feat: Bring back ability to skip default DH params

Adds back the ability to avoid using DH params, provided no file was explicitly supplied. This used to be `DHPARAM_GENERATION=false`, the equivalent is now `DHPARAM_SKIP=1` (default 0). Previous name was no longer appropriate. Ensures that if a user has explicitly provided their own dhparam file to still output a warning instead of the skip message, since `DHPARAM_SKIP=1` doesn't disable the support in nginx.
2025-08-24 00:11:55 +00:00 · 2021-09-28 21:49:06 +13:00
parent fd35a09240
commit 1d2f308cdf
4 changed files with 29 additions and 1 deletions
--- a/README.md
+++ b/README.md
@@ -261,6 +261,12 @@ To use custom `dhparam.pem` files per-virtual-host, the files should be named af

 In the separate container setup, no pre-generated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image, nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will provide one. If you still want A+ security in a separate container setup, you should mount an RFC7919 DH key file to the nginx container at `/etc/nginx/dhparam/dhparam.pem`.

+Set `DHPARAM_SKIP` environment variable to `1` to disable using default Diffie-Hellman parameters. The default value is `0`.
+
+```console
+docker run -e DHPARAM_SKIP=1 ....
+```
+
 #### Wildcard Certificates

 Wildcard certificates and keys should be named after the domain name with a `.crt` and `.key` extension. For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.crt` and `bar.com.key`.