
Issue #535 Added default 2048-bit dhparam.pem file

Steve Kamerman, 8 years ago
parent
commit
0b1e9e56e1
2 changed files with 8 additions and 5 deletions
  1. Dockerfile: 4 additions, 3 deletions
  2. README.md: 4 additions, 2 deletions

+ 4 - 3
Dockerfile

@@ -9,9 +9,10 @@ RUN apt-get update \
  && apt-get clean \
  && rm -r /var/lib/apt/lists/*
 
-# Configure Nginx and apply fix for very long server names
-RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
- && sed -i 's/^http {/&\n    server_names_hash_bucket_size 128;/g' /etc/nginx/nginx.conf
+# Generate dhparam.pem, configure Nginx, apply fix for very long server names
+RUN openssl dhparam -out /etc/nginx/dhparam.pem 2048 \
+ && echo "daemon off;" >> /etc/nginx/nginx.conf \
+ && sed -i 's|^http {|&\n    server_names_hash_bucket_size 128;    ssl_dhparam /etc/nginx/dhparam.pem;|g' /etc/nginx/nginx.conf
 
 # Install Forego
 ADD https://github.com/jwilder/forego/releases/download/v0.16.1/forego /usr/local/bin/forego
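Review bot: the `sed` replacement in the new `RUN` line writes both directives onto one line (`server_names_hash_bucket_size 128;    ssl_dhparam /etc/nginx/dhparam.pem;`) because the `\n` only precedes the first one; nginx accepts it, but the generated `nginx.conf` is harder to read and diff, so insert a second `\n    ` before `ssl_dhparam`. Two further points on the same line: `sed` exits 0 even when `^http {` matches nothing, so the build would silently produce an image with no `ssl_dhparam` (and no bucket-size fix); a trailing `&& grep -q 'ssl_dhparam /etc/nginx/dhparam.pem' /etc/nginx/nginx.conf` would make the build fail loudly instead. And `openssl dhparam ... 2048` at image-build time makes every build slow and non-reproducible (a fresh random group each time), which is worth a sentence in the commit message or a comment so nobody later "fixes" the build time by dropping to a weaker size.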

+ 4 - 2
README.md

@@ -142,9 +142,11 @@ hosts in use.  The certificate and keys should be named after the virtual host w
 
 #### Diffie-Hellman Groups
 
-If you have Diffie-Hellman groups enabled, the files should be named after the virtual host with a
+Diffie-Hellman groups are enabled by default, with a pregenerated key in `/etc/nginx/dhparam.pem`.
+You can mount a different `dhparam.pem` file at that location to override the default cert.
+To use custom `dhparam.pem` files per-virtual-host, the files should be named after the virtual host with a
 `dhparam` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com`
-should have a `foo.bar.com.dhparam.pem` file in the certs directory.
+should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory.
 
 #### Wildcard Certificates
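Review bot: the added README text calls the file a "pregenerated key" and says a mounted file will "override the default cert", but `dhparam.pem` is neither a key nor a certificate; it holds public Diffie-Hellman group parameters, which is exactly why shipping one inside the image is acceptable. Suggest "with pregenerated 2048-bit parameters in `/etc/nginx/dhparam.pem`" and "override the default parameters", and state the 2048-bit size in the README since the Dockerfile hunk fixes it. The per-virtual-host `foo.bar.com.dhparam.pem` behaviour is documented here but nothing in this diff wires it up, so it should be confirmed that the proxy template already emits a per-server `ssl_dhparam` (which takes precedence over the new `http`-level one); otherwise the README now describes an override that does not happen.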