Use background DH group creation (#394)

Credits to @kamermans for most of the idea

README.md

@@ -14,8 +14,6 @@ Please note that [letsencrypt-nginx-proxy-companion does not work with ACME v2 e
 * Automatically creation of a Strong Diffie-Hellman Group (for having an A+ Rate on the [Qualsys SSL Server Test](https://www.ssllabs.com/ssltest/)).
 * Work with all versions of docker.
 
-***NOTE***: The first time this container is launched it generates a new Diffie-Hellman group file. This process can take several minutes to complete (be patient).
-
 ![schema](./schema.png)
 
 #### Usage

app/dhparam.pem.default

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAwpR+yYapElMV4DiO+BwKK2N8Ur4giZtga+dslyDMuhY+U4t/97Eq
+gdFg2RD5nqrgWCRWEYcbh1kPBOAPWXZ4+N8mZL8pJXaNi2XFA8IxQex283Sz7CX+
+qr/zb+piJLx+/6JB/NNTZtKurM3ZQgwdGqSHqeWgvRIgCQAykC1oz7muCsev1IMc
+rLig1kyvhg3L1t+uKYV0OtiXONmPglPm9pXRqMQ53Rg/D3CpUpyyTSugOFjVhLrP
+Ow+kO6qXBQSDhrL2L0UjprbcVMPHv9bFmWNoTCtC8OYA1OuiA368PWhgeH/76Yu8
+4an6/vt3HowDZHKfB3Vb1VwTI+k6hzwhkwIBAg==
+-----END DH PARAMETERS-----

app/entrypoint.sh

@@ -42,17 +42,53 @@ function check_writable_directory {
 }
 
 function check_dh_group {
+    # Credits to Steve Kamerman for the background Diffie-Hellman creation logic.
+    # https://github.com/jwilder/nginx-proxy/pull/589
     local DHPARAM_BITS="${DHPARAM_BITS:-2048}"
     re='^[0-9]*$'
     if ! [[ "$DHPARAM_BITS" =~ $re ]] ; then
        echo "Error: invalid Diffie-Hellman size of $DHPARAM_BITS !" >&2
        exit 1
     fi
-    if [[ ! -f /etc/nginx/certs/dhparam.pem ]]; then
-        echo "Creating Diffie-Hellman group (can take several minutes...)"
-        openssl dhparam -out /etc/nginx/certs/.dhparam.pem.tmp $DHPARAM_BITS
-        mv /etc/nginx/certs/.dhparam.pem.tmp /etc/nginx/certs/dhparam.pem || exit 1
+
+    # If a dhparam file is not available, use the pre-generated one and generate a new one in the background.
+    local PREGEN_DHPARAM_FILE="/app/dhparam.pem.default"
+    local DHPARAM_FILE="/etc/nginx/certs/dhparam.pem"
+    local GEN_LOCKFILE="/tmp/le_companion_dhparam_generating.lock"
+
+    # The hash of the pregenerated dhparam file is used to check if the pregen dhparam is already in use
+    local PREGEN_HASH=$(md5sum "$PREGEN_DHPARAM_FILE" | cut -d ' ' -f1)
+    if [[ -f "$DHPARAM_FILE" ]]; then
+        local CURRENT_HASH=$(md5sum "$DHPARAM_FILE" | cut -d ' ' -f1)
+        if [[ "$PREGEN_HASH" != "$CURRENT_HASH" ]]; then
+            # There is already a dhparam, and it's not the default
+            echo "Info: Custom Diffie-Hellman group found, generation skipped."
+            return 0
+          fi
+
+        if [[ -f "$GEN_LOCKFILE" ]]; then
+            # Generation is already in progress
+            return 0
+        fi
     fi
+
+    echo "Info: Creating Diffie-Hellman group in the background."
+    echo "A pre-generated Diffie-Hellman group will be used for now while the new one
+is being created."
+
+    # Put the default dhparam file in place so we can start immediately
+    cp "$PREGEN_DHPARAM_FILE" "$DHPARAM_FILE"
+    touch "$GEN_LOCKFILE"
+
+    # Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator).
+    (
+        (
+            nice -n +5 openssl dhparam -out "$DHPARAM_FILE" "$DHPARAM_BITS" 2>&1 \
+            && echo "Info: Diffie-Hellman group creation complete, reloading nginx." \
+            && reload_nginx
+        ) | grep -vE '^[\.+]+'
+        rm "$GEN_LOCKFILE"
+    ) &disown
 }
 
 source /app/functions.sh

test/setup/dhparam.pem

@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAzB2nIGzpVq7afJnKBm1X0d64avwOlP2oneiKwxRHdDI/5+6TpH1P
-F8ipodGuZBUMmupoB3D34pu2Qq5boNW983sm18ww9LMz2i/pxhSdB+mYAew+A6h6
-ltQ5pNtyn4NaKw1SDFkqvde3GNPhaWoPDbZDJhpHGblR3w1b/ag+lTLZUvVwcD8L
-jYS9f9YWAC6T7WxAxh4zvu1Z0I1EKde8KYBxrreZNheXpXHqMNyJYZCaY2Hb/4oI
-EL65qZq1GCWezpWMjhk6pOnV5gbvqfhoazCv/4OdRv6RoWOIYBNs9BmGho4AtXqV
-FYLdYDhOvN4aVs9Ir+G8ouwiRnix24+UewIBAg==
------END DH PARAMETERS-----

test/setup/setup-nginx-proxy.sh

@@ -7,6 +7,7 @@ case $SETUP in
   2containers)
     docker run -d -p 80:80 -p 443:443 \
       --name $NGINX_CONTAINER_NAME \
+      --env "DHPARAM_BITS=256" \
       -v /etc/nginx/vhost.d \
       -v /usr/share/nginx/html \
       -v /var/run/docker.sock:/tmp/docker.sock:ro \
@@ -41,11 +42,3 @@ case $SETUP in
     exit 1
 
 esac
-
-docker run \
-  --name helper \
-  --volumes-from $NGINX_CONTAINER_NAME \
-  --label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \
-  busybox true
-docker cp ${TRAVIS_BUILD_DIR}/test/setup/dhparam.pem helper:/etc/nginx/certs
-docker rm -f helper

test/tests/test-functions.sh

@@ -22,6 +22,7 @@ function run_le_container {
     --volumes-from $NGINX_CONTAINER_NAME \
     --volume /var/run/docker.sock:/var/run/docker.sock:ro \
     $docker_gen_arg \
+    --env "DHPARAM_BITS=256" \
     --env "DEBUG=true" \
     --env "ACME_CA_URI=http://${BOULDER_IP}:4000/directory" \
     --label com.github.jrcs.letsencrypt_nginx_proxy_companion.test_suite \