From 3ac478f2848b938f645a35e0cba536b383fd76d8 Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Wed, 25 Oct 2017 12:34:22 +0200 Subject: [PATCH] Update Diffie-Hellman Groups doc + corrected a typo --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f8c0c9f..91052d4 100644 --- a/README.md +++ b/README.md @@ -210,7 +210,7 @@ should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory > NOTE: If you don't mount a `dhparam.pem` file at `/etc/nginx/dhparam/dhparam.pem`, one will be generated at startup. Since it can take minutes to generate a new `dhparam.pem`, it is done at low priority in the -background. Once generation is complete, the `dhparams.pem` is saved on a persistent volume and nginx +background. Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx is reloaded. This generation process only occurs the first time you start `nginx-proxy`. > COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 2048 bits for A+ security. Some @@ -218,6 +218,12 @@ is reloaded. This generation process only occurs the first time you start `ngin > clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit > key on startup by passing `-e DHPARAM_BITS=1024`. +In the separate container setup, no pregenerated key will be available and neither the +[jwilder/docker-gen](https://index.docker.io/u/jwilder/docker-gen/) image nor the offical +[nginx](https://registry.hub.docker.com/_/nginx/) image will generate one. If you still want A+ security +in a separate container setup, you'll have to generate a 2048 bits DH key file manually and mount it on the +nginx container, at `/etc/nginx/dhparam/dhparam.pem`. + #### Wildcard Certificates Wildcard certificates and keys should be named after the domain name with a `.crt` and `.key` extension.
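Review bot: the first hunk (`@@ -210,7 +210,7 @@`) is a correct one-character fix; `dhparams.pem` now matches the `/etc/nginx/dhparam/dhparam.pem` mount path named two lines earlier in the same NOTE block, so the three references in that paragraph are consistent. No further change needed there.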
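Review bot: the added paragraph in the second hunk (`@@ -218,6 +218,12 @@`) has two wording issues and one gap. Spelling: "offical" should be "official", and "a 2048 bits DH key file" should read "a 2048-bit DH parameter file" (the surrounding text calls it `dhparam.pem`, a DH parameter set, not a key). The gap: the paragraph tells the reader that in the separate-container setup no file is generated and that one must be mounted at `/etc/nginx/dhparam/dhparam.pem`, but it does not say how to produce it; a short pointer to the generation step (for example `openssl dhparam -out dhparam.pem 2048`) would make the paragraph actionable, and it would also be worth stating explicitly that `-e DHPARAM_BITS=1024`, mentioned just above, has no effect in that setup since nothing is generated.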