
fix: backward compatibility w/ DHPARAM_GENERATION

Also use true rather than 1 to stay consistent
with other boolean environment variables
Nicolas Duchon 3 лет назад
Родитель
Сommit
ab7ac0aadb
4 измененных файлов с 55 добавлено и 6 удалено
  1. 2 2
      README.md
  2. 35 3
      docker-entrypoint.sh
  3. 10 0
      test/test_ssl/test_dhparam.py
  4. 8 1
      test/test_ssl/test_dhparam.yml

+ 2 - 2
README.md

@@ -261,10 +261,10 @@ To use custom `dhparam.pem` files per-virtual-host, the files should be named af
 
 In the separate container setup, no pre-generated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image, nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will provide one. If you still want A+ security in a separate container setup, you should mount an RFC7919 DH key file to the nginx container at `/etc/nginx/dhparam/dhparam.pem`.
 
-Set `DHPARAM_SKIP` environment variable to `1` to disable using default Diffie-Hellman parameters. The default value is `0`.
+Set `DHPARAM_SKIP` environment variable to `true` to disable using default Diffie-Hellman parameters. The default value is `false`.
 
 ```console
-docker run -e DHPARAM_SKIP=1 ....
+docker run -e DHPARAM_SKIP=true ....
 ```
 
 #### Wildcard Certificates

+ 35 - 3
docker-entrypoint.sh

@@ -1,6 +1,34 @@
 #!/bin/bash
 set -e
 
+function _parse_true() {
+	case "$1" in
+		
+		true | True | TRUE | 1)
+		return 0
+		;;
+		
+		*)
+		return 1
+		;;
+
+	esac
+}
+
+function _parse_false() {
+	case "$1" in
+		
+		false | False | FALSE | 0)
+		return 0
+		;;
+		
+		*)
+		return 1
+		;;
+
+	esac
+}
+
 function _check_unix_socket() {
 	# Warn if the DOCKER_HOST socket does not exist
 	if [[ ${DOCKER_HOST} == unix://* ]]; then
@@ -35,8 +63,6 @@ function _resolvers() {
 }
 
 function _setup_dhparam() {
-	echo 'Setting up DH Parameters..'
-
 	# DH params will be supplied for nginx here:
 	local DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem'
 
@@ -47,7 +73,11 @@ function _setup_dhparam() {
 	if [[ -f ${DHPARAM_FILE} ]]; then
 		echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2
 		return 0
-	elif [[ ${DHPARAM_SKIP:=0} -eq 1 ]]; then
+	elif _parse_true "${DHPARAM_SKIP:=false}"; then
+		echo 'Skipping Diffie-Hellman parameters setup.'
+		return 0
+	elif _parse_false "${DHPARAM_GENERATION:=true}"; then
+		echo 'Warning: The DHPARAM_GENERATION environment variable is deprecated, please consider using DHPARAM_SKIP set to true instead.' >&2
 		echo 'Skipping Diffie-Hellman parameters setup.'
 		return 0
 	elif [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then
@@ -55,6 +85,8 @@ function _setup_dhparam() {
 		exit 1
 	fi
 
+	echo 'Setting up DH Parameters..'
+
 	# Use an existing pre-generated DH group from RFC7919 (https://datatracker.ietf.org/doc/html/rfc7919#appendix-A):
 	local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem"
 

+ 10 - 0
test/test_ssl/test_dhparam.py

@@ -189,6 +189,16 @@ def test_can_skip_dhparam(docker_compose):
 
     cannot_negotiate_dhe_ciphersuite(sut_container)
 
+def test_can_skip_dhparam_backward_compatibility(docker_compose):
+    container_name="dh-skip-backward"
+    sut_container = docker_client.containers.get(container_name)
+    assert sut_container.status == "running"
+    
+    assert_log_contains("Warning: The DHPARAM_GENERATION environment variable is deprecated, please consider using DHPARAM_SKIP set to true instead.", container_name)
+    assert_log_contains("Skipping Diffie-Hellman parameters setup.", container_name)
+
+    cannot_negotiate_dhe_ciphersuite(sut_container)
+
 
 def test_web5_https_works(docker_compose, nginxproxy):
     r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False)
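Review bot: The new test is separated from the preceding function by a single blank line and opens with `container_name="dh-skip-backward"`, which PEP 8 would write as `container_name = "dh-skip-backward"` with two blank lines above the `def`; the blank line after the status assert also carries trailing whitespace. The body appears to mirror `test_can_skip_dhparam` (whose tail is visible at the top of the hunk) apart from the extra deprecation-warning assertion, so a short docstring such as `"""DHPARAM_GENERATION=false still skips DH setup and logs the deprecation warning."""` would tell a reader why the near-duplicate exists. Folding both into one test parametrized over the container name and expected log lines would keep them in step, but that is optional.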

+ 8 - 1
test/test_ssl/test_dhparam.yml

@@ -41,6 +41,13 @@ with_custom_file:
 with_skip:
   container_name: dh-skip
   environment:
-    - DHPARAM_SKIP=1
+    - DHPARAM_SKIP=true
+  image: *img-nginxproxy
+  volumes: *vols-common
+
+with_skip_backward:
+  container_name: dh-skip-backward
+  environment:
+    - DHPARAM_GENERATION=false
   image: *img-nginxproxy
   volumes: *vols-common