diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..4ff3bd7
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+# Always use LF endings.
+* text eol=lf
\ No newline at end of file
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 51367db..a6bf80a 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -53,7 +53,7 @@ jobs:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           tags: |
             bfren/nginx-proxy:dev
-            bfren/nginx-proxy:${{ steps.version.outputs.contents }}-beta
+            bfren/nginx-proxy:${{ steps.version.outputs.contents }}-dev
       -
         name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
diff --git a/Dockerfile b/Dockerfile
index 877aeb6..70389bc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM bfren/nginx:nginx1.24-alpine3.18-5.0.16
+FROM bfren/nginx:nginx1.28-alpine3.22-6.5.7
 
 LABEL org.opencontainers.image.source="https://github.com/bfren/docker-nginx-proxy"
 
@@ -8,42 +8,37 @@ ARG BF_VERSION
 # port 80 is already exposed by the base image
 EXPOSE 443
 
+COPY ./overlay /
+
 ENV \
-    # the base domain of the proxy server (will be used when SSL bindings fail)
-    PROXY_DOMAIN= \
-    # clean all config and certificates before doing anything else
-    PROXY_CLEAN_INSTALL=0 \
+    # the root domain of the proxy server (will be used when SSL bindings fail)
+    BF_PROXY_DOMAIN= \
+    # delete all config and certificates before doing anything else
+    BF_PROXY_CLEAN_INSTALL=0 \
     # enable automatic certificate updating
-    PROXY_ENABLE_AUTO_UPDATE=1 \
-    # enable NAXSI web application firewall
-    PROXY_ENABLE_NAXSI=0 \
-    # use hardened mode (remove old / insecure ciphers and protocols)
-    PROXY_HARDEN=0 \
+    BF_PROXY_ENABLE_AUTO_UPDATE=1 \
+    # use hardened mode (e.g. remove old / insecure ciphers and protocols)
+    BF_PROXY_HARDEN=0 \
     # used for renewal notification emails
-    PROXY_LETS_ENCRYPT_EMAIL= \
+    BF_PROXY_GETSSL_EMAIL= \
     # set to 1 to use live instead of staging server
-    PROXY_LETS_ENCRYPT_LIVE=0 \
+    BF_PROXY_GETSSL_USE_LIVE_SERVER=0 \
+    # the renew window number of days - certificates with more than this will not renew (Nu duration)
+    BF_PROXY_GETSSL_RENEW_WINDOW=14day \
+    # set to 1 to skip local HTTP token check
+    BF_PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK=0 \
     # set to the number of bits to use for generating private key
-    PROXY_SSL_KEY_BITS=4096 \
+    BF_PROXY_SSL_KEY_BITS=4096 \
     # set to the number of bits to use for generating DHPARAM
-    PROXY_SSL_DHPARAM_BITS=4096 \
+    BF_PROXY_SSL_DHPARAM_BITS=4096 \
+    # the period of time before self-generated SSL certificates will expire (Nu duration)
+    BF_PROXY_SSL_EXPIRY=36500day \
     # canonical domain name redirection
-    PROXY_SSL_REDIRECT_TO_CANONICAL=0 \
-    # set to true to skip local HTTP token check
-    PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK="false" \
-    # if both are set, on first startup will generate SSL config and request certs
-    PROXY_AUTO_PRIMARY= \
-    PROXY_AUTO_UPSTREAM= \
-    # optional - add aliases to the auto-generated conf.json on first startup
-    PROXY_AUTO_ALIASES= \
-    # optional - mark the Nginx config as custom so it isn't regenerated on future startups
-    PROXY_AUTO_CUSTOM=0 \
+    BF_PROXY_SSL_REDIRECT_TO_CANONICAL=0 \
     # upstream DNS resolver, set to Docker's internal resolver by default
-    PROXY_UPSTREAM_DNS_RESOLVER=127.0.0.11 \
-    # the number of seconds before the maintenance page will auto-refresh
-    PROXY_MAINTENANCE_REFRESH_SECONDS=6
-
-COPY ./overlay /
+    BF_PROXY_UPSTREAM_DNS_RESOLVER=127.0.0.11 \
+    # the number of seconds before the maintenance page will automatically refresh (Nu duration)
+    BF_PROXY_MAINTENANCE_REFRESH=6sec
 
 RUN bf-install
 
diff --git a/LICENSE b/LICENSE
index 06c6f55..b48eea3 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020-2024 bfren
+Copyright (c) 2020-2025 bfren
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index 964041a..a3c2aa1 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 
 [Docker Repository](https://hub.docker.com/r/bfren/nginx-proxy) - [bfren ecosystem](https://github.com/bfren/docker)
 
-Nginx Proxy which uses [getssl](https://github.com/srvrco/getssl) to automate requesting and renewing SSL certificates via Let's Encrypt.  Certificates are checked for renewal every day - the last check can be viewed in the `/ssl` volume.  Also includes [NAXSI](https://github.com/nbs-system/naxsi), a web application firewall.
+Nginx Proxy which uses [getssl](https://github.com/srvrco/getssl) to automate requesting and renewing SSL certificates via Let's Encrypt.  Certificates are checked for renewal every day - the last check can be viewed in the `/ssl` volume.
 
 As of v4, configuration is handled via a JSON file - see ssl-conf-sample.json for an example and ssl-conf-schema.json for the full file definition.
 
@@ -34,23 +34,18 @@ For SSL certificate requests to work correctly, ports 80 and 443 need mapping fr
 
 ## Environment Variables
 
-| Variable                              | Values                | Description                                                                                                                                   | Default               |
-| ------------------------------------- | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
-| `PROXY_AUTO_PRIMARY`                  | URI                   | If set (along with PROXY_AUTO_UPSTREAM) SSL config will be generated on first startup.                                                        | *None*                |
-| `PROXY_AUTO_UPSTREAM`                 | URI                   | If set (along with PROXY_AUTO_PRIMARY) SSL config will be generated on first startup.                                                         | *None*                |
-| `PROXY_AUTO_ALIASES`                  | string of URIs        | Add aliases to the auto-generated conf.json on first startup.                                                                                 | *None*                |
-| `PROXY_AUTO_CUSTOM`                   | 0 or 1                | Mark the auto-generated SSL config to 'custom' so the Nginx configuration is not regenerated on startup.                                      | 0                     |
-| `PROXY_CLEAN_INSTALL`                 | 0 or 1                | If 1, all Nginx and SSL configuration and certificates will be deleted and regenerated.                                                       | 0                     |
-| `PROXY_DOMAIN`                        | URI                   | The base domain of the proxy server - will be used to handle unbound requests.                                                                | *None* - **required** |
-| `PROXY_ENABLE_NAXSI`                  | 0 or 1                | If 1, NAXSI web application firewall will be enabled for all sites.                                                                           | 0                     |
-| `PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK`  | true or false         | Set to true to enable `getssl`'s [skip HTTP token check](https://github.com/srvrco/getssl/wiki/Config-variables#skip_http_token_checkfalse).  | false                 |
-| `PROXY_HARDEN`                        | 0 or 1                | If 1, only modern SSL ciphers and protocols will be enabled (some older devices may not be able to access it).                                | 0                     |
-| `PROXY_LETS_ENCRYPT_EMAIL`            | A valid email address | Used by Lets Encrypt for notification emails.                                                                                                 | *None* - **required** |
-| `PROXY_LETS_ENCRYPT_LIVE`             | 0 or 1                | Only set to 1 (to request live certificates) when your config is correct - Lets Encrypt rate limit certificate requests.                      | 0                     |
-| `PROXY_MAINTENANCE_REFRESH_SECONDS`   | A valid integer       | The number of seconds to count down before the maintenance page auto-refreshes.                                                               | 6                     |
-| `PROXY_SSL_DHPARAM_BITS`              | A valid integer       | The size of your DHPARAM variables - adjust down only if you have limited processing resources.                                               | 4096                  |
-| `PROXY_SSL_REDIRECT_TO_CANONICAL`     | 0 or 1                | If 1, all requests will be redirected to the primary domain (defined in `conf.json`).                                                         | 0                     |
-| `PROXY_UPSTREAM_DNS_RESOLVER`         | IP address            | Upstream DNS resolver - set to Docker's by default.                                                                                           | 127.0.0.11            |
+| Variable                                  | Values                | Description                                                                                                                                   | Default               |
+| ----------------------------------------- | --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| `BF_PROXY_CLEAN_INSTALL`                  | 0 or 1                | If 1, all Nginx and SSL configuration and certificates will be deleted and regenerated.                                                       | 0                     |
+| `BF_PROXY_DOMAIN`                         | URI                   | The base domain of the proxy server - will be used to handle unbound requests.                                                                | *None* - **required** |
+| `BF_PROXY_GETSSL_EMAIL`                   | A valid email address | Used by Lets Encrypt for notification emails.                                                                                                 | *None* - **required** |
+| `BF_PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK`   | true or false         | Set to true to enable `getssl`'s [skip HTTP token check](https://github.com/srvrco/getssl/wiki/Config-variables#skip_http_token_checkfalse).  | false                 |
+| `BF_PROXY_GETSSL_USE_LIVE_SERVER`         | 0 or 1                | Only set to 1 (to request live certificates) when your config is correct - Lets Encrypt rate limit certificate requests.                      | 0                     |
+| `BF_PROXY_HARDEN`                         | 0 or 1                | If 1, only modern SSL ciphers and protocols will be enabled (some older devices may not be able to access it).                                | 0                     |
+| `BF_PROXY_MAINTENANCE_REFRESH_SECONDS`    | A valid integer       | The number of seconds to count down before the maintenance page auto-refreshes.                                                               | 6                     |
+| `BF_PROXY_SSL_DHPARAM_BITS`               | A valid integer       | The size of your DHPARAM variables - adjust down only if you have limited processing resources.                                               | 4096                  |
+| `BF_PROXY_SSL_REDIRECT_TO_CANONICAL`      | 0 or 1                | If 1, all requests will be redirected to the primary domain (defined in `conf.json`).                                                         | 0                     |
+| `BF_PROXY_UPSTREAM_DNS_RESOLVER`          | IP address            | Upstream DNS resolver - set to Docker's by default.                                                                                           | 127.0.0.11            |
 
 ## Helper Functions
 
@@ -83,4 +78,4 @@ The image contains a handful of useful Nginx configuration 'helper' files, which
 
 ## Copyright
 
-> Copyright (c) 2020-2024 [bfren](https://bfren.dev) (unless otherwise stated)
+> Copyright (c) 2020-2025 [bfren](https://bfren.dev) (unless otherwise stated)
diff --git a/VERSION b/VERSION
index a52e7a4..fa5fce0 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.1.5
\ No newline at end of file
+8.0.0
\ No newline at end of file
diff --git a/VERSION_MAJOR b/VERSION_MAJOR
index c793025..301160a 100644
--- a/VERSION_MAJOR
+++ b/VERSION_MAJOR
@@ -1 +1 @@
-7
\ No newline at end of file
+8
\ No newline at end of file
diff --git a/VERSION_MINOR b/VERSION_MINOR
index 986084f..b293f64 100644
--- a/VERSION_MINOR
+++ b/VERSION_MINOR
@@ -1 +1 @@
-7.1
\ No newline at end of file
+8.0
\ No newline at end of file
diff --git a/overlay/etc/bf/ch.d/20-proxy b/overlay/etc/bf/ch.d/20-proxy
index fc78aca..cc04658 100644
--- a/overlay/etc/bf/ch.d/20-proxy
+++ b/overlay/etc/bf/ch.d/20-proxy
@@ -1,5 +1,2 @@
-/etc/naxsi www:www 0640 0750
-/etc/nginx/sites www:www 0640 0750
-/etc/ssl/certs www:www 0640 0750
 /sites www:www 0640 0750
 /ssl www:www 0640 0750
diff --git a/overlay/etc/bf/init.d/20-env b/overlay/etc/bf/init.d/20-env
deleted file mode 100644
index 8a6f6dd..0000000
--- a/overlay/etc/bf/init.d/20-env
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/command/with-contenv bash
-
-set -euo pipefail
-export BF_E=`basename ${0}`
-
-
-#======================================================================================================================
-# Define environment variables.
-#======================================================================================================================
-
-PROXY_LIB=${BF_LIB}/proxy
-bf-env "PROXY_LIB" "${PROXY_LIB}"
-bf-env "PROXY_GETSSL" "${PROXY_LIB}/getssl"
-
-PROXY_SSL=/ssl
-bf-env "PROXY_SSL" ${PROXY_SSL}
-bf-env "PROXY_SSL_CONF" "${PROXY_SSL}/conf.json"
-bf-env "PROXY_SSL_DHPARAM" "${PROXY_SSL}/dhparam.pem"
-
-PROXY_SSL_CERTS=${PROXY_SSL}/certs
-bf-env "PROXY_SSL_CERTS" "${PROXY_SSL_CERTS}"
-
-PROXY_GETSSL_CFG=getssl.cfg
-bf-env "PROXY_GETSSL_CFG" "${PROXY_GETSSL_CFG}"
-bf-env "PROXY_GETSSL_GLOBAL_CFG" "${PROXY_SSL_CERTS}/${PROXY_GETSSL_CFG}"
-bf-env "PROXY_GETSSL_ACCOUNT_KEY" "${PROXY_SSL_CERTS}/account.key"
-
-bf-env "PROXY_SITES" "/sites"
-
-PROXY_ACME_CHALLENGE=.well-known/acme-challenge
-bf-env "PROXY_ACME_CHALLENGE" "${PROXY_ACME_CHALLENGE}"
-bf-env "PROXY_WWW_ACME_CHALLENGE" "${NGINX_WWW}/${PROXY_ACME_CHALLENGE}"
-
-if [ "${PROXY_GETSSL_DEBUG-}" = "1" ] ; then
-    bf-env "PROXY_GETSSL_FLAGS" "-d -U"
-else
-    bf-env "PROXY_GETSSL_FLAGS" "-U"
-fi
-
-if [ -n "${PROXY_URI-}" ] ; then
-    bf-notok "Please rename your PROXY_URI environment variable to PROXY_DOMAIN."
-    bf-env "PROXY_DOMAIN" "${PROXY_URI}"
-fi
diff --git a/overlay/etc/bf/init.d/20-env.nu b/overlay/etc/bf/init.d/20-env.nu
new file mode 100644
index 0000000..4b83a25
--- /dev/null
+++ b/overlay/etc/bf/init.d/20-env.nu
@@ -0,0 +1,35 @@
+use bf
+bf env load
+
+# Set environment variables
+def main []: nothing -> nothing {
+    bf env set "PROXY_GETSSL" "/usr/bin/getssl"
+
+    let proxy_ssl = "/ssl"
+    bf env set "PROXY_SSL" $proxy_ssl
+    bf env set "PROXY_SSL_CONF" $"($proxy_ssl)/conf.json"
+    bf env set "PROXY_SSL_DHPARAM" $"($proxy_ssl)/dhparam.pem"
+
+    let proxy_ssl_certs = $"($proxy_ssl)/certs"
+    let proxy_getssl_config = "getssl.cfg"
+    bf env set "PROXY_SSL_CERTS" $proxy_ssl_certs
+    bf env set "PROXY_GETSSL_CFG" $proxy_getssl_config
+    bf env set "PROXY_GETSSL_GLOBAL_CFG" $"($proxy_ssl_certs)/($proxy_getssl_config)"
+    bf env set "PROXY_GETSSL_ACCOUNT_KEY" $"($proxy_ssl_certs)/account.key"
+
+    let proxy_sites = "/sites"
+    bf env set "PROXY_SITES" $proxy_sites
+
+    let proxy_acme_challenge = ".well-known/acme-challenge"
+    bf env set "PROXY_ACME_CHALLENGE" $proxy_acme_challenge
+    bf env set "PROXY_WWW_ACME_CHALLENGE" $"(bf env NGINX_WWW)/($proxy_acme_challenge)"
+
+    let getssl_flags = match (bf env check PROXY_GETSSL_DEBUG) {
+        true => "-d -U"
+        false => "-U"
+    }
+    bf env set "PROXY_GETSSL_FLAGS" $getssl_flags
+
+    # return nothing
+    return
+}
diff --git a/overlay/etc/bf/init.d/21-nginx-conf.nu b/overlay/etc/bf/init.d/21-nginx-conf.nu
new file mode 100644
index 0000000..4e5f95a
--- /dev/null
+++ b/overlay/etc/bf/init.d/21-nginx-conf.nu
@@ -0,0 +1,6 @@
+use bf
+use bf/nginx/proxy nginx
+bf env load
+
+# Generate Nginx server SSL configuration file
+def main []: nothing -> nothing { nginx generate_server_conf }
diff --git a/overlay/etc/bf/init.d/21-ssl-conf b/overlay/etc/bf/init.d/21-ssl-conf
deleted file mode 100644
index 1d92e73..0000000
--- a/overlay/etc/bf/init.d/21-ssl-conf
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/command/with-contenv bash
-
-set -euo pipefail
-export BF_E=`basename ${0}`
-
-
-#======================================================================================================================
-# Generate Nginx SSL configuration file.
-#======================================================================================================================
-
-if [ "${PROXY_HARDEN}" = "1" ] ; then
-    TEMPLATE="modern"
-else
-    TEMPLATE="intermediate"
-fi
-
-bf-echo "Using ${TEMPLATE} SSL configuration."
-bf-esh ${BF_TEMPLATES}/ssl-${TEMPLATE}.conf.esh /etc/nginx/http.d/ssl.conf
-bf-done
diff --git a/overlay/etc/bf/init.d/22-ssl-init b/overlay/etc/bf/init.d/22-ssl-init
deleted file mode 100644
index 41baef6..0000000
--- a/overlay/etc/bf/init.d/22-ssl-init
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/command/with-contenv bash
-
-set -euo pipefail
-export BF_E=`basename ${0}`
-
-
-#======================================================================================================================
-# Check for clean install.
-#======================================================================================================================
-
-if [ "${PROXY_CLEAN_INSTALL}" = "1" ] ; then
-
-    bf-echo "Clean install detected..."
-    bf-rmrf "${PROXY_GETSSL_GLOBAL_CFG}"
-    bf-rmrf "${PROXY_SSL_DHPARAM}"
-    bf-rmrf "${PROXY_SSL_CERTS}/*"
-    bf-rmrf "${PROXY_SITES}/*"
-    bf-done
-
-fi
-
-
-#======================================================================================================================
-# If there is no SSL configuration file, and auto environment variables are set, generate config.
-#======================================================================================================================
-
-if [ ! -f "${PROXY_SSL_CONF}" ] && [ -n "${PROXY_AUTO_PRIMARY-}" ] && [ -n "${PROXY_AUTO_UPSTREAM-}" ] ; then
-
-    # generate conf
-    bf-echo "Generating conf.json using auto environment variables."
-    bf-esh ${BF_TEMPLATES}/conf.json.esh ${PROXY_SSL_CONF}
-    bf-env "PROXY_AUTO" "1"
-
-    # if there are aliases enable canonical redirection
-    [[ -n "${PROXY_AUTO_ALIASES-}" ]] && bf-env "PROXY_SSL_REDIRECT_TO_CANONICAL" "1"
-
-    # initialise all domains (proxy plus auto)
-    ssl-init -a
-
-
-#======================================================================================================================
-# Run initialisation script only for the proxy domain.
-#======================================================================================================================
-
-else
-
-    ssl-init -d "proxy"
-
-fi
diff --git a/overlay/etc/bf/init.d/22-ssl-init.nu b/overlay/etc/bf/init.d/22-ssl-init.nu
new file mode 100644
index 0000000..91ff37f
--- /dev/null
+++ b/overlay/etc/bf/init.d/22-ssl-init.nu
@@ -0,0 +1,15 @@
+use bf
+use bf/nginx/proxy
+bf env load
+
+# Initialise SSL global config and proxy domain
+def main []: nothing -> nothing {
+    # setup for a clean install
+    if (bf env check PROXY_CLEAN_INSTALL) {
+        bf write "Clean install detected."
+        proxy init setup_clean_install
+    }
+
+    # initialise only the root domain
+    proxy init --root
+}
diff --git a/overlay/etc/bf/init.d/23-maintenance.nu b/overlay/etc/bf/init.d/23-maintenance.nu
new file mode 100644
index 0000000..bdaf4d9
--- /dev/null
+++ b/overlay/etc/bf/init.d/23-maintenance.nu
@@ -0,0 +1,11 @@
+use bf
+use bf/nginx/proxy maintenance
+bf env load
+
+# Generate maintenance helper config and html page
+def main []: nothing -> nothing {
+    bf write "Generating maintenance files."
+    maintenance generate_helper_conf
+    maintenance generate_html
+    return
+}
diff --git a/overlay/etc/bf/init.d/23-naxsi b/overlay/etc/bf/init.d/23-naxsi
deleted file mode 100644
index 1c40f96..0000000
--- a/overlay/etc/bf/init.d/23-naxsi
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/command/with-contenv bash
-
-set -euo pipefail
-export BF_E=`basename ${0}`
-
-
-#======================================================================================================================
-# Generate NAXSI configuration.
-#======================================================================================================================
-
-if [ "${PROXY_ENABLE_NAXSI-}" = "1" ] ; then
-
-    bf-echo "Generating NAXSI files."
-    bf-esh ${BF_TEMPLATES}/naxsi.conf.esh /etc/nginx/helpers/naxsi.conf
-    bf-done
-
-else
-
-    bf-echo "NAXSI not enabled."
-
-fi
diff --git a/overlay/etc/bf/init.d/24-maintenance b/overlay/etc/bf/init.d/24-maintenance
deleted file mode 100644
index 14c6521..0000000
--- a/overlay/etc/bf/init.d/24-maintenance
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/command/with-contenv bash
-
-set -euo pipefail
-export BF_E=`basename ${0}`
-
-
-#======================================================================================================================
-# Generate maintenance configuration helper and page.
-#======================================================================================================================
-
-bf-echo "Generating maintenance files."
-bf-esh ${BF_TEMPLATES}/proxy-maintenance.conf.esh /etc/nginx/helpers/proxy-maintenance.conf
-bf-esh ${BF_TEMPLATES}/maintenance.html.esh ${NGINX_PUBLIC}/maintenance.html
-bf-done
diff --git a/overlay/etc/bf/templates/conf.json.esh b/overlay/etc/bf/templates/conf.json.esh
index 2f2b840..59141ee 100644
--- a/overlay/etc/bf/templates/conf.json.esh
+++ b/overlay/etc/bf/templates/conf.json.esh
@@ -2,9 +2,9 @@
     "$schema": "https://raw.githubusercontent.com/bfren/docker-nginx-proxy/main/ssl-conf-schema.json",
     "domains": [
         {
-            "primary": "<%= ${PROXY_AUTO_PRIMARY} %>",
-            "upstream": "<%= ${PROXY_AUTO_UPSTREAM} %>"<% if [ -n "${PROXY_AUTO_ALIASES-}" ] ; then %>,
-            "aliases": [ "<%= ${PROXY_AUTO_ALIASES// /\", \"} %>" ]<% fi ; if [ "${PROXY_AUTO_CUSTOM-}" = "1" ] ; then %>,
+            "primary": "<%= ${PRIMARY} %>",
+            "upstream": "<%= ${UPSTREAM} %>"<% if [ -n "${ALIASES}" ] ; then %>,
+            "aliases": [ <%= ${ALIASES} %> ]<% fi ; if [ "${CUSTOM}" = "1" ] ; then %>,
             "custom": true<% fi %>
         }
     ]
diff --git a/overlay/etc/bf/templates/getssl-global.conf.esh b/overlay/etc/bf/templates/getssl.cfg.esh
similarity index 81%
rename from overlay/etc/bf/templates/getssl-global.conf.esh
rename to overlay/etc/bf/templates/getssl.cfg.esh
index c3ffc93..b8ba48a 100644
--- a/overlay/etc/bf/templates/getssl-global.conf.esh
+++ b/overlay/etc/bf/templates/getssl.cfg.esh
@@ -3,7 +3,7 @@
 # Uncomment and modify any variables you need
 # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 #
-<% if [ "${PROXY_LETS_ENCRYPT_LIVE}" = "1" ] ; then %>
+<% if [ "${USE_LIVE_SERVER}" = "1" ] ; then %>
 # The staging server is best for testing
 #CA="https://acme-staging-v02.api.letsencrypt.org"
 # This server issues full certificates, however has rate limits
@@ -19,9 +19,9 @@ CA="https://acme-staging-v02.api.letsencrypt.org"
 #AGREEMENT=""
 
 # Set an email address associated with your account - generally set at account level rather than domain.
-ACCOUNT_EMAIL=<%= ${PROXY_LETS_ENCRYPT_EMAIL} %>
+ACCOUNT_EMAIL="<%= ${ACCOUNT_EMAIL} %>"
 ACCOUNT_KEY_LENGTH=4096
-ACCOUNT_KEY="<%= ${PROXY_GETSSL_ACCOUNT_KEY} %>"
+ACCOUNT_KEY="<%= ${ACCOUNT_KEY} %>"
 
 # Account key and private key types - can be rsa, prime256v1, secp384r1 or secp521r1
 #ACCOUNT_KEY_TYPE="rsa"
@@ -29,13 +29,13 @@ PRIVATE_KEY_ALG="rsa"
 #REUSE_PRIVATE_KEY="true"
 
 # The command needed to reload apache / nginx or whatever you use
-#RELOAD_CMD=""
+RELOAD_CMD="nginx-reload"
 
 # The time period within which you want to allow renewal of a certificate
 #  this prevents hitting some of the rate limits.
 # Creating a file called FORCE_RENEWAL in the domain directory allows one-off overrides
 # of this setting
-RENEW_ALLOW="30"
+RENEW_ALLOW="<%= "${RENEW_ALLOW}" %>"
 
 # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
 # smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
@@ -49,4 +49,7 @@ CHECK_REMOTE="true"
 #DNS_ADD_COMMAND=
 #DNS_DEL_COMMAND=
 
-SKIP_HTTP_TOKEN_CHECK=<%= ${PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK} %>
+# If set to "true" then the script will not check that the url
+# "http://yourdomain.com/.well-known/acme-challenge/token" can be reached after
+# uploading the token.
+SKIP_HTTP_TOKEN_CHECK="<%= ${SKIP_HTTP_TOKEN_CHECK} %>"
diff --git a/overlay/etc/bf/templates/maintenance.html.esh b/overlay/etc/bf/templates/maintenance.html.esh
index 63ad1ad..3cad07a 100644
--- a/overlay/etc/bf/templates/maintenance.html.esh
+++ b/overlay/etc/bf/templates/maintenance.html.esh
@@ -11,9 +11,9 @@
 <body>
 <h1>Maintenance</h1>
 <p>The site you requested is temporarily down for maintenance.  Please try again later.</p>
-<p class="muted">This page will auto-refresh in <span id="remaining"><%= "${PROXY_MAINTENANCE_REFRESH_SECONDS}" %></span>s.</p>
+<p class="muted">This page will auto-refresh in <span id="remaining"><%= "${REFRESH_SECONDS}" %></span>s.</p>
 <script type="text/javascript">
-    let remaining = <%= "${PROXY_MAINTENANCE_REFRESH_SECONDS}" %>;
+    let remaining = <%= "${REFRESH_SECONDS}" %>;
     let countdown = function () {
         // reload the page
         if (remaining == 0) {
diff --git a/overlay/etc/bf/templates/naxsi.conf.esh b/overlay/etc/bf/templates/naxsi.conf.esh
deleted file mode 100644
index f7b2728..0000000
--- a/overlay/etc/bf/templates/naxsi.conf.esh
+++ /dev/null
@@ -1,14 +0,0 @@
-<% if [ "${PROXY_ENABLE_NAXSI}" = "1" ] ; then -%>
-# enable NAXSI
-SecRulesEnabled;
-# enable learning mode
-LearningMode;
-# define where blocked requests go
-DeniedUrl "/denied.html";
-# checkRules, determining when naxsi needs to take action
-CheckRule "$SQL >= 8" BLOCK;
-CheckRule "$RFI >= 8" BLOCK;
-CheckRule "$TRAVERSAL >= 4" BLOCK;
-CheckRule "$EVADE >= 4" BLOCK;
-CheckRule "$XSS >= 8" BLOCK;
-<% fi %>
diff --git a/overlay/etc/bf/templates/nginx-acme-challenge.part.esh b/overlay/etc/bf/templates/nginx-acme-challenge.part.esh
index ee85cbc..c3a7595 100644
--- a/overlay/etc/bf/templates/nginx-acme-challenge.part.esh
+++ b/overlay/etc/bf/templates/nginx-acme-challenge.part.esh
@@ -1,6 +1,6 @@
     # allow acme challenge from anywhere (so SSL certificates can still be requested,
     # but all other requests can be blocked from outside the local network, for example)
-    location ^~ /<%= "${PROXY_ACME_CHALLENGE}" %> {
+    location ^~ /<%= "${ACME_CHALLENGE}" %> {
         allow                       all;
         root                        <%= "${NGINX_WWW}" %>;
     }
\ No newline at end of file
diff --git a/overlay/etc/bf/templates/nginx-proxy.conf.esh b/overlay/etc/bf/templates/nginx-root.conf.esh
similarity index 93%
rename from overlay/etc/bf/templates/nginx-proxy.conf.esh
rename to overlay/etc/bf/templates/nginx-root.conf.esh
index 34099e7..eae8625 100644
--- a/overlay/etc/bf/templates/nginx-proxy.conf.esh
+++ b/overlay/etc/bf/templates/nginx-root.conf.esh
@@ -4,7 +4,7 @@
 #
 # Use environment variable PROXY_DOMAIN to change this file.
 #
-# Copyright (c) 2021-2024 bfren
+# Copyright (c) 2021-2025 bfren
 #======================================================================================================================
 
 #======================================================================================================================
@@ -19,7 +19,7 @@ server {
 <%+ ./nginx-acme-challenge.part.esh %>
 
     location / {
-        # redirect all other requests to HTTPS using PROXY_DOMAIN
+        # redirect all other requests to HTTPS using DOMAIN_NAME
         return                      301 <%= "https://${DOMAIN_NAME}" %>$request_uri;
     }
 }
@@ -34,7 +34,7 @@ server {
     listen                          443 ssl http2 default_server;
     listen                          [::]:443 ssl http2 default_server;
 
-    # redirect to PROXY_DOMAIN to avoid certificate errors
+    # redirect to DOMAIN_NAME to avoid certificate errors
     if ($host != <%= "${DOMAIN_NAME}" %>) {
         return                      301 <%= "https://${DOMAIN_NAME}" %>$request_uri;
     }
diff --git a/overlay/etc/bf/templates/nginx-site.conf.esh b/overlay/etc/bf/templates/nginx-site.conf.esh
index b63ddb9..5d6b148 100644
--- a/overlay/etc/bf/templates/nginx-site.conf.esh
+++ b/overlay/etc/bf/templates/nginx-site.conf.esh
@@ -1,4 +1,4 @@
-<% if [ "${DOMAIN_NGXCONF}" = "true" ] ; then -%>
+<% if [ "${IS_CUSTOM}" = "true" ] ; then -%>
 #======================================================================================================================
 # You can make changes to this file.
 #
@@ -15,7 +15,7 @@
 #   "custom": true
 # This will cause this file to be regenerated next time the container is started.
 #
-# Copyright (c) 2021-2024 bfren
+# Copyright (c) 2021-2025 bfren
 #======================================================================================================================
 <% else -%>
 #======================================================================================================================
@@ -29,7 +29,7 @@
 #   "custom": true
 # This will stop this file being generated next time the container is started.
 #
-# Copyright (c) 2021-2024 bfren
+# Copyright (c) 2021-2025 bfren
 #======================================================================================================================
 <% fi %>
 #======================================================================================================================
@@ -44,8 +44,8 @@ include                             <%= "${CUSTOM_CONF}/${DOMAIN_NAME}[.]upstrea
 #======================================================================================================================
 
 server {
-    # serve site for these domain names only
-    server_name                     <%= "${SERVER_NAMES}" %>;
+    # serve HTTP site for these domain names
+    server_name                     <%= "${DOMAIN_NAMES}" %>;
 
     # listen on HTTP port for both IPv4 and IPv6
     listen                          80;
@@ -54,7 +54,7 @@ server {
 <%+ ./nginx-acme-challenge.part.esh %>
 
     location / {
-<% if [ "${PROXY_SSL_REDIRECT_TO_CANONICAL}" = "1" ] ; then -%>
+<% if [ "${REDIRECT_TO_CANONICAL}" = "true" ] ; then -%>
         # redirect all other requests to HTTPS using primary domain name
         return                      301 <%= "https://${DOMAIN_NAME}" %>$request_uri;
 <% else -%>
@@ -70,14 +70,15 @@ server {
 #======================================================================================================================
 
 server {
-    # serve site for these domain names only
-    server_name                     <%= "${SERVER_NAMES}" %>;
+    # serve HTTPS site for these domain names
+    server_name                     <%= "${DOMAIN_NAMES}" %>;
 
     # listen on SSL port for both IPv4 and IPv6, and enable HTTP/2
-    listen                          443 ssl http2;
-    listen                          [::]:443 ssl http2;
+    listen                          443 ssl;
+    listen                          [::]:443 ssl;
+    http2                           on;
 
-<% if [ "${PROXY_SSL_REDIRECT_TO_CANONICAL}" = "1" ] ; then -%>
+<% if [ "${REDIRECT_TO_CANONICAL}" = "true" ] ; then -%>
     # redirect to primary (canonical) domain name
     if ($host != <%= "${DOMAIN_NAME}" %>) {
         return                      301 <%= "https://${DOMAIN_NAME}" %>$request_uri;
@@ -88,7 +89,7 @@ server {
     location / {
         # set resolver to Docker's internal DNS resolver and use an upstream variable so Nginx will always start,
         # even if $upstream is not available - h/t https://stackoverflow.com/a/54719226/8199362
-        resolver                    <%= "${PROXY_UPSTREAM_DNS_RESOLVER}" %> valid=30s;
+        resolver                    <%= "${DNS_RESOLVER}" %> valid=30s;
         set $upstream               <%= "${UPSTREAM}" %>;
 
         # proxy to the upstream server, enabling best-practice proxy and security headers
@@ -99,12 +100,6 @@ server {
         # block AI bots
         include                     helpers/nginx-block-ai-bots.conf;
 
-    <% if [ "${PROXY_ENABLE_NAXSI-}" = "1" ] ; then -%>
-        # enable NAXSI web application firewall with custom rules
-        include                     helpers/naxsi.conf;
-        include                     <%= "${CUSTOM_CONF}/*.rules" %>;
-    <% fi -%>
-
         # use maintenance page (defined in helpers/proxy-maintenance.conf - see below) when there's an upstream error
         error_page                  502 503 504 /maintenance.html;
 
diff --git a/overlay/etc/bf/templates/nginx-ssl-certs.part.esh b/overlay/etc/bf/templates/nginx-ssl-certs.part.esh
index 5e1f26d..4fe2b53 100644
--- a/overlay/etc/bf/templates/nginx-ssl-certs.part.esh
+++ b/overlay/etc/bf/templates/nginx-ssl-certs.part.esh
@@ -1,5 +1,5 @@
     # paths to SSL certificates and configuration
-    ssl_certificate                 <%= "${PROXY_SSL_CERTS}/${DOMAIN_NAME}/fullchain.crt" %>;
-    ssl_certificate_key             <%= "${PROXY_SSL_CERTS}/${DOMAIN_NAME}.key" %>;
-    ssl_trusted_certificate         <%= "${PROXY_SSL_CERTS}/${DOMAIN_NAME}/chain.crt" %>;
-    ssl_dhparam                     <%= "${PROXY_SSL_DHPARAM}" %>;
\ No newline at end of file
+    ssl_trusted_certificate         <%= "${CERTS}/${DOMAIN_NAME}/chain.crt" %>;
+    ssl_certificate                 <%= "${CERTS}/${DOMAIN_NAME}/fullchain.crt" %>;
+    ssl_certificate_key             <%= "${CERTS}/${DOMAIN_NAME}.key" %>;
+    ssl_dhparam                     <%= "${DHPARAM}" %>;
\ No newline at end of file
diff --git a/overlay/etc/bf/templates/proxy-maintenance.conf.esh b/overlay/etc/bf/templates/proxy-maintenance.conf.esh
index 7cba56c..1a1d31d 100644
--- a/overlay/etc/bf/templates/proxy-maintenance.conf.esh
+++ b/overlay/etc/bf/templates/proxy-maintenance.conf.esh
@@ -1,3 +1,3 @@
 location = /maintenance.html {
-    root                                <%= "${NGINX_PUBLIC}" %>;
+    root                                <%= "${PUBLIC}" %>;
 }
\ No newline at end of file
diff --git a/overlay/etc/bf/templates/ssl-intermediate.conf.esh b/overlay/etc/bf/templates/ssl-intermediate.conf.esh
index 3385b34..bf9a6e6 100644
--- a/overlay/etc/bf/templates/ssl-intermediate.conf.esh
+++ b/overlay/etc/bf/templates/ssl-intermediate.conf.esh
@@ -1,6 +1,7 @@
 #======================================================================================================================
 # SSL
-# Using Mozilla's SSL Configuration Generator with 'Intermediate' settings - https://ssl-config.mozilla.org/
+# Using Mozilla's SSL Configuration Generator with 'Intermediate' settings
+# See https://ssl-config.mozilla.org/#server=nginx&config=intermediate
 #======================================================================================================================
 
 ssl_protocols                   TLSv1.2 TLSv1.3;
diff --git a/overlay/etc/bf/templates/ssl-modern.conf.esh b/overlay/etc/bf/templates/ssl-modern.conf.esh
index 14674d8..661afd3 100644
--- a/overlay/etc/bf/templates/ssl-modern.conf.esh
+++ b/overlay/etc/bf/templates/ssl-modern.conf.esh
@@ -1,6 +1,7 @@
 #======================================================================================================================
 # SSL
-# Using Mozilla's SSL Configuration Generator with 'Modern' settings - https://ssl-config.mozilla.org/
+# Using Mozilla's SSL Configuration Generator with 'Modern' settings
+# See https://ssl-config.mozilla.org/#server=nginx&config=modern
 #======================================================================================================================
 
 ssl_protocols                   TLSv1.3;
diff --git a/overlay/etc/naxsi/core.rules b/overlay/etc/naxsi/core.rules
deleted file mode 100644
index 4e51aad..0000000
--- a/overlay/etc/naxsi/core.rules
+++ /dev/null
@@ -1,97 +0,0 @@
-# See https://github.com/wargio/naxsi/blob/main/naxsi_rules/naxsi_core.rules
-
-##################################
-## INTERNAL RULES IDS:1-999     ##
-##################################
-#@MainRule "msg:weird request, unable to parse" id:1;
-#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
-#@MainRule "msg:invalid hex encoding, null bytes" id:10;
-#@MainRule "msg:unknown content-type" id:11;
-#@MainRule "msg:invalid formatted url" id:12;
-#@MainRule "msg:invalid POST format" id:13;
-#@MainRule "msg:invalid POST boundary" id:14;
-#@MainRule "msg:invalid JSON" id:15;
-#@MainRule "msg:empty POST" id:16;
-#@MainRule "msg:libinjection_sql" id:17;
-#@MainRule "msg:libinjection_xss" id:18;
-#@MainRule "msg:no generic rules" id:19;
-#@MainRule "msg:bad utf8" id:20;
-#@MainRule "msg:illegal host header" id:21;
-
-##################################
-## SQL Injections IDs:1000-1099 ##
-##################################
-MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile|bigint" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
-MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
-MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
-## Hardcore rules
-MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
-MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
-MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
-MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
-## end of hardcore rules
-MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
-MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
-MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
-MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
-MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
-MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
-MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
-MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
-MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
-MainRule "rx:::json|to_json|jsonb?_build|jsonb?_object|jsonb?_each|jsonb?_extract|jsonb?_typeof|jsonb?_array|jsonb_set|json_query|json_keys" "msg:json functions and operators" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1018;
-
-###############################
-## OBVIOUS RFI IDs:1100-1199 ##
-###############################
-MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
-MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
-MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
-MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
-MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
-MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
-MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
-MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
-MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
-MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
-MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;
-MainRule "str:zip://" "msg:zip:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1111;
-MainRule "str:expect://" "msg:expect:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1112;
-MainRule "str:input://" "msg:input:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1113;
-
-#######################################
-## Directory traversal IDs:1200-1299 ##
-#######################################
-MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
-MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
-MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
-MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
-MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
-#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
-MainRule "str:/..;/" "msg:dir traversal bypass" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1207;
-MainRule "str:/.;/" "msg:dir traversal bypass" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1208;
-MainRule "str:/.%2e/" "msg:dir traversal bypass" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1209;
-MainRule "str:/%2e./" "msg:dir traversal bypass" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1210;
-
-########################################
-## Cross Site Scripting IDs:1300-1399 ##
-########################################
-MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
-MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
-MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
-MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
-MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
-MainRule "str:`"  "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
-MainRule "rx:%[23]."  "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
-
-####################################
-## Evading tricks IDs: 1400-1500 ##
-####################################
-MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
-MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
-
-#############################
-## File uploads: 1500-1600 ##
-#############################
-MainRule "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp/htaccess file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;
-MainRule "rx:^[\.a-z0-9_\- ]+$" negative "msg:uploaded filename contains non-printable ascii chars" "mz:FILE_EXT" "s:$UPLOAD:8" id:1501;
diff --git a/overlay/etc/nginx/http.d/naxsi-rules.conf b/overlay/etc/nginx/http.d/naxsi-rules.conf
deleted file mode 100644
index 69469aa..0000000
--- a/overlay/etc/nginx/http.d/naxsi-rules.conf
+++ /dev/null
@@ -1 +0,0 @@
-include                         /etc/naxsi/*.rules;
\ No newline at end of file
diff --git a/overlay/etc/nu/scripts/bf/nginx/proxy/conf.nu b/overlay/etc/nu/scripts/bf/nginx/proxy/conf.nu
new file mode 100644
index 0000000..eabc9df
--- /dev/null
+++ b/overlay/etc/nu/scripts/bf/nginx/proxy/conf.nu
@@ -0,0 +1,6 @@
+use bf
+
+# Load ssl configuration
+export def get_domains []: nothing -> list<record<primary: string, upstream: string, aliases: list, custom: bool>> {
+    bf env "PROXY_SSL_CONF" | open --raw $in | from json | get domains
+}
diff --git a/overlay/etc/nu/scripts/bf/nginx/proxy/getssl.nu b/overlay/etc/nu/scripts/bf/nginx/proxy/getssl.nu
new file mode 100644
index 0000000..10e7e19
--- /dev/null
+++ b/overlay/etc/nu/scripts/bf/nginx/proxy/getssl.nu
@@ -0,0 +1,106 @@
+use bf
+
+# Generate getssl global configuration file if it does not already exist
+export def generate_global_conf []: nothing -> nothing {
+    let getssl_cfg = bf env "PROXY_GETSSL_GLOBAL_CFG"
+    if ($getssl_cfg | bf fs is_not_file) {
+        # get environment variables
+        let e = {
+            USE_LIVE_SERVER: (bf env "PROXY_GETSSL_USE_LIVE_SERVER")
+            ACCOUNT_EMAIL: (bf env "PROXY_GETSSL_EMAIL")
+            ACCOUNT_KEY: (bf env "PROXY_GETSSL_ACCOUNT_KEY")
+            RENEW_ALLOW: (bf env "PROXY_GETSSL_RENEW_WINDOW" | into duration | $in / 1day)
+            SKIP_HTTP_TOKEN_CHECK: (bf env check "PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK" | into string)
+        }
+
+        # generate configuration
+        with-env $e { bf esh template $getssl_cfg }
+    } else {
+        bf write debug " .. getssl global configuration file already exists." getssl/generate_global_conf
+    }
+}
+
+# Generate getssl site configuration file
+export def generate_site_conf [
+    domain: string      # the domain to generate getssl config for
+]: nothing -> string {
+    # check for existing getssl config
+    let certs = bf env "PROXY_SSL_CERTS"
+    let file = $"($certs)/($domain)/(bf env "PROXY_GETSSL_CFG")"
+    if ($file | path exists) {
+        bf write debug " .. getssl configuration file already exists." getssl/generate_site_conf
+        return $file
+    }
+
+    # build arguments
+    let args = [
+        (bf env --safe "PROXY_GETSSL_FLAGS")
+        "-w" # set working directory
+        (bf env "PROXY_SSL_CERTS")
+        "-c" # create default configuration files
+        $domain
+    ] | compact --empty # in case BF_PROXY_GETSSL_FLAGS is not set
+
+    # execute getssl
+    bf write debug " .. getssl configuration file already exists." getssl/generate_site_conf
+    { ^getssl ...$args } | bf handle
+
+    # return cfg file path
+    $file
+}
+
+# Update getssl site configuration file with domain-specific values
+export def update_site_conf [
+    domain: record      # the domain to generate getssl config for
+]: nothing -> string {
+    # get variables
+    let certs = bf env "PROXY_SSL_CERTS"
+    let file = $"($certs)/($domain.primary)/(bf env "PROXY_GETSSL_CFG")"
+
+    # SANS
+    let sans = $domain | get --optional aliases | default [] | str join ","
+    replace -q "SANS" $sans $file
+
+    # certificate
+    let cert = $"($certs)/($domain.primary)"
+    replace -q "DOMAIN_CERT_LOCATION" $"($cert).crt" $file
+    replace -q "DOMAIN_KEY_LOCATION" $"($cert).key" $file
+
+    # ACL
+    let acl = bf env "PROXY_WWW_ACME_CHALLENGE"
+    replace "ACL" $"\(\"($acl)\"\)" $file
+    replace -q "USE_SINGLE_ACL" "true" $file
+
+    # return cfg file path
+    $file
+}
+
+# Replace a value in a given config file
+export def replace [
+    key: string         # config key to replace
+    value: string       # config value to set
+    file: string        # file path to load / save
+    --add-quotes (-q)   # add double quotes to the value before inserting
+]: nothing -> nothing {
+    # do nothing for empty key
+    if ($key | is-empty) { return }
+
+    # add quotes
+    let quoted_value = match $add_quotes { true => $"\"($value)\"" false => $value }
+
+    # replace value
+    let find = $"^#?($key).*$"
+    load_cfg $key $file | str replace --all --multiline --regex $find $"($key)=($quoted_value)" | save --force $file
+}
+
+# Load cfg file and ensure the given key exists
+export def load_cfg [
+    key: string
+    file: string
+] {
+    let cfg = open --raw $file
+    match ($cfg | str contains $key) {
+        true => $cfg
+        false => ($cfg | append $"#($key)=" | str join (char newline))
+    }
+}
diff --git a/overlay/etc/nu/scripts/bf/nginx/proxy/init.nu b/overlay/etc/nu/scripts/bf/nginx/proxy/init.nu
new file mode 100644
index 0000000..6c18408
--- /dev/null
+++ b/overlay/etc/nu/scripts/bf/nginx/proxy/init.nu
@@ -0,0 +1,84 @@
+use bf
+use conf.nu
+use getssl.nu
+use nginx.nu
+use ssl.nu
+
+# Initialise SSL for the specified domain(s).
+# Order of precedence:
+#   1. `init --all`
+#   2. `init --root`
+#   3. `init --domain xxxxxx`
+export def main [
+    --all (-a)              # Initialise root and all configured domains
+    --domain (-d): string   # The domain to be initialised
+    --root (-r)             # Initialise root domain
+]: nothing -> nothing {
+    # generate getssl configuration
+    bf write "Creating getssl global configuration file." init
+    getssl generate_global_conf
+
+    # generate DHPARAM file
+    bf write "Generating DHPARAM." init
+    ssl generate_dhparam
+
+    # closure to run init procedure
+    let init_domain = {|x: record|
+        bf write $"Initialising ($x.primary)." init
+
+        # generate Nginx config
+        bf write " .. generating Nginx configuration file." init
+        nginx generate_site_conf $x
+
+        # generate site getssl conf
+        bf write " .. generating getssl configuration file." init
+        getssl generate_site_conf $x.primary
+        getssl update_site_conf $x
+
+        # generate temporary SSL files
+        bf write " .. generating temporary SSL certificates and keys." init
+        ssl generate_temp_certs $x.primary
+        ssl create_pem $x.primary
+    }
+
+    # initialise domain(s)
+    if $all {
+        get_all | each $init_domain
+    } else if $root {
+        do $init_domain (get_root)
+    } else if $domain {
+        do $init_domain (get_single $domain)
+    } else {
+        bf write error "Incorrect usage - try `init --help`." init
+    }
+
+    # done
+    bf write ok "Done." init
+}
+
+# Check for clean install and delete.
+export def setup_clean_install []: nothing -> nothing {
+    bf write debug " .. removing SSL config and certificates:" init/setup_clean_install
+    bf env "PROXY_GETSSL_GLOBAL_CFG" | remove
+    bf env "PROXY_SITES" | $"($in)/*" | remove
+    bf env "PROXY_SSL_CERTS" | $"($in)/*" | remove
+    bf env "PROXY_SSL_DHPARAM" | remove
+}
+
+# Remove file(s) by converting input into a glob before calling `rm`.
+def remove []: string -> nothing {
+    let file = $in | into glob
+    bf write debug $"    ($file)" init/remove
+    rm --force --recursive $file
+}
+
+# Retrieve all configured domain record.
+export def get_all []: nothing -> list<record> { conf get_domains }
+
+# Retrieve a single domain record.
+export def get_single [
+    domain: string  # The domain to initialise
+]: nothing -> record { conf get_domains | where primary == $domain | into record }
+
+# Retrieve the root domain record.
+export def get_root []: nothing -> record { get_single (bf env "PROXY_DOMAIN") }
diff --git a/overlay/etc/nu/scripts/bf/nginx/proxy/maintenance.nu b/overlay/etc/nu/scripts/bf/nginx/proxy/maintenance.nu
new file mode 100644
index 0000000..975709a
--- /dev/null
+++ b/overlay/etc/nu/scripts/bf/nginx/proxy/maintenance.nu
@@ -0,0 +1,18 @@
+use bf
+use bf esh template
+
+# Generate Nginx configuration to map the maintenance html file
+export def generate_helper_conf []: nothing -> string {
+    let e = {
+        PUBLIC: (bf env NGINX_PUBLIC)
+    }
+    with-env $e { template $"(bf env NGINX_ETC_HELPERS)/proxy-maintenance.conf" }
+}
+
+# Generate maintenance HTML file
+export def generate_html []: nothing -> string {
+    let e = {
+        REFRESH_SECONDS: (bf env PROXY_MAINTENANCE_REFRESH | into duration | $in / 1sec)
+    }
+    with-env $e { template $"(bf env NGINX_PUBLIC)/maintenance.html" }
+}
diff --git a/overlay/etc/nu/scripts/bf/nginx/proxy/mod.nu b/overlay/etc/nu/scripts/bf/nginx/proxy/mod.nu
new file mode 100644
index 0000000..d659339
--- /dev/null
+++ b/overlay/etc/nu/scripts/bf/nginx/proxy/mod.nu
@@ -0,0 +1,6 @@
+export module conf.nu
+export module getssl.nu
+export module init.nu
+export module maintenance.nu
+export module nginx.nu
+export module ssl.nu
diff --git a/overlay/etc/nu/scripts/bf/nginx/proxy/nginx.nu b/overlay/etc/nu/scripts/bf/nginx/proxy/nginx.nu
new file mode 100644
index 0000000..37cb6cf
--- /dev/null
+++ b/overlay/etc/nu/scripts/bf/nginx/proxy/nginx.nu
@@ -0,0 +1,102 @@
+use bf
+use conf.nu
+
+# Generate Nginx SSL config
+export def generate_server_conf []: nothing -> nothing {
+    # get the template name
+    let template = match (bf env check PROXY_HARDEN) {
+        true => "modern"
+        false => "intermediate"
+    }
+
+    # generate config file
+    bf write $"Using ($template) SSL configuration." nginx/generate_server_conf
+    bf esh $"(bf env "ETC_TEMPLATES")/ssl-($template).conf.esh" "/etc/nginx/http.d/ssl.conf"
+
+    # return nothing
+    return
+}
+
+# Generate Nginx site config
+export def generate_site_conf [
+    domain: record      # the domain record to generate config for
+]: nothing -> string {
+    # get type-hinted variables
+    let primary: string = $domain | get primary
+    let upstream: string = $domain | get upstream
+    let aliases: list<string> = $domain | get --optional aliases | default []
+    let custom: bool = $domain | get --optional custom | default false
+    let is_root = $primary == (bf env "PROXY_DOMAIN")
+
+    # generate paths
+    let site = $"(bf env PROXY_SITES)/($primary)"
+    let conf = $"($site).conf"
+    let conf_d = $"($site).d"
+    let template = $"(bf env "ETC_TEMPLATES")/nginx-(match ($is_root) { true => "root" false => "site" }).conf.esh"
+
+    # ensure custom site config directory exists
+    if ($conf_d | bf fs is_not_dir) { mkdir $conf_d }
+
+    # check for existing configuration file
+    if ($conf | path exists) {
+        bf write debug "    config file already exists." nginx/generate_site_conf
+        return $conf
+    }
+
+    # set environment values
+    let e = {
+        ACME_CHALLENGE: (bf env "PROXY_ACME_CHALLENGE")
+        CERTS: (bf env "PROXY_SSL_CERTS")
+        CUSTOM_CONF: $conf_d
+        DHPARAM: (bf env "PROXY_SSL_DHPARAM")
+        DNS_RESOLVER: (bf env "PROXY_UPSTREAM_DNS_RESOLVER")
+        DOMAIN_NAME: $primary
+        DOMAIN_NAMES: ($primary | append $aliases | str join " ")
+        IS_CUSTOM: ($custom | into string)
+        NGINX_PUBLIC: (bf env "NGINX_PUBLIC")
+        NGINX_WWW: (bf env "NGINX_WWW")
+        REDIRECT_TO_CANONICAL: (bf env check "PROXY_SSL_REDIRECT_TO_CANONICAL" | into string)
+        UPSTREAM: $upstream
+    }
+
+    # generate config file
+    bf write debug "    generating config file." nginx/generate_site_conf
+    with-env $e { bf esh $template $conf }
+
+    # return path to config file
+    $conf
+}
+
+# Regenerate Nginx site config for a specified domain
+export def regenerate_site_conf [
+    domain: record      # the domain record to regenerate nginx config for
+    --clean (-c)        # if set, the config directory will be removed as well
+    --force (-f)        # if set, custom config files will be removed as well
+]: nothing -> string {
+
+    bf write $"Regenerating Nginx config for ($domain.primary)..." nginx/regenerate_site_conf
+    let site = $"(bf env PROXY_SITES)/($domain.primary)"
+    let conf = $"($site).conf"
+    let conf_d = $"($site).d"
+
+    # remove config directory if clean is enabled
+    if $clean {
+        bf write debug "    removing config directory." nginx/regenerate_site_conf
+        rm --force --recursive $conf_d
+    }
+
+    # remove custom config only if force is enabled
+    let custom: bool = $domain | get --optional custom | default false
+    if $custom {
+        if $force {
+            bf write debug "    force enabled, removing custom config file." nginx/regenerate_site_conf
+            rm --force $conf
+        }
+    } else {
+        bf write debug "    removing standard config file." nginx/regenerate_site_conf
+        rm --force $conf
+    }
+
+    # generate new config
+    generate_site_conf $domain
+}
diff --git a/overlay/etc/nu/scripts/bf/nginx/proxy/ssl.nu b/overlay/etc/nu/scripts/bf/nginx/proxy/ssl.nu
new file mode 100644
index 0000000..feb6cb4
--- /dev/null
+++ b/overlay/etc/nu/scripts/bf/nginx/proxy/ssl.nu
@@ -0,0 +1,80 @@
+use bf
+
+export const KEY_SUFFIX = ".key"
+export const CRT_SUFFIX = "/fullchain.crt"
+export const CHAIN_KEY_SUFFIX = "/chain.key"
+export const CHAIN_CRT_SUFFIX = "/chain.crt"
+export const PEM_SUFFIX = ".pem"
+
+# Generate a DHPARAM file if it does not already exist
+export def generate_dhparam []: nothing -> nothing {
+    let dhparam = bf env "PROXY_SSL_DHPARAM"
+    if ($dhparam | bf fs is_not_file) {
+        # don't use bf handle here so we can see progress
+        ^openssl dhparam (bf env "PROXY_SSL_DHPARAM_BITS") | save --force $dhparam
+    } else {
+        bf write debug $" .. ($dhparam) already exists." ssl/generate_dhparam
+    }
+}
+
+# Generate temporary SSL certificates for a domain
+export def generate_temp_certs [
+    domain: string      # the domain to generate temporary SSL for
+]: nothing -> nothing {
+    # get variables
+    let base = $"(bf env "PROXY_SSL_CERTS")/($domain)"
+    let key = $"($base)($KEY_SUFFIX)"
+    let crt = $"($base)($CRT_SUFFIX)"
+    let chain_key = $"($base)($CHAIN_KEY_SUFFIX)"
+    let chain_crt = $"($base)($CHAIN_CRT_SUFFIX)"
+
+    # do nothing if the domain certificate already exists
+    if ($crt | path exists) {
+        bf write debug " .. certificate already exists." ssl/generate_temp_certs
+        return
+    }
+
+    # closure to generate a certificate
+    let generate_cert = {|cn: string, keyout: string, crtout: string|
+        let args = [
+            -x509
+            -sha256
+            -nodes
+            -days (bf env "PROXY_SSL_EXPIRY" | into duration | $in / 1day)
+            -newkey rsa:(bf env "PROXY_SSL_KEY_BITS")
+            -keyout $keyout
+            -out $crtout
+            -subj $"/C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=($cn)"
+        ]
+        { ^openssl req ...$args } | bf handle
+    }
+
+    # generate certificates
+    do $generate_cert $domain $key $crt
+    do $generate_cert $domain $chain_key $chain_crt
+}
+
+# Create a PEM_SUFFIX file from a domain certificate and key
+export def create_pem [
+    domain: string      # the domain to generate a PEM_SUFFIX file for
+]: nothing -> string {
+    # get variables
+    let base = $"(bf env "PROXY_SSL_CERTS")/($domain)"
+    let key_file = $"($base)($KEY_SUFFIX)"
+    let crt_file = $"($base)($CRT_SUFFIX)"
+    let pem_file = $"($base)/($domain)($PEM_SUFFIX)"
+
+    # return error if files do not exist
+    if ($key_file | bf fs is_not_file) or ($crt_file | bf fs is_not_file) {
+        bf write notok $"Unable to locate certificate or key file for ($domain)." ssl/create_pem
+        return ""
+    }
+
+    # create pem file
+    let key = open --raw $key_file
+    let crt = open --raw $crt_file
+    echo $"($key)(char newline)($crt)" | save --force $pem_file
+
+    # return path to pem file
+    $pem_file
+}
diff --git a/overlay/etc/nu/scripts/tests/conf.nu b/overlay/etc/nu/scripts/tests/conf.nu
new file mode 100644
index 0000000..c576a92
--- /dev/null
+++ b/overlay/etc/nu/scripts/tests/conf.nu
@@ -0,0 +1,22 @@
+use std assert
+use bf
+use bf/nginx/proxy conf *
+use vars.nu *
+
+
+#======================================================================================================================
+# get_domains
+#======================================================================================================================
+
+export def get_domains__returns_list_of_domains [] {
+    let conf = { "domains": [ (generate_domain) ] }
+    let file = mktemp -t
+    $conf | to json | save -f $file
+    let e = {
+        BF_PROXY_SSL_CONF: $file
+    }
+
+    let result = with-env $e { get_domains }
+
+    assert equal $conf.domains $result
+}
diff --git a/overlay/etc/nu/scripts/tests/getssl.nu b/overlay/etc/nu/scripts/tests/getssl.nu
new file mode 100644
index 0000000..fcb5121
--- /dev/null
+++ b/overlay/etc/nu/scripts/tests/getssl.nu
@@ -0,0 +1,303 @@
+use std assert
+use bf
+use bf/nginx/proxy getssl *
+use vars.nu *
+
+
+#======================================================================================================================
+# generate_global_conf
+#======================================================================================================================
+
+def generate_conf_e [
+    --use-live-server
+    --email: string
+    --account-key: string
+    --renew-window: duration
+    --skip-check
+    file: string
+] {
+    {
+        BF_ETC_TEMPLATES: $ETC_TEMPLATES
+        BF_PROXY_GETSSL_GLOBAL_CFG: $file
+        BF_PROXY_GETSSL_USE_LIVE_SERVER: (match ($use_live_server) { true => "1" false => "0" })
+        BF_PROXY_GETSSL_EMAIL: ($email | default (random chars))
+        BF_PROXY_GETSSL_ACCOUNT_KEY: ($account_key | default (random chars))
+        BF_PROXY_GETSSL_RENEW_WINDOW: ($renew_window | default (random int 14..28 | into duration --unit day))
+        BF_PROXY_GETSSL_SKIP_HTTP_TOKEN_CHECK: (match $skip_check { true => "1" false => "0" })
+    }
+}
+
+def get_tmp_file []: nothing -> string { $"/(mktemp -d -t)/getssl.cfg" }
+
+export def generate_conf__does_nothing_if_file_exists [] {
+    let file = get_tmp_file
+    let content = random chars
+    $content | save $file
+    let e = generate_conf_e $file
+
+    let result = with-env $e { generate_global_conf } | open --raw $file
+
+    assert equal $content $result
+}
+
+export def generate_conf__generates_conf_if_file_does_not_exist [] {
+    let file = get_tmp_file
+    let e = generate_conf_e $file
+
+    let result = with-env $e { generate_global_conf } | open --raw $file
+
+    assert not equal "" $result
+}
+
+export def generate_conf__use_live_server_true_outputs_live_server [] {
+    let file = get_tmp_file
+    let e = generate_conf_e --use-live-server=true $file
+
+    let result = with-env $e { generate_global_conf } | open --raw $file
+
+    assert str contains $result $"(char newline)CA=\"https://acme-v02.api.letsencrypt.org\"(char newline)"
+}
+
+export def generate_conf__use_live_server_false_outputs_staging_server [] {
+    let file = get_tmp_file
+    let e = generate_conf_e --use-live-server=false $file
+
+    let result = with-env $e { generate_global_conf } | open --raw $file
+
+    assert str contains $result $"(char newline)CA=\"https://acme-staging-v02.api.letsencrypt.org\"(char newline)"
+}
+
+export def generate_conf__outputs_email [] {
+    let file = get_tmp_file
+    let email = random chars
+    let e = generate_conf_e --email $email $file
+
+    let result = with-env $e { generate_global_conf } | open --raw $file
+
+    assert str contains $result $"(char newline)ACCOUNT_EMAIL=\"($email)\"(char newline)"
+}
+
+export def generate_conf__outputs_account_key [] {
+    let file = get_tmp_file
+    let key = random chars
+    let e = generate_conf_e --account-key $key $file
+
+    let result = with-env $e { generate_global_conf } | open --raw $file
+
+    assert str contains $result $"(char newline)ACCOUNT_KEY=\"($key)\"(char newline)"
+}
+
+export def generate_conf__outputs_renew_allow [] {
+    let file = get_tmp_file
+    let renew = random int 14..28 | into duration --unit day
+    let e = generate_conf_e --renew-window $renew $file
+
+    let result = with-env $e { generate_global_conf } | open --raw $file
+
+    assert str contains $result $"(char newline)RENEW_ALLOW=\"($renew / 1day | into string)\"(char newline)"
+}
+
+export def generate_conf__outputs_skip_http_check_false [] {
+    let file = get_tmp_file
+    let e = generate_conf_e --skip-check=false $file
+
+    let result = with-env $e { generate_global_conf } | open --raw $file
+
+    assert str contains $result $"(char newline)SKIP_HTTP_TOKEN_CHECK=\"false\"(char newline)"
+}
+
+export def generate_conf__outputs_skip_http_check_true [] {
+    let file = get_tmp_file
+    let e = generate_conf_e --skip-check=true $file
+
+    let result = with-env $e { generate_global_conf } | open --raw $file
+
+    assert str contains $result $"(char newline)SKIP_HTTP_TOKEN_CHECK=\"true\"(char newline)"
+}
+
+
+#======================================================================================================================
+# replace
+#======================================================================================================================
+
+export def replace__does_nothing_if_key_is_empty [] {
+    let file = mktemp -t
+    let content = random chars
+    $content | save --force $file
+
+    let result = replace "" (random chars) $file | open --raw $file
+
+    assert equal $content $result
+}
+
+export def replace__replaces_line_with_empty_value [] {
+    let key = random chars
+    let file = mktemp -t
+    echo $"#($key)=(random chars)" | save --force $file
+    let expected = $"($key)="
+
+    let result = replace $key "" $file | open --raw $file
+
+    assert equal $expected $result
+}
+
+export def replace__replaces_line_with_hash [] {
+    let key = random chars
+    let value = random chars
+    let file = mktemp -t
+    echo $"#($key)=(random chars)" | save --force $file
+    let expected = $"($key)=($value)"
+
+    let result = replace $key $value $file | open --raw $file
+
+    assert equal $expected $result
+}
+
+export def replace__replaces_line_without_hash [] {
+    let key = random chars
+    let value = random chars
+    let file = mktemp -t
+    echo $"($key)=(random chars)" | save --force $file
+    let expected = $"($key)=($value)"
+
+    let result = replace $key $value $file | open --raw $file
+
+    assert equal $expected $result
+}
+
+export def replace__adds_double_quotes [] {
+    let key = random chars
+    let value = random chars
+    let file = mktemp -t
+    echo $"#($key)=(random chars)" | save --force $file
+    let expected = $"($key)=\"($value)\""
+
+    let result = replace --add-quotes $key $value $file | open --raw $file
+
+    assert equal $expected $result
+}
+
+
+#======================================================================================================================
+# generate_site_conf
+#======================================================================================================================
+
+def generate_site_conf_e [
+    --cfg: string
+    certs: string
+] {
+    {
+        BF_PROXY_SSL_CERTS: $certs
+        BF_PROXY_GETSSL_CFG: ($cfg | default $GETSSL_CONF_BASENAME)
+    }
+}
+
+export def generate_site_conf__does_nothing_when_config_exists [] {
+    let primary = random chars
+    let certs = mktemp -d -t
+    let cfg = random chars
+    let content = random chars
+    let cfg = $"($certs)/($primary)/(random chars)"
+    $cfg | path dirname | mkdir $in
+    $content | save --force $cfg
+    let e = generate_site_conf_e --cfg ($cfg | path basename) $certs
+
+    let result = with-env $e { generate_site_conf $primary } | open --raw
+
+    assert equal $content $result
+}
+
+export def generate_site_conf__creates_default_config [] {
+    let primary = "do not use random value or hash will break"
+    let certs = mktemp -d -t
+    let e = generate_site_conf_e $certs
+    let expected = "7146e789a83077202ab129d461959016"
+
+    let result = with-env $e { generate_site_conf $primary } | open --raw | hash md5
+
+    assert equal $expected $result
+}
+
+
+#======================================================================================================================
+# update_site_conf
+#======================================================================================================================
+
+def update_site_conf_e [
+    --acme: string
+    certs: string
+] {
+    {
+        BF_PROXY_SSL_CERTS: $certs
+        BF_PROXY_GETSSL_CFG: $GETSSL_CONF_BASENAME
+        BF_PROXY_WWW_ACME_CHALLENGE: ($acme | default (random chars))
+    }
+}
+
+def update_site_conf_create_blank_file [
+    certs: string
+    primary: string
+] {
+    let cfg = $"($certs)/($primary)/($GETSSL_CONF_BASENAME)"
+    $cfg | path dirname | mkdir $in
+    echo $"#(random chars)=(random chars)" | save --force $cfg
+}
+
+export def update_site_conf__outputs_aliases_as_sans [] {
+    let aliases = [(random chars) (random chars)]
+    let domain = generate_domain --aliases $aliases
+    let certs = mktemp -d -t
+    update_site_conf_create_blank_file $certs $domain.primary
+    let e = update_site_conf_e $certs
+
+    let result = with-env $e { update_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"SANS=\"($aliases.0),($aliases.1)\""
+}
+
+export def update_site_conf__outputs_empty_sans_when_no_aliases [] {
+    let domain = generate_domain | reject aliases
+    let certs = mktemp -d -t
+    update_site_conf_create_blank_file $certs $domain.primary
+    let e = update_site_conf_e $certs
+
+    let result = with-env $e { update_site_conf $domain } | open --raw $in
+
+    assert str contains $result "SANS=\"\""
+}
+
+export def update_site_conf__outputs_certification_locations [] {
+    let domain = generate_domain
+    let certs = mktemp -d -t
+    update_site_conf_create_blank_file $certs $domain.primary
+    let e = update_site_conf_e $certs
+
+    let result = with-env $e { update_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"DOMAIN_CERT_LOCATION=\"($certs)/($domain.primary).crt\""
+    assert str contains $result $"DOMAIN_KEY_LOCATION=\"($certs)/($domain.primary).key\""
+}
+
+export def update_site_conf__outputs_acme_challenge [] {
+    let domain = generate_domain
+    let certs = mktemp -d -t
+    update_site_conf_create_blank_file $certs $domain.primary
+    let acme = random chars
+    let e = update_site_conf_e --acme $acme $certs
+
+    let result = with-env $e { update_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"ACL=\(\"($acme)\"\)"
+}
+
+export def update_site_conf__outputs_use_single_acl [] {
+    let domain = generate_domain
+    let certs = mktemp -d -t
+    update_site_conf_create_blank_file $certs $domain.primary
+    let e = update_site_conf_e $certs
+
+    let result = with-env $e { update_site_conf $domain } | open --raw $in
+
+    assert str contains $result "USE_SINGLE_ACL=\"true\""
+}
+
diff --git a/overlay/etc/nu/scripts/tests/init.nu b/overlay/etc/nu/scripts/tests/init.nu
new file mode 100644
index 0000000..887b8ed
--- /dev/null
+++ b/overlay/etc/nu/scripts/tests/init.nu
@@ -0,0 +1,103 @@
+use std assert
+use bf
+use bf/nginx/proxy init *
+use vars.nu *
+
+
+#======================================================================================================================
+# setup_clean_install
+#======================================================================================================================
+
+export def setup_clean_install__removes_files [] {
+    let getssl_global_cfg = mktemp -t
+    let sites = mktemp -d -t
+    let ssl_certs = mktemp -d -t
+    let ssl_dhparam = mktemp -t
+    cd $sites ; mktemp ; mktemp
+    cd $ssl_certs ; mktemp ; mktemp
+    let e = {
+        BF_PROXY_GETSSL_GLOBAL_CFG: $getssl_global_cfg
+        BF_PROXY_SITES: $sites
+        BF_PROXY_SSL_CERTS: $ssl_certs
+        BF_PROXY_SSL_DHPARAM: $ssl_dhparam
+    }
+
+    let result = with-env $e { setup_clean_install } | {
+        GETSSL_GLOBAL_CFG: ($getssl_global_cfg | path exists)
+        SITES: ($sites | path exists)
+        SITES_FILES: (ls $sites | length)
+        SSL_CERTS: ($ssl_certs | path exists)
+        SSL_CERTS_FILES: (ls $ssl_certs | length)
+        SSL_DHPARAM: ($ssl_dhparam | path exists)
+    }
+
+    assert equal false $result.GETSSL_GLOBAL_CFG
+    assert equal true $result.SITES
+    assert equal 0 $result.SITES_FILES
+    assert equal true $result.SSL_CERTS
+    assert equal 0 $result.SSL_CERTS_FILES
+    assert equal false $result.SSL_DHPARAM
+}
+
+
+#======================================================================================================================
+# get_all
+#======================================================================================================================
+
+export def get_all__returns_all_domains [] {
+    let conf = {
+        "domains": [ (generate_domain), (generate_domain), (generate_domain) ]
+    }
+    let file = mktemp -t
+    $conf | to json | save -f $file
+    let e = {
+        BF_PROXY_SSL_CONF: $file
+    }
+
+    let result = with-env $e { get_all }
+
+    assert equal $conf.domains $result
+}
+
+
+#======================================================================================================================
+# get_root
+#======================================================================================================================
+
+export def get_root__returns_root_domain [] {
+    let conf = {
+        "domains": [ (generate_domain), (generate_domain), (generate_domain) ]
+    }
+    let root = $conf.domains.1
+    let file = mktemp -t
+    $conf | to json | save -f $file
+    let e = {
+        BF_PROXY_DOMAIN: $root.primary
+        BF_PROXY_SSL_CONF: $file
+    }
+
+    let result = with-env $e { get_root }
+
+    assert equal $root $result
+}
+
+
+#======================================================================================================================
+# get_single
+#======================================================================================================================
+
+export def get_single__returns_single_domain [] {
+    let conf = {
+        "domains": [ (generate_domain), (generate_domain), (generate_domain) ]
+    }
+    let single = $conf.domains.1
+    let file = mktemp -t
+    $conf | to json | save -f $file
+    let e = {
+        BF_PROXY_SSL_CONF: $file
+    }
+
+    let result = with-env $e { get_single $single.primary }
+
+    assert equal $single $result
+}
diff --git a/overlay/etc/nu/scripts/tests/maintenance.nu b/overlay/etc/nu/scripts/tests/maintenance.nu
new file mode 100644
index 0000000..9e58da7
--- /dev/null
+++ b/overlay/etc/nu/scripts/tests/maintenance.nu
@@ -0,0 +1,43 @@
+use std assert
+use bf
+use bf/nginx/proxy maintenance *
+use vars.nu *
+
+
+#======================================================================================================================
+# generate_helper_conf
+#======================================================================================================================
+
+export def generate_helper_conf__outputs_conf [] {
+    let helpers = mktemp -d -t
+    let public = random chars
+    let e = {
+        BF_ETC_TEMPLATES: $ETC_TEMPLATES
+        BF_NGINX_ETC_HELPERS: $helpers
+        BF_NGINX_PUBLIC: $public
+    }
+
+    let result = with-env $e { generate_helper_conf } | open --raw $"($helpers)/proxy-maintenance.conf"
+
+    assert str contains $result $"root                                ($public);"
+}
+
+
+#======================================================================================================================
+# generate_html
+#======================================================================================================================
+
+export def generate_html__outputs_html [] {
+    let public = mktemp -d -t
+    let refresh = random int 5..50
+    let e = {
+        BF_ETC_TEMPLATES: $ETC_TEMPLATES
+        BF_NGINX_PUBLIC: $public
+        BF_PROXY_MAINTENANCE_REFRESH: ($refresh | into duration --unit sec)
+    }
+
+    let result = with-env $e { generate_html } | open --raw $"($public)/maintenance.html"
+
+    assert str contains $result $"This page will auto-refresh in <span id=\"remaining\">($refresh)</span>s."
+    assert str contains $result $"let remaining = ($refresh);"
+}
diff --git a/overlay/etc/nu/scripts/tests/mod.nu b/overlay/etc/nu/scripts/tests/mod.nu
new file mode 100644
index 0000000..6f6f063
--- /dev/null
+++ b/overlay/etc/nu/scripts/tests/mod.nu
@@ -0,0 +1,7 @@
+export module conf.nu
+export module getssl.nu
+export module init.nu
+export module maintenance.nu
+export module nginx.nu
+export module ssl.nu
+export module vars.nu
diff --git a/overlay/etc/nu/scripts/tests/nginx.nu b/overlay/etc/nu/scripts/tests/nginx.nu
new file mode 100644
index 0000000..65bf012
--- /dev/null
+++ b/overlay/etc/nu/scripts/tests/nginx.nu
@@ -0,0 +1,413 @@
+use std assert
+use bf
+use bf/nginx/proxy nginx *
+use vars.nu *
+
+
+#======================================================================================================================
+# generate_server_conf
+#======================================================================================================================
+
+def generate_nginx_ssl_conf_e [
+    --harden            # Optional harden switch
+] {
+    {
+        BF_ETC_TEMPLATES: $ETC_TEMPLATES
+        BF_PROXY_HARDEN: (match $harden { true => "1", false => "" })
+    }
+}
+
+export def generate_nginx_ssl_conf__outputs_intermediate_conf [] {
+    let e = generate_nginx_ssl_conf_e
+    let expected = "c6f62672330e60f47657a720c2ffd693"
+
+    let result = with-env $e { generate_server_conf } | open --raw $NGINX_SSL_CONF | hash md5
+
+    assert equal $expected $result
+}
+
+export def generate_nginx_ssl_conf__outputs_modern_conf [] {
+    let e = generate_nginx_ssl_conf_e --harden
+    let expected = "641b08342873b272be06190413aacf8c"
+
+    let result = with-env $e { generate_server_conf } | open --raw $NGINX_SSL_CONF | hash md5
+
+    assert equal $expected $result
+}
+
+
+#======================================================================================================================
+# generate_site_conf
+#======================================================================================================================
+
+def generate_site_conf_e [
+    --acme-challenge: string
+    --certs: string
+    --dhparam: string
+    --nginx-public: string
+    --nginx-www: string
+    --redirect-to-canonical
+    --resolver: string
+    --root-domain: string
+    sites_dir
+] {
+    {
+        BF_ETC_TEMPLATES: $ETC_TEMPLATES
+        BF_NGINX_PUBLIC: ($nginx_public | default (random chars))
+        BF_NGINX_WWW: ($nginx_www | default (random chars))
+        BF_PROXY_ACME_CHALLENGE: ($acme_challenge | default (random chars))
+        BF_PROXY_DOMAIN: ($root_domain | default (random chars))
+        BF_PROXY_SSL_CERTS: ($certs | default (random chars))
+        BF_PROXY_SSL_DHPARAM: ($dhparam | default (random chars))
+        BF_PROXY_SSL_REDIRECT_TO_CANONICAL: (match $redirect_to_canonical { true => "1" false => "0" })
+        BF_PROXY_SITES: $sites_dir
+        BF_PROXY_UPSTREAM_DNS_RESOLVER: ($resolver | default (random chars))
+    }
+}
+
+export def generate_site_conf__creates_site_directory_when_does_not_exist [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary
+    let sites_dir = $"/tmp/(random chars)"
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | echo $sites_dir | path exists
+
+    assert equal true $result
+}
+
+export def generate_site_conf__keeps_config_when_exists [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary true
+    let sites_dir = mktemp -d -t
+    let content = random chars
+    $content | save --force $"($sites_dir)/($primary).conf"
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert equal $content $result
+}
+
+export def generate_site_conf__outputs_acme_challenge [] {
+    let domain = generate_domain
+    let sites_dir = mktemp -d -t
+    let acme_challenge = random chars
+    let e = generate_site_conf_e --acme-challenge $acme_challenge $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"location ^~ /($acme_challenge) {"
+}
+
+export def generate_site_conf__outputs_acme_challenge_when_root [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary
+    let sites_dir = mktemp -d -t
+    let acme_challenge = random chars
+    let e = generate_site_conf_e --acme-challenge $acme_challenge --root-domain $primary $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"location ^~ /($acme_challenge) {"
+}
+
+export def generate_site_conf__outputs_ssl_certs [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary
+    let sites_dir = mktemp -d -t
+    let certs = random chars
+    let e = generate_site_conf_e --certs $certs $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"ssl_trusted_certificate         ($certs)/($primary)/chain.crt;"
+    assert str contains $result $"ssl_certificate                 ($certs)/($primary)/fullchain.crt;"
+    assert str contains $result $"ssl_certificate_key             ($certs)/($primary).key;"
+}
+
+export def generate_site_conf__outputs_ssl_certs_when_root [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary
+    let sites_dir = mktemp -d -t
+    let certs = random chars
+    let e = generate_site_conf_e --certs $certs --root-domain $primary $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"ssl_trusted_certificate         ($certs)/($primary)/chain.crt;"
+    assert str contains $result $"ssl_certificate                 ($certs)/($primary)/fullchain.crt;"
+    assert str contains $result $"ssl_certificate_key             ($certs)/($primary).key;"
+}
+
+export def generate_site_conf__includes_custom_conf [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary true
+    let sites_dir = mktemp -d -t
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"include                     ($sites_dir)/($primary).d/*.conf;"
+}
+
+export def generate_site_conf__includes_custom_conf_when_root [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary true
+    let sites_dir = mktemp -d -t
+    let e = generate_site_conf_e --root-domain $primary $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"include                         ($sites_dir)/($primary).d/*.conf;"
+}
+
+export def generate_site_conf__outputs_dhparam [] {
+    let domain = generate_domain
+    let sites_dir = mktemp -d -t
+    let dhparam = random chars
+    let e = generate_site_conf_e --dhparam $dhparam $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"ssl_dhparam                     ($dhparam);"
+}
+
+export def generate_site_conf__outputs_dhparam_when_root [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary
+    let sites_dir = mktemp -d -t
+    let dhparam = random chars
+    let e = generate_site_conf_e --dhparam $dhparam --root-domain $primary $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"ssl_dhparam                     ($dhparam);"
+}
+
+export def generate_site_conf__outputs_dns_resolver [] {
+    let domain = generate_domain
+    let sites_dir = mktemp -d -t
+    let resolver = random chars
+    let e = generate_site_conf_e --resolver $resolver $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"resolver                    ($resolver) valid=30s;"
+}
+
+export def generate_site_conf__outputs_server_names [] {
+    let primary = random chars
+    let aliases = [(random chars) (random chars) (random chars)]
+    let server_names = $primary | append $aliases | str join " "
+    let domain = generate_domain --primary $primary --aliases $aliases
+    let sites_dir = mktemp -d -t
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"# serve HTTP site for these domain names
+    server_name                     ($server_names);"
+    assert str contains $result $"# serve HTTPS site for these domain names
+    server_name                     ($server_names);"
+}
+
+export def generate_site_conf__without_aliases_outputs_only_primary_to_server_names [] {
+    let domain = generate_domain | reject aliases
+    let sites_dir = mktemp -d -t
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"# serve HTTP site for these domain names
+    server_name                     ($domain.primary);"
+    assert str contains $result $"# serve HTTPS site for these domain names
+    server_name                     ($domain.primary);"
+}
+
+export def generate_site_conf__allows_changes_when_custom_is_true [] {
+    let domain = generate_domain true
+    let sites_dir = mktemp -d -t
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result "# You can make changes to this file."
+}
+
+export def generate_site_conf__disallows_changes_when_custom_is_false [] {
+    let domain = generate_domain false
+    let sites_dir = mktemp -d -t
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result "# WARNING: This file is generated. Do not make changes to this file."
+}
+
+export def generate_site_conf__disallows_changes_when_custom_is_not_set [] {
+    let domain = generate_domain | reject custom
+    let sites_dir = mktemp -d -t
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result "# WARNING: This file is generated. Do not make changes to this file."
+}
+
+export def generate_site_conf__outputs_nginx_public_when_root [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary
+    let sites_dir = mktemp -d -t
+    let nginx_public = random chars
+    let e = generate_site_conf_e --nginx-public $nginx_public --root-domain $primary $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"root                            ($nginx_public);"
+}
+
+export def generate_site_conf__outputs_nginx_www [] {
+    let domain = generate_domain
+    let sites_dir = mktemp -d -t
+    let nginx_www = random chars
+    let e = generate_site_conf_e --nginx-www $nginx_www $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"root                        ($nginx_www);"
+}
+
+export def generate_site_conf__outputs_nginx_www_when_root [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary
+    let sites_dir = mktemp -d -t
+    let nginx_www = random chars
+    let e = generate_site_conf_e --nginx-www $nginx_www --root-domain $primary $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"root                        ($nginx_www);"
+}
+
+export def generate_site_conf__redirects_to_canonical [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary
+    let sites_dir = mktemp -d -t
+    let e = generate_site_conf_e --redirect-to-canonical $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"return                      301 https://($primary)$request_uri;"
+    assert str contains $result $"if \($host != ($primary)\) {
+        return                      301 https://($primary)$request_uri;
+    }"
+}
+
+export def generate_site_conf__redirects_to_canonical_when_root [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary
+    let sites_dir = mktemp -d -t
+    let e = generate_site_conf_e --root-domain $primary $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"return                      301 https://($primary)$request_uri;"
+    assert str contains $result $"if \($host != ($primary)\) {
+        return                      301 https://($primary)$request_uri;
+    }"
+}
+
+export def generate_site_conf__redirects_to_current_host [] {
+    let domain = generate_domain
+    let sites_dir = mktemp -d -t
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result "return                      301 https://$host$request_uri;"
+}
+
+export def generate_site_conf__outputs_upstream [] {
+    let upstream = random chars
+    let domain = generate_domain --upstream $upstream
+    let sites_dir = mktemp -d -t
+    let nginx_www = random chars
+    let e = generate_site_conf_e --nginx-www $nginx_www $sites_dir
+
+    let result = with-env $e { generate_site_conf $domain } | open --raw $in
+
+    assert str contains $result $"set $upstream               ($upstream);"
+}
+
+
+#======================================================================================================================
+# reenerate_site_conf
+#======================================================================================================================
+
+export def regenerate_site_conf__keeps_config_when_custom_is_true [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary true
+    let sites_dir = mktemp -d -t
+    let content = random chars
+    $content | save --force $"($sites_dir)/($primary).conf"
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { regenerate_site_conf $domain } | open --raw $in
+
+    assert equal $content $result
+}
+
+export def regenerate_site_conf__regenerates_config_when_custom_is_false [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary false
+    let sites_dir = mktemp -d -t
+    let content = random chars
+    $content | save --force $"($sites_dir)/($primary).conf"
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { regenerate_site_conf $domain } | open --raw $in
+
+    assert not equal $content $result
+}
+
+export def regenerate_site_conf__regenerates_config_when_custom_is_true_and_force_is_enabled [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary true
+    let sites_dir = mktemp -d -t
+    let content = random chars
+    $content | save --force $"($sites_dir)/($primary).conf"
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { regenerate_site_conf --force $domain } | open --raw $in
+
+    assert not equal $content $result
+}
+
+export def regenerate_site_conf__keeps_config_dir_when_clean_is_false [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary true
+    let sites_dir = mktemp -d -t
+    let site_dir = $"($sites_dir)/($primary).d"
+    mkdir $site_dir
+    mktemp --tmpdir-path $site_dir
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { regenerate_site_conf $domain } | ls $site_dir | length
+
+    assert equal 1 $result
+}
+
+export def regenerate_site_conf__regenerates_config_dir_when_clean_is_true [] {
+    let primary = random chars
+    let domain = generate_domain --primary $primary true
+    let sites_dir = mktemp -d -t
+    let site_dir = $"($sites_dir)/($primary).d"
+    mkdir $site_dir
+    mktemp --tmpdir-path $site_dir
+    let e = generate_site_conf_e $sites_dir
+
+    let result = with-env $e { regenerate_site_conf --clean $domain } | ls $site_dir | length
+
+    assert equal 0 $result
+}
diff --git a/overlay/etc/nu/scripts/tests/ssl.nu b/overlay/etc/nu/scripts/tests/ssl.nu
new file mode 100644
index 0000000..3133734
--- /dev/null
+++ b/overlay/etc/nu/scripts/tests/ssl.nu
@@ -0,0 +1,152 @@
+use std assert
+use bf
+use bf/nginx/proxy ssl *
+
+
+#======================================================================================================================
+# generate_dhparam
+#======================================================================================================================
+
+def generate_dhparam_e [
+    file: string
+] {
+    {
+        BF_PROXY_SSL_DHPARAM: $file
+        BF_PROXY_SSL_DHPARAM_BITS: 1024
+    }
+}
+
+export def generate_dhparam__does_nothing_if_file_exists [] {
+    let file = mktemp -t
+    let content = random chars
+    $content | save --force $file
+    let e = generate_dhparam_e $file
+
+    let result = with-env $e { generate_dhparam } | open --raw $file
+
+    assert equal $content $result
+}
+
+export def generate_dhparam__generates_dhparam_if_file_does_not_exist [] {
+    let file = $"/tmp/(random chars)"
+    let e = generate_dhparam_e $file
+
+    let result = with-env $e { generate_dhparam } | open $file
+
+    assert not equal "" $result
+}
+
+
+#======================================================================================================================
+# generate_temp_certs
+#======================================================================================================================
+
+def generate_temp_certs_e [
+    --bits: int = 1024
+    --expiry: duration = 3650day
+    certs: string
+] {
+    {
+        BF_PROXY_SSL_CERTS: $certs
+        BF_PROXY_SSL_EXPIRY: $expiry
+        BF_PROXY_SSL_KEY_BITS: $bits
+    }
+}
+
+export def generate_temp_certs__does_nothing_if_crt_exists [] {
+    let certs = mktemp -d -t
+    let domain = random chars
+    mkdir $"($certs)/($domain)"
+    let content = random chars
+    let crt = $"($certs)/($domain)/($CRT_SUFFIX)"
+    echo $content | save --force $crt
+    let e = generate_temp_certs_e $certs
+
+    let result = with-env $e { generate_temp_certs $domain } | open --raw $crt
+
+    assert equal $content $result
+}
+
+export def generate_temp_certs__generates_all_files [] {
+    let certs = mktemp -d -t
+    let domain = random chars
+    mkdir $"($certs)/($domain)"
+    let e = generate_temp_certs_e $certs
+
+    let result = with-env $e { generate_temp_certs $domain }
+
+    assert equal true ($"($certs)/($domain)($KEY_SUFFIX)" | path exists)
+    assert equal true ($"($certs)/($domain)($CRT_SUFFIX)" | path exists)
+    assert equal true ($"($certs)/($domain)($CHAIN_KEY_SUFFIX)" | path exists)
+    assert equal true ($"($certs)/($domain)($CHAIN_CRT_SUFFIX)" | path exists)
+}
+
+
+#======================================================================================================================
+# create_pem
+#======================================================================================================================
+
+export def create_pem__does_nothing_if_crt_does_not_exist [] {
+    let certs = mktemp -d -t
+    let domain = random chars
+    mkdir $"($certs)/($domain)"
+    random chars | save --force $"($certs)/($domain)($KEY_SUFFIX)"
+    let e = generate_temp_certs_e $certs
+
+    let result = with-env $e { create_pem $domain } | echo $in | path exists
+
+    assert equal false $result
+}
+
+export def create_pem__does_nothing_if_key_does_not_exist [] {
+    let certs = mktemp -d -t
+    let domain = random chars
+    mkdir $"($certs)/($domain)"
+    random chars | save --force $"($certs)/($domain)($CRT_SUFFIX)"
+    let e = generate_temp_certs_e $certs
+
+    let result = with-env $e { create_pem $domain } | echo $in | path exists
+
+    assert equal false $result
+}
+
+export def create_pem__merges_key_and_crt_files [] {
+    let certs = mktemp -d -t
+    let domain = random chars
+    let cert = $"($certs)/($domain)"
+    let key = random chars
+    let key_file = $"($cert)($KEY_SUFFIX)"
+    let crt = random chars
+    let crt_file = $"($cert)($CRT_SUFFIX)"
+    let pem = $"($key)(char newline)($crt)"
+    let pem_file = $"($cert)/($domain)($PEM_SUFFIX)"
+    let e = generate_temp_certs_e $certs
+    mkdir $cert
+    echo $key | save --force $key_file
+    echo $crt | save --force $crt_file
+
+    let result = with-env $e { create_pem $domain } | open --raw $pem_file
+
+    assert equal $pem $result
+}
+
+export def create_pem__overwrites_existing_pem_file [] {
+    let certs = mktemp -d -t
+    let domain = random chars
+    let cert = $"($certs)/($domain)"
+    let key = random chars
+    let key_file = $"($cert)($KEY_SUFFIX)"
+    let crt = random chars
+    let crt_file = $"($cert)($CRT_SUFFIX)"
+    let pem = $"($key)(char newline)($crt)"
+    let pem_file = $"($cert)/($domain)($PEM_SUFFIX)"
+    let e = generate_temp_certs_e $certs
+    mkdir $cert
+    echo $key | save --force $key_file
+    echo $crt | save --force $crt_file
+    random chars | save --force $pem_file
+
+    let result = with-env $e { create_pem $domain } | open --raw $pem_file
+
+    assert equal $pem $result
+}
diff --git a/overlay/etc/nu/scripts/tests/vars.nu b/overlay/etc/nu/scripts/tests/vars.nu
new file mode 100644
index 0000000..e38d97c
--- /dev/null
+++ b/overlay/etc/nu/scripts/tests/vars.nu
@@ -0,0 +1,18 @@
+export const ETC_TEMPLATES = "/etc/bf/templates"
+export const GETSSL_CONF_BASENAME = "getssl.cfg"
+export const NGINX_SSL_CONF = "/etc/nginx/http.d/ssl.conf"
+
+# Generate a random domain record
+export def generate_domain [
+    --aliases: list<string>     # set aliases instead of random list
+    --primary: string           # set primary instead of random characters
+    --upstream: string          # set upstream instead of random characters
+    custom?: bool               # set custom instead of random boolean
+]: nothing -> record<primary: string, upstream: string, aliases: list, custom: bool> {
+    {
+        "primary": ($primary | default (random chars))
+        "upstream": ($upstream | default (random chars))
+        "aliases": ($aliases | default [(random chars) (random chars)] )
+        "custom": ($custom | default (random bool))
+    }
+}
diff --git a/overlay/etc/s6-overlay/s6-rc.d/ssl-auto-request/finish b/overlay/etc/s6-overlay/s6-rc.d/ssl-auto-request/finish
index 3187e2b..899239f 100644
--- a/overlay/etc/s6-overlay/s6-rc.d/ssl-auto-request/finish
+++ b/overlay/etc/s6-overlay/s6-rc.d/ssl-auto-request/finish
@@ -1,11 +1,8 @@
-#!/command/with-contenv bash
+#!/usr/bin/nu
 
-set -euo pipefail
-export BF_E="${PWD##*/}/$(basename ${0})"
+use bf
+use bf-s6
+bf env load -x ssl-auto-request
 
-
-#======================================================================================================================
-# Show helpful log message.
-#======================================================================================================================
-
-bf-svc-finish
+# Bring service down without terminating container
+def main [...args] { bf-s6 svc finish }
diff --git a/overlay/etc/s6-overlay/s6-rc.d/ssl-auto-request/run b/overlay/etc/s6-overlay/s6-rc.d/ssl-auto-request/run
index 2b03e5f..4cf91eb 100644
--- a/overlay/etc/s6-overlay/s6-rc.d/ssl-auto-request/run
+++ b/overlay/etc/s6-overlay/s6-rc.d/ssl-auto-request/run
@@ -1,38 +1,28 @@
-#!/command/with-contenv bash
-
-set -euo pipefail
-export BF_E="${PWD##*/}/$(basename ${0})"
-
-
-#======================================================================================================================
-# Run request executable and then disable the service.
-# First, wait until the Nginx service is running.
-#======================================================================================================================
-
-if [ "${PROXY_AUTO-}" = "1" ] ; then
-
-    if [ -n "$(pidof nginx)" ]; then
-
-        # run upgrade executable
-        bf-echo "Requesting SSL certificates using auto-generated conf.json."
-        ssl-request -a
-
+#!/usr/bin/nu
+
+use bf
+use bf/nginx/proxy auto
+bf env load -x ssl-auto-request
+
+# Request SSL certificates and then disable the service
+def main [...args] {
+    if (auto is_enabled) {
+        # get the pid of the nginx process - if the pid is empty, nginx is not running
+        let pid = { ^pidof nginx } | bf handle
+        if $pid == "" {
+            # wait 2s before exiting the service - S6 will keep restarting it until Nginx comes online
+            # on first run, it will disable this upgrade service itself
+            let sleep_for = 2sec
+            bf write debug $"Waiting ($sleep_for) for Nginx to come online."
+            sleep $sleep_for
+        } else {
+            # request SSL certificates for all configured domains
+
+            # disable the auto request service
+            auto disable_svc
+        }
+    } else {
         # disable the auto request service
-        ssl-auto-request-disable
-
-    else
-
-        # wait 2s before exiting the service - S6 will keep restarting it until Nginx comes online
-        # on first run, it will disable this upgrade service itself
-        SLEEP=2
-        bf-debug "Waiting ${SLEEP}s for Nginx to come online..."
-        sleep ${SLEEP}
-
-    fi
-
-else
-
-    # disable the auto request service
-    ssl-auto-request-disable
-
-fi
+        auto disable_svc
+    }
+}
diff --git a/overlay/tmp/NGINX_BUILD b/overlay/tmp/NGINX_BUILD
index 193e3db..0cfa7c2 100644
--- a/overlay/tmp/NGINX_BUILD
+++ b/overlay/tmp/NGINX_BUILD
@@ -1 +1 @@
-1.24.0-r7
\ No newline at end of file
+1.28.0-r3
\ No newline at end of file
diff --git a/overlay/tmp/install b/overlay/tmp/install
index 8090f3f..b545b02 100644
--- a/overlay/tmp/install
+++ b/overlay/tmp/install
@@ -1,72 +1,31 @@
-#!/bin/sh
-
-set -euo pipefail
-export BF_E=`basename ${0}`
-
-
-#======================================================================================================================
-# Get Nginx Version.
-#======================================================================================================================
-
-cd /tmp
-
-VERSION=$(cat NGINX_BUILD)
-bf-echo "Nginx version ${VERSION}."
-
-
-#======================================================================================================================
-# Install Nginx extensions.
-#======================================================================================================================
-
-bf-echo "Installing Nginx v${VERSION} extensions..."
-apk add --no-cache \
-    nginx-mod-http-naxsi=${VERSION} \
-    nginx-mod-http-set-misc=${VERSION}
-bf-done
-
-
-#======================================================================================================================
-# Install additional packages.
-#======================================================================================================================
-
-bf-echo "Installing additional packages..."
-apk add --no-cache \
-    bash \
-    curl \
-    jq \
-    openssl
-bf-done
-
-
-#======================================================================================================================
-# Download getssl script.
-#======================================================================================================================
-
-VERSION=`cat /tmp/GETSSL_VERSION`
-bf-echo "Downloading getssl ${VERSION}."
-
-GETSSL=/usr/lib/bf/proxy/getssl
-wget -O ${GETSSL} "https://raw.githubusercontent.com/srvrco/getssl/v${VERSION}/getssl"
-chmod +x ${GETSSL}
-bf-done
-
-
-#======================================================================================================================
-# Cleanup.
-#======================================================================================================================
-
-bf-echo "Cleaning up Nginx sites definitions."
-rm -rf /etc/nginx/sites
-bf-done
-
-
-#======================================================================================================================
-# Create and link Nginx directories.
-#======================================================================================================================
-
-bf-echo "Creating and linking Nginx directories."
-
-mkdir /sites
-ln -s /sites /etc/nginx/sites
-
-mkdir -p /ssl/certs
+#!/usr/bin/nu
+
+use bf
+
+# Setup and install getssl and depdencies
+def main [] {
+    # get nginx version and install dependencies
+    cd /tmp
+    let nginx_version = bf fs read NGINX_BUILD
+    bf write $"Installing dependencies for getssl."
+    bf pkg install [
+        "bash"
+        "curl"
+        $"nginx-mod-http-set-misc=($nginx_version)"
+        "openssl"
+    ]
+
+    # download getssl script and make executable
+    let getssl_version = bf fs read GETSSL_VERSION
+    let getssl_url = $"https://raw.githubusercontent.com/srvrco/getssl/v($getssl_version)/getssl"
+    let getssl_exe = "/usr/bin/getssl"
+    http get $getssl_url | save --raw $getssl_exe
+    ^chmod +x $getssl_exe
+
+    # create and link directories
+    ^ln -s /sites /etc/nginx/sites
+    ^mkdir -p /ssl/certs
+
+    # add bf-nginx-proxy module to config
+    bf config use bf/nginx/proxy
+}
diff --git a/overlay/usr/bin/bf/ssl-auto-request-disable b/overlay/usr/bin/bf/ssl-auto-request-disable
deleted file mode 100644
index 4c8a3e2..0000000
--- a/overlay/usr/bin/bf/ssl-auto-request-disable
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/command/with-contenv bash
-
-set -euo pipefail
-export BF_E=`basename ${0}`
-
-
-#======================================================================================================================
-# Use base executable to disable auto request service.
-#======================================================================================================================
-
-bf-svc-down ssl-auto-request
diff --git a/overlay/usr/lib/bf/inc/proxy-check.sh b/overlay/usr/lib/bf/inc/proxy-check.sh
deleted file mode 100644
index 44340b3..0000000
--- a/overlay/usr/lib/bf/inc/proxy-check.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Ensure PROXY_DOMAIN is set.
-#======================================================================================================================
-
-if [ -z "${PROXY_DOMAIN}" ] ; then
-    bf-error "PROXY_DOMAIN must be set before requesting SSL certificates." "inc/proxy-check.sh"
-    exit 1
-fi
-
-
-#======================================================================================================================
-# Ensure email is set.
-#======================================================================================================================
-
-if [ -z "${PROXY_LETS_ENCRYPT_EMAIL}" ] ; then
-    bf-error "PROXY_LETS_ENCRYPT_EMAIL must be set before requesting SSL certificates." "inc/proxy-check.sh"
-    exit 1
-fi
-
-
-#======================================================================================================================
-# Load configuration (creates DOMAINS array).
-#======================================================================================================================
-
-source ${BF_INC}/proxy-load-conf.sh
-
-
-#======================================================================================================================
-# Check whether or not domains have been registered.
-#======================================================================================================================
-
-if [ "${#DOMAINS[*]}" = "0" ] ; then
-    bf-error "No domains have been registered for SSL - please add them to /ssl/conf.json." "inc/proxy-check.sh"
-    exit 1
-fi
-
-
-#======================================================================================================================
-# Ensure certs directory exists.
-#======================================================================================================================
-
-[[ ! -d ${PROXY_SSL_CERTS} ]] && mkdir ${PROXY_SSL_CERTS}
diff --git a/overlay/usr/lib/bf/inc/proxy-init-domain.sh b/overlay/usr/lib/bf/inc/proxy-init-domain.sh
deleted file mode 100644
index f44bd6a..0000000
--- a/overlay/usr/lib/bf/inc/proxy-init-domain.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Initialise Nginx and SSL configuration for proxy domain.
-#======================================================================================================================
-
-init-proxy () {
-
-    bf-echo "  . Nginx..." "inc/proxy-init-domain.sh"
-    setup-nginx 1 ${PROXY_DOMAIN} "http://localhost" ""
-
-    bf-echo "  . SSL..." "inc/proxy-init-domain.sh"
-    setup-ssl ${PROXY_DOMAIN} ""
-
-}
-
-
-#======================================================================================================================
-# Initialise Nginx and SSL configuration for a domain.
-#
-# Arguments
-#   1   Domain name
-#======================================================================================================================
-
-init-domain () {
-
-    # get domain configuration values
-    PRIMARY_DOMAIN=${1}
-    UPSTREAM_SERVER=`get-upstream ${PRIMARY_DOMAIN}`
-    DOMAIN_ALIASES=`get-aliases ${PRIMARY_DOMAIN}`
-    CUSTOM_NGINX_CONFIG=`get-custom ${PRIMARY_DOMAIN}`
-
-    # add default Nginx configuration
-    bf-echo "  . Nginx..." "inc/proxy-init-domain.sh"
-    setup-nginx 0 ${PRIMARY_DOMAIN} ${UPSTREAM_SERVER} "${DOMAIN_ALIASES}" ${CUSTOM_NGINX_CONFIG}
-
-    # add default SSL files
-    bf-echo "  . SSL..." "inc/proxy-init-domain.sh"
-    setup-ssl ${PRIMARY_DOMAIN} "${DOMAIN_ALIASES}"
-
-}
diff --git a/overlay/usr/lib/bf/inc/proxy-load-conf.sh b/overlay/usr/lib/bf/inc/proxy-load-conf.sh
deleted file mode 100644
index 47156eb..0000000
--- a/overlay/usr/lib/bf/inc/proxy-load-conf.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Check JSON configuration file exists.
-#======================================================================================================================
-
-if [ ! -f "${PROXY_SSL_CONF}" ] ; then
-    bf-error "You must create ${PROXY_SSL_CONF} - see ssl-conf-sample.json." "inc/proxy-load-conf.sh"
-    exit 1
-fi
-
-
-#======================================================================================================================
-# Load JSON and create DOMAINS array by selecting primary keys.
-#======================================================================================================================
-
-JSON=`cat "${PROXY_SSL_CONF}" | jq '.'`
-
-declare -a DOMAINS=(`jq -r '.domains[].primary' <<< "${JSON}"`)
-
-
-#======================================================================================================================
-# Gets a domain object from the JSON configuration.
-#
-# Arguments
-#   1   Primary domain name to select
-#======================================================================================================================
-
-function get-domain() { jq --arg PRIMARY "${1}" '.domains[] | select(.primary == $PRIMARY)' <<< "${JSON}" ; }
-
-function get-upstream() { get-domain "${1}" | jq -r '.upstream' ; }
-function get-aliases() { get-domain "${1}" | jq -r '.aliases[]?' ; }
-function get-custom() { get-domain "${1}" | jq -r '.custom == true' ; }
diff --git a/overlay/usr/lib/bf/inc/proxy-replace.sh b/overlay/usr/lib/bf/inc/proxy-replace.sh
deleted file mode 100644
index adf1c76..0000000
--- a/overlay/usr/lib/bf/inc/proxy-replace.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Replace a key/value pair in a file.
-#
-# Arguments
-#   1   Key
-#   2   Value
-#   3   File path
-#======================================================================================================================
-
-replace () { replace-d "${1}" "\"${2}\"" ${3}; }
-
-replace-d () {
-
-    K=${1}
-    V=${2}
-    FILE=${3}
-
-    [[ ! -z "${V}" ]] && sed -i "s|^#\?${K}.*$|${K}=${V}|i" ${FILE}
-
-}
diff --git a/overlay/usr/lib/bf/inc/proxy-setup-global.sh b/overlay/usr/lib/bf/inc/proxy-setup-global.sh
deleted file mode 100644
index 92027c5..0000000
--- a/overlay/usr/lib/bf/inc/proxy-setup-global.sh
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Set up global configuration.
-#======================================================================================================================
-
-setup-global () {
-
-    if [ ! -f ${PROXY_GETSSL_GLOBAL_CFG} ] ; then
-        bf-debug " .. creating global configuration file..." "inc/proxy-setup-global.sh"
-        bf-esh ${BF_TEMPLATES}/getssl-global.conf.esh ${PROXY_GETSSL_GLOBAL_CFG}
-    fi
-
-    if [ ! -f ${PROXY_SSL_DHPARAM} ] ; then
-        bf-debug " .. generating dhparam..." "inc/proxy-setup-global.sh"
-        openssl dhparam -out ${PROXY_SSL_DHPARAM} ${PROXY_SSL_DHPARAM_BITS}
-    fi
-
-}
diff --git a/overlay/usr/lib/bf/inc/proxy-setup-nginx.sh b/overlay/usr/lib/bf/inc/proxy-setup-nginx.sh
deleted file mode 100644
index f435c46..0000000
--- a/overlay/usr/lib/bf/inc/proxy-setup-nginx.sh
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Set up Nginx.
-#
-# Arguments
-#   1   0 for proxied domain, 1 for domain of the proxy server itself
-#   2   Domain name
-#   3   Upstream URL
-#   4   Name of Domain Aliases array
-#   5   Blank (regenerate) or 'custom' (keep) Nginx configuration file
-#======================================================================================================================
-
-setup-nginx () {
-
-    # give arguments friendly names
-    export IS_PROXY=${1}
-    export DOMAIN_NAME=${2}
-    export UPSTREAM=${3}
-    local DOMAIN_ALIASES=${4}
-    export DOMAIN_NGXCONF=${5}
-
-    # paths to site configuration and custom config directory
-    local SITE="${PROXY_SITES}/${DOMAIN_NAME}"
-    local CONF="${SITE}.conf"
-    export CUSTOM_CONF="${SITE}.d"
-
-    # check for custom site configuration directory
-    [[ ! -d ${CUSTOM_CONF} ]] && mkdir ${CUSTOM_CONF}
-
-    # check for existing configuration file
-    if [ -f ${CONF} ] ; then
-
-        # if true, leave file (allows custom config)
-        if [ "${DOMAIN_NGXCONF}" = "true" ] ; then
-            bf-debug "    keeping existing configuration." "inc/proxy-setup-nginx.sh"
-            return 0
-
-        # otherwise, remove config so it can be regenerated
-        else
-            bf-debug "    removing and regnerating Nginx configuration" "inc/proxy-setup-nginx.sh"
-            rm ${CONF}
-        fi
-
-    else
-
-        # no need to remove anything, be a good log citizen
-        bf-debug "    generating default Nginx configuration" "inc/proxy-setup-nginx.sh"
-
-    fi
-
-    # build domain list and remove trailing / multiple spaces between domains
-    export SERVER_NAMES=$(echo "${DOMAIN_NAME} ${DOMAIN_ALIASES}" | xargs)
-
-    # generate site configuration
-    if [ "${IS_PROXY}" = "1" ] ; then
-        NGINX_CONF="proxy"
-    else
-        NGINX_CONF="site"
-    fi
-
-    # generate config
-    bf-esh ${BF_TEMPLATES}/nginx-${NGINX_CONF}.conf.esh ${CONF} > /dev/null 2>&1
-
-}
diff --git a/overlay/usr/lib/bf/inc/proxy-setup-ssl.sh b/overlay/usr/lib/bf/inc/proxy-setup-ssl.sh
deleted file mode 100644
index da41385..0000000
--- a/overlay/usr/lib/bf/inc/proxy-setup-ssl.sh
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Generate a temporary SSL certificate and key.
-#
-# Arguments
-#   1   Base path
-#   2   Domain name
-#======================================================================================================================
-
-generate-temp-cert () {
-
-    openssl req \
-        -x509 \
-        -sha256 \
-        -nodes \
-        -days 3650 \
-        -newkey rsa:${PROXY_SSL_KEY_BITS} \
-        -keyout ${2} \
-        -out ${1} \
-        -subj "/C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=${3}"
-
-}
-
-
-#======================================================================================================================
-# Create PEM file out of the private key, server certificate, and intermediate certificate.
-#
-# Arguments
-#   1   Domain name
-#======================================================================================================================
-
-create-pem () {
-
-    local DOMAIN_NAME=${1}
-    local CERT=${PROXY_SSL_CERTS}/${DOMAIN_NAME}
-    local PEM=${CERT}/${DOMAIN_NAME}.pem
-
-    cat ${CERT}.key > ${PEM}
-    cat ${CERT}/fullchain.crt >> ${PEM}
-
-}
-
-
-#======================================================================================================================
-# Set up SSL for a domain.
-#
-# Arguments
-#   1   Domain name
-#   2   String containing Domain Aliases (separated by spaces)
-#======================================================================================================================
-
-setup-ssl () {
-
-    local DOMAIN_NAME=${1}
-    local DOMAIN_ALIASES=(${2})
-    local FILE=${PROXY_SSL_CERTS}/${DOMAIN_NAME}/${PROXY_GETSSL_CFG}
-
-    # check for existing configuration
-    [[ -f ${FILE} ]] && bf-debug "    already set up." "inc/proxy-setup-ssl.sh" && return 0
-
-    # getssl flags
-    #   -d  enable debug output
-    #   -U  stop upgrade checks
-    #   -w  set working directory
-    #   -c  create default configuration files
-    ${PROXY_GETSSL} ${PROXY_GETSSL_FLAGS} -w ${PROXY_SSL_CERTS} -c ${DOMAIN_NAME}
-
-    # set default values
-    local SANS=$(printf ",%s" ${DOMAIN_ALIASES[@]})
-    local CERT=${PROXY_SSL_CERTS}/${DOMAIN_NAME}
-    local ACL_DIR="'${PROXY_WWW_ACME_CHALLENGE}'"
-    local ACL_RPT=$((${#DOMAIN_ALIASES[@]} + 1))
-    local ACL=$(yes ${ACL_DIR} | head -n ${ACL_RPT} | sed -n 'H;${x;s/\n/ /gp}')
-
-    # replace config values with defaults
-    bf-debug "    replacing configuration value" "inc/proxy-setup-ssl.sh"
-    replace "SANS" "${SANS:1}" ${FILE}
-    replace "DOMAIN_CERT_LOCATION" "${CERT}.crt" ${FILE}
-    replace "DOMAIN_KEY_LOCATION" "${CERT}.key" ${FILE}
-    replace-d "ACL" "(${ACL})" ${FILE}
-
-    # create self-signed certificate so nginx will start before we request proper certificates
-    bf-debug "    generating temporary SSL certificates" "inc/proxy-setup-ssl.sh"
-    generate-temp-cert ${CERT}/fullchain.crt ${CERT}.key ${DOMAIN_NAME}
-    generate-temp-cert ${CERT}/chain.crt ${CERT}/chain.key ${DOMAIN_NAME}
-    rm ${CERT}/chain.key
-
-    # create pem file
-    create-pem "${DOMAIN_NAME}"
-
-}
-
-
-#======================================================================================================================
-# Request certificate for a domain.
-#
-# getssl flags
-#   -d  enable debug output
-#   -U  stop upgrade checks
-#   -w  set working directory
-#
-# Arguments
-#   1   Domain name
-#======================================================================================================================
-
-request() {
-    ${PROXY_GETSSL} ${PROXY_GETSSL_FLAGS} -w ${PROXY_SSL_CERTS} "${1}"
-    create-pem "${1}"
-}
diff --git a/overlay/usr/lib/bf/proxy/init b/overlay/usr/lib/bf/proxy/init
deleted file mode 100644
index 05ef50b..0000000
--- a/overlay/usr/lib/bf/proxy/init
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Run checks.
-#======================================================================================================================
-
-source ${BF_INC}/proxy-check.sh
-
-
-#======================================================================================================================
-# Require source files.
-#======================================================================================================================
-
-source ${BF_INC}/proxy-init-domain.sh
-source ${BF_INC}/proxy-replace.sh
-source ${BF_INC}/proxy-setup-global.sh
-source ${BF_INC}/proxy-setup-nginx.sh
-source ${BF_INC}/proxy-setup-ssl.sh
-
-
-#======================================================================================================================
-# Set up global SSL configuration.
-#======================================================================================================================
-
-bf-echo "Setting up getssl..." "proxy/init"
-setup-global
-bf-done "proxy/init"
-
-
-#======================================================================================================================
-# Initialise Nginx and SSL for requested domain.
-#======================================================================================================================
-
-if [ "${1}" = "proxy" ] || [ "${1}" = "${PROXY_DOMAIN}" ] ; then
-
-    bf-echo "Initialising Nginx and SSL for proxy domain ${PROXY_DOMAIN}..." "proxy/init"
-    init-proxy
-
-else
-
-    bf-echo "Initialising Nginx and SSL for ${1}..." "proxy/init"
-    init-domain "${1}"
-
-fi
-
-bf-done "proxy/init"
diff --git a/overlay/usr/lib/bf/proxy/init-all b/overlay/usr/lib/bf/proxy/init-all
deleted file mode 100644
index 67bf97f..0000000
--- a/overlay/usr/lib/bf/proxy/init-all
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Run checks.
-#======================================================================================================================
-
-source ${BF_INC}/proxy-check.sh
-
-
-#======================================================================================================================
-# Require source files.
-#======================================================================================================================
-
-source ${BF_INC}/proxy-init-domain.sh
-source ${BF_INC}/proxy-replace.sh
-source ${BF_INC}/proxy-setup-global.sh
-source ${BF_INC}/proxy-setup-nginx.sh
-source ${BF_INC}/proxy-setup-ssl.sh
-
-
-#======================================================================================================================
-# Set up global SSL configuration.
-#======================================================================================================================
-
-bf-echo "Setting up getssl..." "proxy/init-all"
-setup-global
-bf-done "proxy/init-all"
-
-
-#======================================================================================================================
-# Set up Nginx and SSL for proxy domain.
-#======================================================================================================================
-
-bf-echo "Initialising Nginx and SSL for proxy domain ${PROXY_DOMAIN}..." "proxy/init-all"
-init-proxy
-bf-done "proxy/init-all"
-
-
-#======================================================================================================================
-# Set up Nginx and SSL for each domain.
-#======================================================================================================================
-
-bf-echo "Initialising Nginx and SSL for all domains..." "proxy/init-all"
-for DN in "${DOMAINS[@]}" ; do
-
-    bf-echo " .. ${DN}" "proxy/init-all"
-    init-domain "${DN}"
-    bf-ok "  . done." "proxy/init-all"
-
-done
-bf-done "proxy/init-all"
diff --git a/overlay/usr/lib/bf/proxy/request b/overlay/usr/lib/bf/proxy/request
deleted file mode 100644
index 8560a0d..0000000
--- a/overlay/usr/lib/bf/proxy/request
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Run checks and include ssl functions.
-#======================================================================================================================
-
-source ${BF_INC}/proxy-check.sh
-source ${BF_INC}/proxy-setup-ssl.sh
-
-
-#======================================================================================================================
-# Get certificates for requested domain.
-#======================================================================================================================
-
-bf-echo "Requesting domain certificate for ${1}..." "proxy/request"
-request "${1}"
-bf-done "proxy/request"
diff --git a/overlay/usr/lib/bf/proxy/request-all b/overlay/usr/lib/bf/proxy/request-all
deleted file mode 100644
index a09c063..0000000
--- a/overlay/usr/lib/bf/proxy/request-all
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Run checks and include ssl functions.
-#======================================================================================================================
-
-source ${BF_INC}/proxy-check.sh
-source ${BF_INC}/proxy-setup-ssl.sh
-
-
-#======================================================================================================================
-# Get certificate for the proxy domain.
-#======================================================================================================================
-
-bf-echo "Requesting proxy domain certificate..." "proxy/request-all"
-bf-debug " .. ${PROXY_DOMAIN}"
-request "${PROXY_DOMAIN}"
-bf-done "proxy/request-all"
-
-
-#======================================================================================================================
-# Get certificates for all registered domains.
-#======================================================================================================================
-
-bf-echo "Requesting domain certificates..." "proxy/request-all"
-for DN in "${DOMAINS[@]}" ; do
-    bf-debug " .. ${DN}" "proxy/request-all"
-    request "${DN}"
-done
-bf-done "proxy/request-all"
diff --git a/overlay/usr/lib/bf/proxy/update b/overlay/usr/lib/bf/proxy/update
deleted file mode 100644
index 9b020eb..0000000
--- a/overlay/usr/lib/bf/proxy/update
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Run checks and include ssl functions.
-#======================================================================================================================
-
-source ${BF_INC}/proxy-check.sh
-source ${BF_INC}/proxy-setup-ssl.sh
-
-
-#======================================================================================================================
-# Run update.
-#
-# getssl flags
-#   -d  enable debug output
-#   -U  stop upgrade checks
-#   -w  set working directory
-#======================================================================================================================
-
-bf-echo "Updating SSL certificate for ${1}..." "proxy/update"
-${PROXY_GETSSL} ${PROXY_GETSSL_FLAGS} -w ${PROXY_SSL_CERTS} ${1}
-bf-done "proxy/update"
-
-
-#======================================================================================================================
-# Update pem file.
-#======================================================================================================================
-
-bf-echo "Updating pem file for ${1}..." "proxy/update"
-create-pem "${1}"
-bf-done "proxy/update"
diff --git a/overlay/usr/lib/bf/proxy/update-all b/overlay/usr/lib/bf/proxy/update-all
deleted file mode 100644
index f1a3d7b..0000000
--- a/overlay/usr/lib/bf/proxy/update-all
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/bash
-
-
-#======================================================================================================================
-# Run checks and include ssl functions.
-#======================================================================================================================
-
-source ${BF_INC}/proxy-check.sh
-source ${BF_INC}/proxy-setup-ssl.sh
-
-
-#======================================================================================================================
-# Run update.
-#
-# getssl flags
-#   -d  enable debug output
-#   -U  stop upgrade checks
-#   -w  set working directory
-#   -a  check all certificates
-#======================================================================================================================
-
-bf-echo "Updating all SSL certificates..." "proxy/update-all"
-${PROXY_GETSSL} ${PROXY_GETSSL_FLAGS} -w ${PROXY_SSL_CERTS} -a
-bf-done "proxy/update-all"
-
-
-#======================================================================================================================
-# Update all pem files (easier than working out which have been changed).
-#======================================================================================================================
-
-bf-echo "Updating pem files..." "proxy/update-all"
-create-pem ${PROXY_DOMAIN}
-for DN in "${DOMAINS[@]}" ; do create-pem "${DN}" ; done
-bf-done "proxy/update-all"
diff --git a/run.sh b/run.sh
new file mode 100644
index 0000000..6686a27
--- /dev/null
+++ b/run.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+IMAGE=`cat VERSION`
+
+docker buildx build \
+    --load \
+    --build-arg BF_IMAGE=nginx-proxy \
+    --build-arg BF_VERSION=${IMAGE} \
+    -f Dockerfile \
+    -t nginx-proxy-dev \
+    . \
+    && \
+    docker run -it --env-file ./test.env nginx-proxy-dev sh
diff --git a/test.env b/test.env
new file mode 100644
index 0000000..ecda485
--- /dev/null
+++ b/test.env
@@ -0,0 +1,7 @@
+BF_DEBUG=1
+BF_PROXY_CLEAN_INSTALL=1
+BF_PROXY_DOMAIN=localhost
+BF_PROXY_GETSSL_EMAIL=ben@bcgdesign.com
+BF_PROXY_HARDEN=1
+BF_PROXY_SSL_DHPARAM_BITS=1024
+BF_PROXY_SSL_KEY_BITS=1024
\ No newline at end of file
diff --git a/test.sh b/test.sh
new file mode 100755
index 0000000..c4199ad
--- /dev/null
+++ b/test.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+IMAGE=nginx-proxy
+VERSION=`cat VERSION`
+ALPINE=${1:-3.20}
+TAG=${IMAGE}-test
+
+docker buildx build \
+    --load \
+    --build-arg BF_IMAGE=${IMAGE} \
+    --build-arg BF_VERSION=${VERSION} \
+    -f Dockerfile \
+    -t ${TAG} \
+    . \
+    && \
+    docker run --env-file ./test.env --entrypoint /test ${TAG}