@pytest.fixture
-def docker_compose_files(request: FixtureRequest) -> List[str]:
+def docker_compose_file(request):
-    """Fixture returning the docker compose files to consider:
+    """Fixture naming the docker compose file to consider.
-    If a YAML file exists with the same name as the test module (with the `.py` extension
+    If a YAML file exists with the same name as the test module (with the `.py` extension replaced
-    replaced with `.base.yml`, ie `test_foo.py`-> `test_foo.base.yml`) and in the same
+    with `.yml` or `.yaml`), use that.  Otherwise, use `docker-compose.yml` in the same directory
-    directory as the test module, use only that file.
+    as the test module.
    Otherwise, merge the following files in this order:
    - the `compose.base.yml` file in the parent `test` directory.
    - if present in the same directory as the test module, the `compose.base.override.yml` file.
    - the YAML file named after the current test module (ie `test_foo.py`-> `test_foo.yml`)
    Tests can override this fixture to specify a custom location.
    """
-    compose_files: List[str] = []
+    test_module_dir = os.path.dirname(request.module.__file__)
-    test_module_path = pathlib.Path(request.module.__file__).parent
+    yml_file = os.path.join(test_module_dir, request.module.__name__ + '.yml')
    yaml_file = os.path.join(test_module_dir, request.module.__name__ + '.yaml')
    default_file = os.path.join(test_module_dir, 'docker-compose.yml')
-    module_base_file = test_module_path.joinpath(f"{request.module.__name__}.base.yml")
+    if os.path.isfile(yml_file):
-    if module_base_file.is_file():
+        docker_compose_file = yml_file
-        return [module_base_file.as_posix()]
+    elif os.path.isfile(yaml_file):
        docker_compose_file = yaml_file
    else:
        docker_compose_file = default_file
-    global_base_file = test_module_path.parent.joinpath("compose.base.yml")
+    if not os.path.isfile(docker_compose_file):
-    if global_base_file.is_file():
+        logging.error("Could not find any docker compose file named either '{0}.yml', '{0}.yaml' or 'docker-compose.yml'".format(request.module.__name__))
        compose_files.append(global_base_file.as_posix())
-    module_base_override_file = test_module_path.joinpath("compose.base.override.yml")
+    logging.debug(f"using docker compose file {docker_compose_file}")
-    if module_base_override_file.is_file():
+    return docker_compose_file
        compose_files.append(module_base_override_file.as_posix())
    module_compose_file = test_module_path.joinpath(f"{request.module.__name__}.yml")
    if module_compose_file.is_file():
        compose_files.append(module_compose_file.as_posix())
    if not module_base_file.is_file() and not module_compose_file.is_file():
        logging.error(
            f"Could not find any docker compose file named '{module_base_file.name}' or '{module_compose_file.name}'"
        )
    logging.debug(f"using docker compose files {compose_files}")
    return compose_files
-def connect_to_network(network: Network) -> Optional[Network]:
+def connect_to_network(network):
    """
    If we are running from a container, connect our container to the given network
@ -415,8 +371,8 @@ def connect_to_network(network: Network) -> Optional[Network]:
        try:
            my_container = docker_client.containers.get(test_container)
        except docker.errors.NotFound:
-            logging.warning(f"container {test_container} not found")
+            logging.warn(f"container {test_container} not found")
-            return None
+            return
        # figure out our container networks
        my_networks = list(my_container.attrs["NetworkSettings"]["Networks"].keys())
@ -433,7 +389,7 @@ def connect_to_network(network: Network) -> Optional[Network]:
            return network
-def disconnect_from_network(network: Network = None):
+def disconnect_from_network(network=None):
    """
    If we are running from a container, disconnect our container from the given network.
@ -443,7 +399,7 @@ def disconnect_from_network(network: Network = None):
        try:
            my_container = docker_client.containers.get(test_container)
        except docker.errors.NotFound:
-            logging.warning(f"container {test_container} not found")
+            logging.warn(f"container {test_container} not found")
            return
        # figure out our container networks
@ -455,7 +411,7 @@ def disconnect_from_network(network: Network = None):
            network.disconnect(my_container)
-def connect_to_all_networks() -> List[Network]:
+def connect_to_all_networks():
    """
    If we are running from a container, connect our container to all current docker networks.
@ -471,34 +427,31 @@ def connect_to_all_networks() -> List[Network]:
 class DockerComposer(contextlib.AbstractContextManager):
    def __init__(self):
-        self._networks = None
+        self._docker_compose_file = None
        self._docker_compose_files = None
        self._project_name = None
    def __exit__(self, *exc_info):
        self._down()
    def _down(self):
-        if self._docker_compose_files is None:
+        if self._docker_compose_file is None:
            return
        for network in self._networks:
            disconnect_from_network(network)
-        docker_compose_down(self._docker_compose_files, self._project_name)
+        docker_compose_down(self._docker_compose_file)
        self._docker_compose_file = None
        self._project_name = None
-    def compose(self, docker_compose_files: List[str], project_name: str):
+    def compose(self, docker_compose_file):
-        if docker_compose_files == self._docker_compose_files and project_name == self._project_name:
+        if docker_compose_file == self._docker_compose_file:
            return
        self._down()
-        if docker_compose_files is None or project_name is None:
+        if docker_compose_file is None:
            return
-        docker_compose_up(docker_compose_files, project_name)
+        remove_all_containers()
        docker_compose_up(docker_compose_file)
        self._networks = connect_to_all_networks()
        wait_for_nginxproxy_to_be_ready()
        time.sleep(3)  # give time to containers to be ready
-        self._docker_compose_files = docker_compose_files
+        self._docker_compose_file = docker_compose_file
        self._project_name = project_name
 ###############################################################################
@ -509,14 +462,14 @@ class DockerComposer(contextlib.AbstractContextManager):
@pytest.fixture(scope="module")
-def docker_composer() -> Iterator[DockerComposer]:
+def docker_composer():
    with DockerComposer() as d:
        yield d
@pytest.fixture
-def ca_root_certificate() -> str:
+def ca_root_certificate():
-    return CA_ROOT_CERTIFICATE.as_posix()
+    return CA_ROOT_CERTIFICATE
@pytest.fixture
@ -527,38 +480,25 @@ def monkey_patched_dns():
@pytest.fixture
-def docker_compose(
+def docker_compose(monkey_patched_dns, docker_composer, docker_compose_file):
-        request: FixtureRequest,
+    """Ensures containers described in a docker compose file are started.
-        monkeypatch,
+
-        monkey_patched_dns,
+    A custom docker compose file name can be specified by overriding the `docker_compose_file`
-        docker_composer,
+    fixture.
-        docker_compose_files
+
-) -> Iterator[DockerClient]:
+    Also, in the case where pytest is running from a docker container, this fixture makes sure
    our container will be attached to all the docker networks.
    """
-    Ensures containers necessary for the test module are started in a compose project,
+    docker_composer.compose(docker_compose_file)
    and set the environment variable `PYTEST_MODULE_PATH` to the test module's parent folder.
    A list of custom docker compose files path can be specified by overriding
    the `docker_compose_file` fixture.
    Also, in the case where pytest is running from a docker container, this fixture
    makes sure our container will be attached to all the docker networks.
    """
    pytest_module_path = pathlib.Path(request.module.__file__).parent
    monkeypatch.setenv("PYTEST_MODULE_PATH", pytest_module_path.as_posix())
    project_name = request.module.__name__
    docker_composer.compose(docker_compose_files, project_name)
    yield docker_client
-@pytest.fixture
+@pytest.fixture()
-def nginxproxy() -> Iterator[RequestsForDocker]:
+def nginxproxy():
    """
    Provides the `nginxproxy` object that can be used in the same way the requests module is:
-    r = nginxproxy.get("https://foo.com")
+    r = nginxproxy.get("http://foo.com")
    The difference is that in case an HTTP requests has status code 404 or 502 (which mostly
    indicates that nginx has just reloaded), we retry up to 30 times the query.
@ -567,11 +507,11 @@ def nginxproxy() -> Iterator[RequestsForDocker]:
    made against containers to use the containers IPv6 address when set to `True`. If IPv6 is not
    supported by the system or docker, that particular test will be skipped.
    """
-    yield RequestsForDocker()
+    yield requests_for_docker()
-@pytest.fixture
+@pytest.fixture()
-def acme_challenge_path() -> str:
+def acme_challenge_path():
    """
    Provides fake Let's Encrypt ACME challenge path used in certain tests
    """
@ -583,13 +523,14 @@ def acme_challenge_path() -> str:
 #
 ###############################################################################
-# pytest hook to display additional stuff in test report
+# pytest hook to display additionnal stuff in test report
 def pytest_runtest_logreport(report):
    if report.failed:
-        test_containers = docker_client.containers.list(all=True, filters={"ancestor": "nginxproxy/nginx-proxy:test"})
+        if isinstance(report.longrepr, ReprExceptionInfo):
-        for container in test_containers:
+            test_containers = docker_client.containers.list(all=True, filters={"ancestor": "nginxproxy/nginx-proxy:test"})
-            report.longrepr.addsection('nginx-proxy logs', container.logs().decode())
+            for container in test_containers:
-            report.longrepr.addsection('nginx-proxy conf', get_nginx_conf_from_container(container).decode())
+                report.longrepr.addsection('nginx-proxy logs', container.logs())
                report.longrepr.addsection('nginx-proxy conf', get_nginx_conf_from_container(container))
 # Py.test `incremental` marker, see http://stackoverflow.com/a/12579625/107049
@ -616,5 +557,5 @@ try:
 except docker.errors.ImageNotFound:
    pytest.exit("The docker image 'nginxproxy/nginx-proxy:test' is missing")
-if Version(docker.__version__) < Version("7.0.0"):
+if LooseVersion(docker.__version__) < LooseVersion("5.0.0"):
-    pytest.exit("This test suite is meant to work with the python docker module v7.0.0 or later")
+    pytest.exit("This test suite is meant to work with the python docker module v5.0.0 or later")
--- a/test/pytest.sh
+++ b/test/pytest.sh
@ -3,7 +3,7 @@
 #                                                                             #
 # This script is meant to run the test suite from a Docker container.         #
 #                                                                             #
-# This is useful when you want to run the test suite from Mac or             #
+# This is usefull when you want to run the test suite from Mac or             #
 # Docker Toolbox.                                                             #
 #                                                                             #
 ###############################################################################
--- a/test/requirements/Dockerfile-nginx-proxy-tester
+++ b/test/requirements/Dockerfile-nginx-proxy-tester
@ -1,4 +1,4 @@
-FROM python:3.12
+FROM python:3.9
 ENV PYTEST_RUNNING_IN_CONTAINER=1
@ -10,13 +10,14 @@ RUN apt-get update \
  && apt-get install -y \
    ca-certificates \
    curl \
    gnupg \
  && install -m 0755 -d /etc/apt/keyrings \
-  && curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc \
+  && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
-  && chmod a+r /etc/apt/keyrings/docker.asc
+  && chmod a+r /etc/apt/keyrings/docker.gpg
 # Add the Docker repository to Apt sources
 RUN echo \
-  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
+  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  tee /etc/apt/sources.list.d/docker.list > /dev/null
--- a/test/requirements/python-requirements.txt
+++ b/test/requirements/python-requirements.txt
@ -1,6 +1,4 @@
 backoff==2.2.1
 docker==7.1.0
-packaging==24.2
+pytest==8.3.2
 pytest==8.3.4
 requests==2.32.3
 urllib3==2.3.0
--- a/test/requirements/web/webserver.py
+++ b/test/requirements/web/webserver.py
@ -28,7 +28,7 @@ class Handler(http.server.SimpleHTTPRequestHandler):
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
-        if len(response_body):
+        if (len(response_body)):
            self.wfile.write(response_body.encode())
 if __name__ == '__main__':
--- a/test/stress_tests/README.md
+++ b/test/stress_tests/README.md
@ -0,0 +1 @@
 This directory contains tests that showcase scenarios known to break the expected behavior of nginx-proxy.
--- a/test/stress_tests/test_unreachable_network/README.md
+++ b/test/stress_tests/test_unreachable_network/README.md
--- a/test/stress_tests/test_unreachable_network/docker-compose.yml
+++ b/test/stress_tests/test_unreachable_network/docker-compose.yml
@ -1,12 +1,17 @@
 version: "2"
 networks:
  netA:
  netB:
 services:
-  nginx-proxy:
+  reverseproxy:
    container_name: reverseproxy
    networks:
      - netA
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
  webA:
    networks:
@ -15,7 +20,7 @@ services:
    expose:
      - 81
    environment:
-      WEB_PORTS: "81"
+      WEB_PORTS: 81
      VIRTUAL_HOST: webA.nginx-proxy
  webB:
@ -25,5 +30,5 @@ services:
    expose:
      - 82
    environment:
-      WEB_PORTS: "82"
+      WEB_PORTS: 82
      VIRTUAL_HOST: webB.nginx-proxy
--- a/test/stress_tests/test_unreachable_network/test_unreachable_net.py
+++ b/test/stress_tests/test_unreachable_network/test_unreachable_net.py
--- a/test/test_docker-unix-socket/test_docker-unix-socket.py
+++ b/test/test_docker-unix-socket/test_docker-unix-socket.py
@ -1,3 +1,5 @@
 import pytest
 def test_unknown_virtual_host(docker_compose, nginxproxy):
    r = nginxproxy.get("http://nginx-proxy/port")
    assert r.status_code == 503
--- a/test/test_docker-unix-socket/test_docker-unix-socket.yml
+++ b/test/test_docker-unix-socket/test_docker-unix-socket.yml
@ -1,16 +1,12 @@
-services:
+version: "2"
  nginx-proxy:
    volumes:
      - /var/run/docker.sock:/f00.sock:ro
    environment:
      DOCKER_HOST: unix:///f00.sock
 services:
  web1:
    image: web
    expose:
      - "81"
    environment:
-      WEB_PORTS: "81"
+      WEB_PORTS: 81
      VIRTUAL_HOST: web1.nginx-proxy.tld
  web2:
@ -18,5 +14,12 @@ services:
    expose:
      - "82"
    environment:
-      WEB_PORTS: "82"
+      WEB_PORTS: 82
      VIRTUAL_HOST: web2.nginx-proxy.tld
  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/f00.sock:ro
    environment:
      DOCKER_HOST: unix:///f00.sock
--- a/test/test_acme-http-challenge-location/compose.base.override.yml
+++ b/test/test_acme-http-challenge-location/compose.base.override.yml
@ -1,6 +0,0 @@
 services:
  nginx-proxy:
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ${PYTEST_MODULE_PATH}/certs:/etc/nginx/certs:ro
      - ${PYTEST_MODULE_PATH}/acme_root:/usr/share/nginx/html:ro
--- a/test/test_acme_http_challenge_location/acme_root/.well-known/acme-challenge/test-filename
+++ b/test/test_acme_http_challenge_location/acme_root/.well-known/acme-challenge/test-filename
--- a/test/test_acme_http_challenge_location/certs/nginx-proxy.tld.crt
+++ b/test/test_acme_http_challenge_location/certs/nginx-proxy.tld.crt
--- a/test/test_acme_http_challenge_location/certs/nginx-proxy.tld.key
+++ b/test/test_acme_http_challenge_location/certs/nginx-proxy.tld.key
--- a/test/test_acme-http-challenge-location/test_acme-http-challenge-location-enabled-is-default.py
+++ b/test/test_acme-http-challenge-location/test_acme-http-challenge-location-enabled-is-default.py
@ -1,27 +1,30 @@
-def test_redirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
+import pytest
 def test_redirect_acme_challenge_location_disabled(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
        f"http://web1.nginx-proxy.tld/{acme_challenge_path}",
        allow_redirects=False
    )
    assert r.status_code == 200
 def test_redirect_acme_challenge_location_disabled(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
        f"http://web2.nginx-proxy.tld/{acme_challenge_path}",
        allow_redirects=False
    )
    assert r.status_code == 301
-def test_noredirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
+def test_redirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
-        f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
+        f"http://web2.nginx-proxy.tld/{acme_challenge_path}",
        allow_redirects=False
    )
    assert r.status_code == 200
 def test_noredirect_acme_challenge_location_disabled(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
-        f"http://web4.nginx-proxy.tld/{acme_challenge_path}",
+        f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
        allow_redirects=False
    )
    assert r.status_code == 404
 def test_noredirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
        f"http://web4.nginx-proxy.tld/{acme_challenge_path}",
        allow_redirects=False
    )
    assert r.status_code == 200
--- a/test/test_acme-http-challenge-location/test_acme-http-challenge-location-disabled.yml
+++ b/test/test_acme-http-challenge-location/test_acme-http-challenge-location-disabled.yml
@ -1,8 +1,6 @@
-services:
+version: "2"
  nginx-proxy:
    environment:
      ACME_HTTP_CHALLENGE_LOCATION: "false"
 services:
  web1:
    image: web
    expose:
@ -38,3 +36,12 @@ services:
      VIRTUAL_HOST: "web4.nginx-proxy.tld"
      HTTPS_METHOD: noredirect
      ACME_HTTP_CHALLENGE_LOCATION: "true"
  sut:
    image: nginxproxy/nginx-proxy:test
    environment:
      ACME_HTTP_CHALLENGE_LOCATION: "false"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs:ro
      - ./acme_root:/usr/share/nginx/html:ro
--- a/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.py
+++ b/test/test_acme_http_challenge_location/test_acme_challenge_location_enabled_is_default.py
@ -1,27 +1,30 @@
-def test_redirect_acme_challenge_location_disabled(docker_compose, nginxproxy, acme_challenge_path):
+import pytest
 def test_redirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
        f"http://web1.nginx-proxy.tld/{acme_challenge_path}",
        allow_redirects=False
    )
-    assert r.status_code == 301
+    assert r.status_code == 200
-def test_redirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
+def test_redirect_acme_challenge_location_disabled(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
        f"http://web2.nginx-proxy.tld/{acme_challenge_path}",
        allow_redirects=False
    )
    assert r.status_code == 301
 def test_noredirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
        f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
        allow_redirects=False
    )
    assert r.status_code == 200
 def test_noredirect_acme_challenge_location_disabled(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
        f"http://web3.nginx-proxy.tld/{acme_challenge_path}",
        allow_redirects=False
    )
    assert r.status_code == 404
 def test_noredirect_acme_challenge_location_enabled(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
        f"http://web4.nginx-proxy.tld/{acme_challenge_path}",
        allow_redirects=False
    )
-    assert r.status_code == 200
+    assert r.status_code == 404
--- a/test/test_acme-http-challenge-location/test_acme-http-challenge-location-enabled-is-default.yml
+++ b/test/test_acme-http-challenge-location/test_acme-http-challenge-location-enabled-is-default.yml
@ -1,3 +1,5 @@
 version: "2"
 services:
  web1:
    image: web
@ -34,3 +36,10 @@ services:
      VIRTUAL_HOST: "web4.nginx-proxy.tld"
      HTTPS_METHOD: noredirect
      ACME_HTTP_CHALLENGE_LOCATION: "false"
  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs:ro
      - ./acme_root:/usr/share/nginx/html:ro
--- a/test/test_acme-http-challenge-location/test_acme-http-challenge-location-legacy.py
+++ b/test/test_acme-http-challenge-location/test_acme-http-challenge-location-legacy.py
@ -1,3 +1,6 @@
 import pytest
 def test_redirect_acme_challenge_location_legacy(docker_compose, nginxproxy, acme_challenge_path):
    r = nginxproxy.get(
        f"http://web1.nginx-proxy.tld/{acme_challenge_path}",
--- a/test/test_acme-http-challenge-location/test_acme-http-challenge-location-legacy.yml
+++ b/test/test_acme-http-challenge-location/test_acme-http-challenge-location-legacy.yml
@ -1,8 +1,6 @@
-services:
+version: "2"
  nginx-proxy:
    environment:
      ACME_HTTP_CHALLENGE_LOCATION: "legacy"
 services:
  web1:
    image: web
    expose:
@ -19,3 +17,12 @@ services:
      WEB_PORTS: "82"
      VIRTUAL_HOST: "web2.nginx-proxy.tld"
      HTTPS_METHOD: noredirect
  sut:
    image: nginxproxy/nginx-proxy:test
    environment:
      ACME_HTTP_CHALLENGE_LOCATION: "legacy"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs:ro
      - ./acme_root:/usr/share/nginx/html:ro
--- a/test/test_build/test_build.py
+++ b/test/test_build/test_build.py
@ -1,25 +1,22 @@
 """
 Test that nginx-proxy-tester can build successfully
 """
 import pathlib
 import re
 import docker
 import pytest
-
+import docker
 import re
 import os
 client = docker.from_env()
@pytest.fixture(scope = "session")
 def docker_build(request):
    # Define Dockerfile path
-    current_file_path = pathlib.Path(__file__)
+    dockerfile_path = os.path.join(os.path.dirname(__file__), "requirements/")
    dockerfile_path = current_file_path.parent.parent.joinpath("requirements")
    dockerfile_name = "Dockerfile-nginx-proxy-tester"
    # Build the Docker image
    image, logs = client.images.build(
-        path = dockerfile_path.as_posix(),
+        path = dockerfile_path,
        dockerfile = dockerfile_name,
        rm = True,  # Remove intermediate containers
        tag = "nginx-proxy-tester-ci",  # Tag for the built image
--- a/test/test_custom-error-page/test_custom-error-page.py
+++ b/test/test_custom-error-page/test_custom-error-page.py
@ -1,3 +1,4 @@
 import pytest
 import re
--- a/test/test_custom-error-page/test_custom-error-page.yml
+++ b/test/test_custom-error-page/test_custom-error-page.yml
@ -1,5 +1,8 @@
 version: "2"
 services:
-  nginx-proxy:
+  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/50x.html:/usr/share/nginx/html/errors/50x.html:ro
+      - ./50x.html:/usr/share/nginx/html/errors/50x.html:ro
--- a/test/test_custom/my_custom_proxy_settings_f00.conf
+++ b/test/test_custom/my_custom_proxy_settings_f00.conf
--- a/test/test_custom/test_defaults-location.py
+++ b/test/test_custom/test_defaults-location.py
@ -1,3 +1,5 @@
 import pytest
 def test_custom_default_conf_does_not_apply_to_unknown_vhost(docker_compose, nginxproxy):
    r = nginxproxy.get("http://nginx-proxy/")
    assert r.status_code == 503
--- a/test/test_custom/test_defaults-location.yml
+++ b/test/test_custom/test_defaults-location.yml
@ -1,16 +1,19 @@
 version: "2"
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/my_custom_proxy_settings_f00.conf:/etc/nginx/vhost.d/default_location:ro
+      - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/default_location:ro
-      - ${PYTEST_MODULE_PATH}/my_custom_proxy_settings_bar.conf:/etc/nginx/vhost.d/web3.nginx-proxy.example_location:ro
+      - ./my_custom_proxy_settings_bar.conf:/etc/nginx/vhost.d/web3.nginx-proxy.example_location:ro
  web1:
    image: web
    expose:
      - "81"
    environment:
-      WEB_PORTS: "81"
+      WEB_PORTS: 81
      VIRTUAL_HOST: web1.nginx-proxy.example
  web2:
@ -18,7 +21,7 @@ services:
    expose:
      - "82"
    environment:
-      WEB_PORTS: "82"
+      WEB_PORTS: 82
      VIRTUAL_HOST: web2.nginx-proxy.example
  web3:
@ -26,5 +29,5 @@ services:
    expose:
      - "83"
    environment:
-      WEB_PORTS: "83"
+      WEB_PORTS: 83
      VIRTUAL_HOST: web3.nginx-proxy.example
--- a/test/test_custom/test_defaults.py
+++ b/test/test_custom/test_defaults.py
@ -1,3 +1,5 @@
 import pytest
 def test_custom_conf_does_not_apply_to_unknown_vhost(docker_compose, nginxproxy):
    r = nginxproxy.get("http://nginx-proxy/")
    assert r.status_code == 503
--- a/test/test_custom/test_defaults.yml
+++ b/test/test_custom/test_defaults.yml
@ -1,15 +1,18 @@
 version: "2"
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/my_custom_proxy_settings_f00.conf:/etc/nginx/proxy.conf:ro
+      - ./my_custom_proxy_settings.conf:/etc/nginx/proxy.conf:ro
  web1:
    image: web
    expose:
      - "81"
    environment:
-      WEB_PORTS: "81"
+      WEB_PORTS: 81
      VIRTUAL_HOST: web1.nginx-proxy.example
  web2:
@ -17,5 +20,5 @@ services:
    expose:
      - "82"
    environment:
-      WEB_PORTS: "82"
+      WEB_PORTS: 82
      VIRTUAL_HOST: web2.nginx-proxy.example
--- a/test/test_custom/test_location-per-vhost.py
+++ b/test/test_custom/test_location-per-vhost.py
@ -1,3 +1,5 @@
 import pytest
 def test_custom_conf_does_not_apply_to_unknown_vhost(docker_compose, nginxproxy):
    r = nginxproxy.get("http://nginx-proxy/")
    assert r.status_code == 503
@ -10,13 +12,6 @@ def test_custom_conf_applies_to_web1(docker_compose, nginxproxy):
    assert "X-test" in r.headers
    assert "f00" == r.headers["X-test"]
 def test_custom_conf_applies_to_regex(docker_compose, nginxproxy):
    r = nginxproxy.get("http://regex.foo.nginx-proxy.example/port")
    assert r.status_code == 200   
    assert r.text == "answer from port 83\n"
    assert "X-test" in r.headers
    assert "bar" == r.headers["X-test"]
 def test_custom_conf_does_not_apply_to_web2(docker_compose, nginxproxy):
    r = nginxproxy.get("http://web2.nginx-proxy.example/port")
    assert r.status_code == 200   
--- a/test/test_custom/test_location-per-vhost.yml
+++ b/test/test_custom/test_location-per-vhost.yml
@ -1,16 +1,18 @@
 version: "2"
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/my_custom_proxy_settings_f00.conf:/etc/nginx/vhost.d/web1.nginx-proxy.example_location:ro
+      - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/web1.nginx-proxy.example_location:ro
      - ${PYTEST_MODULE_PATH}/my_custom_proxy_settings_bar.conf:/etc/nginx/vhost.d/561032515ede3ab3a015edfb244608b72409c430_location:ro
  web1:
    image: web
    expose:
      - "81"
    environment:
-      WEB_PORTS: "81"
+      WEB_PORTS: 81
      VIRTUAL_HOST: web1.nginx-proxy.example
  web2:
@ -18,13 +20,5 @@ services:
    expose:
      - "82"
    environment:
-      WEB_PORTS: "82"
+      WEB_PORTS: 82
      VIRTUAL_HOST: web2.nginx-proxy.example
  regex:
    image: web
    expose:
      - "83"
    environment:
      WEB_PORTS: "83"
      VIRTUAL_HOST: ~^regex.*\.nginx-proxy\.example$
--- a/test/test_custom/test_per-vhost.py
+++ b/test/test_custom/test_per-vhost.py
@ -1,3 +1,5 @@
 import pytest
 def test_custom_conf_does_not_apply_to_unknown_vhost(docker_compose, nginxproxy):
    r = nginxproxy.get("http://nginx-proxy/")
    assert r.status_code == 503
@ -10,13 +12,6 @@ def test_custom_conf_applies_to_web1(docker_compose, nginxproxy):
    assert "X-test" in r.headers
    assert "f00" == r.headers["X-test"]
 def test_custom_conf_applies_to_regex(docker_compose, nginxproxy):
    r = nginxproxy.get("http://regex.foo.nginx-proxy.example/port")
    assert r.status_code == 200   
    assert r.text == "answer from port 83\n"
    assert "X-test" in r.headers
    assert "bar" == r.headers["X-test"]
 def test_custom_conf_does_not_apply_to_web2(docker_compose, nginxproxy):
    r = nginxproxy.get("http://web2.nginx-proxy.example/port")
    assert r.status_code == 200   
--- a/test/test_custom/test_per-vhost.yml
+++ b/test/test_custom/test_per-vhost.yml
@ -1,16 +1,18 @@
 version: "2"
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/my_custom_proxy_settings_f00.conf:/etc/nginx/vhost.d/web1.nginx-proxy.example:ro
+      - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/web1.nginx-proxy.example:ro
      - ${PYTEST_MODULE_PATH}/my_custom_proxy_settings_bar.conf:/etc/nginx/vhost.d/561032515ede3ab3a015edfb244608b72409c430:ro
  web1:
    image: web
    expose:
      - "81"
    environment:
-      WEB_PORTS: "81"
+      WEB_PORTS: 81
      VIRTUAL_HOST: web1.nginx-proxy.example
  web2:
@ -18,13 +20,5 @@ services:
    expose:
      - "82"
    environment:
-      WEB_PORTS: "82"
+      WEB_PORTS: 82
      VIRTUAL_HOST: web2.nginx-proxy.example
  regex:
    image: web
    expose:
      - "83"
    environment:
      WEB_PORTS: "83"
      VIRTUAL_HOST: ~^regex.*\.nginx-proxy\.example$
--- a/test/test_custom/test_proxy-wide.py
+++ b/test/test_custom/test_proxy-wide.py
@ -1,3 +1,5 @@
 import pytest
 def test_custom_conf_does_not_apply_to_unknown_vhost(docker_compose, nginxproxy):
    r = nginxproxy.get("http://nginx-proxy/")
    assert r.status_code == 503
--- a/test/test_custom/test_proxy-wide.yml
+++ b/test/test_custom/test_proxy-wide.yml
@ -1,15 +1,18 @@
 version: "2"
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/my_custom_proxy_settings_f00.conf:/etc/nginx/conf.d/my_custom_proxy_settings_f00.conf:ro
+      - ./my_custom_proxy_settings.conf:/etc/nginx/conf.d/my_custom_proxy_settings.conf:ro
  web1:
    image: web
    expose:
      - "81"
    environment:
-      WEB_PORTS: "81"
+      WEB_PORTS: 81
      VIRTUAL_HOST: web1.nginx-proxy.example
  web2:
@ -17,5 +20,5 @@ services:
    expose:
      - "82"
    environment:
-      WEB_PORTS: "82"
+      WEB_PORTS: 82
      VIRTUAL_HOST: web2.nginx-proxy.example
--- a/test/test_debug-endpoint/test_global.py
+++ b/test/test_debug-endpoint/test_global.py
@ -1,48 +0,0 @@
 import json
 import pytest
 def test_debug_endpoint_is_enabled_globally(docker_compose, nginxproxy):
    r = nginxproxy.get("http://enabled.debug.nginx-proxy.example/nginx-proxy-debug")
    assert r.status_code == 200
    r = nginxproxy.get("http://stripped.debug.nginx-proxy.example/nginx-proxy-debug")
    assert r.status_code == 200
 def test_debug_endpoint_response_contains_expected_values(docker_compose, nginxproxy):   
    r = nginxproxy.get("http://enabled.debug.nginx-proxy.example/nginx-proxy-debug")
    assert r.status_code == 200
    try:
        jsonResponse = json.loads(r.text)
    except ValueError as err:
        pytest.fail("Failed to parse debug endpoint response as JSON: %s" % err, pytrace=False)
    assert jsonResponse["global"]["enable_debug_endpoint"] == "true"
    assert jsonResponse["vhost"]["enable_debug_endpoint"] == True
 def test_debug_endpoint_paths_stripped_if_response_too_long(docker_compose, nginxproxy):   
    r = nginxproxy.get("http://stripped.debug.nginx-proxy.example/nginx-proxy-debug")
    assert r.status_code == 200
    try:
        jsonResponse = json.loads(r.text)
    except ValueError as err:
        pytest.fail("Failed to parse debug endpoint response as JSON: %s" % err, pytrace=False)
    if "paths" in jsonResponse["vhost"]:
        pytest.fail("Expected paths to be stripped from debug endpoint response", pytrace=False)
    assert jsonResponse["warning"] == "Virtual paths configuration for this hostname is too large and has been stripped from response."
 def test_debug_endpoint_hostname_replaced_by_warning_if_regexp(docker_compose, nginxproxy):   
    r = nginxproxy.get("http://regexp.foo.debug.nginx-proxy.example/nginx-proxy-debug")
    assert r.status_code == 200
    try:
        jsonResponse = json.loads(r.text)
    except ValueError as err:
        pytest.fail("Failed to parse debug endpoint response as JSON: %s" % err, pytrace=False)
    assert jsonResponse["vhost"]["hostname"] == "Hostname is a regexp and unsafe to include in the debug response."
 def test_debug_endpoint_is_disabled_per_container(docker_compose, nginxproxy):
    r = nginxproxy.get("http://disabled.debug.nginx-proxy.example/nginx-proxy-debug")
    assert r.status_code == 404  
--- a/test/test_debug-endpoint/test_global.yml
+++ b/test/test_debug-endpoint/test_global.yml
@ -1,59 +0,0 @@
 services:
  nginx-proxy:
    environment:
      DEBUG_ENDPOINT: "true"
  debug_enabled:
    image: web
    expose:
      - "81"
    environment:
      WEB_PORTS: "81"
      VIRTUAL_HOST: enabled.debug.nginx-proxy.example
  debug_stripped:
    image: web
    expose:
      - "82"
    environment:
      WEB_PORTS: "82"
      VIRTUAL_HOST_MULTIPORTS: |-
        stripped.debug.nginx-proxy.example:
          "/1":
          "/2":
          "/3":
          "/4":
          "/5":
          "/6":
          "/7":
          "/8":
          "/9":
          "/10":
          "/11":
          "/12":
          "/13":
          "/14":
          "/15":
          "/16":
          "/17":
          "/18":
          "/19":
          "/20":
  debug_regexp:
    image: web
    expose:
      - "84"
    environment:
      WEB_PORTS: "84"
      VIRTUAL_HOST: ~^regexp.*\.debug.nginx-proxy.example
  debug_disabled:
    image: web
    expose:
      - "83"
    environment:
      WEB_PORTS: "83"
      VIRTUAL_HOST: disabled.debug.nginx-proxy.example
    labels:
      com.github.nginx-proxy.nginx-proxy.debug-endpoint: "false"
--- a/test/test_debug-endpoint/test_per-container.py
+++ b/test/test_debug-endpoint/test_per-container.py
@ -1,26 +0,0 @@
 import json
 import pytest
 def test_debug_endpoint_is_disabled_globally(docker_compose, nginxproxy):
    r = nginxproxy.get("http://disabled1.debug.nginx-proxy.example/nginx-proxy-debug")
    assert r.status_code == 404 
    r = nginxproxy.get("http://disabled2.debug.nginx-proxy.example/nginx-proxy-debug")
    assert r.status_code == 404 
 def test_debug_endpoint_is_enabled_per_container(docker_compose, nginxproxy):
    r = nginxproxy.get("http://enabled.debug.nginx-proxy.example/nginx-proxy-debug")
    assert r.status_code == 200
 def test_debug_endpoint_response_contains_expected_values(docker_compose, nginxproxy):   
    r = nginxproxy.get("http://enabled.debug.nginx-proxy.example/nginx-proxy-debug")
    assert r.status_code == 200
    try:
        jsonResponse = json.loads(r.text)
    except ValueError as err:
        pytest.fail("Failed to parse debug endpoint response as JSON:: %s" % err, pytrace=False)
    assert jsonResponse["global"]["enable_debug_endpoint"] == "false"
    assert jsonResponse["vhost"]["enable_debug_endpoint"] == True
--- a/test/test_debug-endpoint/test_per-container.yml
+++ b/test/test_debug-endpoint/test_per-container.yml
@ -1,27 +0,0 @@
 services:
  debug_disabled1:
    image: web
    expose:
      - "81"
    environment:
      WEB_PORTS: "81"
      VIRTUAL_HOST: disabled1.debug.nginx-proxy.example
  debug_disabled2:
    image: web
    expose:
      - "82"
    environment:
      WEB_PORTS: "82"
      VIRTUAL_HOST: disabled2.debug.nginx-proxy.example
  debug_enabled:
    image: web
    expose:
      - "83"
    environment:
      WEB_PORTS: "83"
      VIRTUAL_HOST: enabled.debug.nginx-proxy.example
    labels:
      com.github.nginx-proxy.nginx-proxy.debug-endpoint: "true"
--- a/test/test_default-host/test_default-host.py
+++ b/test/test_default-host/test_default-host.py
@ -1,3 +1,6 @@
 import pytest
 def test_fallback_on_default(docker_compose, nginxproxy):
    r = nginxproxy.get("http://unknown.nginx-proxy.tld/port")
    assert r.status_code == 200
--- a/test/test_default-host.yml
+++ b/test/test_default-host.yml
@ -0,0 +1,19 @@
 version: "2"
 services:
  # GIVEN a webserver with VIRTUAL_HOST set to web1.tld
  web1:
    image: web
    expose:
      - "81"
    environment:
      WEB_PORTS: 81
      VIRTUAL_HOST: web1.tld
  # WHEN nginx-proxy runs with DEFAULT_HOST set to web1.tld
  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      DEFAULT_HOST: web1.tld
--- a/test/test_default-host/test_default-host.yml
+++ b/test/test_default-host/test_default-host.yml
@ -1,12 +0,0 @@
 services:
  nginx-proxy:
    environment:
      DEFAULT_HOST: web1.tld
  web1:
    image: web
    expose:
      - "81"
    environment:
      WEB_PORTS: "81"
      VIRTUAL_HOST: web1.tld
--- a/test/test_dockergen/.gitignore
+++ b/test/test_dockergen/.gitignore
@ -0,0 +1 @@
 nginx.tmpl
--- a/test/test_dockergen/test_dockergen_v2.py
+++ b/test/test_dockergen/test_dockergen_v2.py
@ -0,0 +1,10 @@
 def test_unknown_virtual_host_is_503(docker_compose, nginxproxy):
    r = nginxproxy.get("http://unknown.nginx.container.docker/")
    assert r.status_code == 503
 def test_forwards_to_whoami(docker_compose, nginxproxy):
    r = nginxproxy.get("http://whoami.nginx.container.docker/")
    assert r.status_code == 200
    whoami_container = docker_compose.containers.get("whoami")
    assert r.text == f"I'm {whoami_container.id[:12]}\n"
--- a/test/test_dockergen/test_dockergen_v2.yml
+++ b/test/test_dockergen/test_dockergen_v2.yml
@ -0,0 +1,26 @@
 version: "2"
 services:
  nginx:
    image: nginx
    container_name: nginx
    volumes:
      - /etc/nginx/conf.d
  dockergen:
    image: nginxproxy/docker-gen
    command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    volumes_from:
      - nginx
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ../../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl
  web:
    image: web
    container_name: whoami
    expose:
      - "80"
    environment:
      WEB_PORTS: 80
      VIRTUAL_HOST: whoami.nginx.container.docker
--- a/test/test_dockergen/test_dockergen_v3.py
+++ b/test/test_dockergen/test_dockergen_v3.py
@ -1,11 +1,11 @@
 import docker
 import pytest
-from packaging.version import Version
+from distutils.version import LooseVersion
 raw_version = docker.from_env().version()["Version"]
 pytestmark = pytest.mark.skipif(
-    Version(raw_version) < Version("1.13"),
+    LooseVersion(raw_version) < LooseVersion("1.13"),
    reason="Docker compose syntax v3 requires docker engine v1.13 or later (got {raw_version})"
 )
--- a/test/test_dockergen/test_dockergen.base.yml
+++ b/test/test_dockergen/test_dockergen.base.yml
@ -1,18 +1,13 @@
-volumes:
+version: "3"
  nginx_conf:
 services:
-  nginx-proxy-nginx:
+  nginx:
    image: nginx
    container_name: nginx
    volumes:
-      - nginx_conf:/etc/nginx/conf.d:ro
+      - nginx_conf:/etc/nginx/conf.d
    ports:
      - "80:80"
      - "443:443"
-  nginx-proxy-dockergen:
+  dockergen:
    image: nginxproxy/docker-gen
    command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    volumes:
@ -26,5 +21,8 @@ services:
    expose:
      - "80"
    environment:
-      WEB_PORTS: "80"
+      WEB_PORTS: 80
      VIRTUAL_HOST: whoami.nginx.container.docker
 volumes:
  nginx_conf: {}
--- a/test/test_enable-http-on-missing-cert/test_enable-http-on-missing-cert.py
+++ b/test/test_enable-http-on-missing-cert/test_enable-http-on-missing-cert.py
@ -1,3 +1,6 @@
 import pytest
 def test_nohttp_missing_cert_disabled(docker_compose, nginxproxy):
    r = nginxproxy.get("http://nohttp-missing-cert-disabled.nginx-proxy.tld/", allow_redirects=False)
    assert r.status_code == 503
--- a/test/test_enable-http-on-missing-cert/test_enable-http-on-missing-cert.yml
+++ b/test/test_enable-http-on-missing-cert/test_enable-http-on-missing-cert.yml
@ -1,5 +1,11 @@
 version: "2"
 services:
-  nginx-proxy:
+  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./withdefault.certs:/etc/nginx/certs:ro
    environment:
      ENABLE_HTTP_ON_MISSING_CERT: "false"
--- a/test/test_events/test_events.py
+++ b/test/test_events/test_events.py
@ -7,7 +7,7 @@ import pytest
 from docker.errors import NotFound
-@pytest.fixture
+@pytest.fixture()
 def web1(docker_compose):
    """
    pytest fixture creating a web container with `VIRTUAL_HOST=web1.nginx-proxy` listening on port 81.
@ -22,7 +22,7 @@ def web1(docker_compose):
        },
        ports={"81/tcp": None}
    )
-    docker_compose.networks.get("test_events-net").connect(container)
+    docker_compose.networks.get("test_default").connect(container)
    sleep(2)  # give it some time to initialize and for docker-gen to detect it
    yield container
    try:
@ -30,7 +30,7 @@ def web1(docker_compose):
    except NotFound:
        pass
-@pytest.fixture
+@pytest.fixture()
 def web2(docker_compose):
    """
    pytest fixture creating a web container with `VIRTUAL_HOST=nginx-proxy`, `VIRTUAL_PATH=/web2/` and `VIRTUAL_DEST=/` listening on port 82.
@ -47,7 +47,7 @@ def web2(docker_compose):
        },
        ports={"82/tcp": None}
    )
-    docker_compose.networks.get("test_events-net").connect(container)
+    docker_compose.networks.get("test_default").connect(container)
    sleep(2)  # give it some time to initialize and for docker-gen to detect it
    yield container
    try:
--- a/test/compose.base.yml
+++ b/test/compose.base.yml
@ -1,9 +1,7 @@
 version: "2"
 services:
-  nginx-proxy:
+  nginxproxy:
    image: nginxproxy/nginx-proxy:test
    container_name: nginx-proxy
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    ports:
      - "80:80"
      - "443:443"
--- a/test/test_events/test_events.yml
+++ b/test/test_events/test_events.yml
@ -1,3 +0,0 @@
 networks:
  default:
    name: test_events-net
--- a/test/test_fallback/test_fallback.data/custom-fallback.conf
+++ b/test/test_fallback/test_fallback.data/custom-fallback.conf
--- a/test/test_fallback.data/custom-fallback.yml
+++ b/test/test_fallback.data/custom-fallback.yml
@ -0,0 +1,17 @@
 version: "2"
 services:
  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./custom-fallback.conf:/etc/nginx/conf.d/zzz-custom-fallback.conf:ro
  http-only:
    image: web
    expose:
      - "83"
    environment:
      WEB_PORTS: "83"
      VIRTUAL_HOST: http-only.nginx-proxy.test
      HTTPS_METHOD: nohttps
--- a/test/test_fallback/test_fallback.data/nodefault.certs/http-only.nginx-proxy.test.crt
+++ b/test/test_fallback/test_fallback.data/nodefault.certs/http-only.nginx-proxy.test.crt
--- a/test/test_fallback/test_fallback.data/nodefault.certs/http-only.nginx-proxy.test.key
+++ b/test/test_fallback/test_fallback.data/nodefault.certs/http-only.nginx-proxy.test.key
--- a/test/test_fallback/test_fallback.data/nodefault.certs/https-and-http.nginx-proxy.test.crt
+++ b/test/test_fallback/test_fallback.data/nodefault.certs/https-and-http.nginx-proxy.test.crt
--- a/test/test_fallback/test_fallback.data/nodefault.certs/https-and-http.nginx-proxy.test.key
+++ b/test/test_fallback/test_fallback.data/nodefault.certs/https-and-http.nginx-proxy.test.key
--- a/test/test_fallback/test_fallback.data/nodefault.certs/https-only.nginx-proxy.test.crt
+++ b/test/test_fallback/test_fallback.data/nodefault.certs/https-only.nginx-proxy.test.crt
--- a/test/test_fallback/test_fallback.data/nodefault.certs/https-only.nginx-proxy.test.key
+++ b/test/test_fallback/test_fallback.data/nodefault.certs/https-only.nginx-proxy.test.key
--- a/test/test_fallback/test_fallback.data/nodefault.yml
+++ b/test/test_fallback/test_fallback.data/nodefault.yml
@ -1,8 +1,11 @@
 version: "2"
 services:
-  nginx-proxy:
+  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/test_fallback.data/nodefault.certs:/etc/nginx/certs:ro
+      - ./nodefault.certs:/etc/nginx/certs:ro
  https-and-http:
    image: web
--- a/test/test_fallback/test_fallback.data/nohttp-on-app.yml
+++ b/test/test_fallback/test_fallback.data/nohttp-on-app.yml
@ -1,8 +1,11 @@
 version: "2"
 services:
-  nginx-proxy:
+  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/test_fallback.data/withdefault.certs:/etc/nginx/certs:ro
+      - ./withdefault.certs:/etc/nginx/certs:ro
    environment:
      HTTPS_METHOD: redirect
--- a/test/test_fallback/test_fallback.data/nohttp-with-missing-cert.yml
+++ b/test/test_fallback/test_fallback.data/nohttp-with-missing-cert.yml
@ -1,8 +1,11 @@
 version: "2"
 services:
-  nginx-proxy:
+  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/test_fallback.data/withdefault.certs:/etc/nginx/certs:ro
+      - ./withdefault.certs:/etc/nginx/certs:ro
    environment:
      HTTPS_METHOD: nohttp
@ -21,13 +24,3 @@ services:
    environment:
      WEB_PORTS: "84"
      VIRTUAL_HOST: missing-cert.nginx-proxy.test
  missing-cert-default-untrusted:
    image: web
    expose:
      - "85"
    environment:
      WEB_PORTS: "85"
      VIRTUAL_HOST: missing-cert.default-untrusted.nginx-proxy.test
    labels:
      com.github.nginx-proxy.nginx-proxy.trust-default-cert: "false"
--- a/test/test_fallback/test_fallback.data/nohttp.yml
+++ b/test/test_fallback/test_fallback.data/nohttp.yml
@ -1,8 +1,11 @@
 version: "2"
 services:
-  nginx-proxy:
+  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/test_fallback.data/withdefault.certs:/etc/nginx/certs:ro
+      - ./withdefault.certs:/etc/nginx/certs:ro
    environment:
      HTTPS_METHOD: nohttp
--- a/test/test_fallback/test_fallback.data/nohttps-on-app.yml
+++ b/test/test_fallback/test_fallback.data/nohttps-on-app.yml
@ -1,5 +1,10 @@
 version: "2"
 services:
-  nginx-proxy:
+  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      HTTPS_METHOD: redirect
--- a/test/test_fallback/test_fallback.data/custom-fallback.yml
+++ b/test/test_fallback/test_fallback.data/custom-fallback.yml
@ -1,8 +1,12 @@
 version: "2"
 services:
-  nginx-proxy:
+  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/test_fallback.data/custom-fallback.conf:/etc/nginx/conf.d/zzz-custom-fallback.conf:ro
+    environment:
      HTTPS_METHOD: nohttps
  http-only:
    image: web
@ -11,4 +15,3 @@ services:
    environment:
      WEB_PORTS: "83"
      VIRTUAL_HOST: http-only.nginx-proxy.test
      HTTPS_METHOD: nohttps
--- a/test/test_fallback/test_fallback.data/withdefault.certs/default.crt
+++ b/test/test_fallback/test_fallback.data/withdefault.certs/default.crt
--- a/test/test_fallback/test_fallback.data/withdefault.certs/default.key
+++ b/test/test_fallback/test_fallback.data/withdefault.certs/default.key
--- a/test/test_fallback/test_fallback.data/withdefault.certs/http-only.nginx-proxy.test.crt
+++ b/test/test_fallback/test_fallback.data/withdefault.certs/http-only.nginx-proxy.test.crt
--- a/test/test_fallback/test_fallback.data/withdefault.certs/http-only.nginx-proxy.test.key
+++ b/test/test_fallback/test_fallback.data/withdefault.certs/http-only.nginx-proxy.test.key
--- a/test/test_fallback/test_fallback.data/withdefault.certs/https-and-http.nginx-proxy.test.crt
+++ b/test/test_fallback/test_fallback.data/withdefault.certs/https-and-http.nginx-proxy.test.crt
--- a/test/test_fallback/test_fallback.data/withdefault.certs/https-and-http.nginx-proxy.test.key
+++ b/test/test_fallback/test_fallback.data/withdefault.certs/https-and-http.nginx-proxy.test.key
--- a/test/test_fallback/test_fallback.data/withdefault.certs/https-only.nginx-proxy.test.crt
+++ b/test/test_fallback/test_fallback.data/withdefault.certs/https-only.nginx-proxy.test.crt
--- a/test/test_fallback/test_fallback.data/withdefault.certs/https-only.nginx-proxy.test.key
+++ b/test/test_fallback/test_fallback.data/withdefault.certs/https-only.nginx-proxy.test.key
--- a/test/test_fallback/test_fallback.data/untrusteddefault.yml
+++ b/test/test_fallback/test_fallback.data/untrusteddefault.yml
@ -1,10 +1,11 @@
 version: "2"
 services:
-  nginx-proxy:
+  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ${PYTEST_MODULE_PATH}/test_fallback.data/withdefault.certs:/etc/nginx/certs:ro
+      - ./withdefault.certs:/etc/nginx/certs:ro
    environment:
      TRUST_DEFAULT_CERT: "false"
  https-and-http:
    image: web
--- a/test/test_fallback/test_fallback.py
+++ b/test/test_fallback/test_fallback.py
@ -1,38 +1,38 @@
-import pathlib
+import os.path
 import re
 from typing import List, Callable
 import backoff
 import pytest
 import requests
 from requests import Response
@pytest.fixture
-def docker_compose_files(compose_file) -> List[str]:
+def data_dir():
-    data_dir = pathlib.Path(__file__).parent.joinpath("test_fallback.data")
+    return f"{os.path.splitext(__file__)[0]}.data"
    return [
        data_dir.joinpath("compose.base.yml"),
        data_dir.joinpath(compose_file).as_posix()
    ]
@pytest.fixture
-def get(docker_compose, nginxproxy, want_err_re: re.Pattern[str]) -> Callable[[str], Response]:
+def docker_compose_file(data_dir, compose_file):
    return os.path.join(data_dir, compose_file)
@pytest.fixture
 def get(docker_compose, nginxproxy, want_err_re):
    @backoff.on_exception(
        backoff.constant,
-        requests.exceptions.SSLError,
+        requests.exceptions.RequestException,
-        giveup=lambda e: want_err_re and bool(want_err_re.search(str(e))),
+        giveup=lambda e: want_err_re and want_err_re.search(str(e)),
        interval=.3,
        max_tries=30,
        jitter=None)
-    def _get(url) -> Response:
+    def _get(url):
        return nginxproxy.get(url, allow_redirects=False)
    return _get
-INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
+INTERNAL_ERR_RE = re.compile("TLSV1_ALERT_INTERNAL_ERROR")
@pytest.mark.parametrize("compose_file,url,want_code,want_err_re", [
@ -43,23 +43,10 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
    ("withdefault.yml", "https://https-only.nginx-proxy.test/", 200, None),
    ("withdefault.yml", "http://http-only.nginx-proxy.test/", 200, None),
    ("withdefault.yml", "https://http-only.nginx-proxy.test/", 503, None),
-    ("withdefault.yml", "http://missing-cert.nginx-proxy.test/", 301, None),
+    ("withdefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
-    ("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
+    ("withdefault.yml", "https://missing-cert.nginx-proxy.test/", 500, None),
    ("withdefault.yml", "http://missing-cert.default-untrusted.nginx-proxy.test/", 200, None),
    ("withdefault.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    ("withdefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("withdefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
    # Same as withdefault.yml, except default.crt is not trusted (TRUST_DEFAULT_CERT=false).
    ("untrusteddefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),
    ("untrusteddefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),
    ("untrusteddefault.yml", "http://https-only.nginx-proxy.test/", 503, None),
    ("untrusteddefault.yml", "https://https-only.nginx-proxy.test/", 200, None),
    ("untrusteddefault.yml", "http://http-only.nginx-proxy.test/", 200, None),
    ("untrusteddefault.yml", "https://http-only.nginx-proxy.test/", 503, None),
    ("untrusteddefault.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
    ("untrusteddefault.yml", "https://missing-cert.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    ("untrusteddefault.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("untrusteddefault.yml", "https://unknown.nginx-proxy.test/", 503, None),
    # Same as withdefault.yml, except there is no default.crt.
    ("nodefault.yml", "http://https-and-http.nginx-proxy.test/", 301, None),
    ("nodefault.yml", "https://https-and-http.nginx-proxy.test/", 200, None),
@ -81,15 +68,12 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
    ("nohttp-on-app.yml", "https://https-only.nginx-proxy.test/", 200, None),
    ("nohttp-on-app.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("nohttp-on-app.yml", "https://unknown.nginx-proxy.test/", 503, None),
-    # Same as nohttp.yml, except there are two vhosts with a missing cert, the second
+    # Same as nohttp.yml, except there is a vhost with a missing cert.  This causes its
    # one being configured not to trust the default certificate. This causes its
    # HTTPS_METHOD=nohttp setting to effectively become HTTPS_METHOD=noredirect.
    ("nohttp-with-missing-cert.yml", "http://https-only.nginx-proxy.test/", 503, None),
    ("nohttp-with-missing-cert.yml", "https://https-only.nginx-proxy.test/", 200, None),
-    ("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 503, None),
+    ("nohttp-with-missing-cert.yml", "http://missing-cert.nginx-proxy.test/", 200, None),
-    ("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 200, None),
+    ("nohttp-with-missing-cert.yml", "https://missing-cert.nginx-proxy.test/", 500, None),
    ("nohttp-with-missing-cert.yml", "http://missing-cert.default-untrusted.nginx-proxy.test/", 200, None),
    ("nohttp-with-missing-cert.yml", "https://missing-cert.default-untrusted.nginx-proxy.test/", None, INTERNAL_ERR_RE),
    ("nohttp-with-missing-cert.yml", "http://unknown.nginx-proxy.test/", 503, None),
    ("nohttp-with-missing-cert.yml", "https://unknown.nginx-proxy.test/", 503, None),
    # HTTPS_METHOD=nohttps on nginx-proxy, HTTPS_METHOD unset on the app container.
@ -108,10 +92,10 @@ INTERNAL_ERR_RE = re.compile("TLSV1_UNRECOGNIZED_NAME")
    # should prefer that server for handling requests for unknown vhosts.
    ("custom-fallback.yml", "http://unknown.nginx-proxy.test/", 418, None),
 ])
-def test_fallback(get, compose_file, url, want_code, want_err_re):
+def test_fallback(get, url, want_code, want_err_re):
    if want_err_re is None:
        r = get(url)
        assert r.status_code == want_code
    else:
-        with pytest.raises(requests.exceptions.SSLError, match=want_err_re):
+        with pytest.raises(requests.exceptions.RequestException, match=want_err_re):
            get(url)
--- a/test/test_fallback/test_fallback.data/compose.base.yml
+++ b/test/test_fallback/test_fallback.data/compose.base.yml
@ -1,9 +0,0 @@
 services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy:test
    container_name: nginx-proxy
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    ports:
      - "80:80"
      - "443:443"
--- a/test/test_fallback/test_fallback.data/nohttps.yml
+++ b/test/test_fallback/test_fallback.data/nohttps.yml
@ -1,12 +0,0 @@
 services:
  nginx-proxy:
    environment:
      HTTPS_METHOD: nohttps
  http-only:
    image: web
    expose:
      - "83"
    environment:
      WEB_PORTS: "83"
      VIRTUAL_HOST: http-only.nginx-proxy.test
--- a/test/test_fallback/test_fallback.data/withdefault.yml
+++ b/test/test_fallback/test_fallback.data/withdefault.yml
@ -1,49 +0,0 @@
 services:
  nginx-proxy:
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ${PYTEST_MODULE_PATH}/test_fallback.data/withdefault.certs:/etc/nginx/certs:ro
  https-and-http:
    image: web
    expose:
      - "81"
    environment:
      WEB_PORTS: "81"
      VIRTUAL_HOST: https-and-http.nginx-proxy.test
  https-only:
    image: web
    expose:
      - "82"
    environment:
      WEB_PORTS: "82"
      VIRTUAL_HOST: https-only.nginx-proxy.test
      HTTPS_METHOD: nohttp
  http-only:
    image: web
    expose:
      - "83"
    environment:
      WEB_PORTS: "83"
      VIRTUAL_HOST: http-only.nginx-proxy.test
      HTTPS_METHOD: nohttps
  missing-cert:
    image: web
    expose:
      - "84"
    environment:
      WEB_PORTS: "84"
      VIRTUAL_HOST: missing-cert.nginx-proxy.test
  missing-cert-default-untrusted:
    image: web
    expose:
      - "85"
    environment:
      WEB_PORTS: "85"
      VIRTUAL_HOST: missing-cert.default-untrusted.nginx-proxy.test
    labels:
      com.github.nginx-proxy.nginx-proxy.trust-default-cert: "false"
--- a/test/test_headers/certs/default.crt
+++ b/test/test_headers/certs/default.crt
@ -1,70 +0,0 @@
 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld
        Validity
            Not Before: Jan 13 03:06:39 2017 GMT
            Not After : May 31 03:06:39 2044 GMT
        Subject: CN=web.nginx-proxy.tld
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:95:56:c7:0d:48:a5:2b:3c:65:49:3f:26:e1:38:
                    2b:61:30:56:e4:92:d7:63:e0:eb:ad:ac:f9:33:9b:
                    b2:31:f1:39:13:0b:e5:43:7b:c5:bd:8a:85:c8:d9:
                    3d:d8:ac:71:ba:16:e7:81:96:b2:ab:ae:c6:c0:bd:
                    be:a7:d1:96:8f:b2:9b:df:ba:f9:4d:a1:3b:7e:21:
                    4a:cd:b6:45:f9:6d:79:50:bf:24:8f:c1:6b:c1:09:
                    19:5b:62:cb:96:e8:04:14:20:e8:d4:16:62:6a:f2:
                    37:c1:96:e2:9d:53:05:0b:52:1d:e7:68:92:db:8b:
                    36:68:cd:8d:5b:02:ff:12:f0:ac:5d:0c:c4:e0:7a:
                    55:a2:49:60:9f:ff:47:1f:52:73:55:4d:d4:f2:d1:
                    62:a2:f4:50:9d:c9:f6:f1:43:b3:dc:57:e1:31:76:
                    b4:e0:a4:69:7e:f2:6d:34:ae:b9:8d:74:26:7b:d9:
                    f6:07:00:ef:4b:36:61:b3:ef:7a:a1:36:3a:b6:d0:
                    9e:f8:b8:a9:0d:4c:30:a2:ed:eb:ab:6b:eb:2e:e2:
                    0b:28:be:f7:04:b1:e9:e0:84:d6:5d:31:77:7c:dc:
                    d2:1f:d4:1d:71:6f:6f:6c:6d:1b:bf:31:e2:5b:c3:
                    52:d0:14:fc:8b:fb:45:ea:41:ec:ca:c7:3b:67:12:
                    c4:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:web.nginx-proxy.tld
    Signature Algorithm: sha256WithRSAEncryption
         4e:48:7d:81:66:ba:2f:50:3d:24:42:61:3f:1f:de:cf:ec:1b:
         1b:bd:0a:67:b6:62:c8:79:9d:31:a0:fd:a9:61:ce:ff:69:bf:
         0e:f4:f7:e6:15:2b:b0:f0:e4:f2:f4:d2:8f:74:02:b1:1e:4a:
         a8:6f:26:0a:77:32:29:cf:dc:b5:61:82:3e:58:47:61:92:f0:
         0c:20:25:f8:41:4d:34:09:44:bc:39:9e:aa:82:06:83:13:8b:
         1e:2c:3d:cf:cd:1a:f7:77:39:38:e0:a3:a7:f3:09:da:02:8d:
         73:75:38:b4:dd:24:a7:f9:03:db:98:c6:88:54:87:dc:e0:65:
         4c:95:c5:39:9c:00:30:dc:f0:d3:2c:19:ca:f1:f4:6c:c6:d9:
         b5:c4:4a:c7:bc:a1:2e:88:7b:b5:33:d0:ff:fb:48:5e:3e:29:
         fa:58:e5:03:de:d8:17:de:ed:96:fc:7e:1f:fe:98:f6:be:99:
         38:87:51:c0:d3:b7:9a:0f:26:92:e5:53:1b:d6:25:4c:ac:48:
         f3:29:fc:74:64:9d:07:6a:25:57:24:aa:a7:70:fa:8f:6c:a7:
         2b:b7:9d:81:46:10:32:93:b9:45:6d:0f:16:18:b2:21:1f:f3:
         30:24:62:3f:e1:6c:07:1d:71:28:cb:4c:bb:f5:39:05:f9:b2:
         5b:a0:05:1b
 -----BEGIN CERTIFICATE-----
 MIIC+zCCAeOgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp
 bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs
 ZDAeFw0xNzAxMTMwMzA2MzlaFw00NDA1MzEwMzA2MzlaMB4xHDAaBgNVBAMME3dl
 Yi5uZ2lueC1wcm94eS50bGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
 AQCVVscNSKUrPGVJPybhOCthMFbkktdj4OutrPkzm7Ix8TkTC+VDe8W9ioXI2T3Y
 rHG6FueBlrKrrsbAvb6n0ZaPspvfuvlNoTt+IUrNtkX5bXlQvySPwWvBCRlbYsuW
 6AQUIOjUFmJq8jfBluKdUwULUh3naJLbizZozY1bAv8S8KxdDMTgelWiSWCf/0cf
 UnNVTdTy0WKi9FCdyfbxQ7PcV+ExdrTgpGl+8m00rrmNdCZ72fYHAO9LNmGz73qh
 Njq20J74uKkNTDCi7eura+su4gsovvcEsenghNZdMXd83NIf1B1xb29sbRu/MeJb
 w1LQFPyL+0XqQezKxztnEsTfAgMBAAGjIjAgMB4GA1UdEQQXMBWCE3dlYi5uZ2lu
 eC1wcm94eS50bGQwDQYJKoZIhvcNAQELBQADggEBAE5IfYFmui9QPSRCYT8f3s/s
 Gxu9Cme2Ysh5nTGg/alhzv9pvw709+YVK7Dw5PL00o90ArEeSqhvJgp3MinP3LVh
 gj5YR2GS8AwgJfhBTTQJRLw5nqqCBoMTix4sPc/NGvd3OTjgo6fzCdoCjXN1OLTd
 JKf5A9uYxohUh9zgZUyVxTmcADDc8NMsGcrx9GzG2bXESse8oS6Ie7Uz0P/7SF4+
 KfpY5QPe2Bfe7Zb8fh/+mPa+mTiHUcDTt5oPJpLlUxvWJUysSPMp/HRknQdqJVck
 qqdw+o9spyu3nYFGEDKTuUVtDxYYsiEf8zAkYj/hbAcdcSjLTLv1OQX5slugBRs=
 -----END CERTIFICATE-----
--- a/test/test_headers/certs/default.key
+++ b/test/test_headers/certs/default.key
@ -1,27 +0,0 @@
 -----BEGIN RSA PRIVATE KEY-----
 MIIEogIBAAKCAQEAlVbHDUilKzxlST8m4TgrYTBW5JLXY+Drraz5M5uyMfE5Ewvl
 Q3vFvYqFyNk92KxxuhbngZayq67GwL2+p9GWj7Kb37r5TaE7fiFKzbZF+W15UL8k
 j8FrwQkZW2LLlugEFCDo1BZiavI3wZbinVMFC1Id52iS24s2aM2NWwL/EvCsXQzE
 4HpVoklgn/9HH1JzVU3U8tFiovRQncn28UOz3FfhMXa04KRpfvJtNK65jXQme9n2
 BwDvSzZhs+96oTY6ttCe+LipDUwwou3rq2vrLuILKL73BLHp4ITWXTF3fNzSH9Qd
 cW9vbG0bvzHiW8NS0BT8i/tF6kHsysc7ZxLE3wIDAQABAoIBAEmK7IecKMq7+V0y
 3mC3GpXICmKR9cRX9XgX4LkLiZuSoXrBtuuevmhzGSMp6I0VjwQHV4a3wdFORs6Q
 Ip3eVvj5Ck4Jc9BJAFVC6+WWR6tnwACFwOmSZRAw/O3GH2B3bdrDwiT/yQPFuLN7
 LKoxQiCrFdLp6rh3PBosb9pMBXU7k/HUazIdgmSKg6/JIoo/4Gwyid04TF/4MI2l
 RscxtP5/ANtS8VgwBEqhgdafRJ4KnLEpgvswgIQvUKmduVhZQlzd0LMY8FbhKVqz
 Utg8gsXaTyH6df/nmgUIInxLMz/MKPnMkv99fS6Sp/hvYlGpLZFWBJ6unMq3lKEr
 LMbHfIECgYEAxB+5QWdVqG2r9loJlf8eeuNeMPml4P8Jmi5RKyJC7Cww6DMlMxOS
 78ZJfl4b3ZrWuyvhjOfX/aTq7kQaF1BI9o3KJBH8k6EtO4gI8KeNmDONyQk9zsrn
 ru8Zwr7hVbAo8fCXxCnmPzhDLsYg6f3BVOsQWoX2SFYKZ1GvkPfIReECgYEAwu6G
 qtgFb57Vim10ecfWGM6vrPxvyfqP+zlH/p4nR+aQ+2sFbt27D0B1byWBRZe4KQyw
 Vq6XiQ09Fk6MJr8E8iAr9GXPPHcqlYI6bbNc6YOP3jVSKut0tQdTUOHll4kYIY+h
 RS3VA3+BA//ADpWpywu+7RZRbaIECA+U2a224r8CgYB5PCMIixgoRaNHZeEHF+1/
 iY1wOOKRcxY8eOU0BLnZxHd3EiasrCzoi2pi80nGczDKAxYqRCcAZDHVl8OJJdf0
 kTGjmnrHx5pucmkUWn7s1vGOlGfgrQ0K1kLWX6hrj7m/1Tn7yOrLqbvd7hvqiTI5
 jBVP3/+eN5G2zIf61TC4AQKBgCX2Q92jojNhsF58AHHy+/vqzIWYx8CC/mVDe4TX
 kfjLqzJ7XhyAK/zFZdlWaX1/FYtRAEpxR+uV226rr1mgW7s3jrfS1/ADmRRyvyQ8
 CP0k9PCmW7EmF51lptEanRbMyRlIGnUZfuFmhF6eAO4WMXHsgKs1bHg4VCapuihG
 T1aLAoGACRGn1UxFuBGqtsh2zhhsBZE7GvXKJSk/eP7QJeEXUNpNjCpgm8kIZM5K
 GorpL7PSB8mwVlDl18TpMm3P7nz6YkJYte+HdjO7pg59H39Uvtg3tZnIrFxNxVNb
 YF62/yHfk2AyTgjQZQUSmDS84jq1zUK4oS90lxr+u8qwELTniMs=
 -----END RSA PRIVATE KEY-----
--- a/test/test_headers/test_http.yml
+++ b/test/test_headers/test_http.yml
@ -1,10 +1,12 @@
 version: "2"
 services:
  web:
    image: web
    expose:
      - "80"
    environment:
-      WEB_PORTS: "80"
+      WEB_PORTS: 80
      VIRTUAL_HOST: web.nginx-proxy.tld
  web-server-tokens-off:
@ -12,6 +14,11 @@ services:
    expose:
      - "80"
    environment:
-      WEB_PORTS: "80"
+      WEB_PORTS: 80
      VIRTUAL_HOST: web-server-tokens-off.nginx-proxy.tld
      SERVER_TOKENS: "off"
  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
--- a/test/test_headers/test_https.yml
+++ b/test/test_headers/test_https.yml
@ -1,15 +1,12 @@
-services:
+version: "2"
  nginx-proxy:
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ${PYTEST_MODULE_PATH}/certs:/etc/nginx/certs:ro
 services:
  web:
    image: web
    expose:
      - "80"
    environment:
-      WEB_PORTS: "80"
+      WEB_PORTS: 80
      VIRTUAL_HOST: web.nginx-proxy.tld
  web-server-tokens-off:
@ -17,6 +14,17 @@ services:
    expose:
      - "80"
    environment:
-      WEB_PORTS: "80"
+      WEB_PORTS: 80
      VIRTUAL_HOST: web-server-tokens-off.nginx-proxy.tld
      SERVER_TOKENS: "off"
  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs/web.nginx-proxy.tld.crt:/etc/nginx/certs/default.crt:ro
      - ./certs/web.nginx-proxy.tld.key:/etc/nginx/certs/default.key:ro
      - ./certs/web.nginx-proxy.tld.crt:/etc/nginx/certs/web.nginx-proxy.tld.crt:ro
      - ./certs/web.nginx-proxy.tld.key:/etc/nginx/certs/web.nginx-proxy.tld.key:ro
      - ./certs/web-server-tokens-off.nginx-proxy.tld.crt:/etc/nginx/certs/web-server-tokens-off.nginx-proxy.tld.crt:ro
      - ./certs/web-server-tokens-off.nginx-proxy.tld.key:/etc/nginx/certs/web-server-tokens-off.nginx-proxy.tld.key:ro
--- a/test/test_host-network-mode/test_host-network-mode.py
+++ b/test/test_host-network-mode/test_host-network-mode.py
@ -1,3 +1,6 @@
 import pytest
 def test_forwards_to_bridge_network_container(docker_compose, nginxproxy):
    r = nginxproxy.get("http://bridge-network.nginx-proxy.tld/port")
    assert r.status_code == 200   
--- a/test/test_host-network-mode/test_host-network-mode.yml
+++ b/test/test_host-network-mode/test_host-network-mode.yml
@ -1,14 +1,11 @@
 version: "2"
 networks:
  net1:
    internal: true
  net2:
 services:
  nginx-proxy:
    networks:
      - net1
      - net2
  bridge-network:
    image: web
    environment:
@ -24,3 +21,11 @@ services:
      VIRTUAL_HOST: "host-network.nginx-proxy.tld"
      VIRTUAL_PORT: "8080"
    network_mode: host
  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - net1
      - net2
--- a/test/test_host-network-mode/test_proxy-host-network-mode.py
+++ b/test/test_host-network-mode/test_proxy-host-network-mode.py
@ -1,5 +1,5 @@
-# Note: on Docker Desktop, host networking must be manually enabled.
+import pytest
-# See https://docs.docker.com/engine/network/drivers/host/
+
 def test_forwards_to_host_network_container_1(docker_compose, nginxproxy):
    r = nginxproxy.get("http://host-network-1.nginx-proxy.tld:8888/port")
--- a/test/test_host-network-mode/test_proxy-host-network-mode.yml
+++ b/test/test_host-network-mode/test_proxy-host-network-mode.yml
@ -1,9 +1,6 @@
-services:
+version: "2"
  nginx-proxy:
    environment:
      HTTP_PORT: 8888
    network_mode: host
 services:
  host-network-1:
    image: web
    environment:
@ -19,3 +16,11 @@ services:
      VIRTUAL_HOST: "host-network-2.nginx-proxy.tld"
      VIRTUAL_PORT: "8181"
    network_mode: host
  sut:
    image: nginxproxy/nginx-proxy:test
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      HTTP_PORT: 8888
    network_mode: host
--- a/test/test_htpasswd/compose.base.override.yml
+++ b/test/test_htpasswd/compose.base.override.yml
@ -1,5 +0,0 @@
 services:
  nginx-proxy:
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ${PYTEST_MODULE_PATH}/htpasswd:/etc/nginx/htpasswd:ro
--- a/Show more
+++ b/Show more
		`@ -0,0 +1 @@`
							`This directory contains tests that showcase scenarios known to break the expected behavior of nginx-proxy.`