diff --git a/nginx/conntest.conf b/nginx/conntest.conf
new file mode 100644
index 0000000000000000000000000000000000000000..415ca825da123e8fb5993d81b0e4839323fefab4
--- /dev/null
+++ b/nginx/conntest.conf
@@ -0,0 +1,84 @@
+server {
+    listen [::]:443 ssl http2;
+    listen 443 ssl http2;
+    server_name conntest.stustanet.de conntest.stusta.net conntest.stusta.mhn.de conntest.stusta.de;
+
+    ssl_certificate /etc/letsencrypt/live/conntest.stusta.mhn.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/conntest.stusta.mhn.de/privkey.pem;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+
+    # OCSP Stapling
+    # fetch OCSP records from URL in ssl_certificate and cache them
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/conntest.stusta.mhn.de/chain.pem;
+    resolver 8.8.4.4 8.8.8.8;
+
+    access_log  off;
+    error_log   off;
+
+    location = /blocked {
+        return 301 http://$host$request_uri;
+    }
+
+    location = / {
+        return 302 http://selftest.stustanet.de/;
+    }
+
+    location /generate_204 {
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, HEAD' always;
+        add_header 'Content-Type' 'text/plain; charset=utf-8';
+        add_header 'Content-Length' 0;
+        return 204;
+    }
+
+    location / {
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, HEAD' always;
+        default_type text/plain;
+        return 418 "Connectivity Check\n";
+    }
+}
+
+server {
+    listen [::]:80;
+    listen 80;
+    server_name conntest.stustanet.de conntest.stusta.net conntest.stusta.mhn.de conntest.stusta.de;
+
+    access_log  off;
+    error_log   off;
+
+    location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root /var/www/conntest;
+        break;
+    }
+
+    location = /blocked {
+        default_type text/html;
+        alias /var/www/conntest/blocked.html;
+    }
+
+    location = / {
+        return 302 http://selftest.stustanet.de/;
+    }
+
+    location /generate_204 {
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, HEAD' always;
+        add_header 'Content-Type' 'text/plain; charset=utf-8';
+        add_header 'Content-Length' 0;
+        return 204;
+    }
+
+    location / {
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, HEAD' always;
+        default_type text/plain;
+        return 418 "Connectivity Check\n";
+    }
+}
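Review bot: `error_log off;` in both server blocks does not disable error logging. The `error_log` directive has no `off` value, so nginx treats it as a file name and writes errors to a file called `off` under its prefix path, where it is easy to overlook and is not rotated. If discarding is really intended, `error_log /dev/null crit;` does that, though sending `crit` to a real log file would keep certificate and OCSP stapling failures visible. In the two `/generate_204` locations, `add_header 'Content-Length' 0;` attaches a Content-Length to a 204 response, which RFC 7230 §3.3.2 forbids, and `add_header 'Content-Type' ...` adds a raw header rather than setting the response type; both lines can be dropped so that only `return 204;` and the CORS headers remain.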
diff --git a/nginx/selftest.conf b/nginx/selftest.conf
new file mode 100644
index 0000000000000000000000000000000000000000..43f2464264859d689efacf4e52890bf214722efb
--- /dev/null
+++ b/nginx/selftest.conf
@@ -0,0 +1,60 @@
+server {
+    listen 80;
+    listen [::]:80;
+    # NO HTTPS! - Otherwise the HTTP test would be "mixed content", which gets blocked!
+
+    server_name selftest.stustanet.de;
+
+    access_log off;
+
+    location /blocked {
+        return 302 http://conntest.stustanet.de/blocked;
+    }
+
+    location /ip {
+        default_type text/plain;
+        return 200 "$remote_addr\n";
+    }
+
+    location /status {
+        default_type application/json;
+        set $ssn "true";
+        if ( $remote_addr !~ "^((10\.150\.[01]?\d?\d\..*)|(141\.84\.69\..*)|(10\.149\.0?([0-9]|1[0-5])\..*)|(129\.187\.166\.15[6-9])|(2001:4ca0:0?20[01]:.*)|(10\.0\..*))") {
+            set $ssn "false";
+        }
+        return 200 "{\"ip\": \"$remote_addr\", \"ssn\": $ssn}\n";
+    }
+
+    root /var/www/connectivity-selftest/public;
+    index index.html;
+}
+
+server {
+        listen 80;
+        listen [::]:80;
+
+        server_name selftest.stusta.net selftest.stusta.de selftest.stusta.mhn.de connectivity.stusta.net connectivity.stustanet.de connectivity.stusta.de connectivity.stusta.mhn.de diagnose.stusta.net diagnose.stustanet.de diagnose.stusta.de diagnose.stusta.mhn.de diagnosis.stusta.net diagnosis.stustanet.de diagnosis.stusta.de diagnosis.stusta.mhn.de;
+
+        access_log off;
+
+    return 302 http://selftest.stustanet.de$request_uri;
+}
+
+server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+
+        server_name selftest.stusta.net selftest.stustanet.de selftest.stusta.de selftest.stusta.mhn.de connectivity.stusta.net connectivity.stustanet.de connectivity.stusta.de connectivity.stusta.mhn.de diagnose.stusta.net diagnose.stustanet.de diagnose.stusta.de diagnose.stusta.mhn.de diagnosis.stusta.net diagnosis.stustanet.de diagnosis.stusta.de diagnosis.stusta.mhn.de;
+
+    ssl_certificate /etc/ssl/acme_selftest.stustanet.de/active/fullchainfile;
+    ssl_certificate_key /etc/ssl/private/selftest.stustanet.de.key;
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+        access_log off;
+
+    return 302 http://selftest.stustanet.de$request_uri;
+}
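Review bot: The in-network check in `location /status` classifies `$remote_addr` with a hand-written regex that is hard to audit; for example, `10\.150\.[01]?\d?\d\.` accepts third octets 0–199, a range that does not line up with any single prefix. A `geo` block in the http context expresses the same ranges as CIDR prefixes and removes the `if`; the prefixes below are my reading of the regex and need to be confirmed against the intended allocations. `$remote_addr` is the TCP peer only while no realip or proxy-header rewriting applies to this vhost, which this file does not show, so `ssn` is best treated as informational rather than as an access decision. Separately, `/ip`, `/status` and `/blocked` are prefix locations, so a path such as `/status-foo` also matches; `location = /status` would pin each to the exact path.

```nginx
# http context: top of this file, outside the server blocks
geo $ssn {
    default              false;
    10.0.0.0/16          true;
    10.149.0.0/20        true;
    10.150.0.0/17        true;
    10.150.128.0/18      true;
    10.150.192.0/21      true;
    141.84.69.0/24       true;
    129.187.166.156/30   true;
    2001:4ca0:200::/47   true;
}

# ... unchanged: server block header, /blocked and /ip locations ...

    location /status {
        default_type application/json;
        return 200 "{\"ip\": \"$remote_addr\", \"ssn\": $ssn}\n";
    }
```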