diff --git a/create_certs.sh b/create_certs.sh
index 739b1e7..fa61541 100755
--- a/create_certs.sh
+++ b/create_certs.sh
@@ -35,4 +35,6 @@ create_cert "${ca1}" "ansible.http.tests"
 create_cert "${ca1}" "sni1.ansible.http.tests"
 create_cert "${ca1}" "sni2.ansible.http.tests"
 create_cert "${ca1}" "client.ansible.http.tests"
+create_cert "${ca1}" "no-tls13.ansible.http.tests"
+create_cert "${ca1}" "no-tls13-weak.ansible.http.tests"
 create_cert "${ca2}" "self-signed.ansible.http.tests"
diff --git a/nginx.sites.conf b/nginx.sites.conf
index 1543764..d091be6 100644
--- a/nginx.sites.conf
+++ b/nginx.sites.conf
@@ -74,6 +74,48 @@ server {
 }
 }
 
+server {
+ listen 80;
+ listen 445 ssl;
+
+ server_name no-tls13.ansible.http.tests;
+
+ ssl_certificate /root/ca/no-tls13.ansible.http.tests-cert.pem;
+ ssl_certificate_key /root/ca/private/no-tls13.ansible.http.tests-key.pem;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers @SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM;
+
+ location / {
+ return 200 "no-tls13.ansible.http.tests";
+ }
+
+ location /redir {
+ rewrite .* https://no-tls13.ansible.http.tests:445/ permanent;
+ }
+}
+
+server {
+ listen 80;
+ listen 446 ssl;
+
+ server_name no-tls13-weak.ansible.http.tests;
+
+ ssl_certificate /root/ca/no-tls13-weak.ansible.http.tests-cert.pem;
+ ssl_certificate_key /root/ca/private/no-tls13-weak.ansible.http.tests-key.pem;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers AES128-CCM8;
+
+ location / {
+ return 200 "no-tls13-weak.ansible.http.tests";
+ }
+
+ location /redir {
+ rewrite .* https://no-tls13-weak.ansible.http.tests:446/ permanent;
+ }
+}
+
 server {
 listen 80;
 listen 444 ssl;
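Review bot: Both new server blocks in nginx.sites.conf enable TLSv1 and TLSv1.1, and the second pins the single cipher `AES128-CCM8`, yet nothing in the file records that this is deliberate, so the next person hardening this config is likely to "fix" it and silently break whichever client test depends on it. A one-line comment above each block would prevent that, e.g. `# Test fixture: intentionally offers only TLS <= 1.2 so clients can be exercised against a server without TLS 1.3.` for the first and `# Test fixture: intentionally negotiates only a weak cipher; not a template for a real site.` for the second. The comment on the first block should also note that with `@SECLEVEL=2` in `ssl_ciphers`, whether TLSv1/TLSv1.1 are actually offered depends on the OpenSSL build nginx links against (recent releases refuse pre-1.2 protocols at level 1 and above), so the effective protocol set is best confirmed with a handshake check rather than assumed from `ssl_protocols`. The create_certs.sh hunk only adds the two matching `create_cert` calls and needs no change.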