1
0
mirror of https://github.com/thib8956/nginx-proxy synced 2024-11-22 11:56:31 +00:00

Merge pull request #955 from buchdag/dhparam-separate-container

Fix default dhparam.pem when using separate containers
This commit is contained in:
Jason Wilder 2017-10-26 10:09:18 -06:00 committed by GitHub
commit 1b868259fe
2 changed files with 10 additions and 2 deletions

View File

@ -210,7 +210,7 @@ should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory
> NOTE: If you don't mount a `dhparam.pem` file at `/etc/nginx/dhparam/dhparam.pem`, one will be generated > NOTE: If you don't mount a `dhparam.pem` file at `/etc/nginx/dhparam/dhparam.pem`, one will be generated
at startup. Since it can take minutes to generate a new `dhparam.pem`, it is done at low priority in the at startup. Since it can take minutes to generate a new `dhparam.pem`, it is done at low priority in the
background. Once generation is complete, the `dhparams.pem` is saved on a persistent volume and nginx background. Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx
is reloaded. This generation process only occurs the first time you start `nginx-proxy`. is reloaded. This generation process only occurs the first time you start `nginx-proxy`.
> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some > COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some
@ -218,6 +218,12 @@ is reloaded. This generation process only occurs the first time you start `ngin
> clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit > clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit
> key on startup by passing `-e DHPARAM_BITS=1024`. > key on startup by passing `-e DHPARAM_BITS=1024`.
In the separate container setup, no pregenerated key will be available and neither the
[jwilder/docker-gen](https://index.docker.io/u/jwilder/docker-gen/) image nor the offical
[nginx](https://registry.hub.docker.com/_/nginx/) image will generate one. If you still want A+ security
in a separate container setup, you'll have to generate a 2048 bits DH key file manually and mount it on the
nginx container, at `/etc/nginx/dhparam/dhparam.pem`.
#### Wildcard Certificates #### Wildcard Certificates
Wildcard certificates and keys should be named after the domain name with a `.crt` and `.key` extension. Wildcard certificates and keys should be named after the domain name with a `.crt` and `.key` extension.

View File

@ -42,7 +42,9 @@ map $http_upgrade $proxy_connection {
server_names_hash_bucket_size 128; server_names_hash_bucket_size 128;
# Default dhparam # Default dhparam
{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
ssl_dhparam /etc/nginx/dhparam/dhparam.pem; ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
{{ end }}
# Set appropriate X-Forwarded-Ssl header # Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl { map $scheme $proxy_x_forwarded_ssl {
@ -319,4 +321,4 @@ server {
{{ end }} {{ end }}
{{ end }} {{ end }}
{{ end }} {{ end }}