Merge pull request #1797 from polarathene/feat/prefer-rfc-7919-dhparams

feat: Use RFC 7919 DH groups + Remove DH generation

Dockerfile

@@ -51,7 +51,8 @@ RUN apt-get update \
 # Configure Nginx and apply fix for very long server names
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
    && sed -i 's/worker_processes  1/worker_processes  auto/' /etc/nginx/nginx.conf \
-   && sed -i 's/worker_connections  1024/worker_connections  10240/' /etc/nginx/nginx.conf
+   && sed -i 's/worker_connections  1024/worker_connections  10240/' /etc/nginx/nginx.conf \
+   && mkdir -p '/etc/nginx/dhparam'
 
 # Install Forego + docker-gen
 COPY --from=forego /usr/local/bin/forego /usr/local/bin/forego
@@ -69,7 +70,5 @@ WORKDIR /app/
 
 ENV DOCKER_HOST unix:///tmp/docker.sock
 
-VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam"]
-
 ENTRYPOINT ["/app/docker-entrypoint.sh"]
 CMD ["forego", "start", "-r"]

Dockerfile.alpine

@@ -48,7 +48,8 @@ RUN apk add --no-cache --virtual .run-deps \
 # Configure Nginx and apply fix for very long server names
 RUN echo "daemon off;" >> /etc/nginx/nginx.conf \
    && sed -i 's/worker_processes  1/worker_processes  auto/' /etc/nginx/nginx.conf \
-   && sed -i 's/worker_connections  1024/worker_connections  10240/' /etc/nginx/nginx.conf
+   && sed -i 's/worker_connections  1024/worker_connections  10240/' /etc/nginx/nginx.conf \
+   && mkdir -p '/etc/nginx/dhparam'
 
 # Install Forego + docker-gen
 COPY --from=forego /usr/local/bin/forego /usr/local/bin/forego
@@ -66,7 +67,5 @@ WORKDIR /app/
 
 ENV DOCKER_HOST unix:///tmp/docker.sock
 
-VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam"]
-
 ENTRYPOINT ["/app/docker-entrypoint.sh"]
 CMD ["forego", "start", "-r"]

README.md

@@ -237,12 +237,6 @@ docker run -e VIRTUAL_HOST=foo.bar.com  ...
 
 [acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol.
 
-Set `DHPARAM_GENERATION` environment variable to `false` to disable Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. The default value is `true`
-
-```console
-docker run -e DHPARAM_GENERATION=false ....
-```
-
 ### SSL Support
 
 SSL is supported using single host, wildcard and SNI certificates using naming conventions for certificates or optionally specifying a cert name (for SNI) as an environment variable.
@@ -259,13 +253,19 @@ If you are running the container in a virtualized environment (Hyper-V, VirtualB
 
 #### Diffie-Hellman Groups
 
-Diffie-Hellman groups are enabled by default, with a pregenerated key in `/etc/nginx/dhparam/dhparam.pem`. You can mount a different `dhparam.pem` file at that location to override the default cert. To use custom `dhparam.pem` files per-virtual-host, the files should be named after the virtual host with a `dhparam` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory.
+[RFC7919 groups](https://datatracker.ietf.org/doc/html/rfc7919#appendix-A) with key lengths of 2048, 3072, and 4096 bits are [provided by `nginx-proxy`](https://github.com/nginx-proxy/nginx-proxy/dhparam). The ENV `DHPARAM_BITS` can be set to `2048` or `3072` to change from the default 4096-bit key. The DH key file will be located in the container at `/etc/nginx/dhparam/dhparam.pem`. Mounting a different `dhparam.pem` file at that location will override the RFC7919 key.
 
-> NOTE: If you don't mount a `dhparam.pem` file at `/etc/nginx/dhparam/dhparam.pem`, one will be generated at startup.  Since it can take minutes to generate a new `dhparam.pem`, it is done at low priority in the background. Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx is reloaded. This generation process only occurs the first time you start `nginx-proxy`.
+To use custom `dhparam.pem` files per-virtual-host, the files should be named after the virtual host with a `dhparam` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory.
 
-> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 4096 bits for A+ security. Some older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit key on startup by passing `-e DHPARAM_BITS=1024`.
+> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 4096 bits for A+ security. Some older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these clients, you must either provide your own `dhparam.pem`.
 
-In the separate container setup, no pregenerated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will generate one. If you still want A+ security in a separate container setup, you'll have to generate a 2048 or 4096 bits DH key file manually and mount it on the nginx container, at `/etc/nginx/dhparam/dhparam.pem`.
+In the separate container setup, no pre-generated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image, nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will provide one. If you still want A+ security in a separate container setup, you should mount an RFC7919 DH key file to the nginx container at `/etc/nginx/dhparam/dhparam.pem`.
+
+Set `DHPARAM_SKIP` environment variable to `true` to disable using default Diffie-Hellman parameters. The default value is `false`.
+
+```console
+docker run -e DHPARAM_SKIP=true ....
+```
 
 #### Wildcard Certificates
 
@@ -287,7 +287,7 @@ If you don't require backward compatibility, you can use the [Mozilla modern pro
 
 Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility) and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) `AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
 
-Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container generates a 4096 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing this, either globally or per virtual-host.
+Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container provides a 4096 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing this, either globally or per virtual-host.
 
 The default behavior for the proxy when port 80 and 443 are exposed is as follows:
 

dhparam.pem.default

@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAzB2nIGzpVq7afJnKBm1X0d64avwOlP2oneiKwxRHdDI/5+6TpH1P
-F8ipodGuZBUMmupoB3D34pu2Qq5boNW983sm18ww9LMz2i/pxhSdB+mYAew+A6h6
-ltQ5pNtyn4NaKw1SDFkqvde3GNPhaWoPDbZDJhpHGblR3w1b/ag+lTLZUvVwcD8L
-jYS9f9YWAC6T7WxAxh4zvu1Z0I1EKde8KYBxrreZNheXpXHqMNyJYZCaY2Hb/4oI
-EL65qZq1GCWezpWMjhk6pOnV5gbvqfhoazCv/4OdRv6RoWOIYBNs9BmGho4AtXqV
-FYLdYDhOvN4aVs9Ir+G8ouwiRnix24+UewIBAg==
------END DH PARAMETERS-----

dhparam/ffdhe2048.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

dhparam/ffdhe3072.pem

@@ -0,0 +1,11 @@
+-----BEGIN DH PARAMETERS-----
+MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
+N///////////AgEC
+-----END DH PARAMETERS-----

dhparam/ffdhe4096.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----

docker-entrypoint.sh

@@ -1,39 +1,106 @@
 #!/bin/bash
 set -e
 
-# Warn if the DOCKER_HOST socket does not exist
-if [[ $DOCKER_HOST = unix://* ]]; then
-	socket_file=${DOCKER_HOST#unix://}
-	if ! [ -S "$socket_file" ]; then
-		cat >&2 <<-EOT
-			ERROR: you need to share your Docker host socket with a volume at $socket_file
-			Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:$socket_file:ro\`
-			See the documentation at http://git.io/vZaGJ
-		EOT
-		socketMissing=1
+function _parse_true() {
+	case "$1" in
+		
+		true | True | TRUE | 1)
+		return 0
+		;;
+		
+		*)
+		return 1
+		;;
+
+	esac
+}
+
+function _parse_false() {
+	case "$1" in
+		
+		false | False | FALSE | 0)
+		return 0
+		;;
+		
+		*)
+		return 1
+		;;
+
+	esac
+}
+
+function _check_unix_socket() {
+	# Warn if the DOCKER_HOST socket does not exist
+	if [[ ${DOCKER_HOST} == unix://* ]]; then
+		local SOCKET_FILE="${DOCKER_HOST#unix://}"
+
+		if [[ ! -S ${SOCKET_FILE} ]]; then
+			cat >&2 <<-EOT
+				ERROR: you need to share your Docker host socket with a volume at ${SOCKET_FILE}
+				Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:${SOCKET_FILE}:ro\`
+				See the documentation at: https://github.com/nginx-proxy/nginx-proxy/#usage
+			EOT
+
+			exit 1
+		fi
 	fi
-fi
+}
 
-# Generate dhparam file if required
-/app/generate-dhparam.sh
+function _resolvers() {
+	# Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in []
+	RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g'); export RESOLVERS
 
-# Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in []
-RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g'); export RESOLVERS
+	SCOPED_IPV6_REGEX='\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]'
 
-SCOPED_IPV6_REGEX="\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]"
+	if [[ -z ${RESOLVERS} ]]; then
+		echo 'Warning: unable to determine DNS resolvers for nginx' >&2
+		unset RESOLVERS
+	elif [[ ${RESOLVERS} =~ ${SCOPED_IPV6_REGEX} ]]; then
+		echo -n 'Warning: Scoped IPv6 addresses removed from resolvers: ' >&2
+		echo "${RESOLVERS}" | grep -Eo "$SCOPED_IPV6_REGEX" | paste -s -d ' ' >&2
+		RESOLVERS=$(echo "${RESOLVERS}" | sed -r "s/${SCOPED_IPV6_REGEX}//g" | xargs echo -n); export RESOLVERS
+	fi
+}
 
-if [ "$RESOLVERS" = "" ]; then
-	echo "Warning: unable to determine DNS resolvers for nginx" >&2
-	unset RESOLVERS
-elif [[ $RESOLVERS =~ $SCOPED_IPV6_REGEX ]]; then
-	echo -n "Warning: Scoped IPv6 addresses removed from resolvers: " >&2
-	echo "$RESOLVERS" | grep -Eo "$SCOPED_IPV6_REGEX" | paste -s -d ' ' >&2
-	RESOLVERS=$(echo "$RESOLVERS" | sed -r "s/$SCOPED_IPV6_REGEX//g" | xargs echo -n); export RESOLVERS
-fi
+function _setup_dhparam() {
+	# DH params will be supplied for nginx here:
+	local DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem'
+
+	# Should be 2048, 3072, or 4096 (default):
+	local FFDHE_GROUP="${DHPARAM_BITS:=4096}"
+
+	# DH params may be provided by the user (rarely necessary)
+	if [[ -f ${DHPARAM_FILE} ]]; then
+		echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2
+		return 0
+	elif _parse_true "${DHPARAM_SKIP:=false}"; then
+		echo 'Skipping Diffie-Hellman parameters setup.'
+		return 0
+	elif _parse_false "${DHPARAM_GENERATION:=true}"; then
+		echo 'Warning: The DHPARAM_GENERATION environment variable is deprecated, please consider using DHPARAM_SKIP set to true instead.' >&2
+		echo 'Skipping Diffie-Hellman parameters setup.'
+		return 0
+	elif [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then
+		echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2
+		exit 1
+	fi
+
+	echo 'Setting up DH Parameters..'
+
+	# Use an existing pre-generated DH group from RFC7919 (https://datatracker.ietf.org/doc/html/rfc7919#appendix-A):
+	local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem"
+
+	# Provide the DH params file to nginx:
+	cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}"
+}
+
+# Run the init logic if the default CMD was provided
+if [[ $* == 'forego start -r' ]]; then
+	_check_unix_socket
+
+	_resolvers
 
-# If the user has run the default command and the socket doesn't exist, fail
-if [ "$socketMissing" = 1 ] && [ "$1" = forego ] && [ "$2" = start ] && [ "$3" = '-r' ]; then
-	exit 1
+	_setup_dhparam
 fi
 
 exec "$@"

generate-dhparam.sh

@@ -1,53 +0,0 @@
-#!/bin/bash -e
-
-# DHPARAM_BITS is the bit depth of the dhparam, or 4096 if unspecified
-DHPARAM_BITS=${DHPARAM_BITS:-4096}
-# DHPARAM_GENERATION=false skips dhparam generation
-DHPARAM_GENERATION=${DHPARAM_GENERATION:-true}
-
-# If a dhparam file is not available, use the pre-generated one and generate a new one in the background.
-# Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts.
-PREGEN_DHPARAM_FILE="/app/dhparam.pem.default"
-DHPARAM_FILE="/etc/nginx/dhparam/dhparam.pem"
-GEN_LOCKFILE="/tmp/dhparam_generating.lock"
-
-# The hash of the pregenerated dhparam file is used to check if the pregen dhparam is already in use
-PREGEN_HASH=$(md5sum $PREGEN_DHPARAM_FILE | cut -d" " -f1)
-if [[ -f $DHPARAM_FILE ]]; then
-    CURRENT_HASH=$(md5sum $DHPARAM_FILE | cut -d" " -f1)
-    if [[ $PREGEN_HASH != "$CURRENT_HASH" ]]; then
-        # There is already a dhparam, and it's not the default
-        echo "Custom dhparam.pem file found, generation skipped"
-        exit 0
-    fi
-
-    if [[ -f $GEN_LOCKFILE ]]; then
-        # Generation is already in progress
-        exit 0
-    fi
-fi
-
-if [[ $DHPARAM_GENERATION =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]; then
-    echo "Skipping Diffie-Hellman parameters generation and Ignoring pre-generated dhparam.pem"
-    exit 0
-fi
-
-cat >&2 <<-EOT
-WARNING: $DHPARAM_FILE was not found. A pre-generated dhparam.pem will be used for now while a new one
-is being generated in the background.  Once the new dhparam.pem is in place, nginx will be reloaded.
-EOT
-
-# Put the default dhparam file in place so we can start immediately
-cp $PREGEN_DHPARAM_FILE $DHPARAM_FILE
-touch $GEN_LOCKFILE
-
-# Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator).
-(
-    (
-        nice -n +5 openssl dhparam -dsaparam -out $DHPARAM_FILE.tmp "$DHPARAM_BITS" 2>&1 \
-        && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \
-        && echo "dhparam generation complete, reloading nginx" \
-        && nginx -s reload
-    ) | grep -vE '^[\.+]+'
-    rm $GEN_LOCKFILE
-) & disown

test/lib/ssl/dhparam.pem

@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEA1cae6HqPSgicEuAuSCf6Ii3d6qMX9Ta8lnwoX0JQ0CWK7mzaiiIi
-dY7oHmc4cq0S3SH+g0tdLP9yqygFS9hdUGINwS2VV6poj2/vdL/dUshegyxpEH58
-nofCPnFDeKkcPDMYAlGS8zjp60TsBkRJKcrxxwnjod1Q5mWuMN5KH3sxs842udKH
-0nHFE9kKW/NfXb+EGsjpocGpf786cGuCO2d00THsoItOEcM9/aI8DX1QcyxAHR6D
-HaYTFJnyyx8Q44u27M15idI4pbNoKORlotiuOwCTGYCfbN14aOV+Ict7aSF8FWpP
-48j9SMNuIu2DlF9pNLo6fsrOjYY3c9X12wIBAg==
------END DH PARAMETERS-----

test/pytest.sh

@@ -8,17 +8,18 @@
 #                                                                             #
 ###############################################################################
 
+# Returns the absolute directory path to this script
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-ARGS="$@"
+ARGS=("$@")
 
 # check requirements
 echo "> Building nginx-proxy-tester image..."
-docker build -t nginx-proxy-tester -f $DIR/requirements/Dockerfile-nginx-proxy-tester $DIR/requirements
+docker build -t nginx-proxy-tester -f "${DIR}/requirements/Dockerfile-nginx-proxy-tester" "${DIR}/requirements"
 
 # run the nginx-proxy-tester container setting the correct value for the working dir in order for 
 # docker-compose to work properly when run from within that container.
 exec docker run --rm -it \
-	-v ${DIR}:/${DIR} \
-	-w ${DIR} \
-	-v /var/run/docker.sock:/var/run/docker.sock \
-	nginx-proxy-tester ${ARGS}
+--volume /var/run/docker.sock:/var/run/docker.sock \
+--volume "${DIR}:${DIR}" \
+--workdir "${DIR}" \
+nginx-proxy-tester "${ARGS[@]}"

test/test_DOCKER_HOST_unix_socket.yml

@@ -19,6 +19,5 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/f00.sock:ro
-    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
   environment:
     DOCKER_HOST: unix:///f00.sock

test/test_composev2.yml

@@ -4,7 +4,6 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
 
   web:
     image: web

test/test_custom/test_defaults-location.yml

@@ -2,7 +2,6 @@ nginx-proxy:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/default_location:ro
     - ./my_custom_proxy_settings_bar.conf:/etc/nginx/vhost.d/web3.nginx-proxy.local_location:ro
 

test/test_custom/test_defaults.yml

@@ -4,7 +4,6 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
       - ./my_custom_proxy_settings.conf:/etc/nginx/proxy.conf:ro
 
   web1:

test/test_custom/test_location-per-vhost.yml

@@ -4,7 +4,6 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
       - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/web1.nginx-proxy.local_location:ro
 
   web1:

test/test_custom/test_per-vhost.yml

@@ -4,7 +4,6 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
       - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/web1.nginx-proxy.local:ro
 
   web1:

test/test_custom/test_proxy-wide.yml

@@ -4,7 +4,6 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
       - ./my_custom_proxy_settings.conf:/etc/nginx/conf.d/my_custom_proxy_settings.conf:ro
 
   web1:

test/test_debug/test_proxy-debug-flag.yml

@@ -22,6 +22,5 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
   environment:
     DEBUG: "true"

test/test_debug/test_server-debug-flag.yml

@@ -23,4 +23,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_default-host.yml

@@ -13,6 +13,5 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
   environment:
     DEFAULT_HOST: web1.tld

test/test_dockergen/test_dockergen_v2.yml

@@ -6,7 +6,6 @@ services:
     container_name: nginx
     volumes:
       - /etc/nginx/conf.d
-      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
 
   dockergen:
     image: jwilder/docker-gen

test/test_dockergen/test_dockergen_v3.yml

@@ -5,7 +5,6 @@ services:
     container_name: nginx
     volumes:
       - nginx_conf:/etc/nginx/conf.d
-      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
 
   dockergen:
     image: jwilder/docker-gen

test/test_events.yml

@@ -2,4 +2,3 @@ nginxproxy:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_headers/test_http.yml

@@ -20,4 +20,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_headers/test_https.yml

@@ -26,4 +26,3 @@ sut:
     - ./certs/web.nginx-proxy.tld.key:/etc/nginx/certs/web.nginx-proxy.tld.key:ro
     - ./certs/web-server-tokens-off.nginx-proxy.tld.crt:/etc/nginx/certs/web-server-tokens-off.nginx-proxy.tld.crt:ro
     - ./certs/web-server-tokens-off.nginx-proxy.tld.key:/etc/nginx/certs/web-server-tokens-off.nginx-proxy.tld.key:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_http_port.yml

@@ -10,6 +10,5 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
   environment:
     HTTP_PORT: 8080

test/test_ipv6.yml

@@ -33,7 +33,6 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     environment:
       ENABLE_IPV6: "true"
     networks:

test/test_multiple-hosts.yml

@@ -11,4 +11,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_multiple-networks.yml

@@ -9,7 +9,6 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     networks:
       - net1
       - net2

test/test_multiple-ports/test_VIRTUAL_PORT-single-different-from-single-port.yml

@@ -12,4 +12,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_multiple-ports/test_VIRTUAL_PORT.yml

@@ -12,4 +12,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_multiple-ports/test_default-80.yml

@@ -11,4 +11,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_multiple-ports/test_single-port-not-80.yml

@@ -11,4 +11,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_nominal.yml

@@ -33,6 +33,5 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     networks:
       - net1

test/test_raw-ip-vhost.yml

@@ -41,7 +41,6 @@ services:
       ENABLE_IPV6: "true"
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     networks:
       net1:
         ipv4_address: 172.20.0.4

test/test_server-down/test_load-balancing.yml

@@ -27,4 +27,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_server-down/test_no-server-down.yml

@@ -10,4 +10,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_server-down/test_server-down.yml

@@ -11,4 +11,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_ssl/test_dhparam.py

@@ -15,7 +15,7 @@ docker_client = docker.from_env()
 ###############################################################################
 
 @backoff.on_exception(backoff.constant, AssertionError, interval=2, max_tries=15, jitter=None)
-def assert_log_contains(expected_log_line):
+def assert_log_contains(expected_log_line, container_name="nginxproxy"):
     """
     Check that the nginx-proxy container log contains a given string.
     The backoff decorator will retry the check 15 times with a 2 seconds delay.
@@ -24,7 +24,7 @@ def assert_log_contains(expected_log_line):
     :return: None
     :raises: AssertError if the expected string is not found in the log
     """
-    sut_container = docker_client.containers.get("nginxproxy")
+    sut_container = docker_client.containers.get(container_name)
     docker_logs = sut_container.logs(stdout=True, stderr=True, stream=False, follow=False)
     assert bytes(expected_log_line, encoding="utf8") in docker_logs
 
@@ -58,36 +58,149 @@ def require_openssl(required_version):
             reason=f"openssl v{openssl_version} is less than required version {required_version}")
 
 
+@require_openssl("1.0.2")
+def negotiate_cipher(sut_container, additional_params='', grep='Cipher is'):
+    host = f"{sut_container.attrs['NetworkSettings']['IPAddress']}:443"
+
+    try:
+        # Enforce TLS 1.2 as newer versions don't support custom dhparam or ciphersuite preference.
+        # The empty `echo` is to provide `openssl` user input, so that the process exits: https://stackoverflow.com/a/28567565
+        # `shell=True` enables using a single string to execute as a shell command.
+        # `text=True` prevents the need to compare against byte strings.
+        # `stderr=subprocess.PIPE` removes the output to stderr being interleaved with test case status (output during exceptions).
+        return subprocess.check_output(
+            f"echo '' | openssl s_client -connect {host} -tls1_2 {additional_params} | grep '{grep}'",
+            shell=True,
+            text=True,
+            stderr=subprocess.PIPE,
+        )
+    except subprocess.CalledProcessError as e:
+        # Output a more helpful error, the original exception in this case isn't that helpful.
+        # `from None` to ignore undesired output from exception chaining.
+        raise Exception("Failed to process CLI request:\n" + e.stderr) from None
+
+
+def can_negotiate_dhe_ciphersuite(sut_container):
+    r = negotiate_cipher(sut_container, "-cipher 'EDH'")
+    assert "New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r
+
+    r2 = negotiate_cipher(sut_container, "-cipher 'EDH'", "Server Temp Key")
+    assert "DH" in r2
+
+
+def cannot_negotiate_dhe_ciphersuite(sut_container):
+    # Fail to negotiate a DHE cipher suite:
+    r = negotiate_cipher(sut_container, "-cipher 'EDH'")
+    assert "New, (NONE), Cipher is (NONE)\n" == r
+
+    # Correctly establish a connection (TLS 1.2):
+    r2 = negotiate_cipher(sut_container)
+    assert "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n" == r2
+
+    r3 = negotiate_cipher(sut_container, grep="Server Temp Key")
+    assert "X25519" in r3
+
+
+# Parse array of container ENV, splitting at the `=` and returning the value, otherwise `None`
+def get_env(sut_container, var):
+  env = sut_container.attrs['Config']['Env']
+
+  for e in env:
+    if e.startswith(var):
+      return e.split('=')[1]
+  
+  return None
+
+
 ###############################################################################
 #
 # Tests
 #
 ###############################################################################
 
-def test_dhparam_is_not_generated_if_present(docker_compose):
-    sut_container = docker_client.containers.get("nginxproxy")
+def test_default_dhparam_is_ffdhe4096(docker_compose):
+    container_name="dh-default"
+    sut_container = docker_client.containers.get(container_name)
+    assert sut_container.status == "running"
+
+    assert_log_contains("Setting up DH Parameters..", container_name)
+
+    # Make sure the dhparam file used is the default ffdhe4096.pem:
+    default_checksum = sut_container.exec_run("md5sum /app/dhparam/ffdhe4096.pem").output.split()
+    current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split()
+    assert default_checksum[0] == current_checksum[0]
+
+    can_negotiate_dhe_ciphersuite(sut_container)
+
+
+def test_can_change_dhparam_group(docker_compose):
+    container_name="dh-env"
+    sut_container = docker_client.containers.get(container_name)
     assert sut_container.status == "running"
 
-    assert_log_contains("Custom dhparam.pem file found, generation skipped")
+    assert_log_contains("Setting up DH Parameters..", container_name)
 
-    # Make sure the dhparam in use is not the default, pre-generated one
-    default_checksum = sut_container.exec_run("md5sum /app/dhparam.pem.default").output.split()
+    # Make sure the dhparam file used is ffdhe2048.pem, not the default (ffdhe4096.pem):
+    default_checksum = sut_container.exec_run("md5sum /app/dhparam/ffdhe2048.pem").output.split()
+    current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split()
+    assert default_checksum[0] == current_checksum[0]
+
+    can_negotiate_dhe_ciphersuite(sut_container)
+
+
+def test_fail_if_dhparam_group_not_supported(docker_compose):
+    container_name="invalid-group-1024"
+    sut_container = docker_client.containers.get(container_name)
+    assert sut_container.status == "exited"
+
+    DHPARAM_BITS = get_env(sut_container, "DHPARAM_BITS")
+    assert DHPARAM_BITS == "1024"
+
+    assert_log_contains(
+        f"ERROR: Unsupported DHPARAM_BITS size: {DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default).",
+        container_name
+    )
+
+
+def test_custom_dhparam_is_supported(docker_compose):
+    container_name="dh-file"
+    sut_container = docker_client.containers.get(container_name)
+    assert sut_container.status == "running"
+
+    assert_log_contains(
+        "Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.",
+        container_name
+    )
+
+    # Make sure the dhparam file used is not the default (ffdhe4096.pem):
+    default_checksum = sut_container.exec_run("md5sum /app/dhparam/ffdhe4096.pem").output.split()
     current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split()
     assert default_checksum[0] != current_checksum[0]
 
+    can_negotiate_dhe_ciphersuite(sut_container)
 
-def test_web5_https_works(docker_compose, nginxproxy):
-    r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False)
-    assert r.status_code == 200
-    assert "answer from port 85\n" in r.text
 
+def test_can_skip_dhparam(docker_compose):
+    container_name="dh-skip"
+    sut_container = docker_client.containers.get(container_name)
+    assert sut_container.status == "running"
 
-@require_openssl("1.0.2")
-def test_web5_dhparam_is_used(docker_compose):
-    sut_container = docker_client.containers.get("nginxproxy")
+    assert_log_contains("Skipping Diffie-Hellman parameters setup.", container_name)
+
+    cannot_negotiate_dhe_ciphersuite(sut_container)
+
+def test_can_skip_dhparam_backward_compatibility(docker_compose):
+    container_name="dh-skip-backward"
+    sut_container = docker_client.containers.get(container_name)
     assert sut_container.status == "running"
+    
+    assert_log_contains("Warning: The DHPARAM_GENERATION environment variable is deprecated, please consider using DHPARAM_SKIP set to true instead.", container_name)
+    assert_log_contains("Skipping Diffie-Hellman parameters setup.", container_name)
 
-    host = f"{sut_container.attrs['NetworkSettings']['IPAddress']}:443"
-    r = subprocess.check_output(
-        f"echo '' | openssl s_client -connect {host} -cipher 'EDH' | grep 'Server Temp Key'", shell=True)
-    assert b"Server Temp Key: X25519, 253 bits\n" == r
+    cannot_negotiate_dhe_ciphersuite(sut_container)
+
+
+def test_web5_https_works(docker_compose, nginxproxy):
+    r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False)
+    assert r.status_code == 200
+    assert "answer from port 85\n" in r.text

test/test_ssl/test_dhparam.yml

@@ -6,11 +6,48 @@ web5:
     WEB_PORTS: "85"
     VIRTUAL_HOST: "web5.nginx-proxy.tld"
 
+# sut - System Under Test
+# `docker.sock` required for functionality
+# `certs` required to enable HTTPS via template
+with_default_group:
+  container_name: dh-default
+  image: &img-nginxproxy nginxproxy/nginx-proxy:test
+  volumes: &vols-common
+    - &docker-sock /var/run/docker.sock:/tmp/docker.sock:ro
+    - &nginx-certs ./certs:/etc/nginx/certs:ro
 
-sut:
-  image: nginxproxy/nginx-proxy:test
-  container_name: nginxproxy
-  volumes:
-    - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
-    - ./certs:/etc/nginx/certs:ro
+with_alternative_group:
+  container_name: dh-env
+  environment:
+    - DHPARAM_BITS=2048
+  image: *img-nginxproxy
+  volumes: *vols-common
+
+with_invalid_group:
+  container_name: invalid-group-1024
+  environment:
+    - DHPARAM_BITS=1024
+  image: *img-nginxproxy
+  volumes: *vols-common
+
+with_custom_file:
+  container_name: dh-file
+  image: *img-nginxproxy
+  volumes: 
+    - *docker-sock
+    - *nginx-certs
+    - ../../dhparam/ffdhe3072.pem:/etc/nginx/dhparam/dhparam.pem:ro
+
+with_skip:
+  container_name: dh-skip
+  environment:
+    - DHPARAM_SKIP=true
+  image: *img-nginxproxy
+  volumes: *vols-common
+
+with_skip_backward:
+  container_name: dh-skip-backward
+  environment:
+    - DHPARAM_GENERATION=false
+  image: *img-nginxproxy
+  volumes: *vols-common

test/test_ssl/test_dhparam_generation.py

@@ -1,44 +0,0 @@
-import backoff
-import docker
-
-docker_client = docker.from_env()
-
-
-###############################################################################
-#
-# Tests helpers
-#
-###############################################################################
-
-@backoff.on_exception(backoff.constant, AssertionError, interval=2, max_tries=15, jitter=None)
-def assert_log_contains(expected_log_line):
-    """
-    Check that the nginx-proxy container log contains a given string.
-    The backoff decorator will retry the check 15 times with a 2 seconds delay.
-
-    :param expected_log_line: string to search for
-    :return: None
-    :raises: AssertError if the expected string is not found in the log
-    """
-    sut_container = docker_client.containers.get("nginxproxy")
-    docker_logs = sut_container.logs(stdout=True, stderr=True, stream=False, follow=False)
-    assert bytes(expected_log_line, encoding="utf8") in docker_logs
-
-
-###############################################################################
-#
-# Tests
-#
-###############################################################################
-
-def test_dhparam_is_generated_if_missing(docker_compose):
-    sut_container = docker_client.containers.get("nginxproxy")
-    assert sut_container.status == "running"
-
-    assert_log_contains("Generating DSA parameters")
-    assert_log_contains("dhparam generation complete, reloading nginx")
-
-    # Make sure the dhparam in use is not the default, pre-generated one
-    default_checksum = sut_container.exec_run("md5sum /app/dhparam.pem.default").output.split()
-    generated_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split()
-    assert default_checksum[0] != generated_checksum[0]

test/test_ssl/test_dhparam_generation.yml

@@ -1,8 +0,0 @@
-sut:
-  image: nginxproxy/nginx-proxy:test
-  container_name: nginxproxy
-  volumes:
-    - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ./certs:/etc/nginx/certs:ro
-  environment:
-    - DHPARAM_BITS=256

test/test_ssl/test_hsts.yml

@@ -38,5 +38,4 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     - ./certs:/etc/nginx/certs:ro

test/test_ssl/test_https_port.yml

@@ -10,7 +10,6 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     - ./certs:/etc/nginx/certs:ro
   environment:
     HTTP_PORT: 8080

test/test_ssl/test_nohttp.yml

@@ -12,5 +12,4 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     - ./certs:/etc/nginx/certs:ro

test/test_ssl/test_nohttps.yml

@@ -12,4 +12,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_ssl/test_noredirect.yml

@@ -12,5 +12,4 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     - ./certs:/etc/nginx/certs:ro

test/test_ssl/test_wildcard.yml

@@ -10,5 +10,4 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     - ./certs:/etc/nginx/certs:ro

test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml

@@ -7,7 +7,6 @@ services:
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
       - ./certs:/etc/nginx/certs:ro
-      - ../../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
 
   web1:
     image: web

test/test_upstream-name/test_predictable-name.yml

@@ -13,4 +13,3 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro

test/test_upstream-name/test_sha1-name.yml

@@ -13,6 +13,5 @@ services:
     image: nginxproxy/nginx-proxy:test
     volumes:
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
     environment:
       SHA1_UPSTREAM_NAME: "true"

test/test_wildcard_host.yml

@@ -35,4 +35,3 @@ sut:
   image: nginxproxy/nginx-proxy:test
   volumes:
     - /var/run/docker.sock:/tmp/docker.sock:ro
-    - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro