feat: Bring back ability to skip default DH params

Adds back the ability to avoid using DH params, provided no file was explicitly supplied. This used to be `DHPARAM_GENERATION=false`, the equivalent is now `DHPARAM_SKIP=1` (default 0). Previous name was no longer appropriate. Ensures that if a user has explicitly provided their own dhparam file to still output a warning instead of the skip message, since `DHPARAM_SKIP=1` doesn't disable the support in nginx.
2025-02-24 09:48:14 +00:00 · 2021-09-28 21:49:06 +13:00 · 2021-09-28 21:49:06 +13:00 · 1d2f308cdf
commit 1d2f308cdf
parent fd35a09240
4 changed files with 29 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -261,6 +261,12 @@ To use custom `dhparam.pem` files per-virtual-host, the files should be named af
 In the separate container setup, no pre-generated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image, nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will provide one. If you still want A+ security in a separate container setup, you should mount an RFC7919 DH key file to the nginx container at `/etc/nginx/dhparam/dhparam.pem`.
 Set `DHPARAM_SKIP` environment variable to `1` to disable using default Diffie-Hellman parameters. The default value is `0`.
 ```console
 docker run -e DHPARAM_SKIP=1 ....
 ```
 #### Wildcard Certificates
 Wildcard certificates and keys should be named after the domain name with a `.crt` and `.key` extension. For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.crt` and `bar.com.key`.
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@ -47,6 +47,9 @@ function _setup_dhparam() {
 	if [[ -f ${DHPARAM_FILE} ]]; then
 		echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2
 		return 0
 	elif [[ ${DHPARAM_SKIP:=0} -eq 1 ]]; then
 		echo 'Skipping Diffie-Hellman parameters setup.'
 		return 0
 	elif [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then
 		echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2
 		exit 1
--- a/test/test_ssl/test_dhparam.py
+++ b/test/test_ssl/test_dhparam.py
@ -168,6 +168,16 @@ def test_custom_dhparam_is_supported(docker_compose):
    can_negotiate_dhe_ciphersuite(sut_container)
 def test_can_skip_dhparam(docker_compose):
    container_name="dh-skip"
    sut_container = docker_client.containers.get(container_name)
    assert sut_container.status == "running"
    assert_log_contains("Skipping Diffie-Hellman parameters setup.", container_name)
    cannot_negotiate_dhe_ciphersuite(sut_container)
 def test_web5_https_works(docker_compose, nginxproxy):
    r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False)
    assert r.status_code == 200
--- a/test/test_ssl/test_dhparam.yml
+++ b/test/test_ssl/test_dhparam.yml
@ -39,3 +39,12 @@ with_custom_file:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - ./certs:/etc/nginx/certs:ro
    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
 with_skip:
  image: nginxproxy/nginx-proxy:test
  container_name: dh-skip
  environment:
    - DHPARAM_SKIP=1
  volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - ./certs:/etc/nginx/certs:ro