diff --git a/Dockerfile b/Dockerfile
index 0838645..13b9dbf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,12 +7,14 @@ COPY src /app/src/src/
RUN mkdir -p /app/build && cd /app/build && cmake /app/src && make && mv tcpproxy ..
FROM debian:bookworm-slim
-RUN apt-get update && apt-get install -y --no-install-recommends openconnect libevent-core-2.1-7 netcat-traditional && rm -rf /var/cache/apt/archives /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y --no-install-recommends openconnect libevent-core-2.1-7 ncat && rm -rf /var/cache/apt/archives /var/lib/apt/lists/*
COPY --from=builder /app/tcpproxy /app/
COPY --from=builder /app/src/NOTICE /app/
COPY --from=builder /app/src/lwip/COPYING /app/
COPY docker-entrypoint.sh /app/
+COPY healthz.sh /app/
EXPOSE 1234
EXPOSE 1235
+EXPOSE 1236
USER nobody
ENTRYPOINT ["/app/docker-entrypoint.sh"]
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 9e82745..633891e 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -3,8 +3,9 @@ action="$1"
shift
case "$action" in
"connect")
+ ncat -l 1236 -k -e /app/healthz.sh &
echo "Waiting for cookie on tcp:1235..."
- cookie="$(netcat -l -p 1235)"
+ cookie="$(ncat -l 1235)"
echo "Got cookie! Connecting..."
exec openconnect --script-tun --script "/app/tcpproxy -g -L 1234:$HOST" --non-inter --cookie="$cookie" --disable-ipv6 "$@"
;;
diff --git a/healthz.sh b/healthz.sh
new file mode 100755
index 0000000..ee3f647
--- /dev/null
+++ b/healthz.sh
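Review bot: `EXPOSE 1236` advertises the new health port, but nothing in the Dockerfile records that the listener behind it (`ncat -k -e /app/healthz.sh`, started in docker-entrypoint.sh) forks a shell for every unauthenticated connection, so this port should be reachable only by the orchestrator's probes rather than published like 1234/1235; a line such as `# 1236: HTTP health probes served by healthz.sh -- probe traffic only, do not publish externally` above it would record that. The install line adds `ncat`, but healthz.sh also calls `pidof`, `cmp` and `timeout`; these are presumably provided by packages already present in debian:bookworm-slim, yet with `--no-install-recommends` pulling in nothing extra it is worth confirming in the built image rather than assuming.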
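Review bot: The new `ncat -l 1236 -k -e /app/healthz.sh &` is started with no bind address and only ncat's default connection cap, and its exit status is never observed, so a bind failure (port already taken) or a later crash leaves the container running with probes failing for an unrelated reason. Spawning a shell per connection on an unauthenticated port also deserves an explicit, small cap and at least a log line on exit: `{ ncat -l 1236 -k -m 4 -e /app/healthz.sh || echo "healthz listener exited ($?)" >&2; } &`. Because the listener is started before `exec openconnect`, it remains a child of the openconnect process and is not restarted if it dies; a comment on that line should say so. Also visible on the unchanged exec line: `--cookie="$cookie"` places the session cookie on argv where `ps` inside the container can read it, and openconnect's `--cookie-on-stdin` avoids that (pre-existing, not introduced by this change).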
@@ -0,0 +1,36 @@
+#!/bin/bash
+read -r -a start_line
+start_line[2]="${start_line[2]%$'\r'}"
+case "${start_line[2]}" in
+"HTTP/1.0" | "HTTP/1.1")
+ case "${start_line[0]}" in
+ "GET")
+ case "${start_line[1]}" in
+ "/healthz/startupProbe")
+ if pidof -q openconnect && pidof -q tcpproxy; then
+ printf "%s 200 OK\r\n" "${start_line[2]}"
+ else
+ printf "%s 503 Service Unavailable\r\n" "${start_line[2]}"
+ fi
+ ;;
+ "/healthz/livenessProbe" | "/healthz/readinessProbe")
+ if pidof -q openconnect && pidof -q tcpproxy && cmp <(ncat localhost 1234 -c "/usr/bin/printf '\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00'; timeout --preserve-status 1 cat >&2" 2>&1) <(printf "\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00"); then
+ printf "%s 200 OK\r\n" "${start_line[2]}"
+ else
+ printf "%s 503 Service Unavailable\r\n" "${start_line[2]}"
+ fi
+ ;;
+ *)
+ printf "%s 404 Not Found\r\n" "${start_line[2]}"
+ ;;
+ esac
+ ;;
+ *)
+ printf "%s 405 Method Not Allowed\r\n" "${start_line[2]}"
+ ;;
+ esac
+ ;;
+*)
+ echo "Unsupported protocol ${start_line[2]}"
+ ;;
+esac
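Review bot: `read -r -a start_line` has no timeout, so a client that connects to 1236 and never sends a newline pins a bash process for as long as it holds the socket open, and since ncat spawns one shell per connection the line should be `read -r -t 5 -a start_line || exit 1`. The replies consist of a status line only, with no header block and no terminating blank line; an HTTP client such as the Go-based kubelet probe will likely treat `HTTP/1.1 200 OK\r\n` followed by EOF as a malformed response, so a small `respond` helper that emits `Content-Length: 0`, `Connection: close` and the empty line would fix every branch at once (below). The byte strings in the liveness/readiness check are undocumented; they decode as an LDAP BindRequest (messageID 1, version 3, anonymous simple bind) and the matching success BindResponse, so a comment like `# anonymous LDAP bind through the tunnel; a success BindResponse is expected back` above that `if` would save the next reader the decoding. It is also worth stating in the file header that every liveness/readiness probe therefore performs a real bind against the upstream server through the tunnel.
```shell
#!/bin/bash
# Send a complete minimal HTTP response (status line, no body); ncat closes the socket on exit.
respond() {
  printf '%s %s\r\nContent-Length: 0\r\nConnection: close\r\n\r\n' "${start_line[2]}" "$1"
}
# Bound the wait for the request line so an idle client cannot hold this shell open.
read -r -t 5 -a start_line || exit 1
start_line[2]="${start_line[2]%$'\r'}"
# … unchanged: protocol / method / path dispatch …
        respond "200 OK"                  # replaces printf "%s 200 OK\r\n" "${start_line[2]}"
        respond "503 Service Unavailable"  # likewise for the 503, 404 and 405 branches
# … unchanged: remaining case arms and esac …
```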