From 0b1e9e56e1f01c60c78688bab37e6d05c3b80b83 Mon Sep 17 00:00:00 2001
From: Steve Kamerman
Date: Thu, 29 Sep 2016 16:47:47 -0400
Subject: [PATCH] Issue #535 Added default 2048-bit dhparam.pem file

---
 Dockerfile | 7 ++++---
 README.md | 6 ++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 6d5ce9b..ad9a159 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,9 +9,10 @@ RUN apt-get update \
  && apt-get clean \
  && rm -r /var/lib/apt/lists/*
 
-# Configure Nginx and apply fix for very long server names
-RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
- && sed -i 's/^http {/&\n server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf
+# Generate dhparam.pem, configure Nginx, apply fix for very long server names
+RUN openssl dhparam -out /etc/nginx/dhparam.pem 2048 \
+ && echo "daemon off;" >> /etc/nginx/nginx.conf \
+ && sed -i 's|^http {|&\n server_names_hash_bucket_size 128; ssl_dhparam /etc/nginx/dhparam.pem;|g' /etc/nginx/nginx.conf
 
 # Install Forego
 ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego
diff --git a/README.md b/README.md
index 52ab6e4..0a7593d 100644
--- a/README.md
+++ b/README.md
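Review bot: The added `openssl dhparam -out /etc/nginx/dhparam.pem 2048` runs at image build time, so every container started from a published build of this image shares one DH group, and each rebuild is slow and produces different parameters, making the image non-reproducible. DH parameters are public, so the sharing is not a leak, but the contract is worth stating in the Dockerfile comment, e.g. `# Build-time DH parameters: public, identical for every container from this image; mount /etc/nginx/dhparam.pem to override`, and the README hunk's "pregenerated key" and "default cert" wording should call them parameters rather than a key or certificate. If per-deployment parameters are the goal, generating the file from the entrypoint when it is absent would achieve that without lengthening the build; otherwise a standard published 2048-bit group (RFC 7919 ffdhe2048) gives the same strength reproducibly. The rewritten `RUN` chain starts and ends inside the hunk.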
@@ -142,9 +142,11 @@ hosts in use. The certificate and keys should be named after the virtual host w
 
 #### Diffie-Hellman Groups
 
-If you have Diffie-Hellman groups enabled, the files should be named after the virtual host with a
+Diffie-Hellman groups are enabled by default, with a pregenerated key in `/etc/nginx/dhparam.pem`.
+You can mount a different `dhparam.pem` file at that location to override the default cert.
+To use custom `dhparam.pem` files per-virtual-host, the files should be named after the virtual host with a
 `dhparam` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com`
-should have a `foo.bar.com.dhparam.pem` file in the certs directory.
+should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory.
 
 #### Wildcard Certificates