|
@@ -0,0 +1,42 @@
|
|
|
|
+#!/bin/bash -e
|
|
|
|
+
|
|
|
|
+# If a dhparam file is not available, use the pre-generated one and generate a new one in the background.
|
|
|
|
+# Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts.
|
|
|
|
+PREGEN_DHPARAM_FILE="/app/dhparam.pem.default"
|
|
|
|
+DHPARAM_FILE="/etc/nginx/dhparam/dhparam.pem"
|
|
|
|
+DHPARAM_BITS="2048"
|
|
|
|
+GEN_LOCKFILE="/tmp/dhparam_generating.lock"
|
|
|
|
+
|
|
|
|
+# The hash of the pregenerated dhparam file is used to check if the pregen dhparam is already in use
|
|
|
|
+PREGEN_HASH=$(md5sum $PREGEN_DHPARAM_FILE | cut -d" " -f1)
|
|
|
|
+if [[ -f $DHPARAM_FILE ]]; then
|
|
|
|
+ CURRENT_HASH=$(md5sum $DHPARAM_FILE | cut -d" " -f1)
|
|
|
|
+ if [[ $PREGEN_HASH != $CURRENT_HASH ]]; then
|
|
|
|
+ # There is already a dhparam, and it's not the default
|
|
|
|
+ exit 0
|
|
|
|
+ fi
|
|
|
|
+
|
|
|
|
+ if [[ -f $GEN_LOCKFILE ]]; then
|
|
|
|
+ # Generation is already in progress
|
|
|
|
+ exit 0
|
|
|
|
+ fi
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+cat >&2 <<-EOT
|
|
|
|
+WARNING: $DHPARAM_FILE was not found. A pregenerated dhparam.pem will be used for now while a new one
|
|
|
|
+is being generated in the background. Once the new dhparam.pem is in place, nginx will be reloaded.
|
|
|
|
+EOT
|
|
|
|
+
|
|
|
|
+# Put the default dhparam file in place so we can start immediately
|
|
|
|
+cp $PREGEN_DHPARAM_FILE $DHPARAM_FILE
|
|
|
|
+touch $GEN_LOCKFILE
|
|
|
|
+
|
|
|
|
+# Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator).
|
|
|
|
+(
|
|
|
|
+ (
|
|
|
|
+ nice -n +5 openssl dhparam -out $DHPARAM_FILE $DHPARAM_BITS 2>&1 \
|
|
|
|
+ && echo "dhparam generation complete, reloading nginx" \
|
|
|
|
+ && nginx -s reload
|
|
|
|
+ ) | grep -vE '^[\.+]+'
|
|
|
|
+ rm $GEN_LOCKFILE
|
|
|
|
+) &
|