Merge pull request #1 from harvdogg/master

Allow complete override of location blocks
Merge pull request #1113 from basro/master
2025-04-11 16:21:01 +00:00 · 2020-04-13 19:45:23 +02:00 · 2020-03-25 14:27:02 -06:00 · 2020-03-25 14:26:30 -06:00 · 2020-03-03 00:29:54 -05:00 · 2020-03-03 00:24:21 -05:00
129 changed files with 4108 additions and 1747 deletions
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@ -0,0 +1,14 @@
+# !!!PLEASE READ!!!
+
+## Questions
+
+If you have a question, DO NOT SUBMIT a new issue.  Please ask the question on the Q&A Group: https://groups.google.com/forum/#!forum/nginx-proxy
+
+## Bugs or Features
+
+If you are logging a bug or feature request, please search the current open issues to see if there is already a bug or feature opened.
+
+For bugs, the easier you make it to reproduce the issue you see, the easier and faster it can get fixed.  If you can provide a script or docker-compose file that reproduces the problems, that is very helpful.
+
+Thanks,
+Jason
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+**/__pycache__/
+**/.cache/
+.idea/
--- a/.travis.yml
+++ b/.travis.yml
@ -1,22 +1,22 @@
+dist: trusty
 sudo: required
-services:
-  - docker

 env:
-    global:
-        - DOCKER_VERSION=1.10.1-0~trusty
+  matrix:
+  - TEST_TARGET: test-debian
+  - TEST_TARGET: test-alpine

 before_install:
-  # list docker-engine versions
-  - apt-cache madison docker-engine
-  # upgrade docker-engine to specific version
-  - sudo apt-get -o Dpkg::Options::="--force-confnew" install -y docker-engine=${DOCKER_VERSION}
+  - sudo apt-get -y remove docker docker-engine docker-ce
+  - sudo rm /etc/apt/sources.list.d/docker.list
+  - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+  - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+  - sudo apt-get update
+  - sudo apt-get -y install docker-ce
  - docker version
  - docker info
-  - sudo add-apt-repository ppa:duggan/bats --yes
-  - sudo apt-get update -qq
-  - sudo apt-get install -qq bats
+  # prepare docker test requirements
  - make update-dependencies

 script:
-  - make test
+  - make $TEST_TARGET
--- a/13
+++ b/13
@ -1,5 +1,5 @@
-FROM nginx:1.9.12
-MAINTAINER Jason Wilder mail@jasonwilder.com
+FROM nginx:1.17.8
+LABEL maintainer="Jason Wilder mail@jasonwilder.com"

 # Install wget and install/updates certificates
 RUN apt-get update \
@ -9,26 +9,29 @@ RUN apt-get update \
 && apt-get clean \
 && rm -r /var/lib/apt/lists/*

+
 # Configure Nginx and apply fix for very long server names
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
- && sed -i 's/^http {/&\n    server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf
+ && sed -i 's/worker_processes  1/worker_processes  auto/' /etc/nginx/nginx.conf

 # Install Forego
 ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego
 RUN chmod u+x /usr/local/bin/forego

-ENV DOCKER_GEN_VERSION 0.7.1
+ENV DOCKER_GEN_VERSION 0.7.4

 RUN wget https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \
 && tar -C /usr/local/bin -xvzf docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \
 && rm /docker-gen-linux-amd64-$DOCKER_GEN_VERSION.tar.gz

+COPY network_internal.conf /etc/nginx/
+
 COPY . /app/
 WORKDIR /app/

 ENV DOCKER_HOST unix:///tmp/docker.sock

-VOLUME ["/etc/nginx/certs"]
+VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam"]

 ENTRYPOINT ["/app/docker-entrypoint.sh"]
 CMD ["forego", "start", "-r"]
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@ -0,0 +1,34 @@
+FROM nginx:1.17.8-alpine
+LABEL maintainer="Jason Wilder mail@jasonwilder.com"
+
+# Install wget and install/updates certificates
+RUN apk add --no-cache --virtual .run-deps \
+    ca-certificates bash wget openssl \
+    && update-ca-certificates
+
+
+# Configure Nginx and apply fix for very long server names
+RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
+ && sed -i 's/worker_processes  1/worker_processes  auto/' /etc/nginx/nginx.conf
+
+# Install Forego
+ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego
+RUN chmod u+x /usr/local/bin/forego
+
+ENV DOCKER_GEN_VERSION 0.7.4
+
+RUN wget --quiet https://github.com/jwilder/docker-gen/releases/download/$DOCKER_GEN_VERSION/docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \
+ && tar -C /usr/local/bin -xvzf docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz \
+ && rm /docker-gen-alpine-linux-amd64-$DOCKER_GEN_VERSION.tar.gz
+
+COPY network_internal.conf /etc/nginx/
+
+COPY . /app/
+WORKDIR /app/
+
+ENV DOCKER_HOST unix:///tmp/docker.sock
+
+VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam"]
+
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
+CMD ["forego", "start", "-r"]
--- a/22
+++ b/22
@ -1,14 +1,16 @@
 .SILENT :
-.PHONY : test
+.PHONY : test-debian test-alpine test
+

 update-dependencies:
-	docker pull jwilder/docker-gen:0.7.1
-	docker pull nginx:1.9.12
-	docker pull python:3
-	docker pull rancher/socat-docker:latest
-	docker pull appropriate/curl:latest
-	docker pull docker:1.10
+	test/requirements/build.sh

-test:
-	docker build -t jwilder/nginx-proxy:bats .
-	bats test
+test-debian: update-dependencies
+	docker build -t jwilder/nginx-proxy:test .
+	test/pytest.sh
+
+test-alpine: update-dependencies
+	docker build -f Dockerfile.alpine -t jwilder/nginx-proxy:test .
+	test/pytest.sh
+
+test: test-debian test-alpine
--- a/2
+++ b/2
@ -1,2 +1,2 @@
+dockergen: docker-gen -watch -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf
 nginx: nginx
-dockergen: docker-gen -watch -only-exposed -notify "nginx -s reload" /app/nginx.tmpl /etc/nginx/conf.d/default.conf
--- a/README.md
+++ b/README.md
@ -1,4 +1,5 @@
-![nginx 1.9.12](https://img.shields.io/badge/nginx-1.9.12-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build](https://circleci.com/gh/jwilder/nginx-proxy.svg?&style=shield&circle-token=2da3ee844076a47371bd45da81cf27409ca7306a)](https://circleci.com/gh/jwilder/nginx-proxy) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub')
+![latest 0.7.0](https://img.shields.io/badge/latest-0.7.0-green.svg?style=flat)
+![nginx 1.17.8](https://img.shields.io/badge/nginx-1.17.8-brightgreen.svg) ![License MIT](https://img.shields.io/badge/license-MIT-blue.svg) [![Build Status](https://travis-ci.org/jwilder/nginx-proxy.svg?branch=master)](https://travis-ci.org/jwilder/nginx-proxy) [![](https://img.shields.io/docker/stars/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub') [![](https://img.shields.io/docker/pulls/jwilder/nginx-proxy.svg)](https://hub.docker.com/r/jwilder/nginx-proxy 'DockerHub')


 nginx-proxy sets up a container running nginx and [docker-gen][1].  docker-gen generates reverse proxy configs for nginx and reloads nginx when containers are started and stopped.
@ -15,14 +16,56 @@ Then start any containers you want proxied with an env var `VIRTUAL_HOST=subdoma

    $ docker run -e VIRTUAL_HOST=foo.bar.com  ...

-The containers being proxied must [expose](https://docs.docker.com/reference/run/#expose-incoming-ports) the port to be proxied, either by using the `EXPOSE` directive in their `Dockerfile` or by using the `--expose` flag to `docker run` or `docker create`.
+The containers being proxied must [expose](https://docs.docker.com/engine/reference/run/#expose-incoming-ports) the port to be proxied, either by using the `EXPOSE` directive in their `Dockerfile` or by using the `--expose` flag to `docker run` or `docker create` and be in the same network. By default, if you don't pass the --net flag when your nginx-proxy container is created, it will only be attached to the default bridge network. This means that it will not be able to connect to containers on networks other than bridge.

-Provided your DNS is setup to forward foo.bar.com to the a host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set.
+Provided your DNS is setup to forward foo.bar.com to the host running nginx-proxy, the request will be routed to a container with the VIRTUAL_HOST env var set.

-### Docker-compose
+### Image variants

-Currently this does not work with the new v2 syntax of docker-compose (due to not being compatible with the new network overlay see [#304](https://github.com/jwilder/nginx-proxy/issues/304)). It does work when using the old docker-composer syntax.
+The nginx-proxy images are available in two flavors.

+#### jwilder/nginx-proxy:latest
+
+This image uses the debian:jessie based nginx image.
+
+    $ docker pull jwilder/nginx-proxy:latest
+
+#### jwilder/nginx-proxy:alpine
+
+This image is based on the nginx:alpine image. Use this image to fully support HTTP/2 (including ALPN required by recent Chrome versions). A valid certificate is required as well (see eg. below "SSL Support using letsencrypt" for more info).
+
+    $ docker pull jwilder/nginx-proxy:alpine
+
+### Docker Compose
+
+```yaml
+version: '2'
+
+services:
+  nginx-proxy:
+    image: jwilder/nginx-proxy
+    ports:
+      - "80:80"
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+
+  whoami:
+    image: jwilder/whoami
+    environment:
+      - VIRTUAL_HOST=whoami.local
+```
+
+```shell
+$ docker-compose up
+$ curl -H "Host: whoami.local" localhost
+I'm 5b129ab83266
+```
+
+### IPv6 support
+
+You can activate the IPv6 support for the nginx-proxy container by passing the value `true` to the `ENABLE_IPV6` environment variable:
+
+    $ docker run -d -p 80:80 -e ENABLE_IPV6=true -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy

 ### Multiple Ports

@ -53,9 +96,47 @@ $ docker network connect my-other-network my-nginx-proxy

 In this example, the `my-nginx-proxy` container will be connected to `my-network` and `my-other-network` and will be able to proxy to other containers attached to those networks.

+### Internet vs. Local Network Access
+
+If you allow traffic from the public internet to access your `nginx-proxy` container, you may want to restrict some containers to the internal network only, so they cannot be accessed from the public internet.  On containers that should be restricted to the internal network, you should set the environment variable `NETWORK_ACCESS=internal`.  By default, the *internal* network is defined as `127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16`.  To change the list of networks considered internal, mount a file on the `nginx-proxy` at `/etc/nginx/network_internal.conf` with these contents, edited to suit your needs:
+
+```
+# These networks are considered "internal"
+allow 127.0.0.0/8;
+allow 10.0.0.0/8;
+allow 192.168.0.0/16;
+allow 172.16.0.0/12;
+
+# Traffic from all other networks will be rejected
+deny all;
+```
+
+When internal-only access is enabled, external clients with be denied with an `HTTP 403 Forbidden`
+
+> If there is a load-balancer / reverse proxy in front of `nginx-proxy` that hides the client IP (example: AWS Application/Elastic Load Balancer), you will need to use the nginx `realip` module (already installed) to extract the client's IP from the HTTP request headers.  Please see the [nginx realip module configuration](http://nginx.org/en/docs/http/ngx_http_realip_module.html) for more details.  This configuration can be added to a new config file and mounted in `/etc/nginx/conf.d/`.
+
 ### SSL Backends

-If you would like to connect to your backend using HTTPS instead of HTTP, set `VIRTUAL_PROTO=https` on the backend container.
+If you would like the reverse proxy to connect to your backend using HTTPS instead of HTTP, set `VIRTUAL_PROTO=https` on the backend container.
+
+> Note: If you use `VIRTUAL_PROTO=https` and your backend container exposes port 80 and 443, `nginx-proxy` will use HTTPS on port 80.  This is almost certainly not what you want, so you should also include `VIRTUAL_PORT=443`.
+
+### uWSGI Backends
+
+If you would like to connect to uWSGI backend, set `VIRTUAL_PROTO=uwsgi` on the
+backend container. Your backend container should then listen on a port rather
+than a socket and expose that port.
+
+### FastCGI Backends
+ 
+If you would like to connect to FastCGI backend, set `VIRTUAL_PROTO=fastcgi` on the
+backend container. Your backend container should then listen on a port rather
+than a socket and expose that port.
+ 
+### FastCGI File Root Directory
+
+If you use fastcgi,you can set `VIRTUAL_ROOT=xxx`  for your root directory
+

 ### Default Host

@ -71,6 +152,14 @@ image and the official [nginx](https://registry.hub.docker.com/_/nginx/) image.

 You may want to do this to prevent having the docker socket bound to a publicly exposed container service.

+You can demo this pattern with docker-compose:
+
+```console
+$ docker-compose --file docker-compose-separate-containers.yml up
+$ curl -H "Host: whoami.local" localhost
+I'm 5b129ab83266
+```
+
 To run nginx proxy as a separate container you'll need to have [nginx.tmpl](https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl) on your host system.

 First start nginx with a volume:
@ -84,13 +173,20 @@ Then start the docker-gen container with the shared volume and template:
 $ docker run --volumes-from nginx \
    -v /var/run/docker.sock:/tmp/docker.sock:ro \
    -v $(pwd):/etc/docker-gen/templates \
-    -t jwilder/docker-gen -notify-sighup nginx -watch -only-exposed /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+    -t jwilder/docker-gen -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
 ```

 Finally, start your containers with `VIRTUAL_HOST` environment variables.

    $ docker run -e VIRTUAL_HOST=foo.bar.com  ...
+### SSL Support using letsencrypt

+[letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) is a lightweight companion container for the nginx-proxy. It allows the creation/renewal of Let's Encrypt certificates automatically.
+
+Set `DHPARAM_GENERATION` environment variable to `false` to disabled Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`.
+The default value is `true`
+
+     $ docker run -e DHPARAM_GENERATION=false ....
 ### SSL Support

 SSL is supported using single host, wildcard and SNI certificates using naming conventions for
@ -105,11 +201,33 @@ hosts in use.  The certificate and keys should be named after the virtual host w
 `.key` extension.  For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a
 `foo.bar.com.crt` and `foo.bar.com.key` file in the certs directory.

+If you are running the container in a virtualized environment (Hyper-V, VirtualBox, etc...),
+/path/to/certs must exist in that environment or be made accessible to that environment.
+By default, Docker is not able to mount directories on the host machine to containers running in a virtual machine.
+
 #### Diffie-Hellman Groups

-If you have Diffie-Hellman groups enabled, the files should be named after the virtual host with a
+Diffie-Hellman groups are enabled by default, with a pregenerated key in `/etc/nginx/dhparam/dhparam.pem`.
+You can mount a different `dhparam.pem` file at that location to override the default cert.
+To use custom `dhparam.pem` files per-virtual-host, the files should be named after the virtual host with a
 `dhparam` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com`
-should have a `foo.bar.com.dhparam.pem` file in the certs directory.
+should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory.
+
+> NOTE: If you don't mount a `dhparam.pem` file at `/etc/nginx/dhparam/dhparam.pem`, one will be generated
+at startup.  Since it can take minutes to generate a new `dhparam.pem`, it is done at low priority in the
+background.  Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx
+is reloaded.  This generation process only occurs the first time you start `nginx-proxy`.
+
+> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security.  Some
+> older clients (like Java 6 and 7) do not support DH keys with over 1024 bits.  In order to support these
+> clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit
+> key on startup by passing `-e DHPARAM_BITS=1024`.
+
+In the separate container setup, no pregenerated key will be available and neither the
+[jwilder/docker-gen](https://index.docker.io/u/jwilder/docker-gen/) image nor the offical
+[nginx](https://registry.hub.docker.com/_/nginx/) image will generate one. If you still want A+ security
+in a separate container setup, you'll have to generate a 2048 bits DH key file manually and mount it on the
+nginx container, at `/etc/nginx/dhparam/dhparam.pem`.

 #### Wildcard Certificates

@ -123,12 +241,35 @@ to identify the certificate to be used.  For example, a certificate for `*.foo.c
 could be named `shared.crt` and `shared.key`.  A container running with `VIRTUAL_HOST=foo.bar.com`
 and `CERT_NAME=shared` will then use this shared cert.

+#### OCSP Stapling
+To enable OCSP Stapling for a domain, `nginx-proxy` looks for a PEM certificate containing the trusted
+CA certificate chain at `/etc/nginx/certs/<domain>.chain.pem`, where `<domain>` is the domain name in
+the `VIRTUAL_HOST` directive.  The format of this file is a concatenation of the public PEM CA
+certificates starting with the intermediate CA most near the SSL certificate, down to the root CA.  This is
+often referred to as the "SSL Certificate Chain".  If found, this filename is passed to the NGINX
+[`ssl_trusted_certificate` directive](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate)
+and OCSP Stapling is enabled.
+
 #### How SSL Support Works

-The SSL cipher configuration is based on [mozilla nginx intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx) which
-should provide compatibility with clients back to Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
-Windows XP IE8, Android 2.3, Java 7.  The configuration also enables HSTS, and SSL
-session caches.
+The default SSL cipher configuration is based on the [Mozilla intermediate profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29) version 5.0 which
+should provide compatibility with clients back to Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7,
+Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9.  Note that the DES-based TLS ciphers were removed for security.
+The configuration also enables HSTS, PFS, OCSP stapling and SSL session caches.  Currently TLS 1.2 and 1.3
+are supported.
+
+If you don't require backward compatibility, you can use the [Mozilla modern profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility)
+profile instead by including the environment variable `SSL_POLICY=Mozilla-Modern` to the nginx-proxy container or to your container.
+This profile is compatible with clients back to Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11,
+OpenSSL 1.1.1, Opera 57, and Safari 12.1.  Note that this profile is **not** compatible with any version of Internet Explorer.
+
+Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility)
+and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html)
+`AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
+
+Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container generates
+a 2048 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing
+this, either globally or per virtual-host.

 The default behavior for the proxy when port 80 and 443 are exposed is as follows:

@ -139,11 +280,24 @@ is always preferred when available.
 Note that in the latter case, a browser may get an connection error as no certificate is available
 to establish a connection.  A self-signed or generic cert named `default.crt` and `default.key`
 will allow a client browser to make a SSL connection (likely w/ a warning) and subsequently receive
-a 503.
+a 500.

 To serve traffic in both SSL and non-SSL modes without redirecting to SSL, you can include the
 environment variable `HTTPS_METHOD=noredirect` (the default is `HTTPS_METHOD=redirect`).  You can also
-disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`. 
+disable the non-SSL site entirely with `HTTPS_METHOD=nohttp`, or disable the HTTPS site with
+`HTTPS_METHOD=nohttps`. `HTTPS_METHOD` must be specified on each container for which you want to
+override the default behavior.  If `HTTPS_METHOD=noredirect` is used, Strict Transport Security (HSTS)
+is disabled to prevent HTTPS users from being redirected by the client.  If you cannot get to the HTTP
+site after changing this setting, your browser has probably cached the HSTS policy and is automatically
+redirecting you back to HTTPS.  You will need to clear your browser's HSTS cache or use an incognito
+window / different browser.
+
+By default, [HTTP Strict Transport Security (HSTS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) 
+is enabled with `max-age=31536000` for HTTPS sites.  You can disable HSTS with the environment variable 
+`HSTS=off` or use a custom HSTS configuration like `HSTS=max-age=31536000; includeSubDomains; preload`.  
+*WARNING*: HSTS will force your users to visit the HTTPS version of your site for the `max-age` time - 
+even if they type in `http://` manually.  The only way to get to an HTTP site after receiving an HSTS 
+response is to clear your browser's HSTS cache.

 ### Basic Authentication Support

@ -179,10 +333,17 @@ proxy_set_header Connection $proxy_connection;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
 ```

 ***NOTE***: If you provide this file it will replace the defaults; you may want to check the .tmpl file to make sure you have all of the needed options.

+***NOTE***: The default configuration blocks the `Proxy` HTTP request header from being sent to downstream servers.  This prevents attackers from using the so-called [httpoxy attack](http://httpoxy.org).  There is no legitimate reason for a client to send this header, and there are many vulnerable languages / platforms (`CVE-2016-5385`, `CVE-2016-5386`, `CVE-2016-5387`, `CVE-2016-5388`, `CVE-2016-1000109`, `CVE-2016-1000110`, `CERT-VU#797896`).
+
 #### Proxy-wide

 To add settings on a proxy-wide basis, add your configuration file under `/etc/nginx/conf.d` using a name ending in `.conf`.
@ -240,7 +401,26 @@ If you are using multiple hostnames for a single container (e.g. `VIRTUAL_HOST=e
 #### Per-VIRTUAL_HOST location default configuration

 If you want most of your virtual hosts to use a default single `location` block configuration and then override on a few specific ones, add those settings to the `/etc/nginx/vhost.d/default_location` file. This file
-will be used on any virtual host which does not have a `/etc/nginx/vhost.d/{VIRTUAL_HOST}` file associated with it.
+will be used on any virtual host which does not have a `/etc/nginx/vhost.d/{VIRTUAL_HOST}_location` file associated with it.
+
+#### Pre-VIRTUAL_HOST custom location blocks
+
+In some circumstances you may want to override nginx's default `/` location block behavior.  Typically, this block acts as a catch-all in order to forward requests not already matched by a specific `location` block directly onto your container as-is.
+
+To provide your own location blocks and bypass the automatic generation of them, simply add your location blocks to a configuration file file under `/etc/nginx/vhost.d` like in the other Per-VIRTUAL_HOST sections except with the suffix `_locations`. Notice the 's' to make the filename plural.  
+The contents of this file will replace all auto-generated location blocks. Additionally, this file will take priority over the previously described location configuration.
+
+When using location overrides, you are responsible for handling any requests that should be forwarded to your container. Passing a request to your container is done using the `proxy_pass` instruction within your defined location blocks.  `proxy_pass` expects a qualified hostname in order
+to forward a request.  By default, nginx-proxy aliases containers to the defined `VIRTUAL_HOST` name.  So if you launch your container with a `VIRTUAL_HOST` value of `app.example.com`, then forwarding a request to your container would look something like this:
+
+```
+location / {
+	proxy_pass http://app.example.com;
+}
+```
+
+If you are using an SSL-enabled container, you would use `https://` in place of `http://`.  You could include any number of other location blocks for nginx to consider and even forward requests to external hosts when they match certain conditions.  You can also use any other rules and instructions
+available to nginx location blocks.

 ### Contributing

@ -248,6 +428,26 @@ Before submitting pull requests or issues, please check github to make sure an e

 #### Running Tests Locally

-To run tests, you'll need to install [bats 0.4.0](https://github.com/sstephenson/bats).
+To run tests, you need to prepare the docker image to test which must be tagged `jwilder/nginx-proxy:test`:
+
+    docker build -t jwilder/nginx-proxy:test .  # build the Debian variant image
+
+and call the [test/pytest.sh](test/pytest.sh) script.
+
+Then build the Alpine variant of the image:
+
+    docker build -f Dockerfile.alpine -t jwilder/nginx-proxy:test .  # build the Alpline variant image
+
+and call the [test/pytest.sh](test/pytest.sh) script again.
+
+
+If your system has the `make` command, you can automate those tasks by calling:

    make test
+
+
+You can learn more about how the test suite works and how to write new tests in the [test/README.md](test/README.md) file.
+
+### Need help?
+
+If you have questions on how to use the image, please ask them on the [Q&A Group](https://groups.google.com/forum/#!forum/nginx-proxy)
--- a/dhparam.pem.default
+++ b/dhparam.pem.default
@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAzB2nIGzpVq7afJnKBm1X0d64avwOlP2oneiKwxRHdDI/5+6TpH1P
+F8ipodGuZBUMmupoB3D34pu2Qq5boNW983sm18ww9LMz2i/pxhSdB+mYAew+A6h6
+ltQ5pNtyn4NaKw1SDFkqvde3GNPhaWoPDbZDJhpHGblR3w1b/ag+lTLZUvVwcD8L
+jYS9f9YWAC6T7WxAxh4zvu1Z0I1EKde8KYBxrreZNheXpXHqMNyJYZCaY2Hb/4oI
+EL65qZq1GCWezpWMjhk6pOnV5gbvqfhoazCv/4OdRv6RoWOIYBNs9BmGho4AtXqV
+FYLdYDhOvN4aVs9Ir+G8ouwiRnix24+UewIBAg==
+-----END DH PARAMETERS-----
--- a/docker-compose-separate-containers.yml
+++ b/docker-compose-separate-containers.yml
@ -0,0 +1,23 @@
+version: '2'
+services:
+  nginx:
+    image: nginx
+    container_name: nginx
+    ports:
+      - "80:80"
+    volumes:
+      - /etc/nginx/conf.d
+
+  dockergen:
+    image: jwilder/docker-gen
+    command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+    volumes_from:
+      - nginx
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl
+
+  whoami:
+    image: jwilder/whoami
+    environment:
+      - VIRTUAL_HOST=whoami.local
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,14 @@
+version: '2'
+services:
+  nginx-proxy:
+    image: jwilder/nginx-proxy
+    container_name: nginx-proxy
+    ports:
+      - "80:80"
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+
+  whoami:
+    image: jwilder/whoami
+    environment:
+      - VIRTUAL_HOST=whoami.local
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -2,7 +2,7 @@
 set -e

 # Warn if the DOCKER_HOST socket does not exist
-if [[ $DOCKER_HOST == unix://* ]]; then
+if [[ $DOCKER_HOST = unix://* ]]; then
 	socket_file=${DOCKER_HOST#unix://}
 	if ! [ -S $socket_file ]; then
 		cat >&2 <<-EOT
@ -14,6 +14,18 @@ if [[ $DOCKER_HOST == unix://* ]]; then
 	fi
 fi

+# Generate dhparam file if required
+# Note: if $DHPARAM_BITS is not defined, generate-dhparam.sh will use 2048 as a default
+# Note2: if $DHPARAM_GENERATION is set to false in environment variable, dh param generator will skip completely
+/app/generate-dhparam.sh $DHPARAM_BITS $DHPARAM_GENERATION
+
+# Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in []
+export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')
+if [ "x$RESOLVERS" = "x" ]; then
+    echo "Warning: unable to determine DNS resolvers for nginx" >&2
+    unset RESOLVERS
+fi
+
 # If the user has run the default command and the socket doesn't exist, fail
 if [ "$socketMissing" = 1 -a "$1" = forego -a "$2" = start -a "$3" = '-r' ]; then
 	exit 1
--- a/generate-dhparam.sh
+++ b/generate-dhparam.sh
@ -0,0 +1,52 @@
+#!/bin/bash -e
+
+# The first argument is the bit depth of the dhparam, or 2048 if unspecified
+DHPARAM_BITS=${1:-2048}
+GENERATE_DHPARAM=${2:-true}
+
+# If a dhparam file is not available, use the pre-generated one and generate a new one in the background.
+# Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts.
+PREGEN_DHPARAM_FILE="/app/dhparam.pem.default"
+DHPARAM_FILE="/etc/nginx/dhparam/dhparam.pem"
+GEN_LOCKFILE="/tmp/dhparam_generating.lock"
+
+# The hash of the pregenerated dhparam file is used to check if the pregen dhparam is already in use
+PREGEN_HASH=$(md5sum $PREGEN_DHPARAM_FILE | cut -d" " -f1)
+if [[ -f $DHPARAM_FILE ]]; then
+    CURRENT_HASH=$(md5sum $DHPARAM_FILE | cut -d" " -f1)
+    if [[ $PREGEN_HASH != $CURRENT_HASH ]]; then
+        # There is already a dhparam, and it's not the default
+        echo "Custom dhparam.pem file found, generation skipped"
+        exit 0
+    fi
+
+    if [[ -f $GEN_LOCKFILE ]]; then
+        # Generation is already in progress
+        exit 0
+    fi
+fi
+
+if [[ $GENERATE_DHPARAM =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]; then
+    echo "Skipping Diffie-Hellman parameters generation and Ignoring pre-generated dhparam.pem"
+    exit 0
+fi
+
+cat >&2 <<-EOT
+WARNING: $DHPARAM_FILE was not found. A pre-generated dhparam.pem will be used for now while a new one
+is being generated in the background.  Once the new dhparam.pem is in place, nginx will be reloaded.
+EOT
+
+# Put the default dhparam file in place so we can start immediately
+cp $PREGEN_DHPARAM_FILE $DHPARAM_FILE
+touch $GEN_LOCKFILE
+
+# Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator).
+(
+    (
+        nice -n +5 openssl dhparam -out $DHPARAM_FILE.tmp $DHPARAM_BITS 2>&1 \
+        && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \
+        && echo "dhparam generation complete, reloading nginx" \
+        && nginx -s reload
+    ) | grep -vE '^[\.+]+'
+    rm $GEN_LOCKFILE
+) &disown
--- a/network_internal.conf
+++ b/network_internal.conf
@ -0,0 +1,6 @@
+# Only allow traffic from internal clients
+allow 127.0.0.0/8;
+allow 10.0.0.0/8;
+allow 192.168.0.0/16;
+allow 172.16.0.0/12;
+deny all;
--- a/nginx.tmpl
+++ b/nginx.tmpl
@ -1,5 +1,8 @@
 {{ $CurrentContainer := where $ "ID" .Docker.CurrentContainerID | first }}

+{{ $external_http_port := coalesce $.Env.HTTP_PORT "80" }}
+{{ $external_https_port := coalesce $.Env.HTTPS_PORT "443" }}
+
 {{ define "upstream" }}
 	{{ if .Address }}
 		{{/* If we got the containers from swarm and this container's port is published to host, use host IP:PORT */}}
@ -13,7 +16,55 @@
 		{{ end }}
 	{{ else if .Network }}
 		# {{ .Container.Name }}
-		server {{ .Network.IP }} down;
+		{{ if .Network.IP }}
+			server {{ .Network.IP }} down;
+		{{ else }}
+			server 127.0.0.1 down;
+		{{ end }}
+	{{ end }}
+
+{{ end }}
+
+{{ define "ssl_policy" }}
+	{{ if eq .ssl_policy "Mozilla-Modern" }}
+		ssl_protocols TLSv1.3;
+		{{/* nginx currently lacks ability to choose ciphers in TLS 1.3 in configuration, see https://trac.nginx.org/nginx/ticket/1529 /*}}
+		{{/* a possible workaround can be modify /etc/ssl/openssl.cnf to change it globally (see https://trac.nginx.org/nginx/ticket/1529#comment:12 ) /*}}
+		{{/* explicitly set ngnix default value in order to allow single servers to override the global http value */}}
+		ssl_ciphers HIGH:!aNULL:!MD5;
+		ssl_prefer_server_ciphers off;
+	{{ else if eq .ssl_policy "Mozilla-Intermediate" }}
+		ssl_protocols TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+		ssl_prefer_server_ciphers off;
+	{{ else if eq .ssl_policy "Mozilla-Old" }}
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-TLS-1-2-2017-01" }}
+		ssl_protocols TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-TLS-1-1-2017-01" }}
+		ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-2016-08" }}
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-2015-05" }}
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-2015-03" }}
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA';
+		ssl_prefer_server_ciphers on;
+	{{ else if eq .ssl_policy "AWS-2015-02" }}
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA';
+		ssl_prefer_server_ciphers on;
 	{{ end }}
 {{ end }}

@ -24,6 +75,13 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  ''      $scheme;
 }

+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+
 # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
 # Connection header that may have been passed to this server
 map $http_upgrade $proxy_connection {
@ -31,6 +89,20 @@ map $http_upgrade $proxy_connection {
  '' close;
 }

+# Apply fix for very long server names
+server_names_hash_bucket_size 128;
+
+# Default dhparam
+{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
+ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+{{ end }}
+
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+
 gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

 log_format vhost '$host $remote_addr - $remote_user [$time_local] '
@ -39,6 +111,14 @@ log_format vhost '$host $remote_addr - $remote_user [$time_local] '

 access_log off;

+{{/* Get the SSL_POLICY defined by this container, falling back to "Mozilla-Intermediate" */}}
+{{ $ssl_policy := or ($.Env.SSL_POLICY) "Mozilla-Intermediate" }}
+{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}
+
+{{ if $.Env.RESOLVERS }}
+resolver {{ $.Env.RESOLVERS }};
+{{ end }}
+
 {{ if (exists "/etc/nginx/proxy.conf") }}
 include /etc/nginx/proxy.conf;
 {{ else }}
@ -51,22 +131,38 @@ proxy_set_header Connection $proxy_connection;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
 {{ end }}

+{{ $access_log := (or (and (not $.Env.DISABLE_ACCESS_LOGS) "access_log /var/log/nginx/access.log vhost;") "") }}
+
+{{ $enable_ipv6 := eq (or ($.Env.ENABLE_IPV6) "") "true" }}
 server {
 	server_name _; # This is just an invalid value which will never trigger on a real hostname.
-	listen 80;
-	access_log /var/log/nginx/access.log vhost;
+	listen {{ $external_http_port }};
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_http_port }};
+	{{ end }}
+	{{ $access_log }}
 	return 503;
 }

 {{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
 server {
 	server_name _; # This is just an invalid value which will never trigger on a real hostname.
-	listen 443 ssl http2;
-	access_log /var/log/nginx/access.log vhost;
+	listen {{ $external_https_port }} ssl http2;
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_https_port }} ssl http2;
+	{{ end }}
+	{{ $access_log }}
 	return 503;

+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
 	ssl_certificate /etc/nginx/certs/default.crt;
 	ssl_certificate_key /etc/nginx/certs/default.key;
 }
@ -74,14 +170,20 @@ server {

 {{ range $host, $containers := groupByMulti $ "Env.VIRTUAL_HOST" "," }}

-upstream {{ $host }} {
+{{ $host := trim $host }}
+{{ $is_regexp := hasPrefix "~" $host }}
+{{ $upstream_name := when $is_regexp (sha1 $host) $host }}
+
+# {{ $host }}
+upstream {{ $upstream_name }} {
+
 {{ range $container := $containers }}
 	{{ $addrLen := len $container.Addresses }}

 	{{ range $knownNetwork := $CurrentContainer.Networks }}
 		{{ range $containerNetwork := $container.Networks }}
-			{{ if eq $knownNetwork.Name $containerNetwork.Name }}
-				## Can be connect with "{{ $containerNetwork.Name }}" network
+			{{ if (and (ne $containerNetwork.Name "ingress") (or (eq $knownNetwork.Name $containerNetwork.Name) (eq $knownNetwork.Name "host"))) }}
+				## Can be connected with "{{ $containerNetwork.Name }}" network

 				{{/* If only 1 port exposed, use that */}}
 				{{ if eq $addrLen 1 }}
@ -93,6 +195,9 @@ upstream {{ $host }} {
 					{{ $address := where $container.Addresses "Port" $port | first }}
 					{{ template "upstream" (dict "Container" $container "Address" $address "Network" $containerNetwork) }}
 				{{ end }}
+			{{ else }}
+				# Cannot connect to network of this container
+				server 127.0.0.1 down;
 			{{ end }}
 		{{ end }}
 	{{ end }}
@ -103,11 +208,24 @@ upstream {{ $host }} {
 {{ $default_server := index (dict $host "" $default_host "default_server") $host }}

 {{/* Get the VIRTUAL_PROTO defined by containers w/ the same vhost, falling back to "http" */}}
-{{ $proto := or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http" }}
+{{ $proto := trim (or (first (groupByKeys $containers "Env.VIRTUAL_PROTO")) "http") }}
+
+{{/* Get the NETWORK_ACCESS defined by containers w/ the same vhost, falling back to "external" */}}
+{{ $network_tag := or (first (groupByKeys $containers "Env.NETWORK_ACCESS")) "external" }}

 {{/* Get the HTTPS_METHOD defined by containers w/ the same vhost, falling back to "redirect" */}}
 {{ $https_method := or (first (groupByKeys $containers "Env.HTTPS_METHOD")) "redirect" }}

+{{/* Get the SSL_POLICY defined by containers w/ the same vhost, falling back to empty string (use default) */}}
+{{ $ssl_policy := or (first (groupByKeys $containers "Env.SSL_POLICY")) "" }}
+
+{{/* Get the HSTS defined by containers w/ the same vhost, falling back to "max-age=31536000" */}}
+{{ $hsts := or (first (groupByKeys $containers "Env.HSTS")) "max-age=31536000" }}
+
+{{/* Get the VIRTUAL_ROOT By containers w/ use fastcgi root */}}
+{{ $vhost_root := or (first (groupByKeys $containers "Env.VIRTUAL_ROOT")) "/var/www/public" }}
+
+
 {{/* Get the first cert name defined by containers w/ the same vhost */}}
 {{ $certName := (first (groupByKeys $containers "Env.CERT_NAME")) }}

@ -115,36 +233,58 @@ upstream {{ $host }} {
 {{ $vhostCert := (closest (dir "/etc/nginx/certs") (printf "%s.crt" $host))}}

 {{/* vhostCert is actually a filename so remove any suffixes since they are added later */}}
-{{ $vhostCert := replace $vhostCert ".crt" "" -1 }}
-{{ $vhostCert := replace $vhostCert ".key" "" -1 }}
+{{ $vhostCert := trimSuffix ".crt" $vhostCert }}
+{{ $vhostCert := trimSuffix ".key" $vhostCert }}

-{{/* Use the cert specifid on the container or fallback to the best vhost match */}}
+{{/* Use the cert specified on the container or fallback to the best vhost match */}}
 {{ $cert := (coalesce $certName $vhostCert) }}

-{{ $is_https := (and (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
+{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}

 {{ if $is_https }}

 {{ if eq $https_method "redirect" }}
 server {
 	server_name {{ $host }};
-	listen 80 {{ $default_server }};
-	access_log /var/log/nginx/access.log vhost;
-	return 301 https://$host$request_uri;
+	listen {{ $external_http_port }} {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_http_port }} {{ $default_server }};
+	{{ end }}
+	{{ $access_log }}
+	
+	# Do not HTTPS redirect Let'sEncrypt ACME challenge
+	location /.well-known/acme-challenge/ {
+		auth_basic off;
+		allow all;
+		root /usr/share/nginx/html;
+		try_files $uri =404;
+		break;
+	}
+	
+	location / {
+		return 301 https://$host$request_uri;
+	}
 }
 {{ end }}

 server {
 	server_name {{ $host }};
-	listen 443 ssl http2 {{ $default_server }};
-	access_log /var/log/nginx/access.log vhost;
+	listen {{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ end }}
+	{{ $access_log }}

-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+	{{ if eq $network_tag "internal" }}
+	# Only allow traffic from internal clients
+	include /etc/nginx/network_internal.conf;
+	{{ end }}
+
+	{{ template "ssl_policy" (dict "ssl_policy" $ssl_policy) }}

-	ssl_prefer_server_ciphers on;
 	ssl_session_timeout 5m;
 	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;

 	ssl_certificate /etc/nginx/certs/{{ (printf "%s.crt" $cert) }};
 	ssl_certificate_key /etc/nginx/certs/{{ (printf "%s.key" $cert) }};
@ -153,7 +293,15 @@ server {
 	ssl_dhparam {{ printf "/etc/nginx/certs/%s.dhparam.pem" $cert }};
 	{{ end }}

-	add_header Strict-Transport-Security "max-age=31536000";
+	{{ if (exists (printf "/etc/nginx/certs/%s.chain.pem" $cert)) }}
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_trusted_certificate {{ printf "/etc/nginx/certs/%s.chain.pem" $cert }};
+	{{ end }}
+
+	{{ if (not (or (eq $https_method "noredirect") (eq $hsts "off"))) }}
+	add_header Strict-Transport-Security "{{ trim $hsts }}" always;
+	{{ end }}

 	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
@ -161,18 +309,34 @@ server {
 	include /etc/nginx/vhost.d/default;
 	{{ end }}

+	{{ if (exists (printf "/etc/nginx/vhost.d/%s_locations" $host)) }}
+	include {{ printf "/etc/nginx/vhost.d/%s_locations" $host}};
+	{{ else }}
 	location / {
-		proxy_pass {{ trim $proto }}://{{ trim $host }};
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi_params;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else if eq $proto "grpc" }}
+		grpc_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else }}
+		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ end }}
+
 		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
 		auth_basic	"Restricted {{ $host }}";
 		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
 		{{ end }}
-                {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
-                include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
-                {{ else if (exists "/etc/nginx/vhost.d/default_location") }}
-                include /etc/nginx/vhost.d/default_location;
-                {{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
 	}
+	{{ end }}
 }

 {{ end }}
@ -181,8 +345,16 @@ server {

 server {
 	server_name {{ $host }};
-	listen 80 {{ $default_server }};
-	access_log /var/log/nginx/access.log vhost;
+	listen {{ $external_http_port }} {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:80 {{ $default_server }};
+	{{ end }}
+	{{ $access_log }}
+
+	{{ if eq $network_tag "internal" }}
+	# Only allow traffic from internal clients
+	include /etc/nginx/network_internal.conf;
+	{{ end }}

 	{{ if (exists (printf "/etc/nginx/vhost.d/%s" $host)) }}
 	include {{ printf "/etc/nginx/vhost.d/%s" $host }};
@ -190,26 +362,44 @@ server {
 	include /etc/nginx/vhost.d/default;
 	{{ end }}

+	{{ if (exists (printf "/etc/nginx/vhost.d/%s_locations" $host)) }}
+	include {{ printf "/etc/nginx/vhost.d/%s_locations" $host}};
+	{{ else }}
 	location / {
-		proxy_pass {{ trim $proto }}://{{ trim $host }};
+		{{ if eq $proto "uwsgi" }}
+		include uwsgi_params;
+		uwsgi_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else if eq $proto "fastcgi" }}
+		root   {{ trim $vhost_root }};
+		include fastcgi_params;
+		fastcgi_pass {{ trim $upstream_name }};
+		{{ else if eq $proto "grpc" }}
+		grpc_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ else }}
+		proxy_pass {{ trim $proto }}://{{ trim $upstream_name }};
+		{{ end }}
 		{{ if (exists (printf "/etc/nginx/htpasswd/%s" $host)) }}
 		auth_basic	"Restricted {{ $host }}";
 		auth_basic_user_file	{{ (printf "/etc/nginx/htpasswd/%s" $host) }};
 		{{ end }}
-                {{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
-                include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
-                {{ else if (exists "/etc/nginx/vhost.d/default_location") }}
-                include /etc/nginx/vhost.d/default_location;
-                {{ end }}
+		{{ if (exists (printf "/etc/nginx/vhost.d/%s_location" $host)) }}
+		include {{ printf "/etc/nginx/vhost.d/%s_location" $host}};
+		{{ else if (exists "/etc/nginx/vhost.d/default_location") }}
+		include /etc/nginx/vhost.d/default_location;
+		{{ end }}
 	}
+	{{ end }}
 }

 {{ if (and (not $is_https) (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
 server {
 	server_name {{ $host }};
-	listen 443 ssl http2 {{ $default_server }};
-	access_log /var/log/nginx/access.log vhost;
-	return 503;
+	listen {{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ if $enable_ipv6 }}
+	listen [::]:{{ $external_https_port }} ssl http2 {{ $default_server }};
+	{{ end }}
+	{{ $access_log }}
+	return 500;

 	ssl_certificate /etc/nginx/certs/default.crt;
 	ssl_certificate_key /etc/nginx/certs/default.key;
--- a/test/README.md
+++ b/test/README.md
@ -1,14 +1,107 @@
-Test suite
-==========
-
-This test suite is implemented on top of the [Bats](https://github.com/sstephenson/bats/blob/master/README.md) test framework.
-
-It is intended to verify the correct behavior of the Docker image `jwilder/nginx-proxy:bats`.
-
-Running the test suite
----------------------
-
-Make sure you have Bats installed, then run:
-
-    docker build -t jwilder/nginx-proxy:bats .
-    bats test/
+Nginx proxy test suite
+======================
+
+Install requirements
+--------------------
+
+You need [python 2.7](https://www.python.org/) and [pip](https://pip.pypa.io/en/stable/installing/) installed. Then run the commands:
+
+    requirements/build.sh
+    pip install -r requirements/python-requirements.txt
+
+If you can't install those requirements on your computer, you can alternatively use the _pytest.sh_ script which will run the tests from a Docker container which has those requirements.
+
+
+Prepare the nginx-proxy test image
+----------------------------------
+
+    docker build -t jwilder/nginx-proxy:test ..
+
+or if you want to test the alpine flavor:
+
+    docker build -t jwilder/nginx-proxy:test -f Dockerfile.alpine ..
+
+make sure to tag that test image exactly `jwilder/nginx-proxy:test` or the test suite won't work.
+
+
+Run the test suite
+------------------
+
+    pytest
+
+need more verbosity ?
+
+    pytest -s
+
+
+Run one single test module
+--------------------------
+
+    pytest test_nominal.py
+
+
+Write a test module
+-------------------
+
+This test suite uses [pytest](http://doc.pytest.org/en/latest/). The [conftest.py](conftest.py) file will be automatically loaded by pytest and will provide you with two useful pytest [fixtures](http://doc.pytest.org/en/latest/fixture.html#fixture): 
+
+- docker_compose
+- nginxproxy
+
+
+### docker_compose fixture
+
+When using the `docker_compose` fixture in a test, pytest will try to find a yml file named after your test module filename. For instance, if your test module is `test_example.py`, then the `docker_compose` fixture will try to load a `test_example.yml` [docker compose file](https://docs.docker.com/compose/compose-file/).
+
+Once the docker compose file found, the fixture will remove all containers, run `docker-compose up`, and finally your test will be executed.
+
+The fixture will run the _docker-compose_ command with the `-f` option to load the given compose file. So you can test your docker compose file syntax by running it yourself with:
+
+    docker-compose -f test_example.yml up -d
+
+In the case you are running pytest from within a docker container, the `docker_compose` fixture will make sure the container running pytest is attached to all docker networks. That way, your test will be able to reach any of them.
+
+In your tests, you can use the `docker_compose` variable to query and command the docker daemon as it provides you with a [client from the docker python module](https://docker-py.readthedocs.io/en/2.0.2/client.html#client-reference).
+
+Also this fixture alters the way the python interpreter resolves domain names to IP addresses in the following ways:
+
+Any domain name containing the substring `nginx-proxy` will resolve to the IP address of the container that was created from the `jwilder/nginx-proxy:test` image. So all the following domain names will resolve to the nginx-proxy container in tests:
+- `nginx-proxy`
+- `nginx-proxy.com`
+- `www.nginx-proxy.com`
+- `www.nginx-proxy.test`
+- `www.nginx-proxy`
+- `whatever.nginx-proxyooooooo`
+- ...
+
+Any domain name ending with `XXX.container.docker` will resolve to the IP address of the XXX container.
+- `web1.container.docker` will resolve to the IP address of the `web1` container
+- `f00.web1.container.docker` will resolve to the IP address of the `web1` container
+- `anything.whatever.web2.container.docker` will resolve to the IP address of the `web2` container
+
+Otherwise, domain names are resoved as usual using your system DNS resolver.
+
+
+### nginxproxy fixture
+
+The `nginxproxy` fixture will provide you with a replacement for the python [requests](https://pypi.python.org/pypi/requests/) module. This replacement will just repeat up to 30 times a requests if it receives the HTTP error 404 or 502. This error occurs when you try to send queries to nginx-proxy too early after the container creation.
+
+Also this requests replacement is preconfigured to use the Certificate Authority root certificate [certs/ca-root.crt](certs/) to validate https connections.
+
+Furthermore, the nginxproxy methods accept an additional keyword parameter: `ipv6` which forces requests made against containers to use the containers IPv6 address when set to `True`. If IPv6 is not supported by the system or docker, that particular test will be skipped.
+
+    def test_forwards_to_web1_ipv6(docker_compose, nginxproxy):
+        r = nginxproxy.get("http://web1.nginx-proxy.tld/port", ipv6=True)
+        assert r.status_code == 200   
+        assert r.text == "answer from port 81\n"
+
+
+
+### The web docker image
+
+When you ran the `requirements/build.sh` script earlier, you built a [`web`](requirements/README.md) docker image which is convenient for running a small web server in a container. This image can produce containers that listens on multiple ports at the same time.
+
+
+### Testing TLS
+
+If you need to create server certificates, use the [`certs/create_server_certificate.sh`](certs/) script. Pytest will be able to validate any certificate issued from this script.
--- a/test/certs/README.md
+++ b/test/certs/README.md
@ -0,0 +1,81 @@
+create_server_certificate.sh
+============================
+
+`create_server_certificate.sh` is a script helping with issuing server certificates that can be used to provide TLS on web servers.
+
+It also creates a Certificate Authority (CA) root key and certificate. This CA root certificate can be used to validate the server certificates it generates.
+
+For instance, with _curl_:
+
+    curl --cacert /somewhere/ca-root.crt https://www.example.com/
+
+or with _wget_:
+
+    wget --certificate=/somewhere/ca-root.crt https://www.example.com/
+
+or with the python _requests_ module:
+
+    import requests
+    r = requests.get("https://www.example.com", verify="/somewhere/ca-root.crt")
+
+Usage
+-----
+
+### Simple domain
+
+Create a server certificate for domain `www.example.com`:
+
+    ./create_server_certificate.sh www.example.com
+
+Will produce:
+ - `www.example.com.key`
+ - `www.example.com.crt`
+
+
+### Multiple domains 
+
+Create a server certificate for main domain `www.example.com` and alternative domains `example.com`, `foo.com` and `bar.com`:
+
+    ./create_server_certificate.sh www.example.com foo.com bar.com
+
+Will produce:
+ - `www.example.com.key`
+ - `www.example.com.crt`
+ 
+### Wildcard domain
+
+Create a server certificate for wildcard domain `*.example.com`:
+
+    ./create_server_certificate.sh "*.example.com"
+
+Note that you need to use quotes around the domain string or the shell would expand `*`.
+
+Will produce:
+ - `*.example.com.key`
+ - `*.example.com.crt`
+
+Again, to prevent your shell from expanding `*`, use quotes. i.e.: `cat "*.example.com.crt"`.
+
+Such a server certificate would be valid for domains:
+- `foo.example.com` 
+- `bar.example.com`
+
+but not for domains:
+- `example.com`
+- `foo.bar.example.com`
+
+
+### Wildcard domain on multiple levels
+
+While you can technically create a server certificate for wildcard domain `*.example.com` and alternative name `*.*.example.com`, client implementations generally do not support multiple wildcards in a domain name.
+
+For instance, a python script using urllib3 would fail to validate domain `foo.bar.example.com` presenting a certificate with name `*.*.example.com`. It is advised to stay away from producing such certificates.
+
+If you want to give it a try:
+
+    ./create_server_certificate.sh "*.example.com" "*.*.example.com"
+
+Such a server certificate would be valid for domains:
+- `foo.example.com` 
+- `bar.example.com`
+- `foo.bar.example.com`
--- a/test/certs/ca-root.crt
+++ b/test/certs/ca-root.crt
@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZDCCAkygAwIBAgIJAJmW6Ju6iJNNMA0GCSqGSIb3DQEBCwUAMD8xHzAdBgNV
+BAoMFm5naW54LXByb3h5IHRlc3Qgc3VpdGUxHDAaBgNVBAMME3d3dy5uZ2lueC1w
+cm94eS50bGQwHhcNMTcwMTEwMDAwODUxWhcNMjcwMTA4MDAwODUxWjA/MR8wHQYD
+VQQKDBZuZ2lueC1wcm94eSB0ZXN0IHN1aXRlMRwwGgYDVQQDDBN3d3cubmdpbngt
+cHJveHkudGxkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAndjE3OPr
+48hIOQigk/HejrowsQDLNfkkc6vej0J983rJitGTgBfxqq27fOPfqhE5bi1M5JDk
+KkrOrSitxCJLgpq+4Ls9/RXg8skZFHRAQbNwuKBehaDkPdamJ0i3dv6e4kZy41oI
+RqxQ/MKdminC4LShFZvPoKeh9ae7w1MgB2/4E68LO66bYiHlLNL7ENViSHhLyCmt
+qIE7kdV9jgn2NuVJ37m6/6SNQ3GBiIjEW+ooRQ3HEVKBCismcwq80+BD5VS/yW18
+KqX8m4sBM+IgZbcOqrV+APMbGvd8iNJgQSSQC/r0Wscgt7UeggVYKDazjDSPvLUE
+FUN5wEmydkP2AQIDAQABo2MwYTAdBgNVHQ4EFgQUJL59pHomt+8dUNxv8HgrYjKf
+OA8wHwYDVR0jBBgwFoAUJL59pHomt+8dUNxv8HgrYjKfOA8wDwYDVR0TAQH/BAUw
+AwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBABALxY96YqsZ
+CL2crzY0FIGhfjLE7P3mtUGklUpFu7xyI6mGUyL1nJYSnHB5IEV6QLhVVUE/CojI
+crXorQWBDkx26AgCt/eIOdvPYC0JDeXiIhH6sld3yH7JGwGqJkfXaUUfUkuwMae7
+mMIEG9e6vfSh/YNTRxs0KBjBcXHHl5K+Dz4h9r14OqnQFqVFZaR6T6td44tDDNhn
+beW8iIfCWRqDsnvIcJzLa2QR4onmJSw5DaSeFFaKefhdHEzEBZntLfyFbjRYHT/O
+BRdewhg6rSDkGLcL8n/ZnRLOa+xmegjQ/Op94OmWO3TfXOITJAtkaO2YVZoyek8
+T6ckVovq4zU=
+-----END CERTIFICATE-----
--- a/test/certs/ca-root.key
+++ b/test/certs/ca-root.key
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAndjE3OPr48hIOQigk/HejrowsQDLNfkkc6vej0J983rJitGT
+gBfxqq27fOPfqhE5bi1M5JDkKkrOrSitxCJLgpq+4Ls9/RXg8skZFHRAQbNwuKBe
+haDkPdamJ0i3dv6e4kZy41oIRqxQ/MKdminC4LShFZvPoKeh9ae7w1MgB2/4E68L
+O66bYiHlLNL7ENViSHhLyCmtqIE7kdV9jgn2NuVJ37m6/6SNQ3GBiIjEW+ooRQ3H
+EVKBCismcwq80+BD5VS/yW18KqX8m4sBM+IgZbcOqrV+APMbGvd8iNJgQSSQC/r0
+Wscgt7UeggVYKDazjDSPvLUEFUN5wEmydkP2AQIDAQABAoIBAQCDM4zetix6lx1B
+GuSuVFrTc/vJBInkgQRFiVRi67fZS/R+CJl73WsonWO7+YUNzWdZJxpE2hJs/OUx
+lSBqaL8u/gUuszRhS3BBHdpU4BQRCF/ndpVaqVNN+z78ZDrrE9Vo63nPdCRw6gYf
+MnzhiVjMghdq6Kn6NZwvno45WrzCsIbrrQ4zU+S2PhG8MTA53jzqqQ8mUSJX0lAl
+6b9+1aWA0d0Jnk3M3doaFU/Dlnz3n6kkx0AdqNe8bdsFrPfwsrF+dwGx04SGgLmK
+V2OjIDFYYGtiHp3PJ9IYIA32ij+UloSDDZ2BxXkma8Zilw04ytY5l8tlk2ZDWTD9
+U2MXxjmBAoGBAMmmI19I/asTPjljlqzrOsrdRkklJvnCHgy/yw9u3nMfkJ0lLGAp
+mZoCqJIEsAqlLGM5bOjKy3KQ3n2SBX3mz7/RajnpJRTnNLeJIPAAXHN9TDyKcWRo
+Los6xHN7YMSLYKs4HMihXp9Yu4Ms88/8nO/01nufjN0rTgFnWdL0WfxJAoGBAMhk
+Qm92ukMmbrXSrV0WF+eFooHwgPmUWZ1oZY5ZHmO3FCuSBHiICGrWKmdbcG6H5zmZ
+oFZ0unsvk2Yjl+/+tntxr/dwp6Q+chsqkLms8GE76NWEO8qn4hQNywkFgpKlPci3
+n5IqpuQ2DpJ1PAQkwgZD/5rSscNidNMezXO5Uvv5AoGBALR291kjXcJpKlr6AbMn
+oipD9c8obMVBMNuAGh7pvjORoD7DMf+tu0XV8z8a6uHcCOmUTx/XvlP9yuDeegO/
+OVYV+NdzDDi04r0PAGdKK3NAQ6Y60Fhn1J/OLFqdpHDBu/X/9eKoaKJ7KvWumVUe
+YuVtXTauB8c4JkujTwQ4ov/hAoGAHxvhbGhkFhSbT0K7gx3w7BJE3iM2AojTOKqC
+SYzwOM6tJO5wHz4PAHbq8kyxsZcLgFenGoTYhlMmcM7JwYorThKiHKmyfL7s++ap
+vQlp785bIPp8RcO2RyK1CFuAn79jTgujjA9vBTKXJIlqncIPFOXtgl1/FzPrqvK3
+NmXoyhECgYEAje9hM9RYO0jbfmTZoQh+onMRz34SM9XWLH+NQGgfvsGtjeRnrUKK
+GuWQz/GQGJLy/Uc1KHIdrfPDjvQhZXmPL1v7pNfCrqyj+EnKCNDPPnYq5Zq4WLsB
+x1hKPH0LmfEBkXOiFGrD3h3KAuBK5nb0/EFBDR4JuMaySC5CpbOds9o=
+-----END RSA PRIVATE KEY-----
--- a/test/certs/create_server_certificate.sh
+++ b/test/certs/create_server_certificate.sh
@ -0,0 +1,183 @@
+#!/bin/bash
+set -u
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+if [[ "$#" -eq 0 ]]; then
+	cat <<-EOF
+
+	To generate a server certificate, provide the domain name as a parameter:
+	    $(basename $0) www.my-domain.tdl
+	    $(basename $0) www.my-domain.tdl alternate.domain.tld
+
+	You can also create certificates for wildcard domains:
+	    $(basename $0) '*.my-domain.tdl'
+
+	EOF
+	exit 0
+else
+	DOMAIN="$1"
+	ALTERNATE_DOMAINS="DNS:$( echo "$@" | sed 's/ /,DNS:/g')"
+fi
+
+
+###############################################################################
+# Create a nginx container (which conveniently provides the `openssl` command)
+###############################################################################
+
+CONTAINER=$(docker run -d -v $DIR:/work -w /work -e SAN="$ALTERNATE_DOMAINS" nginx:1.14.1)
+# Configure openssl
+docker exec $CONTAINER bash -c '
+	mkdir -p /ca/{certs,crl,private,newcerts} 2>/dev/null
+	echo 1000 > /ca/serial
+	touch /ca/index.txt
+	cat > /ca/openssl.cnf <<-"OESCRIPT"
+		[ ca ]
+		# `man ca`
+		default_ca = CA_default
+
+		[ CA_default ]
+		# Directory and file locations.
+		dir               = /ca
+		certs             = $dir/certs
+		crl_dir           = $dir/crl
+		new_certs_dir     = $dir/newcerts
+		database          = $dir/index.txt
+		serial            = $dir/serial
+		RANDFILE          = $dir/private/.rand
+
+		# The root key and root certificate.
+		private_key       = /work/ca-root.key
+		certificate       = /work/ca-root.crt
+
+		# SHA-1 is deprecated, so use SHA-2 instead.
+		default_md        = sha256
+
+		name_opt          = ca_default
+		cert_opt          = ca_default
+		default_days      = 10000
+		preserve          = no
+		policy            = policy_loose
+
+		[ policy_loose ]
+		countryName             = optional
+		stateOrProvinceName     = optional
+		localityName            = optional
+		organizationName        = optional
+		organizationalUnitName  = optional
+		commonName              = supplied
+		emailAddress            = optional
+
+		[ req ]
+		# Options for the `req` tool (`man req`).
+		default_bits        = 2048
+		distinguished_name  = req_distinguished_name
+		string_mask         = utf8only
+
+		# SHA-1 is deprecated, so use SHA-2 instead.
+		default_md          = sha256
+
+		# Extension to add when the -x509 option is used.
+		x509_extensions     = v3_ca
+
+		[ req_distinguished_name ]
+		# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+		countryName                     = Country Name (2 letter code)
+		stateOrProvinceName             = State or Province Name
+		localityName                    = Locality Name
+		0.organizationName              = Organization Name
+		organizationalUnitName          = Organizational Unit Name
+		commonName                      = Common Name
+		emailAddress                    = Email Address
+
+		[ v3_ca ]
+		# Extensions for a typical CA (`man x509v3_config`).
+		subjectKeyIdentifier = hash
+		authorityKeyIdentifier = keyid:always,issuer
+		basicConstraints = critical, CA:true
+		keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+		[ server_cert ]
+		# Extensions for server certificates (`man x509v3_config`).
+		basicConstraints = CA:FALSE
+		nsCertType = server
+		nsComment = server certificate generated for test purpose (nginx-proxy test suite)
+		subjectKeyIdentifier = hash
+		authorityKeyIdentifier = keyid,issuer:always
+		keyUsage = critical, digitalSignature, keyEncipherment
+		extendedKeyUsage = serverAuth
+
+		[ san_env ]
+		subjectAltName=${ENV::SAN}
+	OESCRIPT
+'
+
+# shortcut for calling `openssl` inside the container
+function openssl {
+	docker exec $CONTAINER openssl "$@"
+}
+
+function exitfail {
+		echo
+		echo ERROR: "$@"
+		docker rm -f $CONTAINER
+		exit 1
+}
+
+
+###############################################################################
+# Setup Certificate authority
+###############################################################################
+
+if ! [[ -f "$DIR/ca-root.key" ]]; then
+	echo
+	echo "> Create a Certificate Authority root key: $DIR/ca-root.key"
+	openssl genrsa -out ca-root.key 2048
+	[[ $? -eq 0 ]] || exitfail failed to generate CA root key
+fi
+
+# Create a CA root certificate
+if ! [[ -f "$DIR/ca-root.crt" ]]; then
+	echo
+	echo "> Create a CA root certificate: $DIR/ca-root.crt"
+	openssl req -config /ca/openssl.cnf \
+	-key ca-root.key \
+	-new -x509 -days 3650 -subj "/O=nginx-proxy test suite/CN=www.nginx-proxy.tld" -extensions v3_ca \
+	-out ca-root.crt
+	[[ $? -eq 0 ]] || exitfail failed to generate CA root certificate
+
+	# Verify certificate
+	openssl x509 -noout -text -in ca-root.crt
+fi
+
+
+###############################################################################
+# create server key and certificate signed by the certificate authority
+###############################################################################
+
+echo
+echo "> Create a host key: $DIR/$DOMAIN.key"
+openssl genrsa -out "$DOMAIN.key" 2048
+
+echo
+echo "> Create a host certificate signing request"
+
+SAN="$ALTERNATE_DOMAINS" openssl req -config /ca/openssl.cnf \
+	-key "$DOMAIN.key" \
+	-new -out "/ca/$DOMAIN.csr" -days 1000 -extensions san_env -subj "/CN=$DOMAIN"
+	[[ $? -eq 0 ]] || exitfail failed to generate server certificate signing request
+
+echo
+echo "> Create server certificate: $DIR/$DOMAIN.crt"
+SAN="$ALTERNATE_DOMAINS" openssl ca -config /ca/openssl.cnf -batch \
+		-extensions server_cert \
+		-extensions san_env \
+		-in "/ca/$DOMAIN.csr" \
+		-out "$DOMAIN.crt"
+	[[ $? -eq 0 ]] || exitfail failed to generate server certificate
+
+
+# Verify host certificate
+#openssl x509 -noout -text -in "$DOMAIN.crt"
+
+
+docker rm -f $CONTAINER >/dev/null
--- a/test/conftest.py
+++ b/test/conftest.py
@ -0,0 +1,473 @@
+from __future__ import print_function
+import contextlib
+import logging
+import os
+import shlex
+import socket
+import subprocess
+import time
+import re
+
+import backoff
+import docker
+import pytest
+import requests
+from _pytest._code.code import ReprExceptionInfo
+from requests.packages.urllib3.util.connection import HAS_IPV6
+
+logging.basicConfig(level=logging.INFO)
+logging.getLogger('backoff').setLevel(logging.INFO)
+logging.getLogger('DNS').setLevel(logging.DEBUG)
+logging.getLogger('requests.packages.urllib3.connectionpool').setLevel(logging.WARN)
+
+CA_ROOT_CERTIFICATE = os.path.join(os.path.dirname(__file__), 'certs/ca-root.crt')
+I_AM_RUNNING_INSIDE_A_DOCKER_CONTAINER = os.path.isfile("/.dockerenv")
+FORCE_CONTAINER_IPV6 = False  # ugly global state to consider containers' IPv6 address instead of IPv4
+
+
+docker_client = docker.from_env()
+
+
+###############################################################################
+# 
+# utilities
+# 
+###############################################################################
+
+@contextlib.contextmanager
+def ipv6(force_ipv6=True):
+    """
+    Meant to be used as a context manager to force IPv6 sockets:
+
+        with ipv6():
+            nginxproxy.get("http://something.nginx-proxy.local")  # force use of IPv6
+
+        with ipv6(False):
+            nginxproxy.get("http://something.nginx-proxy.local")  # legacy behavior
+
+
+    """
+    global FORCE_CONTAINER_IPV6
+    FORCE_CONTAINER_IPV6 = force_ipv6
+    yield
+    FORCE_CONTAINER_IPV6 = False
+
+
+class requests_for_docker(object):
+    """
+    Proxy for calling methods of the requests module. 
+    When a HTTP response failed due to HTTP Error 404 or 502, retry a few times.
+    Provides method `get_conf` to extract the nginx-proxy configuration content.
+    """
+    def __init__(self):
+        self.session = requests.Session()
+        if os.path.isfile(CA_ROOT_CERTIFICATE):
+            self.session.verify = CA_ROOT_CERTIFICATE
+
+    def get_conf(self):
+        """
+        Return the nginx config file
+        """
+        nginx_proxy_containers = docker_client.containers.list(filters={"ancestor": "jwilder/nginx-proxy:test"})
+        if len(nginx_proxy_containers) > 1:
+            pytest.fail("Too many running jwilder/nginx-proxy:test containers", pytrace=False)
+        elif len(nginx_proxy_containers) == 0:
+            pytest.fail("No running jwilder/nginx-proxy:test container", pytrace=False)
+        return get_nginx_conf_from_container(nginx_proxy_containers[0])
+
+    def get(self, *args, **kwargs):
+        with ipv6(kwargs.pop('ipv6', False)):
+            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
+            def _get(*args, **kwargs):
+                return self.session.get(*args, **kwargs)
+            return _get(*args, **kwargs)
+
+    def post(self, *args, **kwargs):
+        with ipv6(kwargs.pop('ipv6', False)):
+            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
+            def _post(*args, **kwargs):
+                return self.session.post(*args, **kwargs)
+            return _post(*args, **kwargs)
+
+    def put(self, *args, **kwargs):
+        with ipv6(kwargs.pop('ipv6', False)):
+            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
+            def _put(*args, **kwargs):
+                return self.session.put(*args, **kwargs)
+            return _put(*args, **kwargs)
+
+    def head(self, *args, **kwargs):
+        with ipv6(kwargs.pop('ipv6', False)):
+            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
+            def _head(*args, **kwargs):
+                return self.session.head(*args, **kwargs)
+            return _head(*args, **kwargs)
+
+    def delete(self, *args, **kwargs):
+        with ipv6(kwargs.pop('ipv6', False)):
+            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
+            def _delete(*args, **kwargs):
+                return self.session.delete(*args, **kwargs)
+            return _delete(*args, **kwargs)
+
+    def options(self, *args, **kwargs):
+        with ipv6(kwargs.pop('ipv6', False)):
+            @backoff.on_predicate(backoff.constant, lambda r: r.status_code in (404, 502), interval=.3, max_tries=30, jitter=None)
+            def _options(*args, **kwargs):
+                return self.session.options(*args, **kwargs)
+            return _options(*args, **kwargs)
+
+    def __getattr__(self, name):
+        return getattr(requests, name)
+
+
+def container_ip(container):
+    """
+    return the IP address of a container.
+
+    If the global FORCE_CONTAINER_IPV6 flag is set, return the IPv6 address
+    """
+    global FORCE_CONTAINER_IPV6
+    if FORCE_CONTAINER_IPV6:
+        if not HAS_IPV6:
+            pytest.skip("This system does not support IPv6")
+        ip = container_ipv6(container)
+        if ip == '':
+            pytest.skip("Container %s has no IPv6 address" % container.name)
+        else:
+            return ip
+    else:
+        net_info = container.attrs["NetworkSettings"]["Networks"]
+        if "bridge" in net_info:
+            return net_info["bridge"]["IPAddress"]
+
+        # not default bridge network, fallback on first network defined
+        network_name = net_info.keys()[0]
+        return net_info[network_name]["IPAddress"]
+
+
+def container_ipv6(container):
+    """
+    return the IPv6 address of a container.
+    """
+    net_info = container.attrs["NetworkSettings"]["Networks"]
+    if "bridge" in net_info:
+        return net_info["bridge"]["GlobalIPv6Address"]
+
+    # not default bridge network, fallback on first network defined
+    network_name = net_info.keys()[0]
+    return net_info[network_name]["GlobalIPv6Address"]
+
+
+def nginx_proxy_dns_resolver(domain_name):
+    """
+    if "nginx-proxy" if found in host, return the ip address of the docker container
+    issued from the docker image jwilder/nginx-proxy:test.
+
+    :return: IP or None
+    """
+    log = logging.getLogger('DNS')
+    log.debug("nginx_proxy_dns_resolver(%r)" % domain_name)
+    if 'nginx-proxy' in domain_name:
+        nginxproxy_containers = docker_client.containers.list(filters={"status": "running", "ancestor": "jwilder/nginx-proxy:test"})
+        if len(nginxproxy_containers) == 0:
+            log.warn("no container found from image jwilder/nginx-proxy:test while resolving %r", domain_name)
+            return
+        nginxproxy_container = nginxproxy_containers[0]
+        ip = container_ip(nginxproxy_container)
+        log.info("resolving domain name %r as IP address %s of nginx-proxy container %s" % (domain_name, ip, nginxproxy_container.name))
+        return ip
+
+def docker_container_dns_resolver(domain_name):
+    """
+    if domain name is of the form "XXX.container.docker" or "anything.XXX.container.docker", return the ip address of the docker container
+    named XXX.
+
+    :return: IP or None
+    """
+    log = logging.getLogger('DNS')
+    log.debug("docker_container_dns_resolver(%r)" % domain_name)
+
+    match = re.search('(^|.+\.)(?P<container>[^.]+)\.container\.docker$', domain_name)
+    if not match:
+        log.debug("%r does not match" % domain_name)
+        return
+
+    container_name = match.group('container')
+    log.debug("looking for container %r" % container_name)
+    try:
+        container = docker_client.containers.get(container_name)
+    except docker.errors.NotFound:
+        log.warn("container named %r not found while resolving %r" % (container_name, domain_name))
+        return
+    log.debug("container %r found (%s)" % (container.name, container.short_id))
+
+    ip = container_ip(container)
+    log.info("resolving domain name %r as IP address %s of container %s" % (domain_name, ip, container.name))
+    return ip 
+
+
+def monkey_patch_urllib_dns_resolver():
+    """
+    Alter the behavior of the urllib DNS resolver so that any domain name
+    containing substring 'nginx-proxy' will resolve to the IP address
+    of the container created from image 'jwilder/nginx-proxy:test'.
+    """
+    prv_getaddrinfo = socket.getaddrinfo
+    dns_cache = {}
+    def new_getaddrinfo(*args):
+        logging.getLogger('DNS').debug("resolving domain name %s" % repr(args))
+        _args = list(args)
+
+        # custom DNS resolvers
+        ip = nginx_proxy_dns_resolver(args[0])
+        if ip is None:
+            ip = docker_container_dns_resolver(args[0])
+        if ip is not None:
+            _args[0] = ip
+
+        # call on original DNS resolver, with eventually the original host changed to the wanted IP address
+        try:
+            return dns_cache[tuple(_args)]
+        except KeyError:
+            res = prv_getaddrinfo(*_args)
+            dns_cache[tuple(_args)] = res
+            return res
+    socket.getaddrinfo = new_getaddrinfo
+    return prv_getaddrinfo
+
+def restore_urllib_dns_resolver(getaddrinfo_func):
+    socket.getaddrinfo = getaddrinfo_func
+
+
+def remove_all_containers():
+    for container in docker_client.containers.list(all=True):
+        if I_AM_RUNNING_INSIDE_A_DOCKER_CONTAINER and container.id.startswith(socket.gethostname()):
+            continue  # pytest is running within a Docker container, so we do not want to remove that particular container
+        logging.info("removing container %s" % container.name)
+        container.remove(v=True, force=True)
+
+
+def get_nginx_conf_from_container(container):
+    """
+    return the nginx /etc/nginx/conf.d/default.conf file content from a container
+    """
+    import tarfile
+    from cStringIO import StringIO
+    strm, stat = container.get_archive('/etc/nginx/conf.d/default.conf')
+    with tarfile.open(fileobj=StringIO(strm.read())) as tf:
+        conffile = tf.extractfile('default.conf')
+        return conffile.read()
+
+
+def docker_compose_up(compose_file='docker-compose.yml'):
+    logging.info('docker-compose -f %s up -d' % compose_file)
+    try:
+        subprocess.check_output(shlex.split('docker-compose -f %s up -d' % compose_file), stderr=subprocess.STDOUT)
+    except subprocess.CalledProcessError, e:
+        pytest.fail("Error while runninng 'docker-compose -f %s up -d':\n%s" % (compose_file, e.output), pytrace=False)
+
+
+def docker_compose_down(compose_file='docker-compose.yml'):
+    logging.info('docker-compose -f %s down' % compose_file)
+    try:
+        subprocess.check_output(shlex.split('docker-compose -f %s down' % compose_file), stderr=subprocess.STDOUT)
+    except subprocess.CalledProcessError, e:
+        pytest.fail("Error while runninng 'docker-compose -f %s down':\n%s" % (compose_file, e.output), pytrace=False)
+
+
+def wait_for_nginxproxy_to_be_ready():
+    """
+    If one (and only one) container started from image jwilder/nginx-proxy:test is found, 
+    wait for its log to contain substring "Watching docker events"
+    """
+    containers = docker_client.containers.list(filters={"ancestor": "jwilder/nginx-proxy:test"})
+    if len(containers) != 1:
+        return
+    container = containers[0]
+    for line in container.logs(stream=True):
+        if "Watching docker events" in line:
+            logging.debug("nginx-proxy ready")
+            break
+
+def find_docker_compose_file(request):
+    """
+    helper for fixture functions to figure out the name of the docker-compose file to consider.
+
+    - if the test module provides a `docker_compose_file` variable, take that
+    - else, if a yaml file exists with the same name as the test module (but for the `.yml` extension), use that
+    - otherwise use `docker-compose.yml`.
+    """
+    test_module_dir = os.path.dirname(request.module.__file__)
+    yml_file = os.path.join(test_module_dir, request.module.__name__ + '.yml')
+    yaml_file = os.path.join(test_module_dir, request.module.__name__ + '.yaml')
+    default_file = os.path.join(test_module_dir, 'docker-compose.yml')
+
+    docker_compose_file_module_variable = getattr(request.module, "docker_compose_file", None)
+    if docker_compose_file_module_variable is not None:
+        docker_compose_file = os.path.join( test_module_dir, docker_compose_file_module_variable)
+        if not os.path.isfile(docker_compose_file):
+            raise ValueError("docker compose file %r could not be found. Check your test module `docker_compose_file` variable value." % docker_compose_file)
+    else:
+        if os.path.isfile(yml_file):
+            docker_compose_file = yml_file
+        elif os.path.isfile(yaml_file):
+            docker_compose_file = yaml_file
+        else:
+            docker_compose_file = default_file
+
+    if not os.path.isfile(docker_compose_file):
+        logging.error("Could not find any docker-compose file named either '{0}.yml', '{0}.yaml' or 'docker-compose.yml'".format(request.module.__name__))
+
+    logging.debug("using docker compose file %s" % docker_compose_file)
+    return docker_compose_file
+
+
+def connect_to_network(network):
+    """
+    If we are running from a container, connect our container to the given network
+
+    :return: the name of the network we were connected to, or None
+    """
+    if I_AM_RUNNING_INSIDE_A_DOCKER_CONTAINER:
+        try:
+            my_container = docker_client.containers.get(socket.gethostname())
+        except docker.errors.NotFound:
+            logging.warn("container %r not found" % socket.gethostname())
+            return
+
+        # figure out our container networks
+        my_networks = my_container.attrs["NetworkSettings"]["Networks"].keys()
+
+        # make sure our container is connected to the nginx-proxy's network
+        if network not in my_networks:
+            logging.info("Connecting to docker network: %s" % network.name)
+            network.connect(my_container)
+            return network
+
+
+def disconnect_from_network(network=None):
+    """
+    If we are running from a container, disconnect our container from the given network.
+
+    :param network: name of a docker network to disconnect from
+    """
+    if I_AM_RUNNING_INSIDE_A_DOCKER_CONTAINER and network is not None:
+        try:
+            my_container = docker_client.containers.get(socket.gethostname())
+        except docker.errors.NotFound:
+            logging.warn("container %r not found" % socket.gethostname())
+            return
+
+        # figure out our container networks
+        my_networks_names = my_container.attrs["NetworkSettings"]["Networks"].keys()
+
+        # disconnect our container from the given network
+        if network.name in my_networks_names:
+            logging.info("Disconnecting from network %s" % network.name)
+            network.disconnect(my_container)
+
+
+def connect_to_all_networks():
+    """
+    If we are running from a container, connect our container to all current docker networks.
+
+    :return: a list of networks we connected to
+    """
+    if not I_AM_RUNNING_INSIDE_A_DOCKER_CONTAINER:
+        return []
+    else:
+        # find the list of docker networks
+        networks = filter(lambda network: len(network.containers) > 0 and network.name != 'bridge', docker_client.networks.list())
+        return [connect_to_network(network) for network in networks]
+
+
+###############################################################################
+# 
+# Py.test fixtures
+# 
+###############################################################################
+
+@pytest.yield_fixture(scope="module")
+def docker_compose(request):
+    """
+    pytest fixture providing containers described in a docker compose file. After the tests, remove the created containers
+    
+    A custom docker compose file name can be defined in a variable named `docker_compose_file`.
+    
+    Also, in the case where pytest is running from a docker container, this fixture makes sure
+    our container will be attached to all the docker networks.
+    """
+    docker_compose_file = find_docker_compose_file(request)
+    original_dns_resolver = monkey_patch_urllib_dns_resolver()
+    remove_all_containers()
+    docker_compose_up(docker_compose_file)
+    networks = connect_to_all_networks()
+    wait_for_nginxproxy_to_be_ready()
+    time.sleep(3)  # give time to containers to be ready
+    yield docker_client
+    for network in networks:
+        disconnect_from_network(network)
+    docker_compose_down(docker_compose_file)
+    restore_urllib_dns_resolver(original_dns_resolver)
+
+
+@pytest.yield_fixture()
+def nginxproxy():
+    """
+    Provides the `nginxproxy` object that can be used in the same way the requests module is:
+
+    r = nginxproxy.get("http://foo.com")
+
+    The difference is that in case an HTTP requests has status code 404 or 502 (which mostly
+    indicates that nginx has just reloaded), we retry up to 30 times the query.
+
+    Also, the nginxproxy methods accept an additional keyword parameter: `ipv6` which forces requests
+    made against containers to use the containers IPv6 address when set to `True`. If IPv6 is not
+    supported by the system or docker, that particular test will be skipped.
+    """
+    yield requests_for_docker()
+
+
+###############################################################################
+# 
+# Py.test hooks
+# 
+###############################################################################
+
+# pytest hook to display additionnal stuff in test report
+def pytest_runtest_logreport(report):
+    if report.failed:
+        if isinstance(report.longrepr, ReprExceptionInfo):
+            test_containers = docker_client.containers.list(all=True, filters={"ancestor": "jwilder/nginx-proxy:test"})
+            for container in test_containers:
+                report.longrepr.addsection('nginx-proxy logs', container.logs())
+                report.longrepr.addsection('nginx-proxy conf', get_nginx_conf_from_container(container))
+
+
+# Py.test `incremental` marker, see http://stackoverflow.com/a/12579625/107049
+def pytest_runtest_makereport(item, call):
+    if "incremental" in item.keywords:
+        if call.excinfo is not None:
+            parent = item.parent
+            parent._previousfailed = item
+
+
+def pytest_runtest_setup(item):
+    previousfailed = getattr(item.parent, "_previousfailed", None)
+    if previousfailed is not None:
+        pytest.xfail("previous test failed (%s)" % previousfailed.name)
+
+###############################################################################
+# 
+# Check requirements
+# 
+###############################################################################
+
+try:
+    docker_client.images.get('jwilder/nginx-proxy:test')
+except docker.errors.ImageNotFound:
+    pytest.exit("The docker image 'jwilder/nginx-proxy:test' is missing")
+
+if docker.__version__ != "2.1.0":
+    pytest.exit("This test suite is meant to work with the python docker module v2.1.0")
--- a/test/default-host.bats
+++ b/test/default-host.bats
@ -1,33 +0,0 @@
-#!/usr/bin/env bats
-load test_helpers
-
-function setup {
-	# make sure to stop any web container before each test so we don't
-	# have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set
-	stop_bats_containers web
-}
-
-
-@test "[$TEST_FILE] DEFAULT_HOST=web1.bats" {
-	SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE}-1
-
-	# GIVEN a webserver with VIRTUAL_HOST set to web.bats
-	prepare_web_container bats-web 80 -e VIRTUAL_HOST=web.bats
-
-	# WHEN nginx-proxy runs with DEFAULT_HOST set to web.bats
-	run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro -e DEFAULT_HOST=web.bats
-	assert_success
-	docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events"
-
-	# THEN querying the proxy without Host header → 200
-	run curl_container $SUT_CONTAINER / --head
-	assert_output -l 0 $'HTTP/1.1 200 OK\r'
-
-	# THEN querying the proxy with any other Host header → 200
-	run curl_container $SUT_CONTAINER / --head --header "Host: something.I.just.made.up"
-	assert_output -l 0 $'HTTP/1.1 200 OK\r'
-}
-
-@test "[$TEST_FILE] stop all bats containers" {
-	stop_bats_containers
-}
--- a/test/docker.bats
+++ b/test/docker.bats
@ -1,123 +0,0 @@
-#!/usr/bin/env bats
-load test_helpers
-
-
-@test "[$TEST_FILE] start 2 web containers" {
-	prepare_web_container bats-web1 81 -e VIRTUAL_HOST=web1.bats
-	prepare_web_container bats-web2 82 -e VIRTUAL_HOST=web2.bats
-}
-
-
-@test "[$TEST_FILE] -v /var/run/docker.sock:/tmp/docker.sock:ro" {
-	SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE}-1
-
-	# WHEN nginx-proxy runs on our docker host using the default unix socket
-	run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro
-	assert_success
-	docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events"
-
-	# THEN
-	assert_nginxproxy_behaves $SUT_CONTAINER
-}
-
-
-@test "[$TEST_FILE] -v /var/run/docker.sock:/f00.sock:ro -e DOCKER_HOST=unix:///f00.sock" {
-	SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE}-2
-
-	# WHEN nginx-proxy runs on our docker host using a custom unix socket
-	run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/f00.sock:ro -e DOCKER_HOST=unix:///f00.sock
-	assert_success
-	docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events"
-
-	# THEN
-	assert_nginxproxy_behaves $SUT_CONTAINER
-}
-
-
-@test "[$TEST_FILE] -e DOCKER_HOST=tcp://..." {
-	SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE}-3
-	# GIVEN a container exposing our docker host over TCP
-	run docker_tcp bats-docker-tcp
-	assert_success
-	sleep 1s
-
-	# WHEN nginx-proxy runs on our docker host using tcp to connect to our docker host
-	run nginxproxy $SUT_CONTAINER -e DOCKER_HOST="tcp://bats-docker-tcp:2375" --link bats-docker-tcp:bats-docker-tcp
-	assert_success
-	docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events"
-
-	# THEN
-	assert_nginxproxy_behaves $SUT_CONTAINER
-}
-
-
-@test "[$TEST_FILE] separated containers (nginx + docker-gen + nginx.tmpl)" {
-	docker_clean bats-nginx
-	docker_clean bats-docker-gen
-
-	# GIVEN a simple nginx container
-	run docker run -d \
-		--label bats-type="nginx" \
-		--name bats-nginx \
-		-v /etc/nginx/conf.d/ \
-		-v /etc/nginx/certs/ \
-		nginx:latest
-	assert_success
-	run retry 5 1s docker run --label bats-type="curl" appropriate/curl --silent --fail --head http://$(docker_ip bats-nginx)/
-	assert_output -l 0 $'HTTP/1.1 200 OK\r'
-
-	# WHEN docker-gen runs on our docker host
-	run docker run -d \
-		--label bats-type="docker-gen" \
-		--name bats-docker-gen \
-		-v /var/run/docker.sock:/tmp/docker.sock:ro \
-		-v $BATS_TEST_DIRNAME/../nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro \
-		--volumes-from bats-nginx \
-		--expose 80 \
-		jwilder/docker-gen:0.7.1 \
-			-notify-sighup bats-nginx \
-			-watch \
-			-only-exposed \
-			/etc/docker-gen/templates/nginx.tmpl \
-			/etc/nginx/conf.d/default.conf
-	assert_success
-	docker_wait_for_log bats-docker-gen 9 "Watching docker events"
-
-	# Give some time to the docker-gen container to notify bats-nginx so it
-	# reloads its config
-	sleep 2s
-
-	run docker_running_state bats-nginx
-	assert_output "true" || {
-		docker logs bats-docker-gen
-		false
-	} >&2
-
-	# THEN
-	assert_nginxproxy_behaves bats-nginx
-}
-
-@test "[$TEST_FILE] stop all bats containers" {
-	stop_bats_containers
-}
-
-
-# $1 nginx-proxy container
-function assert_nginxproxy_behaves {
-	local -r container=$1
-
-	# Querying the proxy without Host header → 503
-	run curl_container $container / --head
-	assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r'
-
-	# Querying the proxy with Host header → 200
-	run curl_container $container /data --header "Host: web1.bats"
-	assert_output "answer from port 81"
-
-	run curl_container $container /data --header "Host: web2.bats"
-	assert_output "answer from port 82"
-
-	# Querying the proxy with unknown Host header → 503
-	run curl_container $container /data --header "Host: webFOO.bats" --head
-	assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r'
-}
--- a/test/lib/README.md
+++ b/test/lib/README.md
@ -1,6 +0,0 @@
-bats lib
-========
-
-found on https://github.com/sstephenson/bats/pull/110
-
-When that pull request will be merged, the `test/lib/bats` won't be necessary anymore.
--- a/test/lib/bats/batslib.bash
+++ b/test/lib/bats/batslib.bash
@ -1,596 +0,0 @@
-#
-# batslib.bash
-# ------------
-#
-# The Standard Library is a collection of test helpers intended to
-# simplify testing. It contains the following types of test helpers.
-#
-#   - Assertions are functions that perform a test and output relevant
-#     information on failure to help debugging. They return 1 on failure
-#     and 0 otherwise.
-#
-# All output is formatted for readability using the functions of
-# `output.bash' and sent to the standard error.
-#
-
-source "${BATS_LIB}/batslib/output.bash"
-
-
-########################################################################
-#                               ASSERTIONS
-########################################################################
-
-# Fail and display a message. When no parameters are specified, the
-# message is read from the standard input. Other functions use this to
-# report failure.
-#
-# Globals:
-#   none
-# Arguments:
-#   $@ - [=STDIN] message
-# Returns:
-#   1 - always
-# Inputs:
-#   STDIN - [=$@] message
-# Outputs:
-#   STDERR - message
-fail() {
-  (( $# == 0 )) && batslib_err || batslib_err "$@"
-  return 1
-}
-
-# Fail and display details if the expression evaluates to false. Details
-# include the expression, `$status' and `$output'.
-#
-# NOTE: The expression must be a simple command. Compound commands, such
-#       as `[[', can be used only when executed with `bash -c'.
-#
-# Globals:
-#   status
-#   output
-# Arguments:
-#   $1 - expression
-# Returns:
-#   0 - expression evaluates to TRUE
-#   1 - otherwise
-# Outputs:
-#   STDERR - details, on failure
-assert() {
-  if ! "$@"; then
-    { local -ar single=(
-        'expression' "$*"
-        'status'     "$status"
-      )
-      local -ar may_be_multi=(
-        'output'     "$output"
-      )
-      local -ir width="$( batslib_get_max_single_line_key_width \
-                            "${single[@]}" "${may_be_multi[@]}" )"
-      batslib_print_kv_single "$width" "${single[@]}"
-      batslib_print_kv_single_or_multi "$width" "${may_be_multi[@]}"
-    } | batslib_decorate 'assertion failed' \
-      | fail
-  fi
-}
-
-# Fail and display details if the expected and actual values do not
-# equal. Details include both values.
-#
-# Globals:
-#   none
-# Arguments:
-#   $1 - actual value
-#   $2 - expected value
-# Returns:
-#   0 - values equal
-#   1 - otherwise
-# Outputs:
-#   STDERR - details, on failure
-assert_equal() {
-  if [[ $1 != "$2" ]]; then
-    batslib_print_kv_single_or_multi 8 \
-        'expected' "$2" \
-        'actual'   "$1" \
-      | batslib_decorate 'values do not equal' \
-      | fail
-  fi
-}
-
-# Fail and display details if `$status' is not 0. Details include
-# `$status' and `$output'.
-#
-# Globals:
-#   status
-#   output
-# Arguments:
-#   none
-# Returns:
-#   0 - `$status' is 0
-#   1 - otherwise
-# Outputs:
-#   STDERR - details, on failure
-assert_success() {
-  if (( status != 0 )); then
-    { local -ir width=6
-      batslib_print_kv_single "$width" 'status' "$status"
-      batslib_print_kv_single_or_multi "$width" 'output' "$output"
-    } | batslib_decorate 'command failed' \
-      | fail
-  fi
-}
-
-# Fail and display details if `$status' is 0. Details include `$output'.
-#
-# Optionally, when the expected status is specified, fail when it does
-# not equal `$status'. In this case, details include the expected and
-# actual status, and `$output'.
-#
-# Globals:
-#   status
-#   output
-# Arguments:
-#   $1 - [opt] expected status
-# Returns:
-#   0 - `$status' is not 0, or
-#       `$status' equals the expected status
-#   1 - otherwise
-# Outputs:
-#   STDERR - details, on failure
-assert_failure() {
-  (( $# > 0 )) && local -r expected="$1"
-  if (( status == 0 )); then
-    batslib_print_kv_single_or_multi 6 'output' "$output" \
-      | batslib_decorate 'command succeeded, but it was expected to fail' \
-      | fail
-  elif (( $# > 0 )) && (( status != expected )); then
-    { local -ir width=8
-      batslib_print_kv_single "$width" \
-          'expected' "$expected" \
-          'actual'   "$status"
-      batslib_print_kv_single_or_multi "$width" \
-          'output' "$output"
-    } | batslib_decorate 'command failed as expected, but status differs' \
-      | fail
-  fi
-}
-
-# Fail and display details if the expected does not match the actual
-# output or a fragment of it.
-#
-# By default, the entire output is matched. The assertion fails if the
-# expected output does not equal `$output'. Details include both values.
-#
-# When `-l <index>' is used, only the <index>-th line is matched. The
-# assertion fails if the expected line does not equal
-# `${lines[<index>}'. Details include the compared lines and <index>.
-#
-# When `-l' is used without the <index> argument, the output is searched
-# for the expected line. The expected line is matched against each line
-# in `${lines[@]}'. If no match is found the assertion fails. Details
-# include the expected line and `$output'.
-#
-# By default, literal matching is performed. Options `-p' and `-r'
-# enable partial (i.e. substring) and extended regular expression
-# matching, respectively. Specifying an invalid extended regular
-# expression with `-r' displays an error.
-#
-# Options `-p' and `-r' are mutually exclusive. When used
-# simultaneously, an error is displayed.
-#
-# Globals:
-#   output
-#   lines
-# Options:
-#   -l <index> - match against the <index>-th element of `${lines[@]}'
-#   -l - search `${lines[@]}' for the expected line
-#   -p - partial matching
-#   -r - extended regular expression matching
-# Arguments:
-#   $1 - expected output
-# Returns:
-#   0 - expected matches the actual output
-#   1 - otherwise
-# Outputs:
-#   STDERR - details, on failure
-#            error message, on error
-assert_output() {
-  local -i is_match_line=0
-  local -i is_match_contained=0
-  local -i is_mode_partial=0
-  local -i is_mode_regex=0
-
-  # Handle options.
-  while (( $# > 0 )); do
-    case "$1" in
-      -l)
-        if (( $# > 2 )) && [[ $2 =~ ^([0-9]|[1-9][0-9]+)$ ]]; then
-          is_match_line=1
-          local -ri idx="$2"
-          shift
-        else
-          is_match_contained=1;
-        fi
-        shift
-        ;;
-      -p) is_mode_partial=1; shift ;;
-      -r) is_mode_regex=1; shift ;;
-      --) break ;;
-      *) break ;;
-    esac
-  done
-
-  if (( is_match_line )) && (( is_match_contained )); then
-    echo "\`-l' and \`-l <index>' are mutually exclusive" \
-      | batslib_decorate 'ERROR: assert_output' \
-      | fail
-    return $?
-  fi
-
-  if (( is_mode_partial )) && (( is_mode_regex )); then
-    echo "\`-p' and \`-r' are mutually exclusive" \
-      | batslib_decorate 'ERROR: assert_output' \
-      | fail
-    return $?
-  fi
-
-  # Arguments.
-  local -r expected="$1"
-
-  if (( is_mode_regex == 1 )) && [[ '' =~ $expected ]] || (( $? == 2 )); then
-    echo "Invalid extended regular expression: \`$expected'" \
-      | batslib_decorate 'ERROR: assert_output' \
-      | fail
-    return $?
-  fi
-
-  # Matching.
-  if (( is_match_contained )); then
-    # Line contained in output.
-    if (( is_mode_regex )); then
-      local -i idx
-      for (( idx = 0; idx < ${#lines[@]}; ++idx )); do
-        [[ ${lines[$idx]} =~ $expected ]] && return 0
-      done
-      { local -ar single=(
-          'regex'  "$expected"
-        )
-        local -ar may_be_multi=(
-          'output' "$output"
-        )
-        local -ir width="$( batslib_get_max_single_line_key_width \
-                              "${single[@]}" "${may_be_multi[@]}" )"
-        batslib_print_kv_single "$width" "${single[@]}"
-        batslib_print_kv_single_or_multi "$width" "${may_be_multi[@]}"
-      } | batslib_decorate 'no output line matches regular expression' \
-        | fail
-    elif (( is_mode_partial )); then
-      local -i idx
-      for (( idx = 0; idx < ${#lines[@]}; ++idx )); do
-        [[ ${lines[$idx]} == *"$expected"* ]] && return 0
-      done
-      { local -ar single=(
-          'substring' "$expected"
-        )
-        local -ar may_be_multi=(
-          'output'    "$output"
-        )
-        local -ir width="$( batslib_get_max_single_line_key_width \
-                              "${single[@]}" "${may_be_multi[@]}" )"
-        batslib_print_kv_single "$width" "${single[@]}"
-        batslib_print_kv_single_or_multi "$width" "${may_be_multi[@]}"
-      } | batslib_decorate 'no output line contains substring' \
-        | fail
-    else
-      local -i idx
-      for (( idx = 0; idx < ${#lines[@]}; ++idx )); do
-        [[ ${lines[$idx]} == "$expected" ]] && return 0
-      done
-      { local -ar single=(
-          'line'   "$expected"
-        )
-        local -ar may_be_multi=(
-          'output' "$output"
-        )
-        local -ir width="$( batslib_get_max_single_line_key_width \
-                            "${single[@]}" "${may_be_multi[@]}" )"
-        batslib_print_kv_single "$width" "${single[@]}"
-        batslib_print_kv_single_or_multi "$width" "${may_be_multi[@]}"
-      } | batslib_decorate 'output does not contain line' \
-        | fail
-    fi
-  elif (( is_match_line )); then
-    # Specific line.
-    if (( is_mode_regex )); then
-      if ! [[ ${lines[$idx]} =~ $expected ]]; then
-        batslib_print_kv_single 5 \
-            'index' "$idx" \
-            'regex' "$expected" \
-            'line'  "${lines[$idx]}" \
-          | batslib_decorate 'regular expression does not match line' \
-          | fail
-      fi
-    elif (( is_mode_partial )); then
-      if [[ ${lines[$idx]} != *"$expected"* ]]; then
-        batslib_print_kv_single 9 \
-            'index'     "$idx" \
-            'substring' "$expected" \
-            'line'      "${lines[$idx]}" \
-          | batslib_decorate 'line does not contain substring' \
-          | fail
-      fi
-    else
-      if [[ ${lines[$idx]} != "$expected" ]]; then
-        batslib_print_kv_single 8 \
-            'index'    "$idx" \
-            'expected' "$expected" \
-            'actual'   "${lines[$idx]}" \
-          | batslib_decorate 'line differs' \
-          | fail
-      fi
-    fi
-  else
-    # Entire output.
-    if (( is_mode_regex )); then
-      if ! [[ $output =~ $expected ]]; then
-        batslib_print_kv_single_or_multi 6 \
-            'regex'  "$expected" \
-            'output' "$output" \
-          | batslib_decorate 'regular expression does not match output' \
-          | fail
-      fi
-    elif (( is_mode_partial )); then
-      if [[ $output != *"$expected"* ]]; then
-        batslib_print_kv_single_or_multi 9 \
-            'substring' "$expected" \
-            'output'    "$output" \
-          | batslib_decorate 'output does not contain substring' \
-          | fail
-      fi
-    else
-      if [[ $output != "$expected" ]]; then
-        batslib_print_kv_single_or_multi 8 \
-            'expected' "$expected" \
-            'actual'   "$output" \
-          | batslib_decorate 'output differs' \
-          | fail
-      fi
-    fi
-  fi
-}
-
-# Fail and display details if the unexpected matches the actual output
-# or a fragment of it.
-#
-# By default, the entire output is matched. The assertion fails if the
-# unexpected output equals `$output'. Details include `$output'.
-#
-# When `-l <index>' is used, only the <index>-th line is matched. The
-# assertion fails if the unexpected line equals `${lines[<index>}'.
-# Details include the compared line and <index>.
-#
-# When `-l' is used without the <index> argument, the output is searched
-# for the unexpected line. The unexpected line is matched against each
-# line in `${lines[<index>]}'. If a match is found the assertion fails.
-# Details include the unexpected line, the index where it was found and
-# `$output' (with the unexpected line highlighted in it if `$output` is
-# longer than one line).
-#
-# By default, literal matching is performed. Options `-p' and `-r'
-# enable partial (i.e. substring) and extended regular expression
-# matching, respectively. On failure, the substring or the regular
-# expression is added to the details (if not already displayed).
-# Specifying an invalid extended regular expression with `-r' displays
-# an error.
-#
-# Options `-p' and `-r' are mutually exclusive. When used
-# simultaneously, an error is displayed.
-#
-# Globals:
-#   output
-#   lines
-# Options:
-#   -l <index> - match against the <index>-th element of `${lines[@]}'
-#   -l - search `${lines[@]}' for the unexpected line
-#   -p - partial matching
-#   -r - extended regular expression matching
-# Arguments:
-#   $1 - unexpected output
-# Returns:
-#   0 - unexpected matches the actual output
-#   1 - otherwise
-# Outputs:
-#   STDERR - details, on failure
-#            error message, on error
-refute_output() {
-  local -i is_match_line=0
-  local -i is_match_contained=0
-  local -i is_mode_partial=0
-  local -i is_mode_regex=0
-
-  # Handle options.
-  while (( $# > 0 )); do
-    case "$1" in
-      -l)
-        if (( $# > 2 )) && [[ $2 =~ ^([0-9]|[1-9][0-9]+)$ ]]; then
-          is_match_line=1
-          local -ri idx="$2"
-          shift
-        else
-          is_match_contained=1;
-        fi
-        shift
-        ;;
-      -L) is_match_contained=1; shift ;;
-      -p) is_mode_partial=1; shift ;;
-      -r) is_mode_regex=1; shift ;;
-      --) break ;;
-      *) break ;;
-    esac
-  done
-
-  if (( is_match_line )) && (( is_match_contained )); then
-    echo "\`-l' and \`-l <index>' are mutually exclusive" \
-      | batslib_decorate 'ERROR: refute_output' \
-      | fail
-    return $?
-  fi
-
-  if (( is_mode_partial )) && (( is_mode_regex )); then
-    echo "\`-p' and \`-r' are mutually exclusive" \
-      | batslib_decorate 'ERROR: refute_output' \
-      | fail
-    return $?
-  fi
-
-  # Arguments.
-  local -r unexpected="$1"
-
-  if (( is_mode_regex == 1 )) && [[ '' =~ $unexpected ]] || (( $? == 2 )); then
-    echo "Invalid extended regular expression: \`$unexpected'" \
-      | batslib_decorate 'ERROR: refute_output' \
-      | fail
-    return $?
-  fi
-
-  # Matching.
-  if (( is_match_contained )); then
-    # Line contained in output.
-    if (( is_mode_regex )); then
-      local -i idx
-      for (( idx = 0; idx < ${#lines[@]}; ++idx )); do
-        if [[ ${lines[$idx]} =~ $unexpected ]]; then
-          { local -ar single=(
-              'regex'  "$unexpected"
-              'index'  "$idx"
-            )
-            local -a may_be_multi=(
-              'output' "$output"
-            )
-            local -ir width="$( batslib_get_max_single_line_key_width \
-                                "${single[@]}" "${may_be_multi[@]}" )"
-            batslib_print_kv_single "$width" "${single[@]}"
-            if batslib_is_single_line "${may_be_multi[1]}"; then
-              batslib_print_kv_single "$width" "${may_be_multi[@]}"
-            else
-              may_be_multi[1]="$( printf '%s' "${may_be_multi[1]}" \
-                                    | batslib_prefix \
-                                    | batslib_mark '>' "$idx" )"
-              batslib_print_kv_multi "${may_be_multi[@]}"
-            fi
-          } | batslib_decorate 'no line should match the regular expression' \
-            | fail
-          return $?
-        fi
-      done
-    elif (( is_mode_partial )); then
-      local -i idx
-      for (( idx = 0; idx < ${#lines[@]}; ++idx )); do
-        if [[ ${lines[$idx]} == *"$unexpected"* ]]; then
-          { local -ar single=(
-              'substring' "$unexpected"
-              'index'     "$idx"
-            )
-            local -a may_be_multi=(
-              'output'    "$output"
-            )
-            local -ir width="$( batslib_get_max_single_line_key_width \
-                                "${single[@]}" "${may_be_multi[@]}" )"
-            batslib_print_kv_single "$width" "${single[@]}"
-            if batslib_is_single_line "${may_be_multi[1]}"; then
-              batslib_print_kv_single "$width" "${may_be_multi[@]}"
-            else
-              may_be_multi[1]="$( printf '%s' "${may_be_multi[1]}" \
-                                    | batslib_prefix \
-                                    | batslib_mark '>' "$idx" )"
-              batslib_print_kv_multi "${may_be_multi[@]}"
-            fi
-          } | batslib_decorate 'no line should contain substring' \
-            | fail
-          return $?
-        fi
-      done
-    else
-      local -i idx
-      for (( idx = 0; idx < ${#lines[@]}; ++idx )); do
-        if [[ ${lines[$idx]} == "$unexpected" ]]; then
-          { local -ar single=(
-              'line'   "$unexpected"
-              'index'  "$idx"
-            )
-            local -a may_be_multi=(
-              'output' "$output"
-            )
-            local -ir width="$( batslib_get_max_single_line_key_width \
-                                "${single[@]}" "${may_be_multi[@]}" )"
-            batslib_print_kv_single "$width" "${single[@]}"
-            if batslib_is_single_line "${may_be_multi[1]}"; then
-              batslib_print_kv_single "$width" "${may_be_multi[@]}"
-            else
-              may_be_multi[1]="$( printf '%s' "${may_be_multi[1]}" \
-                                    | batslib_prefix \
-                                    | batslib_mark '>' "$idx" )"
-              batslib_print_kv_multi "${may_be_multi[@]}"
-            fi
-          } | batslib_decorate 'line should not be in output' \
-            | fail
-          return $?
-        fi
-      done
-    fi
-  elif (( is_match_line )); then
-    # Specific line.
-    if (( is_mode_regex )); then
-      if [[ ${lines[$idx]} =~ $unexpected ]] || (( $? == 0 )); then
-        batslib_print_kv_single 5 \
-            'index' "$idx" \
-            'regex' "$unexpected" \
-            'line'  "${lines[$idx]}" \
-          | batslib_decorate 'regular expression should not match line' \
-          | fail
-      fi
-    elif (( is_mode_partial )); then
-      if [[ ${lines[$idx]} == *"$unexpected"* ]]; then
-        batslib_print_kv_single 9 \
-            'index'     "$idx" \
-            'substring' "$unexpected" \
-            'line'      "${lines[$idx]}" \
-          | batslib_decorate 'line should not contain substring' \
-          | fail
-      fi
-    else
-      if [[ ${lines[$idx]} == "$unexpected" ]]; then
-        batslib_print_kv_single 5 \
-            'index' "$idx" \
-            'line'  "${lines[$idx]}" \
-          | batslib_decorate 'line should differ' \
-          | fail
-      fi
-    fi
-  else
-    # Entire output.
-    if (( is_mode_regex )); then
-      if [[ $output =~ $unexpected ]] || (( $? == 0 )); then
-        batslib_print_kv_single_or_multi 6 \
-            'regex'  "$unexpected" \
-            'output' "$output" \
-          | batslib_decorate 'regular expression should not match output' \
-          | fail
-      fi
-    elif (( is_mode_partial )); then
-      if [[ $output == *"$unexpected"* ]]; then
-        batslib_print_kv_single_or_multi 9 \
-            'substring' "$unexpected" \
-            'output'    "$output" \
-          | batslib_decorate 'output should not contain substring' \
-          | fail
-      fi
-    else
-      if [[ $output == "$unexpected" ]]; then
-        batslib_print_kv_single_or_multi 6 \
-            'output' "$output" \
-          | batslib_decorate 'output equals, but it was expected to differ' \
-          | fail
-      fi
-    fi
-  fi
-}
--- a/test/lib/bats/batslib/output.bash
+++ b/test/lib/bats/batslib/output.bash
@ -1,264 +0,0 @@
-#
-# output.bash
-# -----------
-#
-# Private functions implementing output formatting. Used by public
-# helper functions.
-#
-
-# Print a message to the standard error. When no parameters are
-# specified, the message is read from the standard input.
-#
-# Globals:
-#   none
-# Arguments:
-#   $@ - [=STDIN] message
-# Returns:
-#   none
-# Inputs:
-#   STDIN - [=$@] message
-# Outputs:
-#   STDERR - message
-batslib_err() {
-  { if (( $# > 0 )); then
-      echo "$@"
-    else
-      cat -
-    fi
-  } >&2
-}
-
-# Count the number of lines in the given string.
-#
-# TODO(ztombol): Fix tests and remove this note after #93 is resolved!
-# NOTE: Due to a bug in Bats, `batslib_count_lines "$output"' does not
-#       give the same result as `${#lines[@]}' when the output contains
-#       empty lines.
-#       See PR #93 (https://github.com/sstephenson/bats/pull/93).
-#
-# Globals:
-#   none
-# Arguments:
-#   $1 - string
-# Returns:
-#   none
-# Outputs:
-#   STDOUT - number of lines
-batslib_count_lines() {
-  local -i n_lines=0
-  local line
-  while IFS='' read -r line || [[ -n $line ]]; do
-    (( ++n_lines ))
-  done < <(printf '%s' "$1")
-  echo "$n_lines"
-}
-
-# Determine whether all strings are single-line.
-#
-# Globals:
-#   none
-# Arguments:
-#   $@ - strings
-# Returns:
-#   0 - all strings are single-line
-#   1 - otherwise
-batslib_is_single_line() {
-  for string in "$@"; do
-    (( $(batslib_count_lines "$string") > 1 )) && return 1
-  done
-  return 0
-}
-
-# Determine the length of the longest key that has a single-line value.
-#
-# This function is useful in determining the correct width of the key
-# column in two-column format when some keys may have multi-line values
-# and thus should be excluded.
-#
-# Globals:
-#   none
-# Arguments:
-#   $odd - key
-#   $even - value of the previous key
-# Returns:
-#   none
-# Outputs:
-#   STDOUT - length of longest key
-batslib_get_max_single_line_key_width() {
-  local -i max_len=-1
-  while (( $# != 0 )); do
-    local -i key_len="${#1}"
-    batslib_is_single_line "$2" && (( key_len > max_len )) && max_len="$key_len"
-    shift 2
-  done
-  echo "$max_len"
-}
-
-# Print key-value pairs in two-column format.
-#
-# Keys are displayed in the first column, and their corresponding values
-# in the second. To evenly line up values, the key column is fixed-width
-# and its width is specified with the first parameter (possibly computed
-# using `batslib_get_max_single_line_key_width').
-#
-# Globals:
-#   none
-# Arguments:
-#   $1 - width of key column
-#   $even - key
-#   $odd - value of the previous key
-# Returns:
-#   none
-# Outputs:
-#   STDOUT - formatted key-value pairs
-batslib_print_kv_single() {
-  local -ir col_width="$1"; shift
-  while (( $# != 0 )); do
-    printf '%-*s : %s\n' "$col_width" "$1" "$2"
-    shift 2
-  done
-}
-
-# Print key-value pairs in multi-line format.
-#
-# The key is displayed first with the number of lines of its
-# corresponding value in parenthesis. Next, starting on the next line,
-# the value is displayed. For better readability, it is recommended to
-# indent values using `batslib_prefix'.
-#
-# Globals:
-#   none
-# Arguments:
-#   $odd - key
-#   $even - value of the previous key
-# Returns:
-#   none
-# Outputs:
-#   STDOUT - formatted key-value pairs
-batslib_print_kv_multi() {
-  while (( $# != 0 )); do
-    printf '%s (%d lines):\n' "$1" "$( batslib_count_lines "$2" )"
-    printf '%s\n' "$2"
-    shift 2
-  done
-}
-
-# Print all key-value pairs in either two-column or multi-line format
-# depending on whether all values are single-line.
-#
-# If all values are single-line, print all pairs in two-column format
-# with the specified key column width (identical to using
-# `batslib_print_kv_single').
-#
-# Otherwise, print all pairs in multi-line format after indenting values
-# with two spaces for readability (identical to using `batslib_prefix'
-# and `batslib_print_kv_multi')
-#
-# Globals:
-#   none
-# Arguments:
-#   $1 - width of key column (for two-column format)
-#   $even - key
-#   $odd - value of the previous key
-# Returns:
-#   none
-# Outputs:
-#   STDOUT - formatted key-value pairs
-batslib_print_kv_single_or_multi() {
-  local -ir width="$1"; shift
-  local -a pairs=( "$@" )
-
-  local -a values=()
-  local -i i
-  for (( i=1; i < ${#pairs[@]}; i+=2 )); do
-    values+=( "${pairs[$i]}" )
-  done
-
-  if batslib_is_single_line "${values[@]}"; then
-    batslib_print_kv_single "$width" "${pairs[@]}"
-  else
-    local -i i
-    for (( i=1; i < ${#pairs[@]}; i+=2 )); do
-      pairs[$i]="$( batslib_prefix < <(printf '%s' "${pairs[$i]}") )"
-    done
-    batslib_print_kv_multi "${pairs[@]}"
-  fi
-}
-
-# Prefix each line read from the standard input with the given string.
-#
-# Globals:
-#   none
-# Arguments:
-#   $1 - [=  ] prefix string
-# Returns:
-#   none
-# Inputs:
-#   STDIN - lines
-# Outputs:
-#   STDOUT - prefixed lines
-batslib_prefix() {
-  local -r prefix="${1:-  }"
-  local line
-  while IFS='' read -r line || [[ -n $line ]]; do
-    printf '%s%s\n' "$prefix" "$line"
-  done
-}
-
-# Mark select lines of the text read from the standard input by
-# overwriting their beginning with the given string.
-#
-# Usually the input is indented by a few spaces using `batslib_prefix'
-# first.
-#
-# Globals:
-#   none
-# Arguments:
-#   $1 - marking string
-#   $@ - indices (zero-based) of lines to mark
-# Returns:
-#   none
-# Inputs:
-#   STDIN - lines
-# Outputs:
-#   STDOUT - lines after marking
-batslib_mark() {
-  local -r symbol="$1"; shift
-  # Sort line numbers.
-  set -- $( sort -nu <<< "$( printf '%d\n' "$@" )" )
-
-  local line
-  local -i idx=0
-  while IFS='' read -r line || [[ -n $line ]]; do
-    if (( ${1:--1} == idx )); then
-      printf '%s\n' "${symbol}${line:${#symbol}}"
-      shift
-    else
-      printf '%s\n' "$line"
-    fi
-    (( ++idx ))
-  done
-}
-
-# Enclose the input text in header and footer lines.
-#
-# The header contains the given string as title. The output is preceded
-# and followed by an additional newline to make it stand out more.
-#
-# Globals:
-#   none
-# Arguments:
-#   $1 - title
-# Returns:
-#   none
-# Inputs:
-#   STDIN - text
-# Outputs:
-#   STDOUT - decorated text
-batslib_decorate() {
-  echo
-  echo "-- $1 --"
-  cat -
-  echo '--'
-  echo
-}
--- a/test/lib/docker_helpers.bash
+++ b/test/lib/docker_helpers.bash
@ -1,66 +0,0 @@
-## functions to help deal with docker
-
-# Removes container $1
-function docker_clean {
-	docker kill $1 &>/dev/null ||:
-	sleep .25s
-	docker rm -vf $1 &>/dev/null ||:
-	sleep .25s
-}
-
-# get the ip of docker container $1
-function docker_ip {
-	docker inspect --format '{{ .NetworkSettings.IPAddress }}' $1
-}
-
-# get the ip of docker container $1
-function docker_id {
-	docker inspect --format '{{ .ID }}' $1
-}
-
-# get the running state of container $1
-# → true/false
-# fails if the container does not exist
-function docker_running_state {
-	docker inspect -f {{.State.Running}} $1
-}
-
-# get the docker container $1 PID
-function docker_pid {
-	docker inspect --format {{.State.Pid}} $1
-}
-
-# asserts logs from container $1 contains $2
-function docker_assert_log {
-	local -r container=$1
-	shift
-	run docker logs $container
-	assert_output -p "$*"
-}
-
-# wait for a container to produce a given text in its log
-# $1 container
-# $2 timeout in second
-# $* text to wait for
-function docker_wait_for_log {
-	local -r container=$1
-	local -ir timeout_sec=$2
-	shift 2
-	retry $(( $timeout_sec * 2 )) .5s docker_assert_log $container "$*"
-}
-
-# Create a docker container named $1 which exposes the docker host unix 
-# socket over tcp on port 2375.
-#
-# $1 container name
-function docker_tcp {
-	local container_name="$1"
-	docker_clean $container_name
-	docker run -d \
-		--label bats-type="socat" \
-		--name $container_name \
-		--expose 2375 \
-		-v /var/run/docker.sock:/var/run/docker.sock \
-		rancher/socat-docker
-	docker run --label bats-type="docker" --link "$container_name:docker" docker:1.10 version
-}
--- a/test/lib/helpers.bash
+++ b/test/lib/helpers.bash
@ -1,22 +0,0 @@
-## add the retry function to bats
-
-# Retry a command $1 times until it succeeds. Wait $2 seconds between retries.
-function retry {
-    local attempts=$1
-    shift
-    local delay=$1
-    shift
-    local i
-
-    for ((i=0; i < attempts; i++)); do
-        run "$@"
-        if [ "$status" -eq 0 ]; then
-            echo "$output"
-            return 0
-        fi
-        sleep $delay
-    done
-
-    echo "Command \"$@\" failed $attempts times. Status: $status. Output: $output" >&2
-    false
-}
--- a/test/lib/ssl/dhparam.pem
+++ b/test/lib/ssl/dhparam.pem
@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA1cae6HqPSgicEuAuSCf6Ii3d6qMX9Ta8lnwoX0JQ0CWK7mzaiiIi
+dY7oHmc4cq0S3SH+g0tdLP9yqygFS9hdUGINwS2VV6poj2/vdL/dUshegyxpEH58
+nofCPnFDeKkcPDMYAlGS8zjp60TsBkRJKcrxxwnjod1Q5mWuMN5KH3sxs842udKH
+0nHFE9kKW/NfXb+EGsjpocGpf786cGuCO2d00THsoItOEcM9/aI8DX1QcyxAHR6D
+HaYTFJnyyx8Q44u27M15idI4pbNoKORlotiuOwCTGYCfbN14aOV+Ict7aSF8FWpP
+48j9SMNuIu2DlF9pNLo6fsrOjYY3c9X12wIBAg==
+-----END DH PARAMETERS-----
--- a/test/lib/ssl/nginx-proxy.bats.crt
+++ b/test/lib/ssl/nginx-proxy.bats.crt
@ -1,24 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIID7TCCAtWgAwIBAgIJAOGkf5EnexJVMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYD
-VQQGEwJVUzERMA8GA1UECAwIVmlyZ2luaWExDzANBgNVBAcMBlJlc3RvbjERMA8G
-A1UECgwIRmFrZSBPcmcxGzAZBgNVBAMMEioubmdpbngtcHJveHkuYmF0czEpMCcG
-CSqGSIb3DQEJARYad2VibWFzdGVyQG5naW54LXByb3h5LmJhdHMwHhcNMTYwNDIw
-MTUzOTUxWhcNMjYwNDE4MTUzOTUxWjCBjDELMAkGA1UEBhMCVVMxETAPBgNVBAgM
-CFZpcmdpbmlhMQ8wDQYDVQQHDAZSZXN0b24xETAPBgNVBAoMCEZha2UgT3JnMRsw
-GQYDVQQDDBIqLm5naW54LXByb3h5LmJhdHMxKTAnBgkqhkiG9w0BCQEWGndlYm1h
-c3RlckBuZ2lueC1wcm94eS5iYXRzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEA0Amkj3iaQn8Z2CW6n24zSuWu2OoLCkHZAk8eprkI4kKoPBvjusynkm8E
-phq65jebToHoldfuQ0wM61DzhD15bHwS3x9CrOVbShsmdnGALz+wdR0/4Likx50I
-YZdecTOAlkoZudnX5FZ4ngOxjqcym7p5T8TrSS97a0fx99gitZY0p+Nu2tip4o3t
-WBMs+SoPWTlQ1SrSmL8chC8O2knyBl/w1nHmDnMuR6FGcHdhLncApw9t5spgfv7p
-OrMF4tQxJQNk10TnflmEMkGmy+pfk2e0cQ1Kwp3Nmzm7ECkggxxyjU3ihKiFK+09
-8aSCi7gDAY925+mV6LZ5oLMpO3KJvQIDAQABo1AwTjAdBgNVHQ4EFgQU+NvFo37z
-9Dyq8Mu82SPtV7q1gYQwHwYDVR0jBBgwFoAU+NvFo37z9Dyq8Mu82SPtV7q1gYQw
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAI1ityDV0UsCVHSpB2LN+
-QXlk8XS0ACIJ8Q0hbOj3BmYrdAVglG4P6upDEueaaxwsaBTagkTP8nxZ9dhfZHyZ
-5YLNwYsiG5iqb8e0ecHx3uJT/0YiXn/8rBvxEZna4Fl8seGdp7BjOWUAS2Nv8tn4
-EJJvRdfX/O8XgPc95DM4lwQ/dvyWmavMI4lnl0n1IQV9WPGaIQhYPU9WEQK6iMUB
-o1kx8YbOJQD0ZBRfqpriNt1/8ylkkSYYav8QT9JFvQFCWEvaX71QF+cuOwC7ZYBH
-4ElXwEUrYBHKiPo0q0VsTtMvLh7h/T5czrIhG/NpfVJPtQOk8aVwNScL3/n+TGU8
-6g==
-----END CERTIFICATE-----
--- a/test/lib/ssl/nginx-proxy.bats.key
+++ b/test/lib/ssl/nginx-proxy.bats.key
@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQCaSPeJpCfxnY
-JbqfbjNK5a7Y6gsKQdkCTx6muQjiQqg8G+O6zKeSbwSmGrrmN5tOgeiV1+5DTAzr
-UPOEPXlsfBLfH0Ks5VtKGyZ2cYAvP7B1HT/guKTHnQhhl15xM4CWShm52dfkVnie
-A7GOpzKbunlPxOtJL3trR/H32CK1ljSn427a2Knije1YEyz5Kg9ZOVDVKtKYvxyE
-Lw7aSfIGX/DWceYOcy5HoUZwd2EudwCnD23mymB+/uk6swXi1DElA2TXROd+WYQy
-QabL6l+TZ7RxDUrCnc2bObsQKSCDHHKNTeKEqIUr7T3xpIKLuAMBj3bn6ZXotnmg
-syk7com9AgMBAAECggEAa7wCp3XqVPNjW+c1/ShhkbDeWmDhtL8i9aopkmeSbTHd
-07sRtQQU56Vsf+Sp010KpZ5q52Z6cglpS1eRtHLtdbvPPhL/QXBJVVg4E/B1VIKk
-DBJIqUSVuPXeiEOOWgs01R+ssO1ae1o4foQlKF33vGPWPPQacL0RKh6I9TPNzcD7
-n4rujlHk72N/bNydyK2rnyKB4vAI5TbZPLps+Xe123CmgZnW3JClcWV9B4foRmiu
-a5Iq1WYAK2GYKbYwgqDRyYBC27m91a7U31pE4GQD+xQdlz6kcOlCU5hAcPK3h7j0
-fLQqn8g+YAtc0nBKKB4NZe3QEzTiVMorT0VitxI71QKBgQDnirardZaXOFzYGzB3
-j+FGB9BUW54hnHr5BxOYrfmEJ5umJjJWaGupfYrQsPArrJP1//WbqVZIPvdQParD
-mQhLmSp1r/VNzGB6pISmzU1ZGDHsmBxYseh366om5YBQUFU2vmbil9VkrkM4fsJG
-tcS9V/nVY/EM7Yp3PzjfLlhC1wKBgQDmA1YJmnZvIbLp3PoKqM69QiCLKztVm7nX
-xpu3b3qbXEzXkt2sP5PHmr+s13hOPQFKRJ2hk4UN9WqpnFoHw5E5eWWhSa/peUZm
-r10Y5XspiFtRHHiu6ABXB49eB4fen+vHEZHKyRJ4rFthKjjBHdNPC8bmwnT3jE85
-/8a26FLZiwKBgQDXEi8JZslBn9YF2oOTm28KCLoHka551AsaA+u892T8z3mxxGsf
-fhD7N6TYonIEb2Jkr6OpOortwqcgvpc+5oghCJ27AX2fDUdUxDp/YdYF+wZsmQJD
-lMW1lo7PYIBmmaf9mLCiq5xIz+GauYul+LNNmUl0YEgI1SC4EV63WCodswKBgDMX
-GJxHd/kVViVGFTAa8NjvAEWJU8OfNHduQRZMp8IsjVDw6VYiRRP4Fo0wyyMtv8Sc
-WxsRpmNEWO3VsdW5pd9LTLy3nmBQtMeIOjiWeHXwOMBaf5/yHmk2X6z2JULY6Mkt
-6OFPKlAtkJqTg0m58z7Ckeqd1NdLjimG27+y+PwjAoGAFt0cbC1Ust2BE6YEspSX
-ofpAnJsyKrbF9iVUyXDUP99sdqYQfPJ5uqPGkP59lJGkTLtebuitqi6FCyrsT6Fq
-AWLiExbqebAqcuAZw2S+iuK27S4rrkjVGF53J7vH3rOzCBUXaRx6GKfTjUqedHdg
-9Kw+LP6IFnMTb+EGLo+GqHs=
-----END PRIVATE KEY-----
--- a/test/multiple-hosts.bats
+++ b/test/multiple-hosts.bats
@ -1,43 +0,0 @@
-#!/usr/bin/env bats
-load test_helpers
-SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE}
-
-function setup {
-	# make sure to stop any web container before each test so we don't
-	# have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set
-	stop_bats_containers web
-}
-
-
-@test "[$TEST_FILE] start a nginx-proxy container" {
-	run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro
-	assert_success
-	docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events"
-}
-
-@test "[$TEST_FILE] nginx-proxy forwards requests for 2 hosts" {
-	# WHEN a container runs a web server with VIRTUAL_HOST set for multiple hosts
-	prepare_web_container bats-multiple-hosts-1 80 -e VIRTUAL_HOST=multiple-hosts-1-A.bats,multiple-hosts-1-B.bats
-	dockergen_wait_for_event $SUT_CONTAINER start bats-multiple-hosts-1
-	sleep 1
-
-	# THEN querying the proxy without Host header → 503
-	run curl_container $SUT_CONTAINER / --head
-	assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r'
-
-	# THEN querying the proxy with unknown Host header → 503
-	run curl_container $SUT_CONTAINER /data --header "Host: webFOO.bats" --head
-	assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r'
-
-	# THEN
-	run curl_container $SUT_CONTAINER /data --header 'Host: multiple-hosts-1-A.bats'
-	assert_output "answer from port 80"
-
-	# THEN
-	run curl_container $SUT_CONTAINER /data --header 'Host: multiple-hosts-1-B.bats'
-	assert_output "answer from port 80"
-}
-
-@test "[$TEST_FILE] stop all bats containers" {
-	stop_bats_containers
-}
--- a/test/multiple-ports.bats
+++ b/test/multiple-ports.bats
@ -1,64 +0,0 @@
-#!/usr/bin/env bats
-load test_helpers
-SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE}
-
-function setup {
-	# make sure to stop any web container before each test so we don't
-	# have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set
-	stop_bats_containers web
-}
-
-
-@test "[$TEST_FILE] start a nginx-proxy container" {
-	# GIVEN nginx-proxy
-	run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro
-	assert_success
-	docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events"
-}
-
-
-@test "[$TEST_FILE] nginx-proxy defaults to the service running on port 80" {
-	# WHEN
-	prepare_web_container bats-web-${TEST_FILE}-1 "80 90" -e VIRTUAL_HOST=web.bats
-	dockergen_wait_for_event $SUT_CONTAINER start bats-web-${TEST_FILE}-1
-	sleep 1
-
-	# THEN
-	assert_response_is_from_port 80
-}
-
-
-@test "[$TEST_FILE] VIRTUAL_PORT=90 while port 80 is also exposed" {
-	# GIVEN
-	prepare_web_container bats-web-${TEST_FILE}-2 "80 90" -e VIRTUAL_HOST=web.bats -e VIRTUAL_PORT=90
-	dockergen_wait_for_event $SUT_CONTAINER start bats-web-${TEST_FILE}-2
-	sleep 1
-
-	# THEN
-	assert_response_is_from_port 90
-}
-
-
-@test "[$TEST_FILE] single exposed port != 80" {
-	# GIVEN
-	prepare_web_container bats-web-${TEST_FILE}-3 1234 -e VIRTUAL_HOST=web.bats
-	dockergen_wait_for_event $SUT_CONTAINER start bats-web-${TEST_FILE}-3
-	sleep 1
-
-	# THEN
-	assert_response_is_from_port 1234
-}
-
-@test "[$TEST_FILE] stop all bats containers" {
-	stop_bats_containers
-}
-
-
-# assert querying nginx-proxy provides a response from the expected port of the web container
-# $1 port we are expecting an response from
-function assert_response_is_from_port {
-	local -r port=$1
-	run curl_container $SUT_CONTAINER /data --header "Host: web.bats"
-	assert_output "answer from port $port"
-}
-
--- a/test/pytest.ini
+++ b/test/pytest.ini
@ -0,0 +1,3 @@
+[pytest]
+# disable the creation of the `.cache` folders
+addopts = -p no:cacheprovider --ignore=requirements --ignore=certs -r s -v
--- a/test/pytest.sh
+++ b/test/pytest.sh
@ -0,0 +1,24 @@
+#!/bin/bash
+###############################################################################
+#                                                                             #
+# This script is meant to run the test suite from a Docker container.         #
+#                                                                             #
+# This is usefull when you want to run the test suite from Mac or             #
+# Docker Toolbox.                                                             #
+#                                                                             #
+###############################################################################
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ARGS="$@"
+
+# check requirements
+echo "> Building nginx-proxy-tester image..."
+docker build -t nginx-proxy-tester -f $DIR/requirements/Dockerfile-nginx-proxy-tester $DIR/requirements
+
+# run the nginx-proxy-tester container setting the correct value for the working dir in order for 
+# docker-compose to work properly when run from within that container.
+exec docker run --rm -it \
+	-v ${DIR}:/${DIR} \
+	-w ${DIR} \
+	-v /var/run/docker.sock:/var/run/docker.sock \
+	nginx-proxy-tester ${ARGS}
--- a/test/requirements/Dockerfile-nginx-proxy-tester
+++ b/test/requirements/Dockerfile-nginx-proxy-tester
@ -0,0 +1,10 @@
+FROM python:2.7-alpine
+
+# Note: we're using alpine because it has openssl 1.0.2, which we need for testing
+RUN apk add --update bash openssl curl && rm -rf /var/cache/apk/*
+
+COPY python-requirements.txt /requirements.txt
+RUN pip install -r /requirements.txt
+
+WORKDIR /test
+ENTRYPOINT ["pytest"]
--- a/test/requirements/README.md
+++ b/test/requirements/README.md
@ -0,0 +1,52 @@
+This directory contains resources to build Docker images tests depend on
+
+# Build images
+
+    ./build.sh   
+
+
+# python-requirements.txt
+
+If you want to run the test suite from your computer, you need python and a few python modules.
+The _python-requirements.txt_ file describes the python modules required. To install them, use
+pip:
+
+    pip install -r python-requirements.txt
+
+If you don't want to run the test from your computer, you can run the tests from a docker container, see the _pytest.sh_ script.
+
+
+# Images
+
+## web
+
+This container will run one or many webservers, each of them listening on a single port.
+
+Ports are specified using the `WEB_PORTS` environment variable:
+
+    docker run -d -e WEB_PORTS=80 web  # will create a container running one webserver listening on port 80
+    docker run -d -e WEB_PORTS="80 81" web  # will create a container running two webservers, one listening on port 80 and a second one listening on port 81
+
+The webserver answers on two paths:
+
+- `/headers`
+- `/port`
+
+```
+$ docker run -d -e WEB_PORTS=80 -p 80:80 web
+$ curl http://127.0.0.1:80/headers
+Host: 127.0.0.1
+User-Agent: curl/7.47.0
+Accept: */*
+
+$ curl http://127.0.0.1:80/port
+answer from port 80
+
+```
+
+
+## nginx-proxy-tester
+
+This is an optional requirement which is usefull if you cannot (or don't want to) install pytest and its requirements on your computer. In this case, you can use the `nginx-proxy-tester` docker image to run the test suite from a Docker container.
+
+To use this image, it is mandatory to run the container using the `pytest.sh` shell script. The script will build the image and run a container from it with the appropriate volumes and settings.
--- a/test/requirements/build.sh
+++ b/test/requirements/build.sh
@ -0,0 +1,6 @@
+#!/bin/bash
+set -e
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+docker build -t web $DIR/web
--- a/test/requirements/python-requirements.txt
+++ b/test/requirements/python-requirements.txt
@ -0,0 +1,5 @@
+backoff==1.3.2
+docker-compose==1.11.2
+docker==2.1.0
+pytest==3.0.5
+requests==2.11.1
--- a/test/requirements/web/Dockerfile
+++ b/test/requirements/web/Dockerfile
@ -0,0 +1,8 @@
+# Docker Image running one (or multiple) webservers listening on all given ports from WEB_PORTS environment variable
+
+FROM python:3
+COPY ./webserver.py /
+COPY ./entrypoint.sh /
+WORKDIR /opt
+ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
+
--- a/test/requirements/web/entrypoint.sh
+++ b/test/requirements/web/entrypoint.sh
@ -0,0 +1,15 @@
+#!/bin/bash
+set -u
+
+trap '[ ${#PIDS[@]} -gt 0 ] && kill -TERM ${PIDS[@]}' TERM
+declare -a PIDS
+
+for port in $WEB_PORTS; do
+	echo starting a web server listening on port $port;
+	/webserver.py $port &
+	PIDS+=($!)
+done
+
+wait ${PIDS[@]}
+trap - TERM
+wait ${PIDS[@]}
--- a/test/requirements/web/webserver.py
+++ b/test/requirements/web/webserver.py
@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+
+import os, sys, re
+import http.server
+import socketserver
+
+class Handler(http.server.SimpleHTTPRequestHandler):
+    def do_GET(self):
+
+        response_body = ""
+        response_code = 200
+
+        if self.path == "/headers":
+            response_body += self.headers.as_string()
+        elif self.path == "/port":
+            response_body += "answer from port %s\n" % PORT
+        elif re.match("/status/(\d+)", self.path):
+            result = re.match("/status/(\d+)", self.path)
+            response_code = int(result.group(1))
+            response_body += "answer with response code %s\n" % response_code
+        elif self.path == "/":
+            response_body += "I'm %s\n" % os.environ['HOSTNAME']
+        else:
+            response_body += "No route for this path!\n"
+            response_code = 404
+
+        self.send_response(response_code)
+        self.send_header("Content-Type", "text/plain")
+        self.end_headers()
+
+        if (len(response_body)):
+            self.wfile.write(response_body.encode())
+
+if __name__ == '__main__':
+    PORT = int(sys.argv[1])
+    socketserver.TCPServer.allow_reuse_address = True
+    httpd = socketserver.TCPServer(('0.0.0.0', PORT), Handler)
+    httpd.serve_forever()
--- a/test/ssl.bats
+++ b/test/ssl.bats
@ -1,117 +0,0 @@
-#!/usr/bin/env bats
-load test_helpers
-SUT_CONTAINER=bats-nginx-proxy-${TEST_FILE}
-
-function setup {
-	# make sure to stop any web container before each test so we don't
-	# have any unexpected contaiener running with VIRTUAL_HOST or VIRUTAL_PORT set
-	stop_bats_containers web
-}
-
-
-@test "[$TEST_FILE] start a nginx-proxy container" {
-	run nginxproxy $SUT_CONTAINER -v /var/run/docker.sock:/tmp/docker.sock:ro -v ${DIR}/lib/ssl:/etc/nginx/certs:ro
-	assert_success
-	docker_wait_for_log $SUT_CONTAINER 9 "Watching docker events"
-}
-
-@test "[$TEST_FILE] test SSL for VIRTUAL_HOST=*.nginx-proxy.bats" {
-	# WHEN
-	prepare_web_container bats-ssl-hosts-1 "80 443" \
-		-e VIRTUAL_HOST=*.nginx-proxy.bats \
-		-e CERT_NAME=nginx-proxy.bats
-	dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-1
-	sleep 1
-
-	# THEN
-	assert_301 test.nginx-proxy.bats
-	assert_200_https test.nginx-proxy.bats
-}
-
-@test "[$TEST_FILE] test HTTPS_METHOD=nohttp" {
-	# WHEN
-	prepare_web_container bats-ssl-hosts-2 "80 443" \
-		-e VIRTUAL_HOST=*.nginx-proxy.bats \
-		-e CERT_NAME=nginx-proxy.bats \
-		-e HTTPS_METHOD=nohttp
-	dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-2
-	sleep 1
-
-	# THEN
-	assert_503 test.nginx-proxy.bats
-	assert_200_https test.nginx-proxy.bats
-}
-
-@test "[$TEST_FILE] test HTTPS_METHOD=noredirect" {
-	# WHEN
-	prepare_web_container bats-ssl-hosts-3 "80 443" \
-		-e VIRTUAL_HOST=*.nginx-proxy.bats \
-		-e CERT_NAME=nginx-proxy.bats \
-		-e HTTPS_METHOD=noredirect
-	dockergen_wait_for_event $SUT_CONTAINER start bats-ssl-hosts-3
-	sleep 1
-
-	# THEN
-	assert_200 test.nginx-proxy.bats
-	assert_200_https test.nginx-proxy.bats
-}
-
-
-@test "[$TEST_FILE] stop all bats containers" {
-	stop_bats_containers
-}
-
-
-# assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response
-# $1 Host HTTP header to use when querying nginx-proxy
-function assert_200 {
-	local -r host=$1
-
-	run curl_container $SUT_CONTAINER / --head --header "Host: $host"
-	assert_output -l 0 $'HTTP/1.1 200 OK\r'
-}
-
-# assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response
-# $1 Host HTTP header to use when querying nginx-proxy
-function assert_503 {
-	local -r host=$1
-
-	run curl_container $SUT_CONTAINER / --head --header "Host: $host"
-	assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r'
-}
-
-# assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response
-# $1 Host HTTP header to use when querying nginx-proxy
-function assert_301 {
-	local -r host=$1
-
-	run curl_container $SUT_CONTAINER / --head --header "Host: $host"
-	assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r'
-}
-
-# assert that querying nginx-proxy with the given Host header produces a `HTTP 200` response
-# $1 Host HTTP header to use when querying nginx-proxy
-function assert_200_https {
-	local -r host=$1
-
-	run curl_container_https $SUT_CONTAINER / --head --header "Host: $host"
-	assert_output -l 0 $'HTTP/1.1 200 OK\r'
-}
-
-# assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response
-# $1 Host HTTP header to use when querying nginx-proxy
-function assert_503_https {
-	local -r host=$1
-
-	run curl_container_https $SUT_CONTAINER / --head --header "Host: $host"
-	assert_output -l 0 $'HTTP/1.1 503 Service Temporarily Unavailable\r'
-}
-
-# assert that querying nginx-proxy with the given Host header produces a `HTTP 503` response
-# $1 Host HTTP header to use when querying nginx-proxy
-function assert_301_https {
-	local -r host=$1
-
-	run curl_container_https $SUT_CONTAINER / --head --header "Host: $host"
-	assert_output -l 0 $'HTTP/1.1 301 Moved Permanently\r'
-}
--- a/test/stress_tests/README.md
+++ b/test/stress_tests/README.md
@ -0,0 +1 @@
+This directory contains tests that showcase scenarios known to break the expected behavior of nginx-proxy.
--- a/test/stress_tests/test_deleted_cert/README.md
+++ b/test/stress_tests/test_deleted_cert/README.md
@ -0,0 +1,5 @@
+Test the behavior of nginx-proxy when restarted after deleting a certificate file is was using.
+
+1. nginx-proxy is created with a virtual host having a certificate
+1. while nginx-proxy is running, the certificate file is deleted
+1. nginx-proxy is then restarted (without removing the container)
--- a/test/stress_tests/test_deleted_cert/certs/web.nginx-proxy.crt
+++ b/test/stress_tests/test_deleted_cert/certs/web.nginx-proxy.crt
@ -0,0 +1,70 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4096 (0x1000)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld
+        Validity
+            Not Before: Feb 17 23:20:54 2017 GMT
+            Not After : Jul  5 23:20:54 2044 GMT
+        Subject: CN=web.nginx-proxy
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b6:27:63:a5:c6:e8:f4:7a:94:0e:cc:a2:62:76:
+                    6d:5d:33:6f:cf:19:fc:e7:e5:bb:0e:0e:d0:7c:4f:
+                    73:4c:48:2b:17:d1:4d:d5:9f:42:08:73:84:54:8c:
+                    86:d2:c5:da:59:01:3f:42:22:e0:36:f0:dc:ab:de:
+                    0a:bd:26:2b:22:13:87:a6:1f:23:ef:0e:99:27:8b:
+                    15:4a:1b:ef:93:c9:6b:91:de:a0:02:0c:62:bb:cc:
+                    56:37:e8:25:92:c3:1f:f1:69:d8:7c:a8:33:e0:89:
+                    ce:14:67:a0:39:77:88:91:e6:a3:07:97:90:22:88:
+                    d0:79:18:63:fb:6f:7e:ee:2b:42:7e:23:f5:e7:da:
+                    e9:ee:6a:fa:96:65:9f:e1:2b:15:49:c8:cd:2d:ce:
+                    86:4f:2c:2a:67:79:bf:41:30:14:cc:f6:0f:14:74:
+                    9e:b6:d3:d0:3b:f0:1b:b8:e8:19:2a:fd:d6:fd:dc:
+                    4b:4e:65:7d:9b:bf:37:7e:2d:35:22:2e:74:90:ce:
+                    41:35:3d:41:a0:99:db:97:1f:bf:3e:18:3c:48:fb:
+                    da:df:c6:4e:4e:b9:67:b8:10:d5:a5:13:03:c4:b7:
+                    65:e7:aa:f0:14:4b:d3:4d:ea:fe:8f:69:cf:50:21:
+                    63:27:cf:9e:4c:67:15:7b:3f:3b:da:cb:17:80:61:
+                    1e:25
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:web.nginx-proxy
+    Signature Algorithm: sha256WithRSAEncryption
+         09:31:be:db:4e:b0:b6:68:da:ae:5b:16:51:29:fc:9f:61:b6:
+         5a:2f:3c:35:ef:67:76:97:b0:34:4e:3b:b4:d6:88:19:4f:84:
+         2e:73:d3:c0:3a:4c:41:54:6c:bb:67:89:67:ad:25:55:d7:d4:
+         80:fe:a7:3f:3d:9e:f1:34:96:d8:da:5a:78:51:c0:63:f1:52:
+         29:35:55:f4:7d:70:1c:d3:96:62:7f:64:86:81:52:27:c4:c6:
+         10:13:c6:73:56:4d:32:d0:b3:c3:c8:2c:25:83:e4:2b:1d:d4:
+         74:30:e5:85:af:2d:b6:a5:6b:fe:5d:d3:3c:00:58:94:f4:6a:
+         f5:a6:1d:cf:f9:ed:d5:27:ed:13:24:b2:4f:2b:f3:b8:e4:af:
+         0c:1d:fe:e0:6a:01:5e:a2:44:ff:3e:96:fa:6c:39:a3:51:37:
+         f3:72:55:d8:2d:29:6e:de:95:b9:d8:e3:1e:65:a5:9c:0d:79:
+         2d:39:ab:c7:ac:16:b6:a5:71:4b:35:a4:6c:72:47:1b:72:9c:
+         67:58:c1:fc:f6:7f:a7:73:50:7b:d6:27:57:74:a1:31:38:a7:
+         31:e3:b9:d4:c9:45:33:ec:ed:16:cf:c5:bd:d0:03:b1:45:3f:
+         68:0d:91:5c:26:4e:37:05:74:ed:3e:75:5e:ca:5e:ee:e2:51:
+         4b:da:08:99
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAdugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp
+bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs
+ZDAeFw0xNzAyMTcyMzIwNTRaFw00NDA3MDUyMzIwNTRaMBoxGDAWBgNVBAMMD3dl
+Yi5uZ2lueC1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALYn
+Y6XG6PR6lA7MomJ2bV0zb88Z/Ofluw4O0HxPc0xIKxfRTdWfQghzhFSMhtLF2lkB
+P0Ii4Dbw3KveCr0mKyITh6YfI+8OmSeLFUob75PJa5HeoAIMYrvMVjfoJZLDH/Fp
+2HyoM+CJzhRnoDl3iJHmoweXkCKI0HkYY/tvfu4rQn4j9efa6e5q+pZln+ErFUnI
+zS3Ohk8sKmd5v0EwFMz2DxR0nrbT0DvwG7joGSr91v3cS05lfZu/N34tNSIudJDO
+QTU9QaCZ25cfvz4YPEj72t/GTk65Z7gQ1aUTA8S3Zeeq8BRL003q/o9pz1AhYyfP
+nkxnFXs/O9rLF4BhHiUCAwEAAaMeMBwwGgYDVR0RBBMwEYIPd2ViLm5naW54LXBy
+b3h5MA0GCSqGSIb3DQEBCwUAA4IBAQAJMb7bTrC2aNquWxZRKfyfYbZaLzw172d2
+l7A0Tju01ogZT4Quc9PAOkxBVGy7Z4lnrSVV19SA/qc/PZ7xNJbY2lp4UcBj8VIp
+NVX0fXAc05Zif2SGgVInxMYQE8ZzVk0y0LPDyCwlg+QrHdR0MOWFry22pWv+XdM8
+AFiU9Gr1ph3P+e3VJ+0TJLJPK/O45K8MHf7gagFeokT/Ppb6bDmjUTfzclXYLSlu
+3pW52OMeZaWcDXktOavHrBa2pXFLNaRsckcbcpxnWMH89n+nc1B71idXdKExOKcx
+47nUyUUz7O0Wz8W90AOxRT9oDZFcJk43BXTtPnVeyl7u4lFL2giZ
+-----END CERTIFICATE-----
--- a/test/stress_tests/test_deleted_cert/certs/web.nginx-proxy.key
+++ b/test/stress_tests/test_deleted_cert/certs/web.nginx-proxy.key
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAtidjpcbo9HqUDsyiYnZtXTNvzxn85+W7Dg7QfE9zTEgrF9FN
+1Z9CCHOEVIyG0sXaWQE/QiLgNvDcq94KvSYrIhOHph8j7w6ZJ4sVShvvk8lrkd6g
+Agxiu8xWN+glksMf8WnYfKgz4InOFGegOXeIkeajB5eQIojQeRhj+29+7itCfiP1
+59rp7mr6lmWf4SsVScjNLc6GTywqZ3m/QTAUzPYPFHSettPQO/AbuOgZKv3W/dxL
+TmV9m783fi01Ii50kM5BNT1BoJnblx+/Phg8SPva38ZOTrlnuBDVpRMDxLdl56rw
+FEvTTer+j2nPUCFjJ8+eTGcVez872ssXgGEeJQIDAQABAoIBAGQCMFW+ZfyEqHGP
+rMA+oUEAkqy0agSwPwky3QjDXlxNa0uCYSeebtTRB6CcHxHuCzm+04puN4gyqhW6
+rU64fAoTivCMPGBuNWxekmvD9r+/YM4P2u4E+th9EgFT9f0kII+dO30FpKXtQzY0
+xuWGWXcxl+T9M+eiEkPKPmq4BoqgTDo5ty7qDv0ZqksGotKFmdYbtSvgBAueJdwu
+VWJvenI9F42ExBRKOW1aldiRiaYBCLiCVPKJtOg9iuOP9RHUL1SE8xy5I5mm78g3
+a13ji3BNq3yS+VhGjQ7zDy1V1jGupLoJw4I7OThu8hy+B8Vt8EN/iqakufOkjlTN
+xTJ33CkCgYEA5Iymg0NTjWk6aEkFa9pERjfUWqdVp9sWSpFFZZgi55n7LOx6ohi3
+vuLim3is/gYfK2kU/kHGZZLPnT0Rdx0MbOB4XK0CAUlqtUd0IyO4jMZ06g4/kn3N
+e2jLdCCIBoEQuLk4ELxj2mHsLQhEvDrg7nzU2WpTHHhvJbIbDWOAxhsCgYEAzAgv
+rKpanF+QDf4yeKHxAj2rrwRksTw4Pe7ZK/bog/i+HIVDA70vMapqftHbual/IRrB
+JL7hxskoJ/h9c1w4xkWDjqkSKz8/Ihr4dyPfWyGINWbx/rarT/m5MU5SarScoK7o
+Xgb25x+W+61rtI+2JhVRGO86+JiAeT4LkAX88L8CgYAwHHug/jdEeXZWJakCfzwI
+HBCT1M3vO+uBXvtg25ndb0i0uENIhDOJ93EEkW65Osis9r34mBgPocwaqZRXosHO
+2aH8wF6/rpjL+HK2QvrCh7Rs4Pr494qeA/1wQLjhxaGjgToQK9hJTHvPLwJpLWvU
+SGr2Ka+9Oo0LPmb7dorRKQKBgQCLsNcjOodLJMp2KiHYIdfmlt6itzlRd09yZ8Nc
+rHHJWVagJEUbnD1hnbHIHlp3pSqbObwfMmlWNoc9xo3tm6hrZ1CJLgx4e5b3/Ms8
+ltznge/F0DPDFsH3wZwfu+YFlJ7gDKCfL9l/qEsxCS0CtJobPOEHV1NivNbJK8ey
+1ca19QKBgDTdMOUsobAmDEkPQIpxfK1iqYAB7hpRLi79OOhLp23NKeyRNu8FH9fo
+G3DZ4xUi6hP2bwiYugMXDyLKfvxbsXwQC84kGF8j+bGazKNhHqEC1OpYwmaTB3kg
+qL9cHbjWySeRdIsRY/eWmiKjUwmiO54eAe1HWUdcsuz8yM3xf636
+-----END RSA PRIVATE KEY-----
--- a/test/stress_tests/test_deleted_cert/docker-compose.yml
+++ b/test/stress_tests/test_deleted_cert/docker-compose.yml
@ -0,0 +1,17 @@
+web:
+  image: web
+  expose:
+  - "81"
+  environment:
+    WEB_PORTS: 81
+    VIRTUAL_HOST: web.nginx-proxy
+
+
+reverseproxy:
+  image: jwilder/nginx-proxy:test
+  container_name: reverseproxy
+  environment:
+    DEBUG: "true"
+  volumes:
+  - /var/run/docker.sock:/tmp/docker.sock:ro
+  - ./tmp_certs:/etc/nginx/certs:ro
--- a/test/stress_tests/test_deleted_cert/test_restart_while_missing_cert.py
+++ b/test/stress_tests/test_deleted_cert/test_restart_while_missing_cert.py
@ -0,0 +1,73 @@
+import logging
+import os
+from os.path import join, isfile
+from shutil import copy
+from time import sleep
+
+import pytest
+from requests import ConnectionError
+
+script_dir = os.path.dirname(__file__)
+
+pytestmark = pytest.mark.xfail()  # TODO delete this marker once those issues are fixed
+
+
+@pytest.yield_fixture(scope="module", autouse=True)
+def certs():
+    """
+    pytest fixture that provides cert and key files into the tmp_certs directory
+    """
+    file_names = ("web.nginx-proxy.crt", "web.nginx-proxy.key")
+    logging.info("copying server cert and key files into tmp_certs")
+    for f_name in file_names:
+        copy(join(script_dir, "certs", f_name), join(script_dir, "tmp_certs"))
+    yield
+    logging.info("cleaning up the tmp_cert directory")
+    for f_name in file_names:
+        if isfile(join(script_dir, "tmp_certs", f_name)):
+            os.remove(join(script_dir, "tmp_certs", f_name))
+
+###############################################################################
+
+
+def test_unknown_virtual_host_is_503(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://foo.nginx-proxy/")
+    assert r.status_code == 503
+
+
+def test_http_web_is_301(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy/port", allow_redirects=False)
+    assert r.status_code == 301
+
+
+def test_https_web_is_200(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy/port")
+    assert r.status_code == 200
+    assert 'answer from port 81\n' in r.text
+
+
+@pytest.mark.incremental
+def test_delete_cert_and_restart_reverseproxy(docker_compose):
+    os.remove(join(script_dir, "tmp_certs", "web.nginx-proxy.crt"))
+    docker_compose.containers.get("reverseproxy").restart()
+    sleep(3)  # give time for the container to initialize
+    assert "running" == docker_compose.containers.get("reverseproxy").status
+
+
+@pytest.mark.incremental
+def test_unknown_virtual_host_is_still_503(nginxproxy):
+    r = nginxproxy.get("http://foo.nginx-proxy/")
+    assert r.status_code == 503
+
+
+@pytest.mark.incremental
+def test_http_web_is_now_200(nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy/port", allow_redirects=False)
+    assert r.status_code == 200
+    assert "answer from port 81\n" == r.text
+
+
+@pytest.mark.incremental
+def test_https_web_is_now_broken_since_there_is_no_cert(nginxproxy):
+    with pytest.raises(ConnectionError):
+        nginxproxy.get("https://web.nginx-proxy/port")
--- a/test/stress_tests/test_deleted_cert/tmp_certs/.gitignore
+++ b/test/stress_tests/test_deleted_cert/tmp_certs/.gitignore
@ -0,0 +1,2 @@
+*
+!.gitignore
--- a/test/stress_tests/test_unreachable_network/README.md
+++ b/test/stress_tests/test_unreachable_network/README.md
@ -0,0 +1,59 @@
+# nginx-proxy template is not considered when a container is not reachable
+
+Having a container with the `VIRTUAL_HOST` environment variable set but on a network not reachable from the nginx-proxy container will result in nginx-proxy serving the default nginx welcome page for all requests.
+
+Furthermore, if the nginx-proxy in such state is restarted, the nginx process will crash and the container stops.
+
+In the generated nginx config file, we can notice the presence of an empty `upstream {}` block.
+
+This can be fixed by merging [PR-585](https://github.com/jwilder/nginx-proxy/pull/585).
+
+## How to reproduce
+
+1. a first web container is created on network `netA`
+1. a second web container is created on network `netB`
+1. nginx-proxy is created with access to `netA` only
+
+
+## Erratic behavior
+
+- nginx serves the default welcome page for all requests to `/` and error 404 for any other path
+- nginx-container crash on restart
+
+Log shows:
+
+```
+webB_1          | starting a web server listening on port 82
+webA_1          | starting a web server listening on port 81
+reverseproxy    | forego     | starting dockergen.1 on port 5000
+reverseproxy    | forego     | starting nginx.1 on port 5100
+reverseproxy    | dockergen.1 | 2017/02/20 01:10:24 Generated '/etc/nginx/conf.d/default.conf' from 3 containers
+reverseproxy    | dockergen.1 | 2017/02/20 01:10:24 Running 'nginx -s reload'
+reverseproxy    | dockergen.1 | 2017/02/20 01:10:24 Error running notify command: nginx -s reload, exit status 1
+reverseproxy    | dockergen.1 | 2017/02/20 01:10:24 Watching docker events
+reverseproxy    | dockergen.1 | 2017/02/20 01:10:24 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
+reverseproxy    | reverseproxy    | forego     | starting dockergen.1 on port 5000  <---- nginx-proxy container restarted
+reverseproxy    | forego     | starting nginx.1 on port 5100
+reverseproxy    | dockergen.1 | 2017/02/20 01:10:24 Generated '/etc/nginx/conf.d/default.conf' from 3 containers
+reverseproxy    | dockergen.1 | 2017/02/20 01:10:24 Running 'nginx -s reload'
+reverseproxy    | dockergen.1 | 2017/02/20 01:10:24 Error running notify command: nginx -s reload, exit status 1
+reverseproxy    | dockergen.1 | 2017/02/20 01:10:24 Watching docker events
+reverseproxy    | dockergen.1 | 2017/02/20 01:10:24 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
+reverseproxy    | forego     | starting dockergen.1 on port 5000
+reverseproxy    | forego     | starting nginx.1 on port 5100
+reverseproxy    | nginx.1    | 2017/02/20 01:11:02 [emerg] 17#17: no servers are inside upstream in /etc/nginx/conf.d/default.conf:64
+reverseproxy    | forego     | starting nginx.1 on port 5200
+reverseproxy    | forego     | sending SIGTERM to nginx.1
+reverseproxy    | forego     | sending SIGTERM to dockergen.1
+reverseproxy exited with code 0
+reverseproxy exited with code 0
+
+```
+
+## Expected behavior
+
+- no default nginx welcome page should be served
+- nginx is able to forward requests to containers of `netA`
+- nginx respond with error 503 for unknown virtual hosts
+- nginx is not able to forward requests to containers of `netB` and responds with an error
+- nginx should survive restarts
--- a/test/stress_tests/test_unreachable_network/docker-compose.yml
+++ b/test/stress_tests/test_unreachable_network/docker-compose.yml
@ -0,0 +1,35 @@
+version: "2"
+
+networks:
+  netA:
+  netB:
+
+services:
+  reverseproxy:
+    container_name: reverseproxy
+    networks:
+      - netA
+    image: jwilder/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+
+  webA:
+    networks:
+      - netA
+    image: web
+    expose:
+      - 81
+    environment:
+      WEB_PORTS: 81
+      VIRTUAL_HOST: webA.nginx-proxy
+
+  webB:
+    networks:
+      - netB
+    image: web
+    expose:
+      - 82
+    environment:
+      WEB_PORTS: 82
+      VIRTUAL_HOST: webB.nginx-proxy
+
--- a/test/stress_tests/test_unreachable_network/test_unreachable_net.py
+++ b/test/stress_tests/test_unreachable_network/test_unreachable_net.py
@ -0,0 +1,35 @@
+from time import sleep
+
+import pytest
+import requests
+
+pytestmark = pytest.mark.xfail()  # TODO delete this marker once #585 is merged
+
+
+def test_default_nginx_welcome_page_should_not_be_served(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://whatever.nginx-proxy/", allow_redirects=False)
+    assert "<title>Welcome to nginx!</title>" not in r.text
+
+
+def test_unknown_virtual_host_is_503(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://unknown.nginx-proxy/", allow_redirects=False)
+    assert r.status_code == 503
+
+
+def test_http_web_a_is_forwarded(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://webA.nginx-proxy/port", allow_redirects=False)
+    assert r.status_code == 200
+    assert "answer from port 81\n" == r.text
+
+
+def test_http_web_b_gets_an_error(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://webB.nginx-proxy/", allow_redirects=False)
+    assert "<title>Welcome to nginx!</title>" not in r.text
+    with pytest.raises(requests.exceptions.HTTPError):
+        r.raise_for_status()
+
+
+def test_reverseproxy_survive_restart(docker_compose):
+    docker_compose.containers.get("reverseproxy").restart()
+    sleep(2)  # give time for the container to initialize
+    assert docker_compose.containers.get("reverseproxy").status == "running"
--- a/test/test_DOCKER_HOST_unix_socket.py
+++ b/test/test_DOCKER_HOST_unix_socket.py
@ -0,0 +1,15 @@
+import pytest
+
+def test_unknown_virtual_host(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/port")
+    assert r.status_code == 503
+
+def test_forwards_to_web1(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy.tld/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
+
+def test_forwards_to_web2(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web2.nginx-proxy.tld/port")
+    assert r.status_code == 200
+    assert r.text == "answer from port 82\n" 
--- a/test/test_DOCKER_HOST_unix_socket.yml
+++ b/test/test_DOCKER_HOST_unix_socket.yml
@ -0,0 +1,24 @@
+web1:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: 81
+    VIRTUAL_HOST: web1.nginx-proxy.tld
+
+web2:
+  image: web
+  expose:
+    - "82"
+  environment:
+    WEB_PORTS: 82
+    VIRTUAL_HOST: web2.nginx-proxy.tld
+
+
+sut:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/f00.sock:ro
+    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+  environment:
+    DOCKER_HOST: unix:///f00.sock
--- a/test/test_composev2.py
+++ b/test/test_composev2.py
@ -0,0 +1,10 @@
+import pytest
+
+def test_unknown_virtual_host(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/")
+    assert r.status_code == 503
+
+def test_forwards_to_whoami(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
--- a/test/test_composev2.yml
+++ b/test/test_composev2.yml
@ -0,0 +1,15 @@
+version: '2'
+services:
+  nginx-proxy:
+    image: jwilder/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+
+  web:
+    image: web
+    expose:
+      - "81"
+    environment:
+      WEB_PORTS: 81
+      VIRTUAL_HOST: web.nginx-proxy.local
--- a/test/test_custom/my_custom_proxy_settings.conf
+++ b/test/test_custom/my_custom_proxy_settings.conf
@ -0,0 +1 @@
+add_header  X-test  f00;
--- a/test/test_custom/my_custom_proxy_settings_bar.conf
+++ b/test/test_custom/my_custom_proxy_settings_bar.conf
@ -0,0 +1 @@
+add_header  X-test  bar;
--- a/test/test_custom/test_defaults-location.py
+++ b/test/test_custom/test_defaults-location.py
@ -0,0 +1,28 @@
+import pytest
+
+def test_custom_default_conf_does_not_apply_to_unknown_vhost(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/")
+    assert r.status_code == 503
+    assert "X-test" not in r.headers
+
+def test_custom_default_conf_applies_to_web1(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
+    assert "X-test" in r.headers
+    assert "f00" == r.headers["X-test"]
+
+def test_custom_default_conf_applies_to_web2(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web2.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 82\n"
+    assert "X-test" in r.headers
+    assert "f00" == r.headers["X-test"]
+
+
+def test_custom_default_conf_is_overriden_for_web3(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web3.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 83\n"
+    assert "X-test" in r.headers
+    assert "bar" == r.headers["X-test"]
--- a/test/test_custom/test_defaults-location.yml
+++ b/test/test_custom/test_defaults-location.yml
@ -0,0 +1,31 @@
+nginx-proxy:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+    - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/default_location:ro
+    - ./my_custom_proxy_settings_bar.conf:/etc/nginx/vhost.d/web3.nginx-proxy.local_location:ro
+
+web1:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: 81
+    VIRTUAL_HOST: web1.nginx-proxy.local
+
+web2:
+  image: web
+  expose:
+    - "82"
+  environment:
+    WEB_PORTS: 82
+    VIRTUAL_HOST: web2.nginx-proxy.local
+
+web3:
+  image: web
+  expose:
+    - "83"
+  environment:
+    WEB_PORTS: 83
+    VIRTUAL_HOST: web3.nginx-proxy.local
--- a/test/test_custom/test_defaults.py
+++ b/test/test_custom/test_defaults.py
@ -0,0 +1,20 @@
+import pytest
+
+def test_custom_conf_does_not_apply_to_unknown_vhost(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/")
+    assert r.status_code == 503
+    assert "X-test" not in r.headers
+
+def test_custom_conf_applies_to_web1(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
+    assert "X-test" in r.headers
+    assert "f00" == r.headers["X-test"]
+
+def test_custom_conf_applies_to_web2(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web2.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 82\n"
+    assert "X-test" in r.headers
+    assert "f00" == r.headers["X-test"]
--- a/test/test_custom/test_defaults.yml
+++ b/test/test_custom/test_defaults.yml
@ -0,0 +1,24 @@
+version: '2'
+services:
+  nginx-proxy:
+    image: jwilder/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+      - ./my_custom_proxy_settings.conf:/etc/nginx/proxy.conf:ro
+
+  web1:
+    image: web
+    expose:
+      - "81"
+    environment:
+      WEB_PORTS: 81
+      VIRTUAL_HOST: web1.nginx-proxy.local
+
+  web2:
+    image: web
+    expose:
+      - "82"
+    environment:
+      WEB_PORTS: 82
+      VIRTUAL_HOST: web2.nginx-proxy.local
--- a/test/test_custom/test_location-per-vhost.py
+++ b/test/test_custom/test_location-per-vhost.py
@ -0,0 +1,22 @@
+import pytest
+
+def test_custom_conf_does_not_apply_to_unknown_vhost(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/")
+    assert r.status_code == 503
+    assert "X-test" not in r.headers
+
+def test_custom_conf_applies_to_web1(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
+    assert "X-test" in r.headers
+    assert "f00" == r.headers["X-test"]
+
+def test_custom_conf_does_not_apply_to_web2(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web2.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 82\n"
+    assert "X-test" not in r.headers
+
+def test_custom_block_is_present_in_nginx_generated_conf(docker_compose, nginxproxy):
+    assert "include /etc/nginx/vhost.d/web1.nginx-proxy.local_location;" in nginxproxy.get_conf()
--- a/test/test_custom/test_location-per-vhost.yml
+++ b/test/test_custom/test_location-per-vhost.yml
@ -0,0 +1,24 @@
+version: '2'
+services:
+  nginx-proxy:
+    image: jwilder/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+      - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/web1.nginx-proxy.local_location:ro
+
+  web1:
+    image: web
+    expose:
+      - "81"
+    environment:
+      WEB_PORTS: 81
+      VIRTUAL_HOST: web1.nginx-proxy.local
+
+  web2:
+    image: web
+    expose:
+      - "82"
+    environment:
+      WEB_PORTS: 82
+      VIRTUAL_HOST: web2.nginx-proxy.local
--- a/test/test_custom/test_per-vhost.py
+++ b/test/test_custom/test_per-vhost.py
@ -0,0 +1,19 @@
+import pytest
+
+def test_custom_conf_does_not_apply_to_unknown_vhost(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/")
+    assert r.status_code == 503
+    assert "X-test" not in r.headers
+
+def test_custom_conf_applies_to_web1(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
+    assert "X-test" in r.headers
+    assert "f00" == r.headers["X-test"]
+
+def test_custom_conf_does_not_apply_to_web2(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web2.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 82\n"
+    assert "X-test" not in r.headers
--- a/test/test_custom/test_per-vhost.yml
+++ b/test/test_custom/test_per-vhost.yml
@ -0,0 +1,24 @@
+version: '2'
+services:
+  nginx-proxy:
+    image: jwilder/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+      - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/web1.nginx-proxy.local:ro
+
+  web1:
+    image: web
+    expose:
+      - "81"
+    environment:
+      WEB_PORTS: 81
+      VIRTUAL_HOST: web1.nginx-proxy.local
+
+  web2:
+    image: web
+    expose:
+      - "82"
+    environment:
+      WEB_PORTS: 82
+      VIRTUAL_HOST: web2.nginx-proxy.local
--- a/test/test_custom/test_proxy-wide.py
+++ b/test/test_custom/test_proxy-wide.py
@ -0,0 +1,20 @@
+import pytest
+
+def test_custom_conf_does_not_apply_to_unknown_vhost(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/")
+    assert r.status_code == 503
+    assert "X-test" not in r.headers
+
+def test_custom_conf_applies_to_web1(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
+    assert "X-test" in r.headers
+    assert "f00" == r.headers["X-test"]
+
+def test_custom_conf_applies_to_web2(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web2.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 82\n"
+    assert "X-test" in r.headers
+    assert "f00" == r.headers["X-test"]
--- a/test/test_custom/test_proxy-wide.yml
+++ b/test/test_custom/test_proxy-wide.yml
@ -0,0 +1,24 @@
+version: '2'
+services:
+  nginx-proxy:
+    image: jwilder/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+      - ./my_custom_proxy_settings.conf:/etc/nginx/conf.d/my_custom_proxy_settings.conf:ro
+
+  web1:
+    image: web
+    expose:
+      - "81"
+    environment:
+      WEB_PORTS: 81
+      VIRTUAL_HOST: web1.nginx-proxy.local
+
+  web2:
+    image: web
+    expose:
+      - "82"
+    environment:
+      WEB_PORTS: 82
+      VIRTUAL_HOST: web2.nginx-proxy.local
--- a/test/test_default-host.py
+++ b/test/test_default-host.py
@ -0,0 +1,7 @@
+import pytest
+
+
+def test_fallback_on_default(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://unknown.nginx-proxy.tld/port")
+    assert r.status_code == 200
+    assert r.text == "answer from port 81\n"
--- a/test/test_default-host.yml
+++ b/test/test_default-host.yml
@ -0,0 +1,18 @@
+# GIVEN a webserver with VIRTUAL_HOST set to web1.tld
+web1:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: 81
+    VIRTUAL_HOST: web1.tld
+
+
+# WHEN nginx-proxy runs with DEFAULT_HOST set to web1.tld
+sut:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+  environment:
+    DEFAULT_HOST: web1.tld
--- a/test/test_dockergen/.gitignore
+++ b/test/test_dockergen/.gitignore
@ -0,0 +1 @@
+nginx.tmpl
--- a/test/test_dockergen/test_dockergen_v2.py
+++ b/test/test_dockergen/test_dockergen_v2.py
@ -0,0 +1,38 @@
+import os
+import docker
+import logging
+import pytest
+
+
+@pytest.yield_fixture(scope="module")
+def nginx_tmpl():
+    """
+    pytest fixture which extracts the the nginx config template from
+    the jwilder/nginx-proxy:test image
+    """
+    script_dir = os.path.dirname(__file__)
+    logging.info("extracting nginx.tmpl from jwilder/nginx-proxy:test")
+    docker_client = docker.from_env()
+    print(docker_client.containers.run(
+        image='jwilder/nginx-proxy:test',
+        remove=True,
+        volumes=['{current_dir}:{current_dir}'.format(current_dir=script_dir)],
+        entrypoint='sh',
+        command='-xc "cp /app/nginx.tmpl {current_dir} && chmod 777 {current_dir}/nginx.tmpl"'.format(
+            current_dir=script_dir),
+        stderr=True))
+    yield
+    logging.info("removing nginx.tmpl")
+    os.remove(os.path.join(script_dir, "nginx.tmpl"))
+
+
+def test_unknown_virtual_host_is_503(nginx_tmpl, docker_compose, nginxproxy):
+    r = nginxproxy.get("http://unknown.nginx.container.docker/")
+    assert r.status_code == 503
+
+
+def test_forwards_to_whoami(nginx_tmpl, docker_compose, nginxproxy):
+    r = nginxproxy.get("http://whoami.nginx.container.docker/")
+    assert r.status_code == 200
+    whoami_container = docker_compose.containers.get("whoami")
+    assert r.text == "I'm %s\n" % whoami_container.id[:12]
--- a/test/test_dockergen/test_dockergen_v2.yml
+++ b/test/test_dockergen/test_dockergen_v2.yml
@ -0,0 +1,27 @@
+version: '2'
+
+services:
+  nginx:
+    image: nginx
+    container_name: nginx
+    volumes:
+      - /etc/nginx/conf.d
+      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+
+  dockergen:
+    image: jwilder/docker-gen
+    command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+    volumes_from:
+      - nginx
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl
+
+  web:
+    image: web
+    container_name: whoami
+    expose:
+      - "80"
+    environment:
+      WEB_PORTS: 80
+      VIRTUAL_HOST: whoami.nginx.container.docker
--- a/test/test_dockergen/test_dockergen_v3.py
+++ b/test/test_dockergen/test_dockergen_v3.py
@ -0,0 +1,66 @@
+import os
+import docker
+import logging
+import pytest
+import re
+
+def versiontuple(v):
+    """
+    >>> versiontuple("1.12.3")
+    (1, 12, 3)
+
+    >>> versiontuple("1.13.0")
+    (1, 13, 0)
+
+    >>> versiontuple("17.03.0-ce")
+    (17, 3, 0)
+
+    >>> versiontuple("17.03.0-ce") < (1, 13)
+    False
+    """
+    return tuple(map(int, (v.split('-')[0].split("."))))
+
+
+raw_version = docker.from_env().version()['Version']
+pytestmark = pytest.mark.skipif(
+    versiontuple(raw_version) < (1, 13),
+    reason="Docker compose syntax v3 requires docker engine v1.13 or later (got %s)" % raw_version)
+
+
+@pytest.yield_fixture(scope="module")
+def nginx_tmpl():
+    """
+    pytest fixture which extracts the the nginx config template from
+    the jwilder/nginx-proxy:test image
+    """
+    script_dir = os.path.dirname(__file__)
+    logging.info("extracting nginx.tmpl from jwilder/nginx-proxy:test")
+    docker_client = docker.from_env()
+    print(docker_client.containers.run(
+        image='jwilder/nginx-proxy:test',
+        remove=True,
+        volumes=['{current_dir}:{current_dir}'.format(current_dir=script_dir)],
+        entrypoint='sh',
+        command='-xc "cp /app/nginx.tmpl {current_dir} && chmod 777 {current_dir}/nginx.tmpl"'.format(
+            current_dir=script_dir),
+        stderr=True))
+    yield
+    logging.info("removing nginx.tmpl")
+    os.remove(os.path.join(script_dir, "nginx.tmpl"))
+
+
+def test_unknown_virtual_host_is_503(nginx_tmpl, docker_compose, nginxproxy):
+    r = nginxproxy.get("http://unknown.nginx.container.docker/")
+    assert r.status_code == 503
+
+
+def test_forwards_to_whoami(nginx_tmpl, docker_compose, nginxproxy):
+    r = nginxproxy.get("http://whoami.nginx.container.docker/")
+    assert r.status_code == 200
+    whoami_container = docker_compose.containers.get("whoami")
+    assert r.text == "I'm %s\n" % whoami_container.id[:12]
+
+
+if __name__ == '__main__':
+    import doctest
+    doctest.testmod()
--- a/test/test_dockergen/test_dockergen_v3.yml
+++ b/test/test_dockergen/test_dockergen_v3.yml
@ -0,0 +1,28 @@
+version: '3'
+services:
+  nginx:
+    image: nginx
+    container_name: nginx
+    volumes:
+      - nginx_conf:/etc/nginx/conf.d
+      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+
+  dockergen:
+    image: jwilder/docker-gen
+    command: -notify-sighup nginx -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ./nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl
+      - nginx_conf:/etc/nginx/conf.d
+
+  web:
+    image: web
+    container_name: whoami
+    expose:
+      - "80"
+    environment:
+      WEB_PORTS: 80
+      VIRTUAL_HOST: whoami.nginx.container.docker
+
+volumes:
+  nginx_conf: {}
--- a/test/test_events.py
+++ b/test/test_events.py
@ -0,0 +1,46 @@
+"""
+Test that nginx-proxy detects new containers
+"""
+from time import sleep
+
+import pytest
+from docker.errors import NotFound
+
+
+@pytest.yield_fixture()
+def web1(docker_compose):
+    """
+    pytest fixture creating a web container with `VIRTUAL_HOST=web1.nginx-proxy` listening on port 81.
+    """
+    container = docker_compose.containers.run(
+        name="web1",
+        image="web",
+        detach=True,
+        environment={
+            "WEB_PORTS": "81",
+            "VIRTUAL_HOST": "web1.nginx-proxy"
+        },
+        ports={"81/tcp": None}
+    )
+    sleep(2)  # give it some time to initialize and for docker-gen to detect it
+    yield container
+    try:
+        docker_compose.containers.get("web1").remove(force=True)
+    except NotFound:
+        pass
+
+
+def test_nginx_proxy_behavior_when_alone(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/")
+    assert r.status_code == 503
+
+
+def test_new_container_is_detected(web1, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy/port")
+    assert r.status_code == 200
+    assert "answer from port 81\n" == r.text
+
+    web1.remove(force=True)
+    sleep(2)
+    r = nginxproxy.get("http://web1.nginx-proxy/port")
+    assert r.status_code == 503
--- a/test/test_events.yml
+++ b/test/test_events.yml
@ -0,0 +1,5 @@
+nginxproxy:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
--- a/test/test_headers/certs/web.nginx-proxy.tld.crt
+++ b/test/test_headers/certs/web.nginx-proxy.tld.crt
@ -0,0 +1,70 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4096 (0x1000)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld
+        Validity
+            Not Before: Jan 13 03:06:39 2017 GMT
+            Not After : May 31 03:06:39 2044 GMT
+        Subject: CN=web.nginx-proxy.tld
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:95:56:c7:0d:48:a5:2b:3c:65:49:3f:26:e1:38:
+                    2b:61:30:56:e4:92:d7:63:e0:eb:ad:ac:f9:33:9b:
+                    b2:31:f1:39:13:0b:e5:43:7b:c5:bd:8a:85:c8:d9:
+                    3d:d8:ac:71:ba:16:e7:81:96:b2:ab:ae:c6:c0:bd:
+                    be:a7:d1:96:8f:b2:9b:df:ba:f9:4d:a1:3b:7e:21:
+                    4a:cd:b6:45:f9:6d:79:50:bf:24:8f:c1:6b:c1:09:
+                    19:5b:62:cb:96:e8:04:14:20:e8:d4:16:62:6a:f2:
+                    37:c1:96:e2:9d:53:05:0b:52:1d:e7:68:92:db:8b:
+                    36:68:cd:8d:5b:02:ff:12:f0:ac:5d:0c:c4:e0:7a:
+                    55:a2:49:60:9f:ff:47:1f:52:73:55:4d:d4:f2:d1:
+                    62:a2:f4:50:9d:c9:f6:f1:43:b3:dc:57:e1:31:76:
+                    b4:e0:a4:69:7e:f2:6d:34:ae:b9:8d:74:26:7b:d9:
+                    f6:07:00:ef:4b:36:61:b3:ef:7a:a1:36:3a:b6:d0:
+                    9e:f8:b8:a9:0d:4c:30:a2:ed:eb:ab:6b:eb:2e:e2:
+                    0b:28:be:f7:04:b1:e9:e0:84:d6:5d:31:77:7c:dc:
+                    d2:1f:d4:1d:71:6f:6f:6c:6d:1b:bf:31:e2:5b:c3:
+                    52:d0:14:fc:8b:fb:45:ea:41:ec:ca:c7:3b:67:12:
+                    c4:df
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:web.nginx-proxy.tld
+    Signature Algorithm: sha256WithRSAEncryption
+         4e:48:7d:81:66:ba:2f:50:3d:24:42:61:3f:1f:de:cf:ec:1b:
+         1b:bd:0a:67:b6:62:c8:79:9d:31:a0:fd:a9:61:ce:ff:69:bf:
+         0e:f4:f7:e6:15:2b:b0:f0:e4:f2:f4:d2:8f:74:02:b1:1e:4a:
+         a8:6f:26:0a:77:32:29:cf:dc:b5:61:82:3e:58:47:61:92:f0:
+         0c:20:25:f8:41:4d:34:09:44:bc:39:9e:aa:82:06:83:13:8b:
+         1e:2c:3d:cf:cd:1a:f7:77:39:38:e0:a3:a7:f3:09:da:02:8d:
+         73:75:38:b4:dd:24:a7:f9:03:db:98:c6:88:54:87:dc:e0:65:
+         4c:95:c5:39:9c:00:30:dc:f0:d3:2c:19:ca:f1:f4:6c:c6:d9:
+         b5:c4:4a:c7:bc:a1:2e:88:7b:b5:33:d0:ff:fb:48:5e:3e:29:
+         fa:58:e5:03:de:d8:17:de:ed:96:fc:7e:1f:fe:98:f6:be:99:
+         38:87:51:c0:d3:b7:9a:0f:26:92:e5:53:1b:d6:25:4c:ac:48:
+         f3:29:fc:74:64:9d:07:6a:25:57:24:aa:a7:70:fa:8f:6c:a7:
+         2b:b7:9d:81:46:10:32:93:b9:45:6d:0f:16:18:b2:21:1f:f3:
+         30:24:62:3f:e1:6c:07:1d:71:28:cb:4c:bb:f5:39:05:f9:b2:
+         5b:a0:05:1b
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAeOgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp
+bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs
+ZDAeFw0xNzAxMTMwMzA2MzlaFw00NDA1MzEwMzA2MzlaMB4xHDAaBgNVBAMME3dl
+Yi5uZ2lueC1wcm94eS50bGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCVVscNSKUrPGVJPybhOCthMFbkktdj4OutrPkzm7Ix8TkTC+VDe8W9ioXI2T3Y
+rHG6FueBlrKrrsbAvb6n0ZaPspvfuvlNoTt+IUrNtkX5bXlQvySPwWvBCRlbYsuW
+6AQUIOjUFmJq8jfBluKdUwULUh3naJLbizZozY1bAv8S8KxdDMTgelWiSWCf/0cf
+UnNVTdTy0WKi9FCdyfbxQ7PcV+ExdrTgpGl+8m00rrmNdCZ72fYHAO9LNmGz73qh
+Njq20J74uKkNTDCi7eura+su4gsovvcEsenghNZdMXd83NIf1B1xb29sbRu/MeJb
+w1LQFPyL+0XqQezKxztnEsTfAgMBAAGjIjAgMB4GA1UdEQQXMBWCE3dlYi5uZ2lu
+eC1wcm94eS50bGQwDQYJKoZIhvcNAQELBQADggEBAE5IfYFmui9QPSRCYT8f3s/s
+Gxu9Cme2Ysh5nTGg/alhzv9pvw709+YVK7Dw5PL00o90ArEeSqhvJgp3MinP3LVh
+gj5YR2GS8AwgJfhBTTQJRLw5nqqCBoMTix4sPc/NGvd3OTjgo6fzCdoCjXN1OLTd
+JKf5A9uYxohUh9zgZUyVxTmcADDc8NMsGcrx9GzG2bXESse8oS6Ie7Uz0P/7SF4+
+KfpY5QPe2Bfe7Zb8fh/+mPa+mTiHUcDTt5oPJpLlUxvWJUysSPMp/HRknQdqJVck
+qqdw+o9spyu3nYFGEDKTuUVtDxYYsiEf8zAkYj/hbAcdcSjLTLv1OQX5slugBRs=
+-----END CERTIFICATE-----
--- a/test/test_headers/certs/web.nginx-proxy.tld.key
+++ b/test/test_headers/certs/web.nginx-proxy.tld.key
@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAlVbHDUilKzxlST8m4TgrYTBW5JLXY+Drraz5M5uyMfE5Ewvl
+Q3vFvYqFyNk92KxxuhbngZayq67GwL2+p9GWj7Kb37r5TaE7fiFKzbZF+W15UL8k
+j8FrwQkZW2LLlugEFCDo1BZiavI3wZbinVMFC1Id52iS24s2aM2NWwL/EvCsXQzE
+4HpVoklgn/9HH1JzVU3U8tFiovRQncn28UOz3FfhMXa04KRpfvJtNK65jXQme9n2
+BwDvSzZhs+96oTY6ttCe+LipDUwwou3rq2vrLuILKL73BLHp4ITWXTF3fNzSH9Qd
+cW9vbG0bvzHiW8NS0BT8i/tF6kHsysc7ZxLE3wIDAQABAoIBAEmK7IecKMq7+V0y
+3mC3GpXICmKR9cRX9XgX4LkLiZuSoXrBtuuevmhzGSMp6I0VjwQHV4a3wdFORs6Q
+Ip3eVvj5Ck4Jc9BJAFVC6+WWR6tnwACFwOmSZRAw/O3GH2B3bdrDwiT/yQPFuLN7
+LKoxQiCrFdLp6rh3PBosb9pMBXU7k/HUazIdgmSKg6/JIoo/4Gwyid04TF/4MI2l
+RscxtP5/ANtS8VgwBEqhgdafRJ4KnLEpgvswgIQvUKmduVhZQlzd0LMY8FbhKVqz
+Utg8gsXaTyH6df/nmgUIInxLMz/MKPnMkv99fS6Sp/hvYlGpLZFWBJ6unMq3lKEr
+LMbHfIECgYEAxB+5QWdVqG2r9loJlf8eeuNeMPml4P8Jmi5RKyJC7Cww6DMlMxOS
+78ZJfl4b3ZrWuyvhjOfX/aTq7kQaF1BI9o3KJBH8k6EtO4gI8KeNmDONyQk9zsrn
+ru8Zwr7hVbAo8fCXxCnmPzhDLsYg6f3BVOsQWoX2SFYKZ1GvkPfIReECgYEAwu6G
+qtgFb57Vim10ecfWGM6vrPxvyfqP+zlH/p4nR+aQ+2sFbt27D0B1byWBRZe4KQyw
+Vq6XiQ09Fk6MJr8E8iAr9GXPPHcqlYI6bbNc6YOP3jVSKut0tQdTUOHll4kYIY+h
+RS3VA3+BA//ADpWpywu+7RZRbaIECA+U2a224r8CgYB5PCMIixgoRaNHZeEHF+1/
+iY1wOOKRcxY8eOU0BLnZxHd3EiasrCzoi2pi80nGczDKAxYqRCcAZDHVl8OJJdf0
+kTGjmnrHx5pucmkUWn7s1vGOlGfgrQ0K1kLWX6hrj7m/1Tn7yOrLqbvd7hvqiTI5
+jBVP3/+eN5G2zIf61TC4AQKBgCX2Q92jojNhsF58AHHy+/vqzIWYx8CC/mVDe4TX
+kfjLqzJ7XhyAK/zFZdlWaX1/FYtRAEpxR+uV226rr1mgW7s3jrfS1/ADmRRyvyQ8
+CP0k9PCmW7EmF51lptEanRbMyRlIGnUZfuFmhF6eAO4WMXHsgKs1bHg4VCapuihG
+T1aLAoGACRGn1UxFuBGqtsh2zhhsBZE7GvXKJSk/eP7QJeEXUNpNjCpgm8kIZM5K
+GorpL7PSB8mwVlDl18TpMm3P7nz6YkJYte+HdjO7pg59H39Uvtg3tZnIrFxNxVNb
+YF62/yHfk2AyTgjQZQUSmDS84jq1zUK4oS90lxr+u8qwELTniMs=
+-----END RSA PRIVATE KEY-----
--- a/test/test_headers/test_http.py
+++ b/test/test_headers/test_http.py
@ -0,0 +1,81 @@
+import pytest
+
+def test_arbitrary_headers_are_passed_on(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers", headers={'Foo': 'Bar'})
+    assert r.status_code == 200
+    assert "Foo: Bar\n" in r.text
+
+
+##### Testing the handling of X-Forwarded-For #####
+
+def test_X_Forwarded_For_is_generated(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "X-Forwarded-For:" in r.text
+
+def test_X_Forwarded_For_is_passed_on(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers", headers={'X-Forwarded-For': '1.2.3.4'})
+    assert r.status_code == 200
+    assert "X-Forwarded-For: 1.2.3.4, " in r.text
+
+
+##### Testing the handling of X-Forwarded-Proto #####
+
+def test_X_Forwarded_Proto_is_generated(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "X-Forwarded-Proto: http" in r.text
+
+def test_X_Forwarded_Proto_is_passed_on(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers", headers={'X-Forwarded-Proto': 'f00'})
+    assert r.status_code == 200
+    assert "X-Forwarded-Proto: f00\n" in r.text
+
+
+##### Testing the handling of X-Forwarded-Port #####
+
+def test_X_Forwarded_Port_is_generated(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "X-Forwarded-Port: 80\n" in r.text
+
+def test_X_Forwarded_Port_is_passed_on(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers", headers={'X-Forwarded-Port': '1234'})
+    assert r.status_code == 200
+    assert "X-Forwarded-Port: 1234\n" in r.text
+
+
+##### Testing the handling of X-Forwarded-Ssl #####
+
+def test_X_Forwarded_Ssl_is_generated(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "X-Forwarded-Ssl: off\n" in r.text
+
+def test_X_Forwarded_Ssl_is_overwritten(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers", headers={'X-Forwarded-Ssl': 'f00'})
+    assert r.status_code == 200
+    assert "X-Forwarded-Ssl: off\n" in r.text
+
+
+##### Other headers
+
+def test_X_Real_IP_is_generated(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "X-Real-IP: " in r.text
+
+def test_Host_is_passed_on(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "Host: web.nginx-proxy.tld" in r.text
+
+def test_httpoxy_safe(docker_compose, nginxproxy):
+    """
+    See https://httpoxy.org/
+    nginx-proxy should suppress the `Proxy` header
+    """
+    r = nginxproxy.get("http://web.nginx-proxy.tld/headers", headers={'Proxy': 'tcp://some.hacker.com'})
+    assert r.status_code == 200
+    assert "Proxy:" not in r.text
+    
--- a/test/test_headers/test_http.yml
+++ b/test/test_headers/test_http.yml
@ -0,0 +1,14 @@
+web:
+  image: web
+  expose:
+    - "80"
+  environment:
+    WEB_PORTS: 80
+    VIRTUAL_HOST: web.nginx-proxy.tld
+
+
+sut:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
--- a/test/test_headers/test_https.py
+++ b/test/test_headers/test_https.py
@ -0,0 +1,82 @@
+import pytest
+
+
+def test_arbitrary_headers_are_passed_on(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers", headers={'Foo': 'Bar'})
+    assert r.status_code == 200
+    assert "Foo: Bar\n" in r.text
+
+
+##### Testing the handling of X-Forwarded-For #####
+
+def test_X_Forwarded_For_is_generated(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "X-Forwarded-For:" in r.text
+
+def test_X_Forwarded_For_is_passed_on(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers", headers={'X-Forwarded-For': '1.2.3.4'})
+    assert r.status_code == 200
+    assert "X-Forwarded-For: 1.2.3.4, " in r.text
+
+
+##### Testing the handling of X-Forwarded-Proto #####
+
+def test_X_Forwarded_Proto_is_generated(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "X-Forwarded-Proto: https" in r.text
+
+def test_X_Forwarded_Proto_is_passed_on(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers", headers={'X-Forwarded-Proto': 'f00'})
+    assert r.status_code == 200
+    assert "X-Forwarded-Proto: f00\n" in r.text
+
+
+##### Testing the handling of X-Forwarded-Port #####
+
+def test_X_Forwarded_Port_is_generated(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "X-Forwarded-Port: 443\n" in r.text
+
+def test_X_Forwarded_Port_is_passed_on(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers", headers={'X-Forwarded-Port': '1234'})
+    assert r.status_code == 200
+    assert "X-Forwarded-Port: 1234\n" in r.text
+
+
+##### Testing the handling of X-Forwarded-Ssl #####
+
+def test_X_Forwarded_Ssl_is_generated(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "X-Forwarded-Ssl: on\n" in r.text
+
+def test_X_Forwarded_Ssl_is_overwritten(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers", headers={'X-Forwarded-Ssl': 'f00'})
+    assert r.status_code == 200
+    assert "X-Forwarded-Ssl: on\n" in r.text
+
+
+##### Other headers
+
+def test_X_Real_IP_is_generated(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "X-Real-IP: " in r.text
+
+def test_Host_is_passed_on(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers")
+    assert r.status_code == 200
+    assert "Host: web.nginx-proxy.tld" in r.text
+
+def test_httpoxy_safe(docker_compose, nginxproxy):
+    """
+    See https://httpoxy.org/
+    nginx-proxy should suppress the `Proxy` header
+    """
+    r = nginxproxy.get("https://web.nginx-proxy.tld/headers", headers={'Proxy': 'tcp://some.hacker.com'})
+    assert r.status_code == 200
+    assert "Proxy:" not in r.text
+    
--- a/test/test_headers/test_https.yml
+++ b/test/test_headers/test_https.yml
@ -0,0 +1,16 @@
+web:
+  image: web
+  expose:
+    - "80"
+  environment:
+    WEB_PORTS: 80
+    VIRTUAL_HOST: web.nginx-proxy.tld
+
+
+sut:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ./certs/web.nginx-proxy.tld.crt:/etc/nginx/certs/web.nginx-proxy.tld.crt:ro
+    - ./certs/web.nginx-proxy.tld.key:/etc/nginx/certs/web.nginx-proxy.tld.key:ro
+    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
--- a/test/test_helpers.bash
+++ b/test/test_helpers.bash
@ -1,184 +0,0 @@
-# Test if requirements are met
-(
-	type docker &>/dev/null || ( echo "docker is not available"; exit 1 )
-)>&2
-
-
-# set a few global variables
-SUT_IMAGE=jwilder/nginx-proxy:bats
-TEST_FILE=$(basename $BATS_TEST_FILENAME .bats)
-
-
-# load the Bats stdlib (see https://github.com/sstephenson/bats/pull/110)
-DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
-export BATS_LIB="${DIR}/lib/bats"
-load "${BATS_LIB}/batslib.bash"
-
-
-# load additional bats helpers
-load ${DIR}/lib/helpers.bash
-load ${DIR}/lib/docker_helpers.bash
-
-
-# Define functions specific to our test suite
-
-# run the SUT docker container 
-# and makes sure it remains started
-# and displays the nginx-proxy start logs
-#
-# $1 container name
-# $@ other options for the `docker run` command
-function nginxproxy {
-	local -r container_name=$1
-	shift
-	docker_clean $container_name \
-	&& docker run -d \
-		--label bats-type="nginx-proxy" \
-		--name $container_name \
-		"$@" \
-		$SUT_IMAGE \
-	&& wait_for_nginxproxy_container_to_start $container_name \
-	&& docker logs $container_name
-}
-
-
-# wait until the nginx-proxy container is ready to operate
-#
-# $1 container name
-function wait_for_nginxproxy_container_to_start {
-	local -r container_name=$1
-	sleep .5s  # give time to eventually fail to initialize
-
-	function is_running {
-		run docker_running_state $container_name
-		assert_output "true"
-	}
-	retry 3 1 is_running
-}
-
-
-# Send a HTTP request to container $1 for path $2 and 
-# Additional curl options can be passed as $@
-#
-# $1 container name
-# $2 HTTP path to query
-# $@ additional options to pass to the curl command
-function curl_container {
-	local -r container=$1
-	local -r path=$2
-	shift 2
-	docker run --label bats-type="curl" appropriate/curl --silent \
-		--connect-timeout 5 \
-		--max-time 20 \
-		"$@" \
-		http://$(docker_ip $container)${path}
-}
-
-# Send a HTTPS request to container $1 for path $2 and 
-# Additional curl options can be passed as $@
-#
-# $1 container name
-# $2 HTTPS path to query
-# $@ additional options to pass to the curl command
-function curl_container_https {
-	local -r container=$1
-	local -r path=$2
-	shift 2
-	docker run --label bats-type="curl" appropriate/curl --silent \
-		--connect-timeout 5 \
-		--max-time 20 \
-		--insecure \
-		"$@" \
-		https://$(docker_ip $container)${path}
-}
-
-# start a container running (one or multiple) webservers listening on given ports
-#
-# $1 container name
-# $2 container port(s). If multiple ports, provide them as a string: "80 90" with a space as a separator
-# $@ `docker run` additional options
-function prepare_web_container {
-	local -r container_name=$1
-	local -r ports=$2
-	shift 2
-	local -r options="$@"
-
-	local expose_option=""
-	IFS=$' \t\n' # See https://github.com/sstephenson/bats/issues/89
-	for port in $ports; do
-		expose_option="${expose_option}--expose=$port "
-	done
-
-	(	# used for debugging purpose. Will be display if test fails
-		echo "container_name: $container_name"
-		echo "ports: $ports"
-		echo "options: $options"
-		echo "expose_option: $expose_option"
-	)>&2
-	
-	docker_clean $container_name
-
-	# GIVEN a container exposing 1 webserver on ports 1234
-	run docker run -d \
-		--label bats-type="web" \
-		--name $container_name \
-		$expose_option \
-		-w /var/www/ \
-		$options \
-		-e PYTHON_PORTS="$ports" \
-		python:3 bash -c "
-			trap '[ \${#PIDS[@]} -gt 0 ] && kill -TERM \${PIDS[@]}' TERM
-			declare -a PIDS
-			for port in \$PYTHON_PORTS; do
-				echo starting a web server listening on port \$port;
-				mkdir /var/www/\$port
-				cd /var/www/\$port
-				echo \"answer from port \$port\" > data
-				python -m http.server \$port &
-				PIDS+=(\$!)
-			done
-			wait \${PIDS[@]}
-			trap - TERM
-			wait \${PIDS[@]}
-		"
-	assert_success
-
-	# THEN querying directly port works
-	IFS=$' \t\n' # See https://github.com/sstephenson/bats/issues/89
-	for port in $ports; do
-		run retry 5 1s docker run --label bats-type="curl" appropriate/curl --silent --fail http://$(docker_ip $container_name):$port/data
-		assert_output "answer from port $port"
-	done
-}
-
-# stop all containers with the "bats-type" label (matching the optionally supplied value)
-#
-# $1 optional label value
-function stop_bats_containers {
-	local -r value=$1
-
-	if [ -z "$value" ]; then
-		CIDS=( $(docker ps -q --filter "label=bats-type") )
-	else
-		CIDS=( $(docker ps -q --filter "label=bats-type=$value") )
-	fi
-
-	if [ ${#CIDS[@]} -gt 0 ]; then
-		docker stop ${CIDS[@]} >&2
-	fi
-}
-
-# wait for a docker-gen container to receive a specified event from a
-# container with the specified ID/name
-#
-# $1 docker-gen container name
-# $2 event
-# $3 ID/name of container to receive event from
-function dockergen_wait_for_event {
-	local -r container=$1
-	local -r event=$2
-	local -r other=$3
-	local -r did=$(docker_id "$other")
-	docker_wait_for_log "$container" 9 "Received event $event for container ${did:0:12}"
-}
-
--- a/test/test_ipv6.py
+++ b/test/test_ipv6.py
@ -0,0 +1,35 @@
+import pytest
+
+
+def test_unknown_virtual_host_ipv4(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/port")
+    assert r.status_code == 503
+
+
+def test_forwards_to_web1_ipv4(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy.tld/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
+
+
+def test_forwards_to_web2_ipv4(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web2.nginx-proxy.tld/port")
+    assert r.status_code == 200
+    assert r.text == "answer from port 82\n" 
+
+
+def test_unknown_virtual_host_ipv6(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/port", ipv6=True)
+    assert r.status_code == 503
+
+
+def test_forwards_to_web1_ipv6(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy.tld/port", ipv6=True)
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
+
+
+def test_forwards_to_web2_ipv6(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web2.nginx-proxy.tld/port", ipv6=True)
+    assert r.status_code == 200
+    assert r.text == "answer from port 82\n" 
--- a/test/test_ipv6.yml
+++ b/test/test_ipv6.yml
@ -0,0 +1,24 @@
+web1:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: 81
+    VIRTUAL_HOST: web1.nginx-proxy.tld
+
+web2:
+  image: web
+  expose:
+    - "82"
+  environment:
+    WEB_PORTS: 82
+    VIRTUAL_HOST: web2.nginx-proxy.tld
+
+
+sut:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+  environment:
+    ENABLE_IPV6: "true"
--- a/test/test_multiple-hosts.py
+++ b/test/test_multiple-hosts.py
@ -0,0 +1,16 @@
+import pytest
+
+
+def test_unknown_virtual_host_is_503(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://unknown.nginx-proxy.tld/port")
+    assert r.status_code == 503
+
+def test_webA_is_forwarded(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://webA.nginx-proxy.tld/port")
+    assert r.status_code == 200
+    assert r.text == "answer from port 81\n"
+
+def test_webB_is_forwarded(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://webB.nginx-proxy.tld/port")
+    assert r.status_code == 200
+    assert r.text == "answer from port 81\n"
--- a/test/test_multiple-hosts.yml
+++ b/test/test_multiple-hosts.yml
@ -0,0 +1,14 @@
+web:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: 81
+    VIRTUAL_HOST: webA.nginx-proxy.tld,webB.nginx-proxy.tld
+
+
+sut:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
--- a/test/test_multiple-networks.py
+++ b/test/test_multiple-networks.py
@ -0,0 +1,15 @@
+import pytest
+
+def test_unknown_virtual_host(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/")
+    assert r.status_code == 503
+
+def test_forwards_to_web1(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
+
+def test_forwards_to_web2(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web2.nginx-proxy.local/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 82\n"
--- a/test/test_multiple-networks.yml
+++ b/test/test_multiple-networks.yml
@ -0,0 +1,35 @@
+version: '2'
+
+networks:
+  net1: {}
+  net2: {}
+
+services:
+  nginx-proxy:
+    image: jwilder/nginx-proxy:test
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+    networks:
+      - net1
+      - net2
+
+  web1:
+    image: web
+    expose:
+      - "81"
+    environment:
+      WEB_PORTS: 81
+      VIRTUAL_HOST: web1.nginx-proxy.local
+    networks:
+      - net1
+
+  web2:
+    image: web
+    expose:
+      - "82"
+    environment:
+      WEB_PORTS: 82
+      VIRTUAL_HOST: web2.nginx-proxy.local
+    networks:
+      - net2
--- a/test/test_multiple-ports/test_VIRTUAL_PORT.py
+++ b/test/test_multiple-ports/test_VIRTUAL_PORT.py
@ -0,0 +1,7 @@
+import pytest
+
+
+def test_answer_is_served_from_chosen_port(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/port")
+    assert r.status_code == 200
+    assert "answer from port 90\n" in r.text
--- a/test/test_multiple-ports/test_VIRTUAL_PORT.yml
+++ b/test/test_multiple-ports/test_VIRTUAL_PORT.yml
@ -0,0 +1,15 @@
+web:
+  image: web
+  expose:
+    - "80"
+    - "90"
+  environment:
+    WEB_PORTS: "80 90"
+    VIRTUAL_HOST: "web.nginx-proxy.tld"
+    VIRTUAL_PORT: 90
+
+sut:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
--- a/test/test_multiple-ports/test_default-80.py
+++ b/test/test_multiple-ports/test_default-80.py
@ -0,0 +1,7 @@
+import pytest
+
+
+def test_answer_is_served_from_port_80_by_default(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/port")
+    assert r.status_code == 200
+    assert "answer from port 80\n" in r.text
--- a/test/test_multiple-ports/test_default-80.yml
+++ b/test/test_multiple-ports/test_default-80.yml
@ -0,0 +1,14 @@
+web:
+  image: web
+  expose:
+    - "80"
+    - "81"
+  environment:
+    WEB_PORTS: "80 81"
+    VIRTUAL_HOST: "web.nginx-proxy.tld"
+
+sut:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
--- a/test/test_multiple-ports/test_single-port-not-80.py
+++ b/test/test_multiple-ports/test_single-port-not-80.py
@ -0,0 +1,7 @@
+import pytest
+
+
+def test_answer_is_served_from_exposed_port_even_if_not_80(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web.nginx-proxy.tld/port")
+    assert r.status_code == 200
+    assert "answer from port 81\n" in r.text
--- a/test/test_multiple-ports/test_single-port-not-80.yml
+++ b/test/test_multiple-ports/test_single-port-not-80.yml
@ -0,0 +1,14 @@
+web:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: "81"
+    VIRTUAL_HOST: "web.nginx-proxy.tld"
+
+
+sut:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
--- a/test/test_nominal.py
+++ b/test/test_nominal.py
@ -0,0 +1,24 @@
+import pytest
+from requests import ConnectionError
+
+
+def test_unknown_virtual_host(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://nginx-proxy/port")
+    assert r.status_code == 503
+
+
+def test_forwards_to_web1(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web1.nginx-proxy.tld/port")
+    assert r.status_code == 200   
+    assert r.text == "answer from port 81\n"
+
+
+def test_forwards_to_web2(docker_compose, nginxproxy):
+    r = nginxproxy.get("http://web2.nginx-proxy.tld/port")
+    assert r.status_code == 200
+    assert r.text == "answer from port 82\n" 
+
+
+def test_ipv6_is_disabled_by_default(docker_compose, nginxproxy):
+    with pytest.raises(ConnectionError):
+        nginxproxy.get("http://nginx-proxy/port", ipv6=True)
--- a/test/test_nominal.yml
+++ b/test/test_nominal.yml
@ -0,0 +1,22 @@
+web1:
+  image: web
+  expose:
+    - "81"
+  environment:
+    WEB_PORTS: 81
+    VIRTUAL_HOST: web1.nginx-proxy.tld
+
+web2:
+  image: web
+  expose:
+    - "82"
+  environment:
+    WEB_PORTS: 82
+    VIRTUAL_HOST: web2.nginx-proxy.tld
+
+
+sut:
+  image: jwilder/nginx-proxy:test
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
--- a/test/test_ssl/certs/nginx-proxy.tld.crt
+++ b/test/test_ssl/certs/nginx-proxy.tld.crt
@ -0,0 +1,70 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4096 (0x1000)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=nginx-proxy test suite, CN=www.nginx-proxy.tld
+        Validity
+            Not Before: Jan 10 00:08:52 2017 GMT
+            Not After : May 28 00:08:52 2044 GMT
+        Subject: CN=*.nginx-proxy.tld
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:cb:45:f4:14:9b:fe:64:85:79:4a:36:8d:3d:d1:
+                    27:d0:7c:36:28:30:e6:73:80:6f:7c:49:23:d0:6c:
+                    17:e4:44:c0:77:4d:9a:c2:bc:24:84:e3:a5:4d:ba:
+                    d2:da:51:7b:a1:2a:12:d4:c0:19:55:69:2c:22:27:
+                    2d:1a:f6:fc:4b:7f:e9:cb:a8:3c:e8:69:b8:d2:4f:
+                    de:4e:50:e2:d0:74:30:7c:42:5a:ae:aa:85:a5:b1:
+                    71:4d:c9:7e:86:8b:62:8c:3e:0d:e3:3b:c3:f5:81:
+                    0b:8c:68:79:fe:bf:10:fb:ae:ec:11:49:6d:64:5e:
+                    1a:7d:b3:92:93:4e:96:19:3a:98:04:a7:66:b2:74:
+                    61:2d:41:13:0c:a4:54:0d:2c:78:fd:b4:a3:e8:37:
+                    78:9a:de:fa:bc:2e:a8:0f:67:14:58:ce:c3:87:d5:
+                    14:0e:8b:29:7d:48:19:b2:a9:f5:b4:e8:af:32:21:
+                    67:15:7e:43:52:8b:20:cf:9f:38:43:bf:fd:c8:24:
+                    7f:52:a3:88:f2:f1:4a:14:91:2a:6e:91:6f:fb:7d:
+                    6a:78:c6:6d:2e:dd:1e:4c:2b:63:bb:3a:43:9c:91:
+                    f9:df:d3:08:13:63:86:7d:ce:e8:46:cf:f1:6c:1f:
+                    ca:f7:4c:de:d8:4b:e0:da:bc:06:d9:87:0f:ff:96:
+                    45:85
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:*.nginx-proxy.tld
+    Signature Algorithm: sha256WithRSAEncryption
+         6e:a5:0e:e4:d3:cc:d5:b7:fc:34:75:89:4e:98:8c:e7:08:06:
+         a8:5b:ec:13:7d:83:99:a2:61:b8:d5:12:6e:c5:b4:53:4e:9a:
+         22:cd:ad:14:30:6a:7d:58:d7:23:d9:a4:2a:96:a0:40:9e:50:
+         9f:ce:f2:fe:8c:dd:9a:ac:99:39:5b:89:2d:ca:e5:3e:c3:bc:
+         03:04:1c:12:d9:6e:b8:9f:f0:3a:be:12:44:7e:a4:21:86:73:
+         af:d5:00:51:3f:2c:56:70:34:8f:26:b0:7f:b0:cf:cf:7f:f9:
+         40:6f:00:29:c4:cf:c3:b7:c2:49:3d:3f:b0:26:78:87:b9:c7:
+         6c:1b:aa:6a:1a:dd:c5:eb:f2:69:ba:6d:46:0b:92:49:b5:11:
+         3c:eb:48:c7:2f:fb:33:a6:6a:82:a2:ab:f8:1e:5f:7d:e3:b7:
+         f2:fd:f5:88:a5:09:4d:a0:bc:f4:3b:cd:d2:8b:d7:57:1f:86:
+         3b:d2:3e:a4:92:21:b0:02:0b:e9:e0:c4:1c:f1:78:e2:58:a7:
+         26:5f:4c:29:c8:23:f0:6e:12:3f:bd:ad:44:7b:0b:bd:db:ba:
+         63:8d:07:c6:9d:dc:46:cc:63:40:ba:5e:45:82:dd:9a:e5:50:
+         e8:e7:d7:27:88:fc:6f:1d:8a:e7:5c:49:28:aa:10:29:75:28:
+         c7:52:de:f9
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwPzEfMB0GA1UECgwWbmdp
+bngtcHJveHkgdGVzdCBzdWl0ZTEcMBoGA1UEAwwTd3d3Lm5naW54LXByb3h5LnRs
+ZDAeFw0xNzAxMTAwMDA4NTJaFw00NDA1MjgwMDA4NTJaMBwxGjAYBgNVBAMMESou
+bmdpbngtcHJveHkudGxkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+y0X0FJv+ZIV5SjaNPdEn0Hw2KDDmc4BvfEkj0GwX5ETAd02awrwkhOOlTbrS2lF7
+oSoS1MAZVWksIictGvb8S3/py6g86Gm40k/eTlDi0HQwfEJarqqFpbFxTcl+hoti
+jD4N4zvD9YELjGh5/r8Q+67sEUltZF4afbOSk06WGTqYBKdmsnRhLUETDKRUDSx4
+/bSj6Dd4mt76vC6oD2cUWM7Dh9UUDospfUgZsqn1tOivMiFnFX5DUosgz584Q7/9
+yCR/UqOI8vFKFJEqbpFv+31qeMZtLt0eTCtjuzpDnJH539MIE2OGfc7oRs/xbB/K
+90ze2Evg2rwG2YcP/5ZFhQIDAQABoyAwHjAcBgNVHREEFTATghEqLm5naW54LXBy
+b3h5LnRsZDANBgkqhkiG9w0BAQsFAAOCAQEAbqUO5NPM1bf8NHWJTpiM5wgGqFvs
+E32DmaJhuNUSbsW0U06aIs2tFDBqfVjXI9mkKpagQJ5Qn87y/ozdmqyZOVuJLcrl
+PsO8AwQcEtluuJ/wOr4SRH6kIYZzr9UAUT8sVnA0jyawf7DPz3/5QG8AKcTPw7fC
+ST0/sCZ4h7nHbBuqahrdxevyabptRguSSbURPOtIxy/7M6ZqgqKr+B5ffeO38v31
+iKUJTaC89DvN0ovXVx+GO9I+pJIhsAIL6eDEHPF44linJl9MKcgj8G4SP72tRHsL
+vdu6Y40Hxp3cRsxjQLpeRYLdmuVQ6OfXJ4j8bx2K51xJKKoQKXUox1Le+Q==
+-----END CERTIFICATE-----
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`This directory contains tests that showcase scenarios known to break the expected behavior of nginx-proxy.`