diff --git a/Dockerfile b/Dockerfile index b0bf9558a..854a27d12 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,12 +13,19 @@ WORKDIR $QUAYDIR # This is so we don't break http golang/go#17066 # When Ubuntu has nginx >= 1.11.0 we can switch back. -RUN add-apt-repository ppa:nginx/development +ENV NGINX_GPGKEY 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 +RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 \ + --keyserver-options timeout=10 --recv-keys "${NGINX_GPGKEY}" + +RUN add-apt-repository --enable-source \ + "deb http://nginx.org/packages/ubuntu/ xenial nginx" # Add Yarn repository until it is officially added to Ubuntu RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - \ - && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list + && add-apt-repository "deb https://dl.yarnpkg.com/debian/ stable main" + RUN curl -fsSL https://deb.nodesource.com/setup_8.x | bash - + # Install system packages RUN apt-get update && apt-get upgrade -y \ && apt-get install -y \ @@ -55,7 +62,11 @@ RUN apt-get update && apt-get upgrade -y \ python-pip \ python-virtualenv \ yarn=0.22.0-1 \ - w3m # 27MAR2018 + w3m # 13JUL2018 + +# Install nginx-module-vts +COPY scripts/build-nginx-vts.sh /tmp/build-nginx-vts.sh +RUN /tmp/build-nginx-vts.sh v0.1.18 # Install cfssl RUN curl -fsSL -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 \ diff --git a/conf/nginx/nginx.conf.jnj b/conf/nginx/nginx.conf.jnj index a9e3cd77e..2b2275d1f 100644 --- a/conf/nginx/nginx.conf.jnj +++ b/conf/nginx/nginx.conf.jnj 
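Review bot: The new nginx.org source entry uses `http://` and the signing key is fetched over plaintext `hkp://keyserver.ubuntu.com:80`, so package integrity rests entirely on the pinned fingerprint and apt's signature check. The Yarn entry a few lines below already uses an https source, so `"deb https://nginx.org/packages/ubuntu/ xenial nginx"` would be consistent with it. `apt-key` also adds the key to apt's global trust, so it is accepted for every configured repository; a `signed-by` option on the source entry would scope it to nginx.org, if the apt version in the base image (not visible in this hunk) supports it. `ENV NGINX_GPGKEY` persists into the runtime environment although the value is only needed at build time; `ARG NGINX_GPGKEY=…` would avoid that.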
@@ -11,6 +11,8 @@ http { resolver 127.0.0.1 valid=10s; + vhost_traffic_status_zone; + ssl_certificate ../stack/ssl.cert; ssl_certificate_key ../stack/ssl.key; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; @@ -52,6 +54,14 @@ http { access_log /dev/stdout lb_logs; } + + server { + include vhost-traffic-status.conf; + + listen 9080 default; + + access_log /dev/stdout lb_logs; + } } {% else %} @@ -62,6 +72,8 @@ http { resolver 127.0.0.1 valid=10s; + vhost_traffic_status_zone; + server { include server-base.conf; @@ -69,6 +81,14 @@ http { access_log /dev/stdout lb_logs; } + + server { + include vhost-traffic-status.conf; + + listen 9080 default; + + access_log /dev/stdout lb_logs; + } } {% endif %} diff --git a/conf/nginx/root-base.conf b/conf/nginx/root-base.conf index 31afc6f82..86a42d3a4 100644 --- a/conf/nginx/root-base.conf +++ b/conf/nginx/root-base.conf @@ -1,5 +1,7 @@ # vim: ft=nginx +load_module modules/ngx_http_vhost_traffic_status_module.so; + pid /tmp/nginx.pid; error_log /dev/stdout; diff --git a/conf/nginx/vhost-traffic-status.conf b/conf/nginx/vhost-traffic-status.conf new file mode 100644 index 000000000..a041cd96b --- /dev/null +++ b/conf/nginx/vhost-traffic-status.conf @@ -0,0 +1,7 @@ +# vim: ft=nginx + +server_name _; + +root /dev/null; + +vhost_traffic_status_display; 
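Review bot: The added `server` blocks listen on `9080` on every interface, and `vhost-traffic-status.conf` enables `vhost_traffic_status_display` with no access restriction, so anyone who can reach that port can read per-vhost and upstream traffic statistics. The same block is added in both template branches (the hunks at -52 and -69) and is served without TLS in either. Adding `allow <monitoring-cidr>; deny all;` to `vhost-traffic-status.conf` (placeholder CIDR) would limit it to the metrics collector; `listen 127.0.0.1:9080 default;` would do the same if the scraper runs inside the container. A one-line comment in that file naming the intended consumer of port 9080 would also help, since nothing in the diff says who is expected to connect.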
diff --git a/scripts/build-nginx-vts.sh b/scripts/build-nginx-vts.sh
new file mode 100755
index 000000000..f652b9c34
--- /dev/null
+++ b/scripts/build-nginx-vts.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+if [ -z "${1}" ]; then
+ echo "Please specify a vts version to install."
+ exit 1
+fi
+
+set -euo pipefail
+
+VTS_VERSION="${1}"
+NGINX_VERSION="$(nginx -v 2>&1 | cut -d '/' -f 2)"
+MODULES_DIR="/usr/lib/nginx/modules"
+
+BUILD_PATH="/tmp/build"
+VTS_PATH="${BUILD_PATH}/nginx-module-vts-${VTS_VERSION}"
+
+mkdir -p "${BUILD_PATH}"
+mkdir -p "${VTS_PATH}"
+cd "${BUILD_PATH}"
+
+echo "==> Downloading nginx-module-vts..."
+curl -fsSL -o "nginx-module-vts-${VTS_VERSION}.tar.gz" \
+ "https://github.com/vozlt/nginx-module-vts/archive/${VTS_VERSION}.tar.gz"
+
+# The directory in the tarball (infuriatingly) doesn't include the
+# leading "v" in the version number, so this normalizes it.
+tar xzf "nginx-module-vts-${VTS_VERSION}.tar.gz" -C "${VTS_PATH}" \
+ --strip-components 1
+
+echo "==> Downloading nginx source..."
+apt-get source -y nginx
+apt-get install -y libpcre16-3 libpcre3-dev libpcre32-3 libpcrecpp0v5
+
+echo "==> Building nginx-module-vts..."
+cd "nginx-${NGINX_VERSION}"
+
+CCFLAGS='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC'
+LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
+
+(
+
+ # The options here need to match the output of `nginx -v`.
+ ./configure --prefix=/etc/nginx \
+ --sbin-path=/usr/sbin/nginx \
+ --modules-path=/usr/lib/nginx/modules \
+ --conf-path=/etc/nginx/nginx.conf \
+ --error-log-path=/var/log/nginx/error.log \
+ --http-log-path=/var/log/nginx/access.log \
+ --pid-path=/var/run/nginx.pid \
+ --lock-path=/var/run/nginx.lock \
+ --http-client-body-temp-path=/var/cache/nginx/client_temp \
+ --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+ --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+ --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+ --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
+ --user=nginx \
+ --group=nginx \
+ --with-compat \
+ --with-file-aio \
+ --with-threads \
+ --with-http_addition_module \
+ --with-http_auth_request_module \
+ --with-http_dav_module \
+ --with-http_flv_module \
+ --with-http_gunzip_module \
+ --with-http_gzip_static_module \
+ --with-http_mp4_module \
+ --with-http_random_index_module \
+ --with-http_realip_module \
+ --with-http_secure_link_module \
+ --with-http_slice_module \
+ --with-http_ssl_module \
+ --with-http_stub_status_module \
+ --with-http_sub_module \
+ --with-http_v2_module \
+ --with-mail \
+ --with-mail_ssl_module \
+ --with-stream \
+ --with-stream_realip_module \
+ --with-stream_ssl_module \
+ --with-stream_ssl_preread_module \
+ --with-cc-opt="${CCFLAGS}" \
+ --with-ld-opt="${LDFLAGS}" \
+ --add-dynamic-module="${VTS_PATH}"
+
+ make modules
+
+) 1>/dev/null
+
+echo "==> Installing nginx-module-vts..."
+cp -a objs/ngx_http_vhost_traffic_status_module.so \
+ "${MODULES_DIR}/ngx_http_vhost_traffic_status_module.so"
+
+echo "==> Cleaning up..."
+cd / && rm -fr "${BUILD_PATH}"
+apt-get purge -y libpcre16-3 libpcre3-dev libpcre32-3 libpcrecpp0v5
diff --git a/test/data/test.db b/test/data/test.db
index 4b5cbd65f..c42ea5b8d 100644
Binary files a/test/data/test.db and b/test/data/test.db differ
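Review bot: The module tarball is downloaded from a GitHub tag archive and unpacked with `tar xzf` without any integrity check, then compiled and installed as a module that nginx loads at startup; a tag can be moved, so `v0.1.18` alone does not pin the content. Passing an expected digest as a second argument from the Dockerfile (`VTS_SHA256="${2}"`, value to be recorded by the maintainer) and checking it right after the `curl` would close that gap, e.g. `echo "${VTS_SHA256}  nginx-module-vts-${VTS_VERSION}.tar.gz" | sha256sum -c -`. Separately, the comment above `./configure` refers to `nginx -v`, but the configure arguments are printed by `nginx -V`, and `) 1>/dev/null` hides compiler output that would help diagnose a failed build.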