diff --git a/Dockerfile b/Dockerfile
index ea7a7bc..64ef149 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,11 +41,11 @@ ENV DEBUG="${DEBUG}" \
 POSTGRES_DB="${POSTGRES_USER}" \
 POSTGRES_PARAMETERS= \
 \
- POSTGRES_MAX_TOTAL_CONNECTIONS= \
- POSTGRES_MAX_IDLE_CONNECTIONS= \
- POSTGRES_MAX_WAIT_MILLIS= \
- POSTGRES_ACCESS_UNDERLYING_CONNECTIONS= \
- POSTGRES_VALIDATION_QUERY= \
+ POSTGRES_MAX_TOTAL_CONNECTIONS=50 \
+ POSTGRES_MAX_IDLE_CONNECTIONS=10 \
+ POSTGRES_MAX_WAIT_MILLIS=120000 \
+ POSTGRES_ACCESS_UNDERLYING_CONNECTIONS=true \
+ POSTGRES_VALIDATION_QUERY="SELECT 1" \
 \
 \
 LABKEY_VERSION="${LABKEY_VERSION}" \
@@ -69,13 +69,17 @@ ENV DEBUG="${DEBUG}" \
 LABKEY_CREATE_INITIAL_USER_APIKEY= \
 LABKEY_INITIAL_USER_APIKEY= \
 \
+ LOG_LEVEL_TOMCAT="OFF" \
+ LOG_LEVEL_SPRING_WEB="OFF" \
+ LOG_LEVEL_SQL="OFF" \
+ \
 TOMCAT_KEYSTORE_FILENAME="labkey.p12" \
 TOMCAT_KEYSTORE_FORMAT="PKCS12" \
 TOMCAT_KEYSTORE_ALIAS="tomcat" \
 \
- TOMCAT_SSL_CIPHERS="HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL" \
- TOMCAT_SSL_PROTOCOL="TLS" \
+ TOMCAT_SSL_CIPHERS="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!EDH:!DHE:!DH:!CAMELLIA:!ARIA:!AESCCM:!SHA:!CHACHA20" \
 TOMCAT_SSL_ENABLED_PROTOCOLS="TLSv1.3,TLSv1.2" \
+ TOMCAT_SSL_PROTOCOL="TLS" \
 \
 TOMCAT_ENABLE_ACCESS_LOG=
diff --git a/application.properties b/application.properties
index 3ca81c4..2bdf615 100644
--- a/application.properties
+++ b/application.properties
@@ -1,9 +1,9 @@
 # debug=true
 # trace=true
-server.tomcat.basedir=${TOMCAT_BASE_DIR:-/}
+server.tomcat.basedir=${TOMCAT_BASE_DIR}
-server.port=${LABKEY_PORT:-8443}
+server.port=${LABKEY_PORT}
 spring.main.log-startup-info=true
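Review bot: The new `TOMCAT_SSL_CIPHERS` value in the second Dockerfile hunk has no comment saying which suites it is meant to leave enabled, and a sixteen-term exclusion list is hard to audit by eye. In OpenSSL cipher-string syntax `!SHA` matches only SHA-1 MACs, so CBC suites with SHA256/SHA384 MACs presumably stay enabled next to AES-GCM; if the intent is AEAD-only, `:!SHA256:!SHA384` would be needed, and the effective list should be confirmed against the running listener rather than assumed. I would add a comment line next to the variable, e.g. `# TLS 1.2 suites left enabled: <intended set>; CHACHA20 excluded because <reason>`, so the exclusions can be reviewed against a stated target. The ENV instruction starts and ends outside the hunk.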
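Review bot: With the inline fallbacks removed, `server.port=${LABKEY_PORT}` and `server.tomcat.basedir=${TOMCAT_BASE_DIR}` have no value unless the container environment supplies one, and envsubst, which this commit now runs over this file, writes an empty string for an unset variable instead of failing. The same applies to the logging hunk at -23, the datasource hunk at -88 and, more importantly, the TLS hunk at -115: an empty `TOMCAT_SSL_CIPHERS` or `TOMCAT_SSL_ENABLED_PROTOCOLS` (for example from `-e TOMCAT_SSL_CIPHERS=`) would leave `server.ssl.ciphers=` blank, which presumably falls back to the server's default suites rather than the hardened list. The Dockerfile hunks shown do not set `LABKEY_PORT` or `TOMCAT_BASE_DIR`, so confirm they are defined elsewhere in the ENV block. I would have entrypoint.sh assert each required variable before substitution, e.g. `: "${TOMCAT_SSL_CIPHERS:?must be set}"`.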
@@ -23,13 +23,13 @@ logging.level.root=WARN
 # custom tomcat group
 logging.group.tomcat=org.apache.catalina, org.apache.coyote, org.apache.tomcat
-logging.level.tomcat=${LOG_LEVEL_TOMCAT:OFF}
+logging.level.tomcat=${LOG_LEVEL_TOMCAT}
 logging.level.org.apache.coyote.http2=OFF
 # default groups
-logging.level.web=${LOG_LEVEL_SPRING_WEB:OFF}
-logging.level.sql=${LOG_LEVEL_SQL:OFF}
+logging.level.web=${LOG_LEVEL_SPRING_WEB}
+logging.level.sql=${LOG_LEVEL_SQL}
 logging.level.net.sf.ehcache=ERROR
@@ -88,12 +88,11 @@ context.resources.jdbc.labkeyDataSource.url=@@jdbcUrl@@
 context.resources.jdbc.labkeyDataSource.username=@@jdbcUser@@
 context.resources.jdbc.labkeyDataSource.password=@@jdbcPassword@@
-# the ':-' setup doesn't appeear to work. They have to be set as env vars anyway, but at least this shows the indended defaults set elsewhere
-context.resources.jdbc.labkeyDataSource.maxTotal=${POSTGRES_MAX_TOTAL_CONNECTIONS:-50}
-context.resources.jdbc.labkeyDataSource.maxIdle=${POSTGRES_MAX_IDLE_CONNECTIONS:-10}
-context.resources.jdbc.labkeyDataSource.maxWaitMillis=${POSTGRES_MAX_WAIT_MILLIS:-120000}
-context.resources.jdbc.labkeyDataSource.accessToUnderlyingConnectionAllowed=${POSTGRES_ACCESS_UNDERLYING_CONNECTIONS:-true}
-context.resources.jdbc.labkeyDataSource.validationQuery=${POSTGRES_VALIDATION_QUERY:-SELECT 1}
+context.resources.jdbc.labkeyDataSource.maxTotal=${POSTGRES_MAX_TOTAL_CONNECTIONS}
+context.resources.jdbc.labkeyDataSource.maxIdle=${POSTGRES_MAX_IDLE_CONNECTIONS}
+context.resources.jdbc.labkeyDataSource.maxWaitMillis=${POSTGRES_MAX_WAIT_MILLIS}
+context.resources.jdbc.labkeyDataSource.accessToUnderlyingConnectionAllowed=${POSTGRES_ACCESS_UNDERLYING_CONNECTIONS}
+context.resources.jdbc.labkeyDataSource.validationQuery=${POSTGRES_VALIDATION_QUERY}
 # send access logs to stdout:
 server.tomcat.accesslog.enabled=true
@@ -115,16 +114,16 @@ server.http2.enabled=true
 server.ssl.enabled=true
-server.ssl.ciphers=${TOMCAT_SSL_CIPHERS:-HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL}
-server.ssl.enabled-protocols=${TOMCAT_SSL_ENABLED_PROTOCOLS:-TLSv1.3,TLSv1.2}
-server.ssl.protocol=${TOMCAT_SSL_PROTOCOL:-TLS}
+server.ssl.ciphers=${TOMCAT_SSL_CIPHERS}
+server.ssl.enabled-protocols=${TOMCAT_SSL_ENABLED_PROTOCOLS}
+server.ssl.protocol=${TOMCAT_SSL_PROTOCOL}
 # must match values in entrypoint.sh
-server.ssl.key-alias=${TOMCAT_KEYSTORE_ALIAS:-tomcat}
-server.ssl.key-store=${LABKEY_HOME}/${TOMCAT_KEYSTORE_FILENAME:-labkey.p12}
+server.ssl.key-alias=${TOMCAT_KEYSTORE_ALIAS}
+server.ssl.key-store=${LABKEY_HOME}/${TOMCAT_KEYSTORE_FILENAME}
 # server.ssl.key-store-password=${TOMCAT_KEYSTORE_PASSWORD}
-server.ssl.key-store-type=${TOMCAT_KEYSTORE_FORMAT:-PKCS12}
+server.ssl.key-store-type=${TOMCAT_KEYSTORE_FORMAT}
 context.encryptionKey=@@encryptionKey@@
diff --git a/entrypoint.sh b/entrypoint.sh
index 5bb85ab..8e71d67 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -151,7 +151,7 @@ main() {
 # echo "sleeping for $SLEEP seconds..."
 # sleep $SLEEP
- for prop_file in startup/*.properties; do
+ for prop_file in startup/*.properties config/application.properties; do
 envsubst < "$prop_file" > "${prop_file}.tmp" \
 && mv "${prop_file}.tmp" "$prop_file"
 done
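Review bot: `envsubst` is called without a variable list, so adding `config/application.properties` to the loop in entrypoint.sh expands every `$NAME`/`${NAME}` reference in that file, not only the settings this commit touches. That includes the commented-out line `# server.ssl.key-store-password=${TOMCAT_KEYSTORE_PASSWORD}` visible in the -115 hunk: if that variable is exported when the loop runs, the keystore password is written in clear text into the file on disk. Passing the allowed names explicitly for this file, e.g. `envsubst '${LABKEY_PORT} ${TOMCAT_SSL_CIPHERS}' < "$prop_file"` extended to the full set the file uses, keeps everything else literal. The loop also carries on silently when `envsubst` fails, because a failing left side of `&&` does not abort the script even if it runs under `set -e`; appending `|| exit 1` after the `mv` would make a half-processed TLS config fatal. main() starts and ends outside the hunk.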