diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 8eff4292f..4eb47ee76 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -725,7 +725,7 @@ jobs:
       - name: Collect Docker Compose logs
         if: always()
-        run: make logs-all-dump env=test > docker-compose.log
+        run: make logs-all-dump env=batch-test > docker-compose.log
 
       - uses: test-summary/action@v2.3
         with:
diff --git a/docker/compose.development.yaml b/docker/compose.development.yaml
index 34d43da26..d997381ef 100644
--- a/docker/compose.development.yaml
+++ b/docker/compose.development.yaml
@@ -1,7 +1,7 @@
 services:
   # terminate tls so we don't need to have exceptions in the nginx config file for development
   port-expose:
-    image: nginx:1.27.3-alpine
+    image: nginx:1.29.1-alpine3.22
     networks:
       - public-internet
       - internal
diff --git a/docker/compose.integration-tests.yaml b/docker/compose.integration-tests.yaml
index 35825ac8c..b1084a3e6 100644
--- a/docker/compose.integration-tests.yaml
+++ b/docker/compose.integration-tests.yaml
@@ -4,7 +4,7 @@ services:
   # from the internal network to the outside
   # also terminate tls so we don't need to have exceptions in the nginx config file for development
   port-expose:
-    image: nginx:1.27.3-alpine
+    image: nginx:1.29.1-alpine3.22
     networks:
       - public-internet
       - port-expose
@@ -96,7 +96,7 @@ services:
       - $RABBITMQ_GUI
 
   test-target:
-    image: nginx:1.27.3-alpine
+    image: nginx:1.29.1-alpine3.22
     networks:
       public-internet:
@@ -137,7 +137,7 @@ services:
       MH_SMTP_BIND_ADDR: 0.0.0.0:25
 
   static:
-    image: nginx:1.27.3-alpine
+    image: nginx:1.29.1-alpine3.22
     restart: unless-stopped
diff --git a/docker/compose.yaml b/docker/compose.yaml
index ecc66f4c6..989543bf9 100644
--- a/docker/compose.yaml
+++ b/docker/compose.yaml
@@ -59,7 +59,7 @@ services:
       - nginx-logs-exporter:/var/log/nginx/prometheus-nginxlog-exporter/
     healthcheck:
-      test: ["CMD", "service", "nginx", "status"]
+      test: ["CMD", "curl", "-ksSo/dev/null", "https://$INTERNETNL_DOMAINNAME", "--resolve", "$INTERNETNL_DOMAINNAME:443:127.0.0.1"]
       interval: $HEALTHCHECK_INTERVAL
       start_interval: $HEALTHCHECK_START_INTERVAL
       start_period: 1m
diff --git a/docker/webserver.Dockerfile b/docker/webserver.Dockerfile
index cc4728625..63c4edeea 100644
--- a/docker/webserver.Dockerfile
+++ b/docker/webserver.Dockerfile
@@ -1,11 +1,12 @@
-FROM nginx:1.27.3
+FROM nginx:1.29.1-alpine3.22
 
-RUN apt-get update && apt-get install -y \
+RUN apk add --no-cache \
+    # for random quic host key
+    openssl \
     # for htpasswd
     apache2-utils \
-    # for gixy install
-    python3-venv \
-    && rm -rf /var/lib/apt/lists/*
+    # for gixy and certbot install
+    python3
 
 # install nginx config static analysis tool
 RUN python3 -m venv /opt/gixy
diff --git a/docker/webserver/nginx_templates/app.conf.template b/docker/webserver/nginx_templates/default.conf.template
similarity index 98%
rename from docker/webserver/nginx_templates/app.conf.template
rename to docker/webserver/nginx_templates/default.conf.template
index e091882b9..0565cffa2 100644
--- a/docker/webserver/nginx_templates/app.conf.template
+++ b/docker/webserver/nginx_templates/default.conf.template
@@ -32,12 +32,6 @@ resolver 127.0.0.11 ipv6=off valid=5s;
 
 root /var/www/internet.nl;
 
-# enable OSCP stapling
-ssl_stapling on;
-ssl_stapling_verify on;
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
-
 http2 on;
 http3 on;
 quic_gso on;
diff --git a/docker/webserver/nginx_templates/letsencrypt.conf.template b/docker/webserver/nginx_templates/letsencrypt.conf.template
deleted file mode 100644
index ce3f174b4..000000000
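Review bot: The new healthcheck reports healthy for any HTTP response, because curl without `--fail` exits 0 on a 5xx, and `-k` also accepts an expired or mismatched certificate; if the intent is only "nginx answers TLS on 443" that is a reasonable liveness probe, but it should be stated so nobody later reads this as an end-to-end check. A `--max-time` shorter than the healthcheck timeout also keeps a hung handshake from relying on Docker to kill the probe. Suggest `test: ["CMD", "curl", "-ksS", "--max-time", "5", "-o", "/dev/null", "https://$INTERNETNL_DOMAINNAME", "--resolve", "$INTERNETNL_DOMAINNAME:443:127.0.0.1"]` (add `-f` only if a 5xx from the app should mark the webserver unhealthy) with the comment `# -k: certificate validity is deliberately not checked here; the probe only verifies nginx serves TLS`. Note `$INTERNETNL_DOMAINNAME` is expanded by Compose when the file is parsed, not in the container, so an unset variable produces `https://` and a permanently failing check — presumably guarded elsewhere, worth confirming.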
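Review bot: The base image is still a mutable tag, `FROM nginx:1.29.1-alpine3.22`, so the build is not reproducible and a re-tagged upstream image would be pulled silently; pinning the digest alongside the tag, `FROM nginx:1.29.1-alpine3.22@sha256:<digest>`, gives the supply-chain guarantee the more specific tag only suggests. The Debian-to-Alpine switch also changes which OpenSSL the nginx templates are validated against (Alpine 3.22 presumably ships OpenSSL 3.5, which the ML-KEM group names added elsewhere in this commit depend on); a comment such as `# Alpine 3.22 for OpenSSL 3.5 (ML-KEM hybrid groups in tls.conf.template)` would stop a future bumper from moving back to a base that breaks startup. The trailing `RUN python3 -m venv /opt/gixy` now relies on Alpine's `python3` package providing the venv and ensurepip modules, which appears to hold for current Alpine but should be confirmed by the build rather than assumed.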
--- a/docker/webserver/nginx_templates/letsencrypt.conf.template
+++ /dev/null
@@ -1,2 +0,0 @@
-ssl_certificate /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/privkey.pem;
diff --git a/docker/webserver/nginx_templates/tls.conf.template b/docker/webserver/nginx_templates/tls.conf.template
new file mode 100644
index 000000000..8a52fea0f
--- /dev/null
+++ b/docker/webserver/nginx_templates/tls.conf.template
@@ -0,0 +1,8 @@
+# If certificate has OCSP, enable the ssl_stapling
+#ssl_stapling on;
+#ssl_stapling_verify on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
+ssl_ecdh_curve SecP384r1MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768:secp521r1:brainpoolP512r1:x448:brainpoolP384r1:secp384r1:x25519:secp256r1:brainpoolP256r1;
+ssl_certificate /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/${INTERNETNL_DOMAINNAME}/privkey.pem;
diff --git a/integration_tests/conftest.py b/integration_tests/conftest.py
index 91df39499..3fd6ff29d 100644
--- a/integration_tests/conftest.py
+++ b/integration_tests/conftest.py
@@ -187,8 +187,7 @@ def register_test_user(unique_id):
     # reload nginx
     command = (
-        f'docker compose --ansi=never --project-name "{COMPOSE_PROJECT_NAME}"'
-        " exec webserver service nginx reload"
+        f'docker compose --ansi=never --project-name "{COMPOSE_PROJECT_NAME}"' " exec webserver nginx -s reload"
     )
     subprocess.check_call(command, shell=True, universal_newlines=True)
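Review bot: The cipher list switched to IANA names (`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:…`) where the removed line used OpenSSL names, and `ssl_ecdh_curve` now leads with ML-KEM hybrids and includes brainpool groups; nginx hands both strings verbatim to OpenSSL, and an unrecognised cipher or group is a startup failure rather than a silent fallback, so this must be validated (`nginx -t` in CI) against the OpenSSL actually linked into the Alpine 3.22 image, which is expected to be 3.5, the first release to accept `X25519MLKEM768`. Leaving OCSP stapling off is a real change from the previous config and the comment should say why rather than "if certificate has OCSP"; something like `# OCSP stapling disabled: the CA in use (Let's Encrypt) is dropping OCSP responders from its certificates — confirm — and nginx warns on every start when ssl_stapling is on with no responder` keeps the next reader from simply re-enabling it. If this template is rendered into conf.d like default.conf.template, these directives apply at the http level to every server block, which is fine as long as no server block overrides `ssl_protocols` with something weaker — an `nginx -T` or gixy pass would confirm.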
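Review bot: The rewritten command is two adjacent string literals on one line, `f'…"{COMPOSE_PROJECT_NAME}"' " exec webserver nginx -s reload"`, whose implicit concatenation reads like a missing operator; as one literal it is clearer: `f'docker compose --ansi=never --project-name "{COMPOSE_PROJECT_NAME}" exec webserver nginx -s reload'`. Because the command runs with `shell=True`, a project name containing a double quote would break out of the quoting; passing an argv list with `shell=False` avoids both the quoting and the injection surface. `nginx -s reload` returns as soon as the signal is sent, so a request made immediately afterwards may still be served by a worker running the old config; the old `service nginx reload` likely behaved the same, so this is not a regression, but a comment `# reload is asynchronous; workers pick up the new htpasswd shortly after` would save debugging a flaky test. `register_test_user` starts before and ends after this hunk.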