diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index a413877..ed2e882 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -18,6 +18,12 @@ fi
 # Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default
 /app/generate-dhparam.sh $DHPARAM_BITS
 
+# Compute the DNS resolvers for use in the templates
+export RESOLVERS=$(awk '$1 == "nameserver" {print $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')
+if [ "x$RESOLVERS" = "x" ]; then
+    echo "Warning: unable to determine DNS resolvers for nginx" >&2
+fi
+
 # If the user has run the default command and the socket doesn't exist, fail
 if [ "$socketMissing" = 1 -a "$1" = forego -a "$2" = start -a "$3" = '-r' ]; then
     exit 1
diff --git a/nginx.tmpl b/nginx.tmpl
index f23e627..2ef7646 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -58,6 +58,10 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '
 
 access_log off;
 
+{{ if ne $.Env.RESOLVERS "" }}
+resolver {{ $.Env.RESOLVERS }};
+{{ end }}
+
 {{ if (exists "/etc/nginx/proxy.conf") }}
 include /etc/nginx/proxy.conf;
 {{ else }}
@@ -198,6 +202,12 @@ server {
 	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 	{{ end }}
 
+	{{ if (exists (printf "/etc/nginx/certs/%s.chain.crt" $cert)) }}
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.crt" $cert }};
+	{{ end }}
+
 	{{ if (ne $https_method "noredirect") }}
 	add_header Strict-Transport-Security "max-age=31536000";
 	{{ end }}
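Review bot: The awk on the `export RESOLVERS=` line copies each nameserver entry verbatim, so an IPv6 nameserver in /etc/resolv.conf (`::1`, or a link-local one such as `fe80::1%eth0`) is emitted bare, and nginx's `resolver` directive, which expects IPv6 addresses in square brackets and has no notion of a zone ID, will most likely reject the generated config at load time and keep nginx from starting. Bracketing IPv6 entries and dropping any `%scope` suffix in the same awk avoids that: `export RESOLVERS=$(awk '$1 == "nameserver" { sub(/%.*/, "", $2); print ($2 ~ /:/) ? "[" $2 "]" : $2 }' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')`. Separately, `export VAR=$(...)` masks a failing awk/sed (the status is that of `export`), so a missing or unreadable /etc/resolv.conf is only caught by the empty-string check, which warns rather than exits; that is a reasonable choice because nginx can start without a resolver, but a one-line comment saying so would stop the next reader from "fixing" it into an `exit 1`. The rest of the entrypoint runs before and after this hunk.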
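Review bot: The new `resolver` directive carries no comment explaining why a global resolver is suddenly needed, and since the generated upstreams are literal addresses a reader will assume it changes how proxying works; the only consumer visible in this commit is the OCSP stapling added further down, which needs it to look up responder hostnames. Suggested comment above the `{{ if ne $.Env.RESOLVERS "" }}` guard: `# RESOLVERS is derived from /etc/resolv.conf by docker-entrypoint.sh; nginx needs it to resolve OCSP responder hostnames for ssl_stapling (it does not consult /etc/hosts or search domains).` Two knobs are worth a deliberate decision here rather than the defaults: `valid=` (nginx otherwise caches answers for the record's TTL) and `ipv6=off` where the container has no IPv6 egress, since nginx will otherwise also try AAAA answers.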
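Review bot: `ssl_stapling_verify on` together with `ssl_trusted_certificate` pointing at `%s.chain.crt` only verifies if that file contains the chain up to and including the root that anchors the OCSP responder's signing certificate; a chain file holding only the intermediate makes verification fail, and nginx then logs the failure and quietly serves no staple instead of refusing to start. The block is also enabled whether or not the entrypoint found a resolver, which is the second way stapling degrades silently (nginx logs `no resolver defined to resolve ...` at handshake time); gating it on the same variable keeps the two in step: `{{ if (and (exists (printf "/etc/nginx/certs/%s.chain.crt" $cert)) (ne $.Env.RESOLVERS "")) }}`. A comment above the block stating the file requirement, `# <cert>.chain.crt must contain the issuer chain including the root CA, or ssl_stapling_verify rejects the OCSP response and no staple is sent`, would save operators a confusing debugging session. The enclosing `server {` block starts before this hunk and continues after it.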