diff --git a/Dockerfile b/Dockerfile
index 6d5ce9b..ad9a159 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,9 +9,10 @@ RUN apt-get update \
  && apt-get clean \
  && rm -r /var/lib/apt/lists/*
 
-# Configure Nginx and apply fix for very long server names
-RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
- && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf
+# Generate dhparam.pem, configure Nginx, apply fix for very long server names
+RUN openssl dhparam -out /etc/nginx/dhparam.pem 2048 \
+ && echo "daemon off;" >> /etc/nginx/nginx.conf \
+ && sed -i 's|^http {|&\n server_names_hash_bucket_size 128; ssl_dhparam /etc/nginx/dhparam.pem;|g' /etc/nginx/nginx.conf
 
 # Install Forego
 ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego
diff --git a/README.md b/README.md
index 52ab6e4..0a7593d 100644
--- a/README.md
+++ b/README.md
@@ -142,9 +142,11 @@ hosts in use. The certificate and keys should be named after the virtual host w
 
 #### Diffie-Hellman Groups
 
-If you have Diffie-Hellman groups enabled, the files should be named after the virtual host with a
+Diffie-Hellman groups are enabled by default, with a pregenerated key in `/etc/nginx/dhparam.pem`.
+You can mount a different `dhparam.pem` file at that location to override the default cert.
+To use custom `dhparam.pem` files per-virtual-host, the files should be named after the virtual host with a
 `dhparam` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com`
-should have a `foo.bar.com.dhparam.pem` file in the certs directory.
+should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory.
 
 #### Wildcard Certificates
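Review bot: Running `openssl dhparam ... 2048` inside the RUN step bakes one parameter set into the image, so every container started from the same published image tag shares it and each rebuild produces a different, non-reproducible layer that takes minutes to generate. DH parameters are not secret, so sharing them is not a key-compromise issue, but if the intent behind "pregenerated" is a per-deployment group, the generation belongs in the entrypoint guarded by a file-exists check rather than in the build; if the intent is a fixed default, say so in the comment, e.g. `# 2048-bit DH parameters, shared by all containers from this image; override by mounting /etc/nginx/dhparam.pem`. The new `ssl_dhparam` directive is injected by the same single-line sed, so a future nginx.conf that does not start its block with `^http {` silently gets neither setting; a quick `grep -q ssl_dhparam /etc/nginx/nginx.conf` at the end of the chain would make the build fail loudly instead. The path `/etc/nginx/dhparam.pem` is now spelled out twice in the same RUN, which is worth hoisting into an `ARG`/`ENV` so the two cannot drift.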