thib8956/nginx-proxy
1
0
Fork 0
mirror of https://github.com/thib8956/nginx-proxy synced 2025-02-24 09:48:14 +00:00
Code Issues Releases Wiki Activity

chore: Refactor _setup_dh()

Browse Source 
- `DHPARAM_FILE` is a local var not intended for overriding via ENV. Clarified that with `local` declaration.

- `FFDHE_GROUP` var uses default assignment (_`:=4096` instead of only substitute `:-4096`_), so that `DHPARAM_BITS` retains the default 4096 value in subsequent references if no custom size was provided.

- Refactored the conditional statements to only handle early failure conditions. Shifting out the RFC7919 support that can run after all checks have passed.

- Revised comments.
This commit is contained in:
polarathene 2021-09-26 16:51:37 +13:00
parent a7a2d6e44b
commit 004e4a5cda
1 changed files with 15 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
docker-entrypoint.sh
View File

@ -38,29 +38,25 @@ function _setup_dhparam() {
echo 'Setting up DH Parameters..' echo 'Setting up DH Parameters..'
# DH params will be supplied for nginx here: # DH params will be supplied for nginx here:
DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem' local DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem'
# DH params may be provided by the user (rarely necessary), # Should be 2048, 3072, or 4096 (default):
# or use an existing pre-generated group from RFC7919, defaulting to 4096-bit: local FFDHE_GROUP="${DHPARAM_BITS:=4096}"
# DH params may be provided by the user (rarely necessary)
if [[ -f ${DHPARAM_FILE} ]]; then if [[ -f ${DHPARAM_FILE} ]]; then
echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2 echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2
else return 0
# ENV DHPARAM_BITS - Defines which RFC7919 DHE group to use (default: 4096-bit): elif [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then
local FFDHE_GROUP="${DHPARAM_BITS:-4096}" echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2
# RFC7919 groups are defined here: exit 1
# https://datatracker.ietf.org/doc/html/rfc7919#appendix-A
local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem"
# Only the following pre-generated sizes are supported,
# emit an error and kill the container if provided an invalid value:
if [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then
echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2
exit 1
fi
# Provide the DH params file to nginx:
cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}"
fi fi
# Use an existing pre-generated DH group from RFC7919 (https://datatracker.ietf.org/doc/html/rfc7919#appendix-A):
local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem"
# Provide the DH params file to nginx:
cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}"
} }
# Run the init logic if the default CMD was provided # Run the init logic if the default CMD was provided