From 2528a35656c69145a0cfff19768b44b1e0a473b1 Mon Sep 17 00:00:00 2001
From: Nicolas Duchon
Date: Wed, 25 Oct 2017 12:32:09 +0200
Subject: [PATCH 1/2] Don't presume the existence of default dhparam

The default dhparam at /etc/nginx/dhparam/dhparam.pem won't be auto generated with the separate containers setup.
---
 nginx.tmpl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nginx.tmpl b/nginx.tmpl
index 65faa0b..28f745a 100644
--- a/nginx.tmpl
+++ b/nginx.tmpl
@@ -42,7 +42,9 @@ map $http_upgrade $proxy_connection {
 server_names_hash_bucket_size 128;
 
 # Default dhparam
+{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
 ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+{{ end }}
 
 # Set appropriate X-Forwarded-Ssl header
 map $scheme $proxy_x_forwarded_ssl {
@@ -319,4 +321,4 @@ server {
 
 {{ end }}
 {{ end }}
-{{ end }}
\ No newline at end of file
+{{ end }}

From 3ac478f2848b938f645a35e0cba536b383fd76d8 Mon Sep 17 00:00:00 2001
From: Nicolas Duchon
Date: Wed, 25 Oct 2017 12:34:22 +0200
Subject: [PATCH 2/2] Update Diffie-Hellman Groups doc + corrected a typo

---
 README.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f8c0c9f..91052d4 100644
--- a/README.md
+++ b/README.md
@@ -210,7 +210,7 @@ should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory
 
 > NOTE: If you don't mount a `dhparam.pem` file at `/etc/nginx/dhparam/dhparam.pem`, one will be
 generated at startup. Since it can take minutes to generate a new `dhparam.pem`, it is done at low priority in the
-background. Once generation is complete, the `dhparams.pem` is saved on a persistent volume and nginx
+background. Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx
 is reloaded. This generation process only occurs the first time you start `nginx-proxy`.
 
 > COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some
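Review bot: When `/etc/nginx/dhparam/dhparam.pem` is absent, the `ssl_dhparam` directive in the nginx.tmpl hunk at line 42 is now silently dropped, so nginx falls back to whatever DH parameters its version provides (built-in parameters on older releases, possibly no DHE suites at all on newer ones), and nothing in the rendered config records that the weaker default is in effect. An `else` branch carrying a comment would make the fallback visible to anyone inspecting the generated `nginx.conf`, e.g. `{{ else }}` followed by `# No dhparam file at /etc/nginx/dhparam/dhparam.pem: nginx defaults are in use, see README "Diffie-Hellman Groups"`. If `exists` is a plain stat-style check (I cannot tell from the hunk), a directory at that path — which is what Docker creates when a bind-mount source is missing on the host — would also satisfy it, and the emitted `ssl_dhparam` line would then make nginx refuse to load; that case deserves a sentence in the docs or a stricter file check if docker-gen offers one.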
@@ -218,6 +218,12 @@ is reloaded. This generation process only occurs the first time you start `ngin
 > clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit
 > key on startup by passing `-e DHPARAM_BITS=1024`.
 
+In the separate container setup, no pregenerated key will be available and neither the
+[jwilder/docker-gen](https://index.docker.io/u/jwilder/docker-gen/) image nor the offical
+[nginx](https://registry.hub.docker.com/_/nginx/) image will generate one. If you still want A+ security
+in a separate container setup, you'll have to generate a 2048 bits DH key file manually and mount it on the
+nginx container, at `/etc/nginx/dhparam/dhparam.pem`.
+
 #### Wildcard Certificates
 
 Wildcard certificates and keys should be named after the domain name with a `.crt` and `.key` extension.