feat: Bring back ability to skip default DH params

Adds back the ability to avoid using DH params, provided no file was explicitly supplied.

This used to be `DHPARAM_GENERATION=false`, the equivalent is now `DHPARAM_SKIP=1` (default 0). Previous name was no longer appropriate.

Ensures that if a user has explicitly provided their own dhparam file to still output a warning instead of the skip message, since `DHPARAM_SKIP=1` doesn't disable the support in nginx.

README.md

@@ -261,6 +261,12 @@ To use custom `dhparam.pem` files per-virtual-host, the files should be named af
 
 In the separate container setup, no pre-generated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image, nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will provide one. If you still want A+ security in a separate container setup, you should mount an RFC7919 DH key file to the nginx container at `/etc/nginx/dhparam/dhparam.pem`.
 
+Set `DHPARAM_SKIP` environment variable to `1` to disable using default Diffie-Hellman parameters. The default value is `0`.
+
+```console
+docker run -e DHPARAM_SKIP=1 ....
+```
+
 #### Wildcard Certificates
 
 Wildcard certificates and keys should be named after the domain name with a `.crt` and `.key` extension. For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.crt` and `bar.com.key`.

docker-entrypoint.sh

@@ -47,6 +47,9 @@ function _setup_dhparam() {
 	if [[ -f ${DHPARAM_FILE} ]]; then
 		echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2
 		return 0
+	elif [[ ${DHPARAM_SKIP:=0} -eq 1 ]]; then
+		echo 'Skipping Diffie-Hellman parameters setup.'
+		return 0
 	elif [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then
 		echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2
 		exit 1

test/test_ssl/test_dhparam.py

@@ -168,6 +168,16 @@ def test_custom_dhparam_is_supported(docker_compose):
     can_negotiate_dhe_ciphersuite(sut_container)
 
 
+def test_can_skip_dhparam(docker_compose):
+    container_name="dh-skip"
+    sut_container = docker_client.containers.get(container_name)
+    assert sut_container.status == "running"
+
+    assert_log_contains("Skipping Diffie-Hellman parameters setup.", container_name)
+
+    cannot_negotiate_dhe_ciphersuite(sut_container)
+
+
 def test_web5_https_works(docker_compose, nginxproxy):
     r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False)
     assert r.status_code == 200

test/test_ssl/test_dhparam.yml

@@ -38,4 +38,13 @@ with_custom_file:
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
     - ./certs:/etc/nginx/certs:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
+
+with_skip:
+  image: nginxproxy/nginx-proxy:test
+  container_name: dh-skip
+  environment:
+    - DHPARAM_SKIP=1
+  volumes:
+    - /var/run/docker.sock:/tmp/docker.sock:ro
+    - ./certs:/etc/nginx/certs:ro