Use background DH group creation (#394)
Credits to @kamermans for most of the idea
This commit is contained in:
parent
e88a5a72d4
commit
7c07356e42
@ -14,8 +14,6 @@ Please note that [letsencrypt-nginx-proxy-companion does not work with ACME v2 e
* Automatically creation of a Strong Diffie-Hellman Group (for having an A+ Rate on the [Qualsys SSL Server Test](https://www.ssllabs.com/ssltest/)).
* Work with all versions of docker.
***NOTE***: The first time this container is launched it generates a new Diffie-Hellman group file. This process can take several minutes to complete (be patient).
![schema](./schema.png)
#### Usage
@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAwpR+yYapElMV4DiO+BwKK2N8Ur4giZtga+dslyDMuhY+U4t/97Eq
gdFg2RD5nqrgWCRWEYcbh1kPBOAPWXZ4+N8mZL8pJXaNi2XFA8IxQex283Sz7CX+
qr/zb+piJLx+/6JB/NNTZtKurM3ZQgwdGqSHqeWgvRIgCQAykC1oz7muCsev1IMc
rLig1kyvhg3L1t+uKYV0OtiXONmPglPm9pXRqMQ53Rg/D3CpUpyyTSugOFjVhLrP
Ow+kO6qXBQSDhrL2L0UjprbcVMPHv9bFmWNoTCtC8OYA1OuiA368PWhgeH/76Yu8
4an6/vt3HowDZHKfB3Vb1VwTI+k6hzwhkwIBAg==
-----END DH PARAMETERS-----
@ -42,17 +42,53 @@ function check_writable_directory {
}
function check_dh_group {
# Credits to Steve Kamerman for the background Diffie-Hellman creation logic.
# https://github.com/jwilder/nginx-proxy/pull/589
local DHPARAM_BITS="${DHPARAM_BITS:-2048}"
re='^[0-9]*$'
if ! [[ "$DHPARAM_BITS" =~ $re ]] ; then
echo "Error: invalid Diffie-Hellman size of $DHPARAM_BITS !" >&2
exit 1
fi
if [[ ! -f /etc/nginx/certs/dhparam.pem ]]; then
echo "Creating Diffie-Hellman group (can take several minutes...)"
openssl dhparam -out /etc/nginx/certs/.dhparam.pem.tmp $DHPARAM_BITS
mv /etc/nginx/certs/.dhparam.pem.tmp /etc/nginx/certs/dhparam.pem || exit 1
# If a dhparam file is not available, use the pre-generated one and generate a new one in the background.
local PREGEN_DHPARAM_FILE="/app/dhparam.pem.default"
local DHPARAM_FILE="/etc/nginx/certs/dhparam.pem"
local GEN_LOCKFILE="/tmp/le_companion_dhparam_generating.lock"
# The hash of the pregenerated dhparam file is used to check if the pregen dhparam is already in use
local PREGEN_HASH=$(md5sum "$PREGEN_DHPARAM_FILE" | cut -d ' ' -f1)
if [[ -f "$DHPARAM_FILE" ]]; then
local CURRENT_HASH=$(md5sum "$DHPARAM_FILE" | cut -d ' ' -f1)
if [[ "$PREGEN_HASH" != "$CURRENT_HASH" ]]; then
# There is already a dhparam, and it's not the default
echo "Info: Custom Diffie-Hellman group found, generation skipped."
return 0
fi
if [[ -f "$GEN_LOCKFILE" ]]; then
# Generation is already in progress
return 0
fi
fi
echo "Info: Creating Diffie-Hellman group in the background."
echo "A pre-generated Diffie-Hellman group will be used for now while the new one
is being created."
# Put the default dhparam file in place so we can start immediately
cp "$PREGEN_DHPARAM_FILE" "$DHPARAM_FILE"
touch "$GEN_LOCKFILE"
# Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator).
(
(
nice -n +5 openssl dhparam -out "$DHPARAM_FILE" "$DHPARAM_BITS" 2>&1 \
&& echo "Info: Diffie-Hellman group creation complete, reloading nginx." \
&& reload_nginx
) | grep -vE '^[\.+]+'
rm "$GEN_LOCKFILE"
) &disown
}
source /app/functions.sh
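Review bot: The background `openssl dhparam -out "$DHPARAM_FILE"` call writes directly into the file nginx is already serving from, so a reload triggered while generation is still running (a certificate renewal, say) would read a truncated group and fail; the removed code wrote to `/etc/nginx/certs/.dhparam.pem.tmp` and `mv`ed it into place, and that pattern should be kept here: `nice -n +5 openssl dhparam -out "${DHPARAM_FILE}.tmp" "$DHPARAM_BITS" 2>&1 \` followed by `&& mv "${DHPARAM_FILE}.tmp" "$DHPARAM_FILE" \` before the completion message. The lock file is only removed by the background subshell, so if the container is stopped mid-generation and `/tmp` survives the restart, the hash check still matches the pregenerated group and the `-f "$GEN_LOCKFILE"` branch returns early on every later start, leaving the deployment on the default group this commit publishes in the repository; since no job from a previous run can still be alive when the entrypoint runs, deleting a stale lock before the check (or testing its age) would close that gap, assuming check_dh_group is invoked once at startup, which the hunk does not show. `local PREGEN_HASH=$(md5sum ...)` masks md5sum's exit status, so a missing `/app/dhparam.pem.default` yields an empty hash and an unchecked `cp` failure instead of an explicit error; split the declaration from the assignment and append `|| exit 1` to the `cp`. A comment above `PREGEN_DHPARAM_FILE` stating that the default group is shared by every deployment and is only a stop-gap until generation finishes would make the trade-off this function deliberately accepts visible to the next maintainer.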
@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAzB2nIGzpVq7afJnKBm1X0d64avwOlP2oneiKwxRHdDI/5+6TpH1P
F8ipodGuZBUMmupoB3D34pu2Qq5boNW983sm18ww9LMz2i/pxhSdB+mYAew+A6h6
ltQ5pNtyn4NaKw1SDFkqvde3GNPhaWoPDbZDJhpHGblR3w1b/ag+lTLZUvVwcD8L
jYS9f9YWAC6T7WxAxh4zvu1Z0I1EKde8KYBxrreZNheXpXHqMNyJYZCaY2Hb/4oI
EL65qZq1GCWezpWMjhk6pOnV5gbvqfhoazCv/4OdRv6RoWOIYBNs9BmGho4AtXqV
FYLdYDhOvN4aVs9Ir+G8ouwiRnix24+UewIBAg==
-----END DH PARAMETERS-----
@ -7,6 +7,7 @@ case $SETUP in
2containers)
docker run -d -p 80:80 -p 443:443 \
--name $NGINX_CONTAINER_NAME \
--env "DHPARAM_BITS=256" \
-v /etc/nginx/vhost.d \
-v /usr/share/nginx/html \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
@ -41,11 +42,3 @@ case $SETUP in
exit 1
esac
docker run \
--name helper \
--volumes-from $NGINX_CONTAINER_NAME \
--label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \
busybox true
docker cp ${TRAVIS_BUILD_DIR}/test/setup/dhparam.pem helper:/etc/nginx/certs
docker rm -f helper
@ -22,6 +22,7 @@ function run_le_container {
--volumes-from $NGINX_CONTAINER_NAME \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
$docker_gen_arg \
--env "DHPARAM_BITS=256" \
--env "DEBUG=true" \
--env "ACME_CA_URI=http://${BOULDER_IP}:4000/directory" \
--label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \