123456789101112131415161718192021222324252627282930313233343536373839404142434445 |
- #!/bin/bash -e
- # The first argument is the bit depth of the dhparam, or 2048 if unspecified
- DHPARAM_BITS=${1:-2048}
- # If a dhparam file is not available, use the pre-generated one and generate a new one in the background.
- # Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts.
- PREGEN_DHPARAM_FILE="/app/dhparam.pem.default"
- DHPARAM_FILE="/etc/nginx/dhparam/dhparam.pem"
- GEN_LOCKFILE="/tmp/dhparam_generating.lock"
- # The hash of the pregenerated dhparam file is used to check if the pregen dhparam is already in use
- PREGEN_HASH=$(md5sum $PREGEN_DHPARAM_FILE | cut -d" " -f1)
- if [[ -f $DHPARAM_FILE ]]; then
- CURRENT_HASH=$(md5sum $DHPARAM_FILE | cut -d" " -f1)
- if [[ $PREGEN_HASH != $CURRENT_HASH ]]; then
- # There is already a dhparam, and it's not the default
- echo "Custom dhparam.pem file found, generation skipped"
- exit 0
- fi
- if [[ -f $GEN_LOCKFILE ]]; then
- # Generation is already in progress
- exit 0
- fi
- fi
- cat >&2 <<-EOT
- WARNING: $DHPARAM_FILE was not found. A pre-generated dhparam.pem will be used for now while a new one
- is being generated in the background. Once the new dhparam.pem is in place, nginx will be reloaded.
- EOT
- # Put the default dhparam file in place so we can start immediately
- cp $PREGEN_DHPARAM_FILE $DHPARAM_FILE
- touch $GEN_LOCKFILE
- # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator).
- (
- (
- nice -n +5 openssl dhparam -out $DHPARAM_FILE $DHPARAM_BITS 2>&1 \
- && echo "dhparam generation complete, reloading nginx" \
- && nginx -s reload
- ) | grep -vE '^[\.+]+'
- rm $GEN_LOCKFILE
- ) &disown
|