diff --git a/entrypoint/20-envsubst-on-templates.sh b/entrypoint/20-envsubst-on-templates.sh
index 60a5094..72e733d 100755
--- a/entrypoint/20-envsubst-on-templates.sh
+++ b/entrypoint/20-envsubst-on-templates.sh
@@ -10,10 +10,30 @@ entrypoint_log() {
   fi
 }
 
+add_stream_block() {
+  local conffile="/etc/nginx/nginx.conf"
+
+  if grep -q -E "\s*stream\s*\{" "$conffile"; then
+    entrypoint_log "$ME: $conffile contains a stream block; include $stream_output_dir/*.conf to enable stream templates"
+  else
+    # check if the file can be modified, e.g. not on a r/o filesystem
+    touch "$conffile" 2>/dev/null || { entrypoint_log "$ME: info: can not modify $conffile (read-only file system?)"; exit 0; }
+    entrypoint_log "$ME: Appending stream block to $conffile to include $stream_output_dir/*.conf"
+    cat << END >> "$conffile"
+# added by "$ME" on "$(date)"
+stream {
+  include $stream_output_dir/*.conf;
+}
+END
+  fi
+}
+
 auto_envsubst() {
   local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
   local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
   local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
+  local stream_suffix="${NGINX_ENVSUBST_STREAM_TEMPLATE_SUFFIX:-.stream-template}"
+  local stream_output_dir="${NGINX_ENVSUBST_STREAM_OUTPUT_DIR:-/etc/nginx/stream-conf.d}"
   local filter="${NGINX_ENVSUBST_FILTER:-}"
 
   local template defined_envs relative_path output_path subdir
@@ -32,6 +52,25 @@ auto_envsubst() {
     entrypoint_log "$ME: Running envsubst on $template to $output_path"
     envsubst "$defined_envs" < "$template" > "$output_path"
   done
+
+  # Print the first file with the stream suffix, this will be false if there are none
+  if test -n "$(find "$template_dir" -name "*$stream_suffix" -print -quit)"; then
+    mkdir -p "$stream_output_dir"
+    if [ ! -w "$stream_output_dir" ]; then
+      entrypoint_log "$ME: ERROR: $template_dir exists, but $stream_output_dir is not writable"
+      return 0
+    fi
+    add_stream_block
+    find "$template_dir" -follow -type f -name "*$stream_suffix" -print | while read -r template; do
+      relative_path="${template#$template_dir/}"
+      output_path="$stream_output_dir/${relative_path%$stream_suffix}"
+      subdir=$(dirname "$relative_path")
+      # create a subdirectory where the template file exists
+      mkdir -p "$stream_output_dir/$subdir"
+      entrypoint_log "$ME: Running envsubst on $template to $output_path"
+      envsubst "$defined_envs" < "$template" > "$output_path"
+    done
+  fi
 }
 
 auto_envsubst
diff --git a/mainline/alpine-perl/Dockerfile b/mainline/alpine-perl/Dockerfile
index 750aee9..0790a44 100644
--- a/mainline/alpine-perl/Dockerfile
+++ b/mainline/alpine-perl/Dockerfile
@@ -3,7 +3,7 @@
 #
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
-ARG IMAGE=nginxinc/nginx-unprivileged:1.23.4-alpine
+ARG IMAGE=nginxinc/nginx-unprivileged:1.25.0-alpine
 FROM $IMAGE
 
 ARG UID=101
@@ -61,7 +61,7 @@ RUN set -x \
                 export HOME=${tempDir} \
                 && cd ${tempDir} \
                 && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
-                && PKGOSSCHECKSUM=\"8f3f6c1ddd984c0c7320d3bea25eee42749db6d69c251223cf91d69b8d80b703ab39eb94fcf731399a7693ebd8dd37d1b3232ea1184ca98e5ca0ba6165e1a05c *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
+                && PKGOSSCHECKSUM=\"18bee4bd498e0b8da765e8cd2d824e1027d40fd95d55fd59339cdb5d5e0e633795f4196c76045e86027cdfc6ab05a3cc0d39b25bd0a967f1edd47910d813262a *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
                 && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
                     echo \"pkg-oss tarball checksum verification succeeded!\"; \
                 else \
diff --git a/mainline/alpine-slim/20-envsubst-on-templates.sh b/mainline/alpine-slim/20-envsubst-on-templates.sh
index 60a5094..72e733d 100755
--- a/mainline/alpine-slim/20-envsubst-on-templates.sh
+++ b/mainline/alpine-slim/20-envsubst-on-templates.sh
@@ -10,10 +10,30 @@ entrypoint_log() {
   fi
 }
 
+add_stream_block() {
+  local conffile="/etc/nginx/nginx.conf"
+
+  if grep -q -E "\s*stream\s*\{" "$conffile"; then
+    entrypoint_log "$ME: $conffile contains a stream block; include $stream_output_dir/*.conf to enable stream templates"
+  else
+    # check if the file can be modified, e.g. not on a r/o filesystem
+    touch "$conffile" 2>/dev/null || { entrypoint_log "$ME: info: can not modify $conffile (read-only file system?)"; exit 0; }
+    entrypoint_log "$ME: Appending stream block to $conffile to include $stream_output_dir/*.conf"
+    cat << END >> "$conffile"
+# added by "$ME" on "$(date)"
+stream {
+  include $stream_output_dir/*.conf;
+}
+END
+  fi
+}
+
 auto_envsubst() {
   local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
   local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
   local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
+  local stream_suffix="${NGINX_ENVSUBST_STREAM_TEMPLATE_SUFFIX:-.stream-template}"
+  local stream_output_dir="${NGINX_ENVSUBST_STREAM_OUTPUT_DIR:-/etc/nginx/stream-conf.d}"
   local filter="${NGINX_ENVSUBST_FILTER:-}"
 
   local template defined_envs relative_path output_path subdir
@@ -32,6 +52,25 @@ auto_envsubst() {
     entrypoint_log "$ME: Running envsubst on $template to $output_path"
     envsubst "$defined_envs" < "$template" > "$output_path"
   done
+
+  # Print the first file with the stream suffix, this will be false if there are none
+  if test -n "$(find "$template_dir" -name "*$stream_suffix" -print -quit)"; then
+    mkdir -p "$stream_output_dir"
+    if [ ! -w "$stream_output_dir" ]; then
+      entrypoint_log "$ME: ERROR: $template_dir exists, but $stream_output_dir is not writable"
+      return 0
+    fi
+    add_stream_block
+    find "$template_dir" -follow -type f -name "*$stream_suffix" -print | while read -r template; do
+      relative_path="${template#$template_dir/}"
+      output_path="$stream_output_dir/${relative_path%$stream_suffix}"
+      subdir=$(dirname "$relative_path")
+      # create a subdirectory where the template file exists
+      mkdir -p "$stream_output_dir/$subdir"
+      entrypoint_log "$ME: Running envsubst on $template to $output_path"
+      envsubst "$defined_envs" < "$template" > "$output_path"
+    done
+  fi
 }
 
 auto_envsubst
diff --git a/mainline/alpine-slim/Dockerfile b/mainline/alpine-slim/Dockerfile
index 61cc6f0..b828c3f 100644
--- a/mainline/alpine-slim/Dockerfile
+++ b/mainline/alpine-slim/Dockerfile
@@ -8,7 +8,7 @@ FROM $IMAGE
 
 LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"
 
-ENV NGINX_VERSION 1.23.4
+ENV NGINX_VERSION 1.25.0
 ENV PKG_RELEASE   1
 
 ARG UID=101
@@ -61,7 +61,7 @@ RUN set -x \
                 export HOME=${tempDir} \
                 && cd ${tempDir} \
                 && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
-                && PKGOSSCHECKSUM=\"8f3f6c1ddd984c0c7320d3bea25eee42749db6d69c251223cf91d69b8d80b703ab39eb94fcf731399a7693ebd8dd37d1b3232ea1184ca98e5ca0ba6165e1a05c *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
+                && PKGOSSCHECKSUM=\"18bee4bd498e0b8da765e8cd2d824e1027d40fd95d55fd59339cdb5d5e0e633795f4196c76045e86027cdfc6ab05a3cc0d39b25bd0a967f1edd47910d813262a *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
                 && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
                     echo \"pkg-oss tarball checksum verification succeeded!\"; \
                 else \
diff --git a/mainline/alpine/Dockerfile b/mainline/alpine/Dockerfile
index 21b42de..be5570a 100644
--- a/mainline/alpine/Dockerfile
+++ b/mainline/alpine/Dockerfile
@@ -3,10 +3,10 @@
 #
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
-ARG IMAGE=nginxinc/nginx-unprivileged:1.23.4-alpine-slim
+ARG IMAGE=nginxinc/nginx-unprivileged:1.25.0-alpine-slim
 FROM $IMAGE
 
-ENV NJS_VERSION   0.7.11
+ENV NJS_VERSION   0.7.12
 
 ARG UID=101
 ARG GID=101
@@ -65,7 +65,7 @@ RUN set -x \
                 export HOME=${tempDir} \
                 && cd ${tempDir} \
                 && curl -f -O https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz \
-                && PKGOSSCHECKSUM=\"8f3f6c1ddd984c0c7320d3bea25eee42749db6d69c251223cf91d69b8d80b703ab39eb94fcf731399a7693ebd8dd37d1b3232ea1184ca98e5ca0ba6165e1a05c *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
+                && PKGOSSCHECKSUM=\"18bee4bd498e0b8da765e8cd2d824e1027d40fd95d55fd59339cdb5d5e0e633795f4196c76045e86027cdfc6ab05a3cc0d39b25bd0a967f1edd47910d813262a *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\" \
                 && if [ \"\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\" = \"\$PKGOSSCHECKSUM\" ]; then \
                     echo \"pkg-oss tarball checksum verification succeeded!\"; \
                 else \
diff --git a/mainline/debian-perl/Dockerfile b/mainline/debian-perl/Dockerfile
index 2394e19..ed01320 100644
--- a/mainline/debian-perl/Dockerfile
+++ b/mainline/debian-perl/Dockerfile
@@ -3,7 +3,7 @@
 #
 # PLEASE DO NOT EDIT IT DIRECTLY.
 #
-ARG IMAGE=nginxinc/nginx-unprivileged:1.23.4
+ARG IMAGE=nginxinc/nginx-unprivileged:1.25.0
 FROM $IMAGE
 
 ARG UID=101
diff --git a/mainline/debian/20-envsubst-on-templates.sh b/mainline/debian/20-envsubst-on-templates.sh
index 60a5094..72e733d 100755
--- a/mainline/debian/20-envsubst-on-templates.sh
+++ b/mainline/debian/20-envsubst-on-templates.sh
@@ -10,10 +10,30 @@ entrypoint_log() {
   fi
 }
 
+add_stream_block() {
+  local conffile="/etc/nginx/nginx.conf"
+
+  if grep -q -E "\s*stream\s*\{" "$conffile"; then
+    entrypoint_log "$ME: $conffile contains a stream block; include $stream_output_dir/*.conf to enable stream templates"
+  else
+    # check if the file can be modified, e.g. not on a r/o filesystem
+    touch "$conffile" 2>/dev/null || { entrypoint_log "$ME: info: can not modify $conffile (read-only file system?)"; exit 0; }
+    entrypoint_log "$ME: Appending stream block to $conffile to include $stream_output_dir/*.conf"
+    cat << END >> "$conffile"
+# added by "$ME" on "$(date)"
+stream {
+  include $stream_output_dir/*.conf;
+}
+END
+  fi
+}
+
 auto_envsubst() {
   local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
   local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
   local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
+  local stream_suffix="${NGINX_ENVSUBST_STREAM_TEMPLATE_SUFFIX:-.stream-template}"
+  local stream_output_dir="${NGINX_ENVSUBST_STREAM_OUTPUT_DIR:-/etc/nginx/stream-conf.d}"
   local filter="${NGINX_ENVSUBST_FILTER:-}"
 
   local template defined_envs relative_path output_path subdir
@@ -32,6 +52,25 @@ auto_envsubst() {
     entrypoint_log "$ME: Running envsubst on $template to $output_path"
     envsubst "$defined_envs" < "$template" > "$output_path"
   done
+
+  # Print the first file with the stream suffix, this will be false if there are none
+  if test -n "$(find "$template_dir" -name "*$stream_suffix" -print -quit)"; then
+    mkdir -p "$stream_output_dir"
+    if [ ! -w "$stream_output_dir" ]; then
+      entrypoint_log "$ME: ERROR: $template_dir exists, but $stream_output_dir is not writable"
+      return 0
+    fi
+    add_stream_block
+    find "$template_dir" -follow -type f -name "*$stream_suffix" -print | while read -r template; do
+      relative_path="${template#$template_dir/}"
+      output_path="$stream_output_dir/${relative_path%$stream_suffix}"
+      subdir=$(dirname "$relative_path")
+      # create a subdirectory where the template file exists
+      mkdir -p "$stream_output_dir/$subdir"
+      entrypoint_log "$ME: Running envsubst on $template to $output_path"
+      envsubst "$defined_envs" < "$template" > "$output_path"
+    done
+  fi
 }
 
 auto_envsubst
diff --git a/mainline/debian/Dockerfile b/mainline/debian/Dockerfile
index 55c1b00..cc7efe8 100644
--- a/mainline/debian/Dockerfile
+++ b/mainline/debian/Dockerfile
@@ -8,8 +8,8 @@ FROM $IMAGE
 
 LABEL maintainer="NGINX Docker Maintainers <docker-maint@nginx.com>"
 
-ENV NGINX_VERSION   1.23.4
-ENV NJS_VERSION     0.7.11
+ENV NGINX_VERSION   1.25.0
+ENV NJS_VERSION     0.7.12
 ENV PKG_RELEASE     1~bullseye
 
 ARG UID=101
diff --git a/stable/alpine-slim/20-envsubst-on-templates.sh b/stable/alpine-slim/20-envsubst-on-templates.sh
index 60a5094..72e733d 100755
--- a/stable/alpine-slim/20-envsubst-on-templates.sh
+++ b/stable/alpine-slim/20-envsubst-on-templates.sh
@@ -10,10 +10,30 @@ entrypoint_log() {
   fi
 }
 
+add_stream_block() {
+  local conffile="/etc/nginx/nginx.conf"
+
+  if grep -q -E "\s*stream\s*\{" "$conffile"; then
+    entrypoint_log "$ME: $conffile contains a stream block; include $stream_output_dir/*.conf to enable stream templates"
+  else
+    # check if the file can be modified, e.g. not on a r/o filesystem
+    touch "$conffile" 2>/dev/null || { entrypoint_log "$ME: info: can not modify $conffile (read-only file system?)"; exit 0; }
+    entrypoint_log "$ME: Appending stream block to $conffile to include $stream_output_dir/*.conf"
+    cat << END >> "$conffile"
+# added by "$ME" on "$(date)"
+stream {
+  include $stream_output_dir/*.conf;
+}
+END
+  fi
+}
+
 auto_envsubst() {
   local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
   local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
   local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
+  local stream_suffix="${NGINX_ENVSUBST_STREAM_TEMPLATE_SUFFIX:-.stream-template}"
+  local stream_output_dir="${NGINX_ENVSUBST_STREAM_OUTPUT_DIR:-/etc/nginx/stream-conf.d}"
   local filter="${NGINX_ENVSUBST_FILTER:-}"
 
   local template defined_envs relative_path output_path subdir
@@ -32,6 +52,25 @@ auto_envsubst() {
     entrypoint_log "$ME: Running envsubst on $template to $output_path"
     envsubst "$defined_envs" < "$template" > "$output_path"
   done
+
+  # Print the first file with the stream suffix, this will be false if there are none
+  if test -n "$(find "$template_dir" -name "*$stream_suffix" -print -quit)"; then
+    mkdir -p "$stream_output_dir"
+    if [ ! -w "$stream_output_dir" ]; then
+      entrypoint_log "$ME: ERROR: $template_dir exists, but $stream_output_dir is not writable"
+      return 0
+    fi
+    add_stream_block
+    find "$template_dir" -follow -type f -name "*$stream_suffix" -print | while read -r template; do
+      relative_path="${template#$template_dir/}"
+      output_path="$stream_output_dir/${relative_path%$stream_suffix}"
+      subdir=$(dirname "$relative_path")
+      # create a subdirectory where the template file exists
+      mkdir -p "$stream_output_dir/$subdir"
+      entrypoint_log "$ME: Running envsubst on $template to $output_path"
+      envsubst "$defined_envs" < "$template" > "$output_path"
+    done
+  fi
 }
 
 auto_envsubst
diff --git a/stable/debian/20-envsubst-on-templates.sh b/stable/debian/20-envsubst-on-templates.sh
index 60a5094..72e733d 100755
--- a/stable/debian/20-envsubst-on-templates.sh
+++ b/stable/debian/20-envsubst-on-templates.sh
@@ -10,10 +10,30 @@ entrypoint_log() {
   fi
 }
 
+add_stream_block() {
+  local conffile="/etc/nginx/nginx.conf"
+
+  if grep -q -E "\s*stream\s*\{" "$conffile"; then
+    entrypoint_log "$ME: $conffile contains a stream block; include $stream_output_dir/*.conf to enable stream templates"
+  else
+    # check if the file can be modified, e.g. not on a r/o filesystem
+    touch "$conffile" 2>/dev/null || { entrypoint_log "$ME: info: can not modify $conffile (read-only file system?)"; exit 0; }
+    entrypoint_log "$ME: Appending stream block to $conffile to include $stream_output_dir/*.conf"
+    cat << END >> "$conffile"
+# added by "$ME" on "$(date)"
+stream {
+  include $stream_output_dir/*.conf;
+}
+END
+  fi
+}
+
 auto_envsubst() {
   local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
   local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
   local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
+  local stream_suffix="${NGINX_ENVSUBST_STREAM_TEMPLATE_SUFFIX:-.stream-template}"
+  local stream_output_dir="${NGINX_ENVSUBST_STREAM_OUTPUT_DIR:-/etc/nginx/stream-conf.d}"
   local filter="${NGINX_ENVSUBST_FILTER:-}"
 
   local template defined_envs relative_path output_path subdir
@@ -32,6 +52,25 @@ auto_envsubst() {
     entrypoint_log "$ME: Running envsubst on $template to $output_path"
     envsubst "$defined_envs" < "$template" > "$output_path"
   done
+
+  # Print the first file with the stream suffix, this will be false if there are none
+  if test -n "$(find "$template_dir" -name "*$stream_suffix" -print -quit)"; then
+    mkdir -p "$stream_output_dir"
+    if [ ! -w "$stream_output_dir" ]; then
+      entrypoint_log "$ME: ERROR: $template_dir exists, but $stream_output_dir is not writable"
+      return 0
+    fi
+    add_stream_block
+    find "$template_dir" -follow -type f -name "*$stream_suffix" -print | while read -r template; do
+      relative_path="${template#$template_dir/}"
+      output_path="$stream_output_dir/${relative_path%$stream_suffix}"
+      subdir=$(dirname "$relative_path")
+      # create a subdirectory where the template file exists
+      mkdir -p "$stream_output_dir/$subdir"
+      entrypoint_log "$ME: Running envsubst on $template to $output_path"
+      envsubst "$defined_envs" < "$template" > "$output_path"
+    done
+  fi
 }
 
 auto_envsubst
diff --git a/update.sh b/update.sh
index 960b121..ae828f7 100755
--- a/update.sh
+++ b/update.sh
@@ -12,13 +12,13 @@ declare branches=(
 # Current nginx versions
 # Remember to update pkgosschecksum when changing this.
 declare -A nginx=(
-    [mainline]='1.23.4'
+    [mainline]='1.25.0'
     [stable]='1.24.0'
 )
 
 # Current njs versions
 declare -A njs=(
-    [mainline]='0.7.11'
+    [mainline]='0.7.12'
     [stable]='0.7.12'
 )
 
@@ -52,7 +52,7 @@ declare -A rev=(
 # revision/tag in the previous block
 # Used in alpine builds for architectures not packaged by nginx.org
 declare -A pkgosschecksum=(
-    [mainline]='8f3f6c1ddd984c0c7320d3bea25eee42749db6d69c251223cf91d69b8d80b703ab39eb94fcf731399a7693ebd8dd37d1b3232ea1184ca98e5ca0ba6165e1a05c'
+    [mainline]='18bee4bd498e0b8da765e8cd2d824e1027d40fd95d55fd59339cdb5d5e0e633795f4196c76045e86027cdfc6ab05a3cc0d39b25bd0a967f1edd47910d813262a'
     [stable]='dc47dbaeb1c0874b264d34ddfec40e7d2b814e7db48d144e12d5991c743ef5fcf780ecbab72324e562dd84bb9c0e4dd71d14850b20ceaf470c46f8fe7510275b'
 )