From ac066a73e46e363f48c6628e0fa8cadc35ff6546 Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Tue, 28 Sep 2021 11:14:46 +1300 Subject: [PATCH 01/18] feat: Replace generated DH params with RFC 7919 standardized DHE groups - While the anonymous VOLUME can be dropped from Dockerfile, the path needs to be valid at run-time, might as well ensure it's available by creating the dhparam folder at build. - Generation logic no longer necessary, dropped. - Standardized RFC 7919 groups added (2048, 3072, 4096), with 4096-bit remaining the default size. The DH logic can live in the entrypoint script as well. - Third-party supplied pre-generated DH params removed as they're not considered trustworthy compared to RFC 7919 groups. --- Dockerfile | 5 ++-- Dockerfile.alpine | 5 ++-- README.md | 16 ++++--------- dhparam.pem.default | 8 ------- dhparam/ffdhe2048.pem | 8 +++++++ dhparam/ffdhe3072.pem | 11 +++++++++ dhparam/ffdhe4096.pem | 13 +++++++++++ docker-entrypoint.sh | 34 +++++++++++++++++++++++++-- generate-dhparam.sh | 53 ------------------------------------------- 9 files changed, 75 insertions(+), 78 deletions(-) delete mode 100644 dhparam.pem.default create mode 100644 dhparam/ffdhe2048.pem create mode 100644 dhparam/ffdhe3072.pem create mode 100644 dhparam/ffdhe4096.pem delete mode 100755 generate-dhparam.sh diff --git a/Dockerfile b/Dockerfile index 97c0cc9..5642e2c 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -51,7 +51,8 @@ RUN apt-get update \ # Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ && sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf \ - && sed -i 's/worker_connections 1024/worker_connections 10240/' /etc/nginx/nginx.conf + && sed -i 's/worker_connections 1024/worker_connections 10240/' /etc/nginx/nginx.conf \ + && mkdir -p '/etc/nginx/dhparam' # Install Forego + docker-gen COPY --from=forego /usr/local/bin/forego /usr/local/bin/forego @@ -69,7 +70,7 @@ WORKDIR /app/ ENV DOCKER_HOST unix:///tmp/docker.sock -VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam"] +VOLUME ["/etc/nginx/certs"] ENTRYPOINT ["/app/docker-entrypoint.sh"] CMD ["forego", "start", "-r"] diff --git a/Dockerfile.alpine b/Dockerfile.alpine index c08dcc3..546de81 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -48,7 +48,8 @@ RUN apk add --no-cache --virtual .run-deps \ # Configure Nginx and apply fix for very long server names RUN echo "daemon off;" >> /etc/nginx/nginx.conf \ && sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf \ - && sed -i 's/worker_connections 1024/worker_connections 10240/' /etc/nginx/nginx.conf + && sed -i 's/worker_connections 1024/worker_connections 10240/' /etc/nginx/nginx.conf \ + && mkdir -p '/etc/nginx/dhparam' # Install Forego + docker-gen COPY --from=forego /usr/local/bin/forego /usr/local/bin/forego @@ -66,7 +67,7 @@ WORKDIR /app/ ENV DOCKER_HOST unix:///tmp/docker.sock -VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam"] +VOLUME ["/etc/nginx/certs"] ENTRYPOINT ["/app/docker-entrypoint.sh"] CMD ["forego", "start", "-r"] diff --git a/README.md b/README.md index 9e411f0..2177056 100644 --- a/README.md +++ b/README.md 
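Review bot: The entrypoint added in this series reads the RFC 7919 groups from `/app/dhparam/ffdhe${FFDHE_GROUP}.pem`, but neither this hunk nor the matching `Dockerfile.alpine` hunk adds a `COPY` for the new `dhparam/` directory; if `/app` is populated by a whole-tree `COPY` outside these hunks that is fine, otherwise the `cp` in `_setup_dhparam` fails under `set -e` and the container exits at start-up, so it is worth confirming. Dropping `/etc/nginx/dhparam` from `VOLUME` is what makes the bundled group authoritative on every start, and that build-time/run-time split deserves a line above the new `mkdir -p`, e.g. `# dhparam.pem is written here by docker-entrypoint.sh at start-up (no longer a volume)`.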
@@ -237,12 +237,6 @@ docker run -e VIRTUAL_HOST=foo.bar.com ... [acme-companion](https://github.com/nginx-proxy/acme-companion) is a lightweight companion container for the nginx-proxy. It allows the automated creation/renewal of SSL certificates using the ACME protocol. -Set `DHPARAM_GENERATION` environment variable to `false` to disable Diffie-Hellman parameters completely. This will also ignore auto-generation made by `nginx-proxy`. The default value is `true` - -```console -docker run -e DHPARAM_GENERATION=false .... -``` - ### SSL Support SSL is supported using single host, wildcard and SNI certificates using naming conventions for certificates or optionally specifying a cert name (for SNI) as an environment variable. 
@@ -259,13 +253,13 @@ If you are running the container in a virtualized environment (Hyper-V, VirtualB #### Diffie-Hellman Groups -Diffie-Hellman groups are enabled by default, with a pregenerated key in `/etc/nginx/dhparam/dhparam.pem`. You can mount a different `dhparam.pem` file at that location to override the default cert. To use custom `dhparam.pem` files per-virtual-host, the files should be named after the virtual host with a `dhparam` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory. +[RFC7919 groups](https://datatracker.ietf.org/doc/html/rfc7919#appendix-A) with key lengths of 2048, 3072, and 4096 bits are [provided by `nginx-proxy`](https://github.com/nginx-proxy/nginx-proxy/dhparam). The ENV `DHPARAM_BITS` can be set to `2048` or `3072` to change from the default 4096-bit key. The DH key file will be located in the container at `/etc/nginx/dhparam/dhparam.pem`. Mounting a different `dhparam.pem` file at that location will override the RFC7919 key. -> NOTE: If you don't mount a `dhparam.pem` file at `/etc/nginx/dhparam/dhparam.pem`, one will be generated at startup. Since it can take minutes to generate a new `dhparam.pem`, it is done at low priority in the background. Once generation is complete, the `dhparam.pem` is saved on a persistent volume and nginx is reloaded. This generation process only occurs the first time you start `nginx-proxy`. +To use custom `dhparam.pem` files per-virtual-host, the files should be named after the virtual host with a `dhparam` suffix and `.pem` extension. For example, a container with `VIRTUAL_HOST=foo.bar.com` should have a `foo.bar.com.dhparam.pem` file in the `/etc/nginx/certs` directory. -> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 4096 bits for A+ security. Some older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. 
In order to support these clients, you must either provide your own `dhparam.pem`, or tell `nginx-proxy` to generate a 1024-bit key on startup by passing `-e DHPARAM_BITS=1024`. +> COMPATIBILITY WARNING: The default generated `dhparam.pem` key is 4096 bits for A+ security. Some older clients (like Java 6 and 7) do not support DH keys with over 1024 bits. In order to support these clients, you must either provide your own `dhparam.pem`. -In the separate container setup, no pregenerated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will generate one. If you still want A+ security in a separate container setup, you'll have to generate a 2048 or 4096 bits DH key file manually and mount it on the nginx container, at `/etc/nginx/dhparam/dhparam.pem`. +In the separate container setup, no pre-generated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image, nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will provide one. If you still want A+ security in a separate container setup, you should mount an RFC7919 DH key file to the nginx container at `/etc/nginx/dhparam/dhparam.pem`. #### Wildcard Certificates 
@@ -287,7 +281,7 @@ If you don't require backward compatibility, you can use the [Mozilla modern pro Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility) and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) `AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`. -Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container generates a 4096 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing this, either globally or per virtual-host. +Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container provides a 4096 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing this, either globally or per virtual-host. The default behavior for the proxy when port 80 and 443 are exposed is as follows: diff --git a/dhparam.pem.default b/dhparam.pem.default deleted file mode 100644 index 8548c34..0000000 --- a/dhparam.pem.default +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEAzB2nIGzpVq7afJnKBm1X0d64avwOlP2oneiKwxRHdDI/5+6TpH1P -F8ipodGuZBUMmupoB3D34pu2Qq5boNW983sm18ww9LMz2i/pxhSdB+mYAew+A6h6 -ltQ5pNtyn4NaKw1SDFkqvde3GNPhaWoPDbZDJhpHGblR3w1b/ag+lTLZUvVwcD8L -jYS9f9YWAC6T7WxAxh4zvu1Z0I1EKde8KYBxrreZNheXpXHqMNyJYZCaY2Hb/4oI -EL65qZq1GCWezpWMjhk6pOnV5gbvqfhoazCv/4OdRv6RoWOIYBNs9BmGho4AtXqV -FYLdYDhOvN4aVs9Ir+G8ouwiRnix24+UewIBAg== ------END DH PARAMETERS----- diff --git a/dhparam/ffdhe2048.pem b/dhparam/ffdhe2048.pem new file mode 100644 index 0000000..088f967 --- /dev/null +++ b/dhparam/ffdhe2048.pem 
@@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/dhparam/ffdhe3072.pem b/dhparam/ffdhe3072.pem new file mode 100644 index 0000000..603f529 --- /dev/null +++ b/dhparam/ffdhe3072.pem @@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu +N///////////AgEC +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/dhparam/ffdhe4096.pem b/dhparam/ffdhe4096.pem new file mode 100644 index 0000000..eed4c41 --- /dev/null +++ b/dhparam/ffdhe4096.pem 
@@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- \ No newline at end of file diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 0e42880..a56d8b8 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
@@ -1,6 +1,37 @@ #!/bin/bash set -e +function _setup_dhparam() { + echo 'Setting up DH Parameters..' + + # DH params will be supplied for nginx here: + DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem' + + # DH params may be provided by the user (rarely necessary), + # or use an existing pre-generated group from RFC7919, defaulting to 4096-bit: + if [[ -f ${DHPARAM_FILE} ]] + then + echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2 + else + # ENV DHPARAM_BITS - Defines which RFC7919 DHE group to use (default: 4096-bit): + local FFDHE_GROUP="${DHPARAM_BITS:-4096}" + # RFC7919 groups are defined here: + # https://datatracker.ietf.org/doc/html/rfc7919#appendix-A + local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem" + + # Only the following pre-generated sizes are supported, + # emit an error and kill the container if provided an invalid value: + if [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]] + then + echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}, use 2048, 3072, or 4096 (default)." >&2 + exit 1 + fi + + # Provide the DH params file to nginx: + cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}" + fi +} + # Warn if the DOCKER_HOST socket does not exist if [[ $DOCKER_HOST = unix://* ]]; then socket_file=${DOCKER_HOST#unix://} @@ -14,8 +45,7 @@ if [[ $DOCKER_HOST = unix://* ]]; then fi fi -# Generate dhparam file if required -/app/generate-dhparam.sh +_setup_dhparam # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in [] RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g'); export RESOLVERS diff --git a/generate-dhparam.sh b/generate-dhparam.sh deleted file mode 100755 index 397fab0..0000000 --- a/generate-dhparam.sh +++ /dev/null 
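Review bot: The `-f ${DHPARAM_FILE}` branch treats any existing `/etc/nginx/dhparam/dhparam.pem` as user-supplied, so a deployment that keeps the previous image's volume for that path continues to serve whatever the deleted `generate-dhparam.sh` left there — the bundled `dhparam.pem.default` this commit removes as untrustworthy, or a group it produced with `openssl dhparam -dsaparam` — and only sees the "custom dhparam.pem" warning. The old script compared the file against its own default by `md5sum` before deciding; a similar check, or at least `openssl dhparam -check -noout -in "${DHPARAM_FILE}"` if openssl stays in the image, would let an upgrade actually retire those parameters, and the README should state that a pre-existing volume overrides the RFC 7919 group. Separately, `${DHPARAM_BITS:-4096}` does not assign `DHPARAM_BITS`, so with the variable unset the `=~` test on the empty string fails and the container exits with `Unsupported DHPARAM_BITS size:`; patch 09 of this series switches to `:=`, which fixes it, but this commit on its own breaks the default start-up.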
@@ -1,53 +0,0 @@ -#!/bin/bash -e - -# DHPARAM_BITS is the bit depth of the dhparam, or 4096 if unspecified -DHPARAM_BITS=${DHPARAM_BITS:-4096} -# DHPARAM_GENERATION=false skips dhparam generation -DHPARAM_GENERATION=${DHPARAM_GENERATION:-true} - -# If a dhparam file is not available, use the pre-generated one and generate a new one in the background. -# Note that /etc/nginx/dhparam is a volume, so this dhparam will persist restarts. -PREGEN_DHPARAM_FILE="/app/dhparam.pem.default" -DHPARAM_FILE="/etc/nginx/dhparam/dhparam.pem" -GEN_LOCKFILE="/tmp/dhparam_generating.lock" - -# The hash of the pregenerated dhparam file is used to check if the pregen dhparam is already in use -PREGEN_HASH=$(md5sum $PREGEN_DHPARAM_FILE | cut -d" " -f1) -if [[ -f $DHPARAM_FILE ]]; then - CURRENT_HASH=$(md5sum $DHPARAM_FILE | cut -d" " -f1) - if [[ $PREGEN_HASH != "$CURRENT_HASH" ]]; then - # There is already a dhparam, and it's not the default - echo "Custom dhparam.pem file found, generation skipped" - exit 0 - fi - - if [[ -f $GEN_LOCKFILE ]]; then - # Generation is already in progress - exit 0 - fi -fi - -if [[ $DHPARAM_GENERATION =~ ^[Ff][Aa][Ll][Ss][Ee]$ ]]; then - echo "Skipping Diffie-Hellman parameters generation and Ignoring pre-generated dhparam.pem" - exit 0 -fi - -cat >&2 <<-EOT -WARNING: $DHPARAM_FILE was not found. A pre-generated dhparam.pem will be used for now while a new one -is being generated in the background. Once the new dhparam.pem is in place, nginx will be reloaded. -EOT - -# Put the default dhparam file in place so we can start immediately -cp $PREGEN_DHPARAM_FILE $DHPARAM_FILE -touch $GEN_LOCKFILE - -# Generate a new dhparam in the background in a low priority and reload nginx when finished (grep removes the progress indicator). 
-( - ( - nice -n +5 openssl dhparam -dsaparam -out $DHPARAM_FILE.tmp "$DHPARAM_BITS" 2>&1 \ - && mv $DHPARAM_FILE.tmp $DHPARAM_FILE \ - && echo "dhparam generation complete, reloading nginx" \ - && nginx -s reload - ) | grep -vE '^[\.+]+' - rm $GEN_LOCKFILE -) & disown From 8aacd13241f7bd4e4110bcbf351a0ded422a730a Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Sat, 25 Sep 2021 15:36:07 +1200 Subject: [PATCH 02/18] chore: 1/6 - Inline failure at it's cause This change has been split into 6 iterative parts/commits to ease the review process. --- docker-entrypoint.sh | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index a56d8b8..95e1fad 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -41,7 +41,11 @@ if [[ $DOCKER_HOST = unix://* ]]; then Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:$socket_file:ro\` See the documentation at http://git.io/vZaGJ EOT - socketMissing=1 + + # If the user has run the default command and the socket doesn't exist, fail + if [ "$1" = forego ] && [ "$2" = start ] && [ "$3" = '-r' ]; then + exit 1 + fi fi fi @@ -61,9 +65,4 @@ elif [[ $RESOLVERS =~ $SCOPED_IPV6_REGEX ]]; then RESOLVERS=$(echo "$RESOLVERS" | sed -r "s/$SCOPED_IPV6_REGEX//g" | xargs echo -n); export RESOLVERS fi -# If the user has run the default command and the socket doesn't exist, fail -if [ "$socketMissing" = 1 ] && [ "$1" = forego ] && [ "$2" = start ] && [ "$3" = '-r' ]; then - exit 1 -fi - exec "$@" From 2e6d7561a3cc5d50577f94f8b3e5a824d9b1c6b4 Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Tue, 28 Sep 2021 11:11:49 +1300 Subject: [PATCH 03/18] chore: 2/6 - Handle CMD check early, wrap init logic into a function --- docker-entrypoint.sh | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) 
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 95e1fad..aa7ed96 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -32,6 +32,7 @@ function _setup_dhparam() { fi } +function _init() { # Warn if the DOCKER_HOST socket does not exist if [[ $DOCKER_HOST = unix://* ]]; then socket_file=${DOCKER_HOST#unix://} @@ -41,11 +42,9 @@ if [[ $DOCKER_HOST = unix://* ]]; then Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:$socket_file:ro\` See the documentation at http://git.io/vZaGJ EOT - - # If the user has run the default command and the socket doesn't exist, fail - if [ "$1" = forego ] && [ "$2" = start ] && [ "$3" = '-r' ]; then - exit 1 - fi + + exit 1 + fi fi @@ -64,5 +63,11 @@ elif [[ $RESOLVERS =~ $SCOPED_IPV6_REGEX ]]; then echo "$RESOLVERS" | grep -Eo "$SCOPED_IPV6_REGEX" | paste -s -d ' ' >&2 RESOLVERS=$(echo "$RESOLVERS" | sed -r "s/$SCOPED_IPV6_REGEX//g" | xargs echo -n); export RESOLVERS fi +} + +# Run the init logic if the default CMD was provided +if [[ $* == 'forego start -r' ]]; then + _init +fi exec "$@" From 091dd855afca83b727253d32e347bcf0948a2d56 Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Sat, 25 Sep 2021 15:47:20 +1200 Subject: [PATCH 04/18] chore: 3/6 - Indent function content This is a white-space only change to ease review diff noise. --- docker-entrypoint.sh | 47 ++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index aa7ed96..680fdf1 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
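Review bot: Gating all of `_init` on `[[ $* == 'forego start -r' ]]` changes more than the commit message says: before this hunk the socket check, `_setup_dhparam` and the `RESOLVERS` export ran for every CMD and only the `exit 1` was limited to the default command, whereas now any custom CMD gets neither `RESOLVERS` nor a `dhparam.pem`. If that is intended, say so in the message and make the comment carry it, e.g. `# Run the init logic only for the default CMD; a custom command is expected to provide RESOLVERS and dhparam.pem itself`; if not, keep `_init` unconditional and gate only the `exit 1`. `$*` joins the arguments with the first character of `IFS`, so the comparison also assumes the default `IFS`; `[[ $1 == forego && $2 == start && $3 == '-r' ]]` would reproduce the original three-argument check exactly.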
@@ -33,36 +33,35 @@ function _setup_dhparam() { } function _init() { -# Warn if the DOCKER_HOST socket does not exist -if [[ $DOCKER_HOST = unix://* ]]; then - socket_file=${DOCKER_HOST#unix://} - if ! [ -S "$socket_file" ]; then - cat >&2 <<-EOT - ERROR: you need to share your Docker host socket with a volume at $socket_file - Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:$socket_file:ro\` - See the documentation at http://git.io/vZaGJ - EOT - - exit 1 + # Warn if the DOCKER_HOST socket does not exist + if [[ $DOCKER_HOST = unix://* ]]; then + socket_file=${DOCKER_HOST#unix://} + if ! [ -S "$socket_file" ]; then + cat >&2 <<-EOT + ERROR: you need to share your Docker host socket with a volume at $socket_file + Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:$socket_file:ro\` + See the documentation at http://git.io/vZaGJ + EOT + exit 1 + fi fi -fi -_setup_dhparam + _setup_dhparam -# Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in [] -RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g'); export RESOLVERS + # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in [] + RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? 
"["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g'); export RESOLVERS -SCOPED_IPV6_REGEX="\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]" + SCOPED_IPV6_REGEX="\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]" -if [ "$RESOLVERS" = "" ]; then - echo "Warning: unable to determine DNS resolvers for nginx" >&2 - unset RESOLVERS -elif [[ $RESOLVERS =~ $SCOPED_IPV6_REGEX ]]; then - echo -n "Warning: Scoped IPv6 addresses removed from resolvers: " >&2 - echo "$RESOLVERS" | grep -Eo "$SCOPED_IPV6_REGEX" | paste -s -d ' ' >&2 - RESOLVERS=$(echo "$RESOLVERS" | sed -r "s/$SCOPED_IPV6_REGEX//g" | xargs echo -n); export RESOLVERS -fi + if [ "$RESOLVERS" = "" ]; then + echo "Warning: unable to determine DNS resolvers for nginx" >&2 + unset RESOLVERS + elif [[ $RESOLVERS =~ $SCOPED_IPV6_REGEX ]]; then + echo -n "Warning: Scoped IPv6 addresses removed from resolvers: " >&2 + echo "$RESOLVERS" | grep -Eo "$SCOPED_IPV6_REGEX" | paste -s -d ' ' >&2 + RESOLVERS=$(echo "$RESOLVERS" | sed -r "s/$SCOPED_IPV6_REGEX//g" | xargs echo -n); export RESOLVERS + fi } # Run the init logic if the default CMD was provided From ed009c0ec85080eff81458fe12f82e012ad08459 Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Tue, 28 Sep 2021 20:48:41 +1300 Subject: [PATCH 05/18] chore: 4/6 - Extract grouped logic to their own methods --- docker-entrypoint.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 680fdf1..7b21e36 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -32,7 +32,7 @@ function _setup_dhparam() { fi } -function _init() { +function _check_unix_socket() { # Warn if the DOCKER_HOST socket does not exist if [[ $DOCKER_HOST = unix://* ]]; then socket_file=${DOCKER_HOST#unix://} 
@@ -46,9 +46,9 @@ function _init() { exit 1 fi fi +} - _setup_dhparam - +function _resolvers() { # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in [] RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g'); export RESOLVERS @@ -66,7 +66,11 @@ function _init() { # Run the init logic if the default CMD was provided if [[ $* == 'forego start -r' ]]; then - _init + _check_unix_socket + + _resolvers + + _setup_dhparam fi exec "$@" From 0f330b85b10b05355e4bddd2183e8a3e69d7ad1a Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Tue, 28 Sep 2021 20:57:03 +1300 Subject: [PATCH 06/18] chore: 5/6 - Shift dhparam method to the bottom Minor change on error message. --- docker-entrypoint.sh | 62 ++++++++++++++++++++++---------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 7b21e36..bcc8f1b 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
@@ -1,37 +1,6 @@ #!/bin/bash set -e -function _setup_dhparam() { - echo 'Setting up DH Parameters..' - - # DH params will be supplied for nginx here: - DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem' - - # DH params may be provided by the user (rarely necessary), - # or use an existing pre-generated group from RFC7919, defaulting to 4096-bit: - if [[ -f ${DHPARAM_FILE} ]] - then - echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2 - else - # ENV DHPARAM_BITS - Defines which RFC7919 DHE group to use (default: 4096-bit): - local FFDHE_GROUP="${DHPARAM_BITS:-4096}" - # RFC7919 groups are defined here: - # https://datatracker.ietf.org/doc/html/rfc7919#appendix-A - local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem" - - # Only the following pre-generated sizes are supported, - # emit an error and kill the container if provided an invalid value: - if [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]] - then - echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}, use 2048, 3072, or 4096 (default)." >&2 - exit 1 - fi - - # Provide the DH params file to nginx: - cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}" - fi -} - function _check_unix_socket() { # Warn if the DOCKER_HOST socket does not exist if [[ $DOCKER_HOST = unix://* ]]; then 
@@ -64,6 +33,37 @@ function _resolvers() { fi } +function _setup_dhparam() { + echo 'Setting up DH Parameters..' + + # DH params will be supplied for nginx here: + DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem' + + # DH params may be provided by the user (rarely necessary), + # or use an existing pre-generated group from RFC7919, defaulting to 4096-bit: + if [[ -f ${DHPARAM_FILE} ]] + then + echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2 + else + # ENV DHPARAM_BITS - Defines which RFC7919 DHE group to use (default: 4096-bit): + local FFDHE_GROUP="${DHPARAM_BITS:-4096}" + # RFC7919 groups are defined here: + # https://datatracker.ietf.org/doc/html/rfc7919#appendix-A + local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem" + + # Only the following pre-generated sizes are supported, + # emit an error and kill the container if provided an invalid value: + if [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]] + then + echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}, use 2048, 3072, or 4096 (default)." >&2 + exit 1 + fi + + # Provide the DH params file to nginx: + cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}" + fi +} + # Run the init logic if the default CMD was provided if [[ $* == 'forego start -r' ]]; then _check_unix_socket From 6f7eb8bd97de5db8fbe1f22d8291288bc595697e Mon Sep 17 00:00:00 2001 
From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Sat, 25 Sep 2021 16:06:11 +1200 Subject: [PATCH 07/18] chore: 6/6 - Update shell syntax - `==` for string equality since we're using bash `[[ test ]]` already. - Uppercase `socket_file` variable to be consistent with other internal variables used in the script. - Convert `[ test ]` to `[[ test ]]` for consistency, improving maintenance. Double-bracket (_not posix compatible_) does not require quoted variables, ShellCheck lint knows this is safe too :) - `-z` test for `$RESOLVERS` is native syntax to check for empty string value. - Referenced variables should generally be wrapped like so `"${VAR}"`. - Variable assignments with string values should be double quotes for content with variables, otherwise use single quotes (_no interpolation_). - Converted my if statements to use the same style used in the rest of the file. --- docker-entrypoint.sh | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index bcc8f1b..bbdcdd9 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -3,12 +3,13 @@ set -e function _check_unix_socket() { # Warn if the DOCKER_HOST socket does not exist - if [[ $DOCKER_HOST = unix://* ]]; then - socket_file=${DOCKER_HOST#unix://} - if ! [ -S "$socket_file" ]; then + if [[ ${DOCKER_HOST} == unix://* ]]; then + local SOCKET_FILE="${DOCKER_HOST#unix://}" + + if [[ ! -S ${SOCKET_FILE} ]]; then cat >&2 <<-EOT - ERROR: you need to share your Docker host socket with a volume at $socket_file - Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:$socket_file:ro\` + ERROR: you need to share your Docker host socket with a volume at ${SOCKET_FILE} + Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:${SOCKET_FILE}:ro\` See the documentation at http://git.io/vZaGJ EOT 
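Review bot: The context comment `# Warn if the DOCKER_HOST socket does not exist` in `_check_unix_socket` is stale now that the branch ends in `exit 1` (moved there by patches 02 and 03), and this hunk rewrites every line around it; `# Fail if the DOCKER_HOST socket does not exist - the default CMD cannot work without it` would match the behaviour. The `<<-EOT` heredoc only strips leading tabs, so once the body is space-indented inside the function the indentation is emitted to stderr unless those lines are tab-indented; the collapsed diff does not show which, so worth checking the file. The function's closing lines are outside this hunk.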
@@ -21,15 +22,15 @@ function _resolvers() { # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in [] RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g'); export RESOLVERS - SCOPED_IPV6_REGEX="\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]" + SCOPED_IPV6_REGEX='\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]' - if [ "$RESOLVERS" = "" ]; then - echo "Warning: unable to determine DNS resolvers for nginx" >&2 + if [[ -z ${RESOLVERS} ]]; then + echo 'Warning: unable to determine DNS resolvers for nginx' >&2 unset RESOLVERS - elif [[ $RESOLVERS =~ $SCOPED_IPV6_REGEX ]]; then - echo -n "Warning: Scoped IPv6 addresses removed from resolvers: " >&2 - echo "$RESOLVERS" | grep -Eo "$SCOPED_IPV6_REGEX" | paste -s -d ' ' >&2 - RESOLVERS=$(echo "$RESOLVERS" | sed -r "s/$SCOPED_IPV6_REGEX//g" | xargs echo -n); export RESOLVERS + elif [[ ${RESOLVERS} =~ ${SCOPED_IPV6_REGEX} ]]; then + echo -n 'Warning: Scoped IPv6 addresses removed from resolvers: ' >&2 + echo "${RESOLVERS}" | grep -Eo "$SCOPED_IPV6_REGEX" | paste -s -d ' ' >&2 + RESOLVERS=$(echo "${RESOLVERS}" | sed -r "s/${SCOPED_IPV6_REGEX}//g" | xargs echo -n); export RESOLVERS fi } @@ -41,8 +42,7 @@ function _setup_dhparam() { # DH params may be provided by the user (rarely necessary), # or use an existing pre-generated group from RFC7919, defaulting to 4096-bit: - if [[ -f ${DHPARAM_FILE} ]] - then + if [[ -f ${DHPARAM_FILE} ]]; then echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2 else # ENV DHPARAM_BITS - Defines which RFC7919 DHE group to use (default: 4096-bit): 
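Review bot: `grep -Eo "$SCOPED_IPV6_REGEX"` on the new side still uses the unbraced form while every other reference in this hunk was converted to `"${SCOPED_IPV6_REGEX}"`, contrary to the rule the commit message sets out. `SCOPED_IPV6_REGEX` is also left as a global assignment although the same commit makes `SOCKET_FILE` `local` in `_check_unix_socket`; `local SCOPED_IPV6_REGEX='\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]'` keeps the two helpers consistent, and nothing in the visible script reads it outside `_resolvers`, unlike `RESOLVERS`, which is deliberately exported. `_resolvers` starts before this hunk.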
@@ -53,9 +53,8 @@ function _setup_dhparam() { # Only the following pre-generated sizes are supported, # emit an error and kill the container if provided an invalid value: - if [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]] - then - echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}, use 2048, 3072, or 4096 (default)." >&2 + if [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then + echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2 exit 1 fi From a7a2d6e44b8331fc5f1a9f98e2148bbc45ae5e35 Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Sat, 25 Sep 2021 16:29:03 +1200 Subject: [PATCH 08/18] chore: Use direct URL instead of URL shortener Implicit URL is unnecessary (_and presently relies on Github redirecting from it's original mapped URL_). Use an explicit URL instead to reduce the guesswork/trust of where the shortener was going to redirect to. --- docker-entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index bbdcdd9..b4dbd2c 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -10,7 +10,7 @@ function _check_unix_socket() { cat >&2 <<-EOT ERROR: you need to share your Docker host socket with a volume at ${SOCKET_FILE} Typically you should run your nginxproxy/nginx-proxy with: \`-v /var/run/docker.sock:${SOCKET_FILE}:ro\` - See the documentation at http://git.io/vZaGJ + See the documentation at: https://github.com/nginx-proxy/nginx-proxy/#usage EOT exit 1 From 004e4a5cda916b3759c89a1e9e201853c49b822b Mon Sep 17 00:00:00 2001 
From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Sun, 26 Sep 2021 16:51:37 +1300 Subject: [PATCH 09/18] chore: Refactor `_setup_dh()` - `DHPARAM_FILE` is a local var not intended for overriding via ENV. Clarified that with `local` declaration. - `FFDHE_GROUP` var uses default assignment (_`:=4096` instead of only substitute `:-4096`_), so that `DHPARAM_BITS` retains the default 4096 value in subsequent references if no custom size was provided. - Refactored the conditional statements to only handle early failure conditions. Shifting out the RFC7919 support that can run after all checks have passed. - Revised comments. --- docker-entrypoint.sh | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index b4dbd2c..2dba7ea 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
@@ -38,29 +38,25 @@ function _setup_dhparam() { echo 'Setting up DH Parameters..' # DH params will be supplied for nginx here: - DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem' + local DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem' - # DH params may be provided by the user (rarely necessary), - # or use an existing pre-generated group from RFC7919, defaulting to 4096-bit: + # Should be 2048, 3072, or 4096 (default): + local FFDHE_GROUP="${DHPARAM_BITS:=4096}" + + # DH params may be provided by the user (rarely necessary) if [[ -f ${DHPARAM_FILE} ]]; then echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2 - else - # ENV DHPARAM_BITS - Defines which RFC7919 DHE group to use (default: 4096-bit): - local FFDHE_GROUP="${DHPARAM_BITS:-4096}" - # RFC7919 groups are defined here: - # https://datatracker.ietf.org/doc/html/rfc7919#appendix-A - local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem" - - # Only the following pre-generated sizes are supported, - # emit an error and kill the container if provided an invalid value: - if [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then - echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2 - exit 1 - fi - - # Provide the DH params file to nginx: - cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}" + return 0 + elif [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then + echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2 + exit 1 fi + + # Use an existing pre-generated DH group from RFC7919 (https://datatracker.ietf.org/doc/html/rfc7919#appendix-A): + local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem" + + # Provide the DH params file to nginx: + cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}" } # Run the init logic if the default CMD was provided From 9299a2801e694a843e50bb36ac300ed73def7a50 Mon Sep 17 00:00:00 2001 
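Review bot: The `cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}"` at the end of the hunk is the step that actually places the chosen DH group in front of nginx, yet its exit status is never checked; if `/etc/nginx/dhparam` is not writable or the group file is absent, the function returns normally and startup proceeds as though setup had succeeded (unless the script runs under `set -e`, which is outside this hunk). Suggest `cp "${RFC7919_DHPARAM_FILE}" "${DHPARAM_FILE}" || { echo "ERROR: Failed to install ${RFC7919_DHPARAM_FILE} to ${DHPARAM_FILE}" >&2; exit 1; }` so a failed install is as loud as an unsupported `DHPARAM_BITS`. A smaller point: the `-f ${DHPARAM_FILE}` branch returns before `DHPARAM_BITS` is validated, so an unsupported size set alongside a mounted file is silently accepted rather than reported. `_setup_dhparam` begins before this hunk.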
From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Sat, 25 Sep 2021 17:42:27 +1200 Subject: [PATCH 10/18] tests: Remove dhparam volume No longer necessary for the majority of tests. --- test/test_DOCKER_HOST_unix_socket.yml | 1 - test/test_composev2.yml | 1 - test/test_custom/test_defaults-location.yml | 1 - test/test_custom/test_defaults.yml | 1 - test/test_custom/test_location-per-vhost.yml | 1 - test/test_custom/test_per-vhost.yml | 1 - test/test_custom/test_proxy-wide.yml | 1 - test/test_debug/test_proxy-debug-flag.yml | 1 - test/test_debug/test_server-debug-flag.yml | 1 - test/test_default-host.yml | 1 - test/test_dockergen/test_dockergen_v2.yml | 1 - test/test_dockergen/test_dockergen_v3.yml | 1 - test/test_events.yml | 1 - test/test_headers/test_http.yml | 1 - test/test_headers/test_https.yml | 1 - test/test_http_port.yml | 1 - test/test_ipv6.yml | 1 - test/test_multiple-hosts.yml | 1 - test/test_multiple-networks.yml | 1 - .../test_VIRTUAL_PORT-single-different-from-single-port.yml | 1 - test/test_multiple-ports/test_VIRTUAL_PORT.yml | 1 - test/test_multiple-ports/test_default-80.yml | 1 - test/test_multiple-ports/test_single-port-not-80.yml | 1 - test/test_nominal.yml | 1 - test/test_raw-ip-vhost.yml | 1 - test/test_server-down/test_load-balancing.yml | 1 - test/test_server-down/test_no-server-down.yml | 1 - test/test_server-down/test_server-down.yml | 1 - test/test_ssl/test_hsts.yml | 1 - test/test_ssl/test_https_port.yml | 1 - test/test_ssl/test_nohttp.yml | 1 - test/test_ssl/test_nohttps.yml | 1 - test/test_ssl/test_noredirect.yml | 1 - test/test_ssl/test_wildcard.yml | 1 - test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml | 1 - test/test_upstream-name/test_predictable-name.yml | 1 - test/test_upstream-name/test_sha1-name.yml | 1 - test/test_wildcard_host.yml | 1 - 38 files changed, 38 deletions(-) diff --git a/test/test_DOCKER_HOST_unix_socket.yml b/test/test_DOCKER_HOST_unix_socket.yml index d1aba4b..1563872 100644 
--- a/test/test_DOCKER_HOST_unix_socket.yml +++ b/test/test_DOCKER_HOST_unix_socket.yml @@ -19,6 +19,5 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/f00.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro environment: DOCKER_HOST: unix:///f00.sock diff --git a/test/test_composev2.yml b/test/test_composev2.yml index 283e070..4a0c9fa 100644 --- a/test/test_composev2.yml +++ b/test/test_composev2.yml @@ -4,7 +4,6 @@ services: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro web: image: web diff --git a/test/test_custom/test_defaults-location.yml b/test/test_custom/test_defaults-location.yml index 3069273..8b185f7 100644 --- a/test/test_custom/test_defaults-location.yml +++ b/test/test_custom/test_defaults-location.yml @@ -2,7 +2,6 @@ nginx-proxy: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/default_location:ro - ./my_custom_proxy_settings_bar.conf:/etc/nginx/vhost.d/web3.nginx-proxy.local_location:ro diff --git a/test/test_custom/test_defaults.yml b/test/test_custom/test_defaults.yml index 165264c..6086f40 100644 --- a/test/test_custom/test_defaults.yml +++ b/test/test_custom/test_defaults.yml @@ -4,7 +4,6 @@ services: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./my_custom_proxy_settings.conf:/etc/nginx/proxy.conf:ro web1: diff --git a/test/test_custom/test_location-per-vhost.yml b/test/test_custom/test_location-per-vhost.yml index 3622325..99f31f3 100644 --- a/test/test_custom/test_location-per-vhost.yml +++ b/test/test_custom/test_location-per-vhost.yml 
@@ -4,7 +4,6 @@ services: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/web1.nginx-proxy.local_location:ro web1: diff --git a/test/test_custom/test_per-vhost.yml b/test/test_custom/test_per-vhost.yml index 256c207..5eba9f6 100644 --- a/test/test_custom/test_per-vhost.yml +++ b/test/test_custom/test_per-vhost.yml @@ -4,7 +4,6 @@ services: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./my_custom_proxy_settings.conf:/etc/nginx/vhost.d/web1.nginx-proxy.local:ro web1: diff --git a/test/test_custom/test_proxy-wide.yml b/test/test_custom/test_proxy-wide.yml index 1715b8b..0cd6c40 100644 --- a/test/test_custom/test_proxy-wide.yml +++ b/test/test_custom/test_proxy-wide.yml @@ -4,7 +4,6 @@ services: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./my_custom_proxy_settings.conf:/etc/nginx/conf.d/my_custom_proxy_settings.conf:ro web1: diff --git a/test/test_debug/test_proxy-debug-flag.yml b/test/test_debug/test_proxy-debug-flag.yml index e7af54c..f930da3 100644 --- a/test/test_debug/test_proxy-debug-flag.yml +++ b/test/test_debug/test_proxy-debug-flag.yml @@ -22,6 +22,5 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro environment: DEBUG: "true" diff --git a/test/test_debug/test_server-debug-flag.yml b/test/test_debug/test_server-debug-flag.yml index 0256cf8..89bb6b5 100644 --- a/test/test_debug/test_server-debug-flag.yml +++ b/test/test_debug/test_server-debug-flag.yml 
@@ -23,4 +23,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_default-host.yml b/test/test_default-host.yml index 47b8525..2cb94d9 100644 --- a/test/test_default-host.yml +++ b/test/test_default-host.yml @@ -13,6 +13,5 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro environment: DEFAULT_HOST: web1.tld diff --git a/test/test_dockergen/test_dockergen_v2.yml b/test/test_dockergen/test_dockergen_v2.yml index 0fc8af5..919461d 100644 --- a/test/test_dockergen/test_dockergen_v2.yml +++ b/test/test_dockergen/test_dockergen_v2.yml @@ -6,7 +6,6 @@ services: container_name: nginx volumes: - /etc/nginx/conf.d - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro dockergen: image: jwilder/docker-gen diff --git a/test/test_dockergen/test_dockergen_v3.yml b/test/test_dockergen/test_dockergen_v3.yml index fad145a..5bc4bff 100644 --- a/test/test_dockergen/test_dockergen_v3.yml +++ b/test/test_dockergen/test_dockergen_v3.yml @@ -5,7 +5,6 @@ services: container_name: nginx volumes: - nginx_conf:/etc/nginx/conf.d - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro dockergen: image: jwilder/docker-gen diff --git a/test/test_events.yml b/test/test_events.yml index dcaaafc..260529e 100644 --- a/test/test_events.yml +++ b/test/test_events.yml @@ -2,4 +2,3 @@ nginxproxy: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_headers/test_http.yml b/test/test_headers/test_http.yml index 0e3880d..93795dc 100644 --- a/test/test_headers/test_http.yml +++ b/test/test_headers/test_http.yml 
@@ -20,4 +20,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_headers/test_https.yml b/test/test_headers/test_https.yml index c0c67b4..49dcec4 100644 --- a/test/test_headers/test_https.yml +++ b/test/test_headers/test_https.yml @@ -26,4 +26,3 @@ sut: - ./certs/web.nginx-proxy.tld.key:/etc/nginx/certs/web.nginx-proxy.tld.key:ro - ./certs/web-server-tokens-off.nginx-proxy.tld.crt:/etc/nginx/certs/web-server-tokens-off.nginx-proxy.tld.crt:ro - ./certs/web-server-tokens-off.nginx-proxy.tld.key:/etc/nginx/certs/web-server-tokens-off.nginx-proxy.tld.key:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_http_port.yml b/test/test_http_port.yml index a7fa0eb..72f142f 100644 --- a/test/test_http_port.yml +++ b/test/test_http_port.yml @@ -10,6 +10,5 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro environment: HTTP_PORT: 8080 \ No newline at end of file diff --git a/test/test_ipv6.yml b/test/test_ipv6.yml index c98c17e..4dce515 100644 --- a/test/test_ipv6.yml +++ b/test/test_ipv6.yml @@ -33,7 +33,6 @@ services: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro environment: ENABLE_IPV6: "true" networks: diff --git a/test/test_multiple-hosts.yml b/test/test_multiple-hosts.yml index bdc2804..b72da83 100644 --- a/test/test_multiple-hosts.yml +++ b/test/test_multiple-hosts.yml @@ -11,4 +11,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_multiple-networks.yml b/test/test_multiple-networks.yml index 1cc6d30..e4548b5 100644 --- a/test/test_multiple-networks.yml 
+++ b/test/test_multiple-networks.yml @@ -9,7 +9,6 @@ services: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro networks: - net1 - net2 diff --git a/test/test_multiple-ports/test_VIRTUAL_PORT-single-different-from-single-port.yml b/test/test_multiple-ports/test_VIRTUAL_PORT-single-different-from-single-port.yml index e28a481..dff6212 100644 --- a/test/test_multiple-ports/test_VIRTUAL_PORT-single-different-from-single-port.yml +++ b/test/test_multiple-ports/test_VIRTUAL_PORT-single-different-from-single-port.yml @@ -12,4 +12,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_multiple-ports/test_VIRTUAL_PORT.yml b/test/test_multiple-ports/test_VIRTUAL_PORT.yml index 3ee2d1a..1a3ecaa 100644 --- a/test/test_multiple-ports/test_VIRTUAL_PORT.yml +++ b/test/test_multiple-ports/test_VIRTUAL_PORT.yml @@ -12,4 +12,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_multiple-ports/test_default-80.yml b/test/test_multiple-ports/test_default-80.yml index ca61286..10047dc 100644 --- a/test/test_multiple-ports/test_default-80.yml +++ b/test/test_multiple-ports/test_default-80.yml @@ -11,4 +11,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_multiple-ports/test_single-port-not-80.yml b/test/test_multiple-ports/test_single-port-not-80.yml index fbb5b6a..18b3655 100644 --- a/test/test_multiple-ports/test_single-port-not-80.yml +++ b/test/test_multiple-ports/test_single-port-not-80.yml 
@@ -11,4 +11,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_nominal.yml b/test/test_nominal.yml index 2b62d04..fe02034 100644 --- a/test/test_nominal.yml +++ b/test/test_nominal.yml @@ -33,6 +33,5 @@ services: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro networks: - net1 diff --git a/test/test_raw-ip-vhost.yml b/test/test_raw-ip-vhost.yml index e265d74..066dade 100644 --- a/test/test_raw-ip-vhost.yml +++ b/test/test_raw-ip-vhost.yml @@ -41,7 +41,6 @@ services: ENABLE_IPV6: "true" volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro networks: net1: ipv4_address: 172.20.0.4 diff --git a/test/test_server-down/test_load-balancing.yml b/test/test_server-down/test_load-balancing.yml index b7162d1..d420072 100644 --- a/test/test_server-down/test_load-balancing.yml +++ b/test/test_server-down/test_load-balancing.yml @@ -27,4 +27,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_server-down/test_no-server-down.yml b/test/test_server-down/test_no-server-down.yml index 2f99f05..b3d4629 100644 --- a/test/test_server-down/test_no-server-down.yml +++ b/test/test_server-down/test_no-server-down.yml @@ -10,4 +10,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_server-down/test_server-down.yml b/test/test_server-down/test_server-down.yml index fc20e85..938d26a 100644 --- a/test/test_server-down/test_server-down.yml +++ b/test/test_server-down/test_server-down.yml 
@@ -11,4 +11,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_ssl/test_hsts.yml b/test/test_ssl/test_hsts.yml index 779dc07..b4af3b6 100644 --- a/test/test_ssl/test_hsts.yml +++ b/test/test_ssl/test_hsts.yml @@ -38,5 +38,4 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./certs:/etc/nginx/certs:ro diff --git a/test/test_ssl/test_https_port.yml b/test/test_ssl/test_https_port.yml index adcf2a8..7b674d7 100644 --- a/test/test_ssl/test_https_port.yml +++ b/test/test_ssl/test_https_port.yml @@ -10,7 +10,6 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./certs:/etc/nginx/certs:ro environment: HTTP_PORT: 8080 diff --git a/test/test_ssl/test_nohttp.yml b/test/test_ssl/test_nohttp.yml index 7a7ea08..48a7aa3 100644 --- a/test/test_ssl/test_nohttp.yml +++ b/test/test_ssl/test_nohttp.yml @@ -12,5 +12,4 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./certs:/etc/nginx/certs:ro diff --git a/test/test_ssl/test_nohttps.yml b/test/test_ssl/test_nohttps.yml index 0a6a9a5..3f3df19 100644 --- a/test/test_ssl/test_nohttps.yml +++ b/test/test_ssl/test_nohttps.yml @@ -12,4 +12,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_ssl/test_noredirect.yml b/test/test_ssl/test_noredirect.yml index 9ac7169..ecd93f6 100644 --- a/test/test_ssl/test_noredirect.yml +++ b/test/test_ssl/test_noredirect.yml 
@@ -12,5 +12,4 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./certs:/etc/nginx/certs:ro diff --git a/test/test_ssl/test_wildcard.yml b/test/test_ssl/test_wildcard.yml index 6168084..e1504ed 100644 --- a/test/test_ssl/test_wildcard.yml +++ b/test/test_ssl/test_wildcard.yml @@ -10,5 +10,4 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./certs:/etc/nginx/certs:ro diff --git a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml index 6257aee..98f41a0 100644 --- a/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml +++ b/test/test_ssl/wildcard_cert_and_nohttps/docker-compose.yml @@ -7,7 +7,6 @@ services: volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./certs:/etc/nginx/certs:ro - - ../../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro web1: image: web diff --git a/test/test_upstream-name/test_predictable-name.yml b/test/test_upstream-name/test_predictable-name.yml index 1265230..cd8d250 100644 --- a/test/test_upstream-name/test_predictable-name.yml +++ b/test/test_upstream-name/test_predictable-name.yml @@ -13,4 +13,3 @@ services: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro diff --git a/test/test_upstream-name/test_sha1-name.yml b/test/test_upstream-name/test_sha1-name.yml index d2095f3..54989ae 100644 --- a/test/test_upstream-name/test_sha1-name.yml +++ b/test/test_upstream-name/test_sha1-name.yml @@ -13,6 +13,5 @@ services: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro environment: SHA1_UPSTREAM_NAME: "true" 
diff --git a/test/test_wildcard_host.yml b/test/test_wildcard_host.yml index d39dad4..b745e31 100644 --- a/test/test_wildcard_host.yml +++ b/test/test_wildcard_host.yml @@ -35,4 +35,3 @@ sut: image: nginxproxy/nginx-proxy:test volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ./lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro From fd35a0924072851648b049972ffea01789513a95 Mon Sep 17 00:00:00 2001 
From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Tue, 28 Sep 2021 21:54:22 +1300 Subject: [PATCH 11/18] tests: Revise dhparams tests - `dhparam_generation` tests are no longer necessary, dropped. Modified the remaining `dhparam` test to use multiple `nginx-proxy` images to verify correct behavior for different configs. Tests now cover: - Default (ffdhe4096) is used. - Alternative via ENV (ffdhe2048) works correctly. - Invalid group via ENV (1024-bit) fails. - Custom DH params provided via file mount works with warning emitted. --- - `assert_log_contains`: added a `container_name` arg with `nginxproxy` as the default value. This allows multiple nginx-proxy containers to utilize this method instead. - Extracted out the `openssl` test (_to `negotiate_cipher()`_) and modified it to be a bit more flexible. It now takes a container with optional extra args to pass to the `openssl` command called, as well as the `grep` string to match. This made the original test redundant, so I've dropped it. - Added two methods to use `negotiate_cipher()`, one verifies a DHE cipher suite was negotiated and checks that a DH ephemeral key was also mentioned in the output. The other method verifies the expectation of failing to negotiate a valid cipher if DH params have not been set, while verifying that non-DHE cipher suites can be successfully negotiated. - Added a `get_env()` method for extracting attached environments on a container. This is useful for verifying invalid `DHPARAM_BITS` values (e.g. `1024`-bit). - The original `Server Temp Key` assertion was incorrect, it was expecting a value that is unrelated to DHE cipher suite support (_`X25519` is related to ECDHE_). This is due to TLS 1.3 being negotiated where you cannot use custom DH params, nor influence the negotiated cipher due to this mechanism changing from TLS 1.3. TLS 1.3 does support DH params, but it internally negotiates an RFC 7919 group between server and client instead.
Thus to verify expectations, the connection via `openssl` is made explicitly with TLS 1.2 instead. --- test/test_ssl/test_dhparam.py | 117 ++++++++++++++++++---- test/test_ssl/test_dhparam.yml | 33 +++++- test/test_ssl/test_dhparam_generation.py | 44 -------- test/test_ssl/test_dhparam_generation.yml | 8 -- 4 files changed, 128 insertions(+), 74 deletions(-) delete mode 100644 test/test_ssl/test_dhparam_generation.py delete mode 100644 test/test_ssl/test_dhparam_generation.yml diff --git a/test/test_ssl/test_dhparam.py b/test/test_ssl/test_dhparam.py index acb4269..0e567d2 100644 --- a/test/test_ssl/test_dhparam.py +++ b/test/test_ssl/test_dhparam.py @@ -15,7 +15,7 @@ docker_client = docker.from_env() ############################################################################### @backoff.on_exception(backoff.constant, AssertionError, interval=2, max_tries=15, jitter=None) -def assert_log_contains(expected_log_line): +def assert_log_contains(expected_log_line, container_name="nginxproxy"): """ Check that the nginx-proxy container log contains a given string. The backoff decorator will retry the check 15 times with a 2 seconds delay. @@ -24,7 +24,7 @@ def assert_log_contains(expected_log_line): :return: None :raises: AssertError if the expected string is not found in the log """ - sut_container = docker_client.containers.get("nginxproxy") + sut_container = docker_client.containers.get(container_name) docker_logs = sut_container.logs(stdout=True, stderr=True, stream=False, follow=False) assert bytes(expected_log_line, encoding="utf8") in docker_logs 
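Review bot: The new `container_name` parameter on `assert_log_contains` is not reflected in the docstring; the second hunk shows the `:return:`/`:raises:` entries unchanged and the `:param` lines sit between the two hunks, so presumably only `expected_log_line` is documented. Add `:param container_name: name of the container whose log is searched (default "nginxproxy")` beside the existing `:param` entry, and change the opening sentence from "the nginx-proxy container" to "the named container" now that the helper serves several containers.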
@@ -58,36 +58,117 @@ def require_openssl(required_version): reason=f"openssl v{openssl_version} is less than required version {required_version}") +@require_openssl("1.0.2") +def negotiate_cipher(sut_container, additional_params='', grep='Cipher is'): + host = f"{sut_container.attrs['NetworkSettings']['IPAddress']}:443" + + return subprocess.check_output( + f"echo '' | openssl s_client -connect {host} -tls1_2 {additional_params} | grep '{grep}'", + shell=True + ) + + +def can_negotiate_dhe_ciphersuite(sut_container): + r = negotiate_cipher(sut_container, "-cipher 'EDH'") + assert b"New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r + + r2 = negotiate_cipher(sut_container, "-cipher 'EDH'", "Server Temp Key") + assert b"DH" in r2 + + +def cannot_negotiate_dhe_ciphersuite(sut_container): + # Fail to negotiate a DHE cipher suite: + r = negotiate_cipher(sut_container, "-cipher 'EDH'") + assert b"New, (NONE), Cipher is (NONE)\n" == r + + # Correctly establish a connection (TLS 1.2): + r2 = negotiate_cipher(sut_container) + assert b"New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n" == r2 + + r3 = negotiate_cipher(sut_container, grep="Server Temp Key") + assert b"X25519" in r3 + + +# Parse array of container ENV, splitting at the `=` and returning the value, otherwise `None` +def get_env(sut_container, var): + env = sut_container.attrs['Config']['Env'] + + for e in env: + if e.startswith(var): + return e.split('=')[1] + + return None + + ############################################################################### # # Tests # ############################################################################### -def test_dhparam_is_not_generated_if_present(docker_compose): - sut_container = docker_client.containers.get("nginxproxy") +def test_default_dhparam_is_ffdhe4096(docker_compose): + container_name="dh-default" + sut_container = docker_client.containers.get(container_name) assert sut_container.status == "running" - assert_log_contains("Custom dhparam.pem file 
found, generation skipped") + assert_log_contains("Setting up DH Parameters..", container_name) - # Make sure the dhparam in use is not the default, pre-generated one - default_checksum = sut_container.exec_run("md5sum /app/dhparam.pem.default").output.split() + # Make sure the dhparam file used is the default ffdhe4096.pem: + default_checksum = sut_container.exec_run("md5sum /app/dhparam/ffdhe4096.pem").output.split() + current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split() + assert default_checksum[0] == current_checksum[0] + + can_negotiate_dhe_ciphersuite(sut_container) + + +def test_can_change_dhparam_group(docker_compose): + container_name="dh-env" + sut_container = docker_client.containers.get(container_name) + assert sut_container.status == "running" + + assert_log_contains("Setting up DH Parameters..", container_name) + + # Make sure the dhparam file used is ffdhe2048.pem, not the default (ffdhe4096.pem): + default_checksum = sut_container.exec_run("md5sum /app/dhparam/ffdhe2048.pem").output.split() + current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split() + assert default_checksum[0] == current_checksum[0] + + can_negotiate_dhe_ciphersuite(sut_container) + + +def test_fail_if_dhparam_group_not_supported(docker_compose): + container_name="invalid-group-1024" + sut_container = docker_client.containers.get(container_name) + assert sut_container.status == "exited" + + DHPARAM_BITS = get_env(sut_container, "DHPARAM_BITS") + assert DHPARAM_BITS == "1024" + + assert_log_contains( + f"ERROR: Unsupported DHPARAM_BITS size: {DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default).", + container_name + ) + + +def test_custom_dhparam_is_supported(docker_compose): + container_name="dh-file" + sut_container = docker_client.containers.get(container_name) + assert sut_container.status == "running" + + assert_log_contains( + "Warning: A custom dhparam.pem file was provided. 
Best practice is to use standardized RFC7919 DHE groups instead.", + container_name + ) + + # Make sure the dhparam file used is not the default (ffdhe4096.pem): + default_checksum = sut_container.exec_run("md5sum /app/dhparam/ffdhe4096.pem").output.split() current_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split() assert default_checksum[0] != current_checksum[0] + can_negotiate_dhe_ciphersuite(sut_container) + def test_web5_https_works(docker_compose, nginxproxy): r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False) assert r.status_code == 200 assert "answer from port 85\n" in r.text - - -@require_openssl("1.0.2") -def test_web5_dhparam_is_used(docker_compose): - sut_container = docker_client.containers.get("nginxproxy") - assert sut_container.status == "running" - - host = f"{sut_container.attrs['NetworkSettings']['IPAddress']}:443" - r = subprocess.check_output( - f"echo '' | openssl s_client -connect {host} -cipher 'EDH' | grep 'Server Temp Key'", shell=True) - assert b"Server Temp Key: X25519, 253 bits\n" == r diff --git a/test/test_ssl/test_dhparam.yml b/test/test_ssl/test_dhparam.yml index 9b29842..fd254f1 100644 --- a/test/test_ssl/test_dhparam.yml +++ b/test/test_ssl/test_dhparam.yml 
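Review bot: `get_env` matches with `e.startswith(var)` and returns `e.split('=')[1]`, so a variable whose name merely begins with `var` (for example `DHPARAM_BITS_X`) is returned as if it were `var`, and any value containing `=` is truncated at the first one. Match `if e.startswith(var + '='):` and return `e.split('=', 1)[1]` (or `e.partition('=')[2]`). Separately, `negotiate_cipher` interpolates `additional_params` and `grep` into a `shell=True` command string; the callers here pass constants, but an argv list to `subprocess.run` with `input=b''` and filtering the output in Python would remove the quoting hazard and turn a missing `grep` match into an assertion failure rather than a `CalledProcessError` from the pipeline. The loose `assert b"DH" in r2` in `can_negotiate_dhe_ciphersuite` is also satisfied by an `ECDH` temp key; `assert b"Temp Key: DH" in r2` pins the DHE case.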
@@ -6,11 +6,36 @@ web5: WEB_PORTS: "85" VIRTUAL_HOST: "web5.nginx-proxy.tld" - -sut: +# sut - System Under Test +with_default_group: image: nginxproxy/nginx-proxy:test - container_name: nginxproxy + container_name: dh-default volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro - ./certs:/etc/nginx/certs:ro + +with_alternative_group: + image: nginxproxy/nginx-proxy:test + container_name: dh-env + environment: + - DHPARAM_BITS=2048 + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./certs:/etc/nginx/certs:ro + +with_invalid_group: + image: nginxproxy/nginx-proxy:test + container_name: invalid-group-1024 + environment: + - DHPARAM_BITS=1024 + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./certs:/etc/nginx/certs:ro + +with_custom_file: + image: nginxproxy/nginx-proxy:test + container_name: dh-file + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./certs:/etc/nginx/certs:ro + - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro \ No newline at end of file diff --git a/test/test_ssl/test_dhparam_generation.py b/test/test_ssl/test_dhparam_generation.py deleted file mode 100644 index ec1c90e..0000000 --- a/test/test_ssl/test_dhparam_generation.py +++ /dev/null 
@@ -1,44 +0,0 @@ -import backoff -import docker - -docker_client = docker.from_env() - - -############################################################################### -# -# Tests helpers -# -############################################################################### - -@backoff.on_exception(backoff.constant, AssertionError, interval=2, max_tries=15, jitter=None) -def assert_log_contains(expected_log_line): - """ - Check that the nginx-proxy container log contains a given string. - The backoff decorator will retry the check 15 times with a 2 seconds delay. - - :param expected_log_line: string to search for - :return: None - :raises: AssertError if the expected string is not found in the log - """ - sut_container = docker_client.containers.get("nginxproxy") - docker_logs = sut_container.logs(stdout=True, stderr=True, stream=False, follow=False) - assert bytes(expected_log_line, encoding="utf8") in docker_logs - - -############################################################################### -# -# Tests -# -############################################################################### - -def test_dhparam_is_generated_if_missing(docker_compose): - sut_container = docker_client.containers.get("nginxproxy") - assert sut_container.status == "running" - - assert_log_contains("Generating DSA parameters") - assert_log_contains("dhparam generation complete, reloading nginx") - - # Make sure the dhparam in use is not the default, pre-generated one - default_checksum = sut_container.exec_run("md5sum /app/dhparam.pem.default").output.split() - generated_checksum = sut_container.exec_run("md5sum /etc/nginx/dhparam/dhparam.pem").output.split() - assert default_checksum[0] != generated_checksum[0] diff --git a/test/test_ssl/test_dhparam_generation.yml b/test/test_ssl/test_dhparam_generation.yml deleted file mode 100644 index 6df55c1..0000000 --- a/test/test_ssl/test_dhparam_generation.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -sut: - image: nginxproxy/nginx-proxy:test - container_name: nginxproxy - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - ./certs:/etc/nginx/certs:ro - environment: - - DHPARAM_BITS=256 From 1d2f308cdff1c0771d4faf8a91da497c013ad90b Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Tue, 28 Sep 2021 21:49:06 +1300 Subject: [PATCH 12/18] feat: Bring back ability to skip default DH params Adds back the ability to avoid using DH params, provided no file was explicitly supplied. This used to be `DHPARAM_GENERATION=false`, the equivalent is now `DHPARAM_SKIP=1` (default 0). Previous name was no longer appropriate. Ensures that if a user has explicitly provided their own dhparam file to still output a warning instead of the skip message, since `DHPARAM_SKIP=1` doesn't disable the support in nginx. --- README.md | 6 ++++++ docker-entrypoint.sh | 3 +++ test/test_ssl/test_dhparam.py | 10 ++++++++++ test/test_ssl/test_dhparam.yml | 11 ++++++++++- 4 files changed, 29 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2177056..038358f 100644 --- a/README.md +++ b/README.md 
@@ -261,6 +261,12 @@ To use custom `dhparam.pem` files per-virtual-host, the files should be named af In the separate container setup, no pre-generated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image, nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will provide one. If you still want A+ security in a separate container setup, you should mount an RFC7919 DH key file to the nginx container at `/etc/nginx/dhparam/dhparam.pem`. +Set `DHPARAM_SKIP` environment variable to `1` to disable using default Diffie-Hellman parameters. The default value is `0`. + +```console +docker run -e DHPARAM_SKIP=1 .... +``` + #### Wildcard Certificates Wildcard certificates and keys should be named after the domain name with a `.crt` and `.key` extension. For example `VIRTUAL_HOST=foo.bar.com` would use cert name `bar.com.crt` and `bar.com.key`. diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 2dba7ea..0e74204 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -47,6 +47,9 @@ function _setup_dhparam() { if [[ -f ${DHPARAM_FILE} ]]; then echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2 return 0 + elif [[ ${DHPARAM_SKIP:=0} -eq 1 ]]; then + echo 'Skipping Diffie-Hellman parameters setup.' + return 0 elif [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then echo "ERROR: Unsupported DHPARAM_BITS size: ${DHPARAM_BITS}. Use: 2048, 3072, or 4096 (default)." >&2 exit 1 diff --git a/test/test_ssl/test_dhparam.py b/test/test_ssl/test_dhparam.py index 0e567d2..33b2ed7 100644 --- a/test/test_ssl/test_dhparam.py +++ b/test/test_ssl/test_dhparam.py 
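Review bot: `elif [[ ${DHPARAM_SKIP:=0} -eq 1 ]]` compares arithmetically, so a value like `DHPARAM_SKIP=true` is evaluated as a shell variable name (unset, hence 0) and a value like `1.0` produces a bash syntax error; either way anything other than a literal `1` silently falls through to the default DH setup with no message that the setting was ignored. A string comparison is the safer spelling for an opt-out flag and matches the `1`/`0` the README hunk in this commit documents: `elif [[ ${DHPARAM_SKIP:=0} == 1 ]]; then`. The `if` chain and `_setup_dhparam` itself begin outside this hunk.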
@@ -168,6 +168,16 @@ def test_custom_dhparam_is_supported(docker_compose): can_negotiate_dhe_ciphersuite(sut_container) +def test_can_skip_dhparam(docker_compose): + container_name="dh-skip" + sut_container = docker_client.containers.get(container_name) + assert sut_container.status == "running" + + assert_log_contains("Skipping Diffie-Hellman parameters setup.", container_name) + + cannot_negotiate_dhe_ciphersuite(sut_container) + + def test_web5_https_works(docker_compose, nginxproxy): r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False) assert r.status_code == 200 diff --git a/test/test_ssl/test_dhparam.yml b/test/test_ssl/test_dhparam.yml index fd254f1..8906937 100644 --- a/test/test_ssl/test_dhparam.yml +++ b/test/test_ssl/test_dhparam.yml @@ -38,4 +38,13 @@ with_custom_file: volumes: - /var/run/docker.sock:/tmp/docker.sock:ro - ./certs:/etc/nginx/certs:ro - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro \ No newline at end of file + - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro + +with_skip: + image: nginxproxy/nginx-proxy:test + container_name: dh-skip + environment: + - DHPARAM_SKIP=1 + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - ./certs:/etc/nginx/certs:ro \ No newline at end of file From e81001615cc77428b810dc40b16548c08b68e088 Mon Sep 17 00:00:00 2001 
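Review bot: `container_name="dh-skip"` in the new test omits the spaces around `=` that PEP 8 expects and that the very next assignment in the same function (`sut_container = ...`) uses; `container_name = "dh-skip"`. The test body itself is the right shape for a negative check: it confirms the skip log line and then that no DHE suite can be negotiated via `cannot_negotiate_dhe_ciphersuite`, which also verifies the container still serves TLS.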
From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Tue, 28 Sep 2021 19:47:59 +1300 Subject: [PATCH 13/18] tests: Improve error handling output and use regular string comparisons As this project isn't exactly python focused apart from the test suite, I'll assume other contributors are probably not as experienced with python either. Since this is a rather technical test, the extra comments should help grok the functionality without floundering around with the docs. When the subprocess raises an exception due to an issue with the command (_eg using `-CAfile` arg to `openssl` with an invalid path_), the tests would output large walls of text that weren't particularly helpful in troubleshooting the issue. `stderr` was also leaking out in between the test case results in the terminal; this has been resolved by ensuring that output is caught and piped, which keeps it available to python when an exception is raised. Identifying the actual error cause and location is now much nicer. Updated the output to be plain string content instead of byte strings, this works fine :) --- test/test_ssl/test_dhparam.py | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/test/test_ssl/test_dhparam.py b/test/test_ssl/test_dhparam.py index 33b2ed7..1169775 100644 --- a/test/test_ssl/test_dhparam.py +++ b/test/test_ssl/test_dhparam.py 
@@ -61,32 +61,44 @@ def require_openssl(required_version): @require_openssl("1.0.2") def negotiate_cipher(sut_container, additional_params='', grep='Cipher is'): host = f"{sut_container.attrs['NetworkSettings']['IPAddress']}:443" - - return subprocess.check_output( - f"echo '' | openssl s_client -connect {host} -tls1_2 {additional_params} | grep '{grep}'", - shell=True - ) + + try: + # Enforce TLS 1.2 as newer versions don't support custom dhparam or ciphersuite preference. + # The empty `echo` is to provide `openssl` user input, so that the process exits: https://stackoverflow.com/a/28567565 + # `shell=True` enables using a single string to execute as a shell command. + # `text=True` prevents the need to compare against byte strings. + # `stderr=subprocess.PIPE` removes the output to stderr being interleaved with test case status (output during exceptions). + return subprocess.check_output( + f"echo '' | openssl s_client -connect {host} -tls1_2 {additional_params} | grep '{grep}'", + shell=True, + text=True, + stderr=subprocess.PIPE, + ) + except subprocess.CalledProcessError as e: + # Output a more helpful error, the original exception in this case isn't that helpful. + # `from None` to ignore undesired output from exception chaining. 
+ raise Exception("Failed to process CLI request:\n" + e.stderr) from None def can_negotiate_dhe_ciphersuite(sut_container): r = negotiate_cipher(sut_container, "-cipher 'EDH'") - assert b"New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r + assert "New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\n" == r r2 = negotiate_cipher(sut_container, "-cipher 'EDH'", "Server Temp Key") - assert b"DH" in r2 + assert "DH" in r2 def cannot_negotiate_dhe_ciphersuite(sut_container): # Fail to negotiate a DHE cipher suite: r = negotiate_cipher(sut_container, "-cipher 'EDH'") - assert b"New, (NONE), Cipher is (NONE)\n" == r + assert "New, (NONE), Cipher is (NONE)\n" == r # Correctly establish a connection (TLS 1.2): r2 = negotiate_cipher(sut_container) - assert b"New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n" == r2 + assert "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384\n" == r2 r3 = negotiate_cipher(sut_container, grep="Server Temp Key") - assert b"X25519" in r3 + assert "X25519" in r3 # Parse array of container ENV, splitting at the `=` and returning the value, otherwise `None` From 0cd573f043b78ff587b9b3682b08c5c7aa9e7e36 Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Sat, 25 Sep 2021 20:07:08 +1200 Subject: [PATCH 14/18] tests(`pytest.sh`): Update Syntax - Added clarification comment of the DIR command - Quoted `ARGS` usage required wrapping `ARGS` assignment in an array to properly expand. This wasn't broken before, but is required change to keep ShellCheck lint happy. - Quote wrapped `DIR` usage, the volume target had an extra `/` before the `DIR` which seems unnecessary as `pwd` should return absolute path. - Expanded `docker run` options to long-form. --- test/pytest.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/test/pytest.sh b/test/pytest.sh index a9745f5..99c054c 100755 --- a/test/pytest.sh +++ b/test/pytest.sh 
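Review bot: the new `except subprocess.CalledProcessError` branch raises a bare `Exception` whose message carries only `e.stderr`; under `shell=True` the pipeline's exit status is `grep`'s, so when `openssl` connects fine but the `grep` pattern simply does not match, stderr is empty and the message says nothing about which command or exit status failed. The `CalledProcessError` already carries that information, so it can be kept without reintroducing the long chained traceback: `raise RuntimeError(f"Failed to process CLI request (exit {e.returncode}): {e.cmd}\n{e.stderr}") from None`. It would also help to state in the comment block above the call that a non-matching `grep` is what turns an unexpected `openssl` result into an exception, since that is the path most test failures will take.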
@@ -8,17 +8,18 @@ # # ############################################################################### +# Returns the absolute directory path to this script DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -ARGS="$@" +ARGS=("$@") # check requirements echo "> Building nginx-proxy-tester image..." -docker build -t nginx-proxy-tester -f $DIR/requirements/Dockerfile-nginx-proxy-tester $DIR/requirements +docker build -t nginx-proxy-tester -f "${DIR}/requirements/Dockerfile-nginx-proxy-tester" "${DIR}/requirements" # run the nginx-proxy-tester container setting the correct value for the working dir in order for # docker-compose to work properly when run from within that container. exec docker run --rm -it \ - -v ${DIR}:/${DIR} \ - -w ${DIR} \ - -v /var/run/docker.sock:/var/run/docker.sock \ - nginx-proxy-tester ${ARGS} +--volume /var/run/docker.sock:/var/run/docker.sock \ +--volume "${DIR}:${DIR}" \ +--workdir "${DIR}" \ +nginx-proxy-tester "${ARGS[@]}" \ No newline at end of file From 391ca3e3b536d98fa34c34cf32bc96ae8746edb3 Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Sat, 25 Sep 2021 16:47:46 +1200 Subject: [PATCH 15/18] fix(Dockerfile): Remove `VOLUME` in Dockerfile Anonymous volumes are discouraged for reliable persistence. Users should use named volumes or bind mounts instead. Potentially breaking change, users can also use explicit anonymous volumes instead of relying on implicit anonymous volumes. `nginx-proxy` really should not be creating implicit anonymous volumes as in most cases it is undesirable. `git blame` reveals this was added in 2014 by jwilder, with a message that implies implicit anonymous volumes was never intended.. --- Dockerfile | 2 -- Dockerfile.alpine | 2 -- 2 files changed, 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5642e2c..a08f223 100644 --- a/Dockerfile +++ b/Dockerfile 
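Review bot: the rewritten continuation lines of `exec docker run --rm -it \` sit at column 0, dropping the indentation the previous version had, which makes it harder to see where the command ends; indenting them (`    --volume /var/run/docker.sock:/var/run/docker.sock \` and so on) keeps the argument list visually attached to the `exec`. The preceding `# check requirements` comment now sits above a `docker build` rather than any check, so `# build the nginx-proxy-tester image` would describe the step; the `# Returns the absolute directory path to this script` comment added above `DIR` is a good model. The file still ends without a trailing newline per the `\ No newline at end of file` marker.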
@@ -70,7 +70,5 @@ WORKDIR /app/ ENV DOCKER_HOST unix:///tmp/docker.sock -VOLUME ["/etc/nginx/certs"] - ENTRYPOINT ["/app/docker-entrypoint.sh"] CMD ["forego", "start", "-r"] diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 546de81..1281f8f 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -67,7 +67,5 @@ WORKDIR /app/ ENV DOCKER_HOST unix:///tmp/docker.sock -VOLUME ["/etc/nginx/certs"] - ENTRYPOINT ["/app/docker-entrypoint.sh"] CMD ["forego", "start", "-r"] From 41bd4076c09ce23ea8d55e566ee4588d9c3847aa Mon Sep 17 00:00:00 2001 From: polarathene <5098581+polarathene@users.noreply.github.com> Date: Wed, 29 Sep 2021 15:19:38 +1300 Subject: [PATCH 16/18] chore: DRY up `test_dhparam.yml` Use YAML anchors for repeated values providing a single source of truth. I would use `x-*` convention to store anchors above service containers, but this seems to require a compose config that defines the services (and version?) keys, which this test setup was failing to be compatible with for some reason.. --- test/test_ssl/test_dhparam.yml | 36 +++++++++++++++------------------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/test/test_ssl/test_dhparam.yml b/test/test_ssl/test_dhparam.yml index 8906937..6673f18 100644 --- a/test/test_ssl/test_dhparam.yml +++ b/test/test_ssl/test_dhparam.yml 
@@ -7,44 +7,40 @@ web5: VIRTUAL_HOST: "web5.nginx-proxy.tld" # sut - System Under Test +# `docker.sock` required for functionality +# `certs` required to enable HTTPS via template with_default_group: - image: nginxproxy/nginx-proxy:test container_name: dh-default - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - ./certs:/etc/nginx/certs:ro + image: &img-nginxproxy nginxproxy/nginx-proxy:test + volumes: &vols-common + - &docker-sock /var/run/docker.sock:/tmp/docker.sock:ro + - &nginx-certs ./certs:/etc/nginx/certs:ro with_alternative_group: - image: nginxproxy/nginx-proxy:test container_name: dh-env environment: - DHPARAM_BITS=2048 - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - ./certs:/etc/nginx/certs:ro + image: *img-nginxproxy + volumes: *vols-common with_invalid_group: - image: nginxproxy/nginx-proxy:test container_name: invalid-group-1024 environment: - DHPARAM_BITS=1024 - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - ./certs:/etc/nginx/certs:ro + image: *img-nginxproxy + volumes: *vols-common with_custom_file: - image: nginxproxy/nginx-proxy:test container_name: dh-file - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - ./certs:/etc/nginx/certs:ro + image: *img-nginxproxy + volumes: + - *docker-sock + - *nginx-certs - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro with_skip: - image: nginxproxy/nginx-proxy:test container_name: dh-skip environment: - DHPARAM_SKIP=1 - volumes: - - /var/run/docker.sock:/tmp/docker.sock:ro - - ./certs:/etc/nginx/certs:ro \ No newline at end of file + image: *img-nginxproxy + volumes: *vols-common \ No newline at end of file From ab7ac0aadbdfd505651800bdcbfeb006dd0a3bc1 Mon Sep 17 00:00:00 2001 
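Review bot: the new comment `# docker.sock required for functionality` sits directly above a bind mount ending in `:ro`, which is easy to read as "read-only Docker access"; for a unix socket the `:ro` flag only protects the mount point itself, and the container retains full Docker API access through the socket. Extending the comment avoids that misreading: `# docker.sock required for functionality (':ro' only affects the mount point, not what the Docker API permits)`. The anchor usage looks right, including `with_custom_file` spelling out `*docker-sock` and `*nginx-certs` individually because YAML cannot merge a third entry into the aliased `*vols-common` list.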
From: Nicolas Duchon Date: Wed, 20 Oct 2021 19:15:27 +0200 Subject: [PATCH 17/18] fix: backward compatibility w/ DHPARAM_GENERATION Also use true rather than 1 to stay consistent with other boolean environment variables --- README.md | 4 ++-- docker-entrypoint.sh | 38 +++++++++++++++++++++++++++++++--- test/test_ssl/test_dhparam.py | 10 +++++++++ test/test_ssl/test_dhparam.yml | 9 +++++++- 4 files changed, 55 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 038358f..1605fc9 100644 --- a/README.md +++ b/README.md @@ -261,10 +261,10 @@ To use custom `dhparam.pem` files per-virtual-host, the files should be named af In the separate container setup, no pre-generated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image, nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will provide one. If you still want A+ security in a separate container setup, you should mount an RFC7919 DH key file to the nginx container at `/etc/nginx/dhparam/dhparam.pem`. -Set `DHPARAM_SKIP` environment variable to `1` to disable using default Diffie-Hellman parameters. The default value is `0`. +Set `DHPARAM_SKIP` environment variable to `true` to disable using default Diffie-Hellman parameters. The default value is `false`. ```console -docker run -e DHPARAM_SKIP=1 .... +docker run -e DHPARAM_SKIP=true .... ``` #### Wildcard Certificates diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 0e74204..45d6cd2 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -1,6 +1,34 @@ #!/bin/bash set -e +function _parse_true() { + case "$1" in + + true | True | TRUE | 1) + return 0 + ;; + + *) + return 1 + ;; + + esac +} + +function _parse_false() { + case "$1" in + + false | False | FALSE | 0) + return 0 + ;; + + *) + return 1 + ;; + + esac +} + function _check_unix_socket() { # Warn if the DOCKER_HOST socket does not exist if [[ ${DOCKER_HOST} == unix://* ]]; then 
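Review bot: `_parse_true` and `_parse_false` carry no header comment describing the accepted spellings or the return convention, and since they now gate whether DH parameters are configured in `_setup_dhparam`, a reader should not have to infer that from the `case` arms. Proposed above `_parse_true`: `# Returns 0 (success) when $1 is one of: true, True, TRUE, 1; any other value, including an empty one, returns 1.` with the mirrored wording for `_parse_false` (false, False, FALSE, 0). It is worth stating in the same comment that other casings (e.g. `tRUE`) and words like yes/no are not recognised, so a caller that wants to detect an unrecognised value must test both functions.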
@@ -35,8 +63,6 @@ function _resolvers() { } function _setup_dhparam() { - echo 'Setting up DH Parameters..' - # DH params will be supplied for nginx here: local DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem' @@ -47,7 +73,11 @@ function _setup_dhparam() { if [[ -f ${DHPARAM_FILE} ]]; then echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2 return 0 - elif [[ ${DHPARAM_SKIP:=0} -eq 1 ]]; then + elif _parse_true "${DHPARAM_SKIP:=false}"; then + echo 'Skipping Diffie-Hellman parameters setup.' + return 0 + elif _parse_false "${DHPARAM_GENERATION:=true}"; then + echo 'Warning: The DHPARAM_GENERATION environment variable is deprecated, please consider using DHPARAM_SKIP set to true instead.' >&2 echo 'Skipping Diffie-Hellman parameters setup.' return 0 elif [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then @@ -55,6 +85,8 @@ function _setup_dhparam() { exit 1 fi + echo 'Setting up DH Parameters..' + # Use an existing pre-generated DH group from RFC7919 (https://datatracker.ietf.org/doc/html/rfc7919#appendix-A): local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem" diff --git a/test/test_ssl/test_dhparam.py b/test/test_ssl/test_dhparam.py index 1169775..6de92b2 100644 --- a/test/test_ssl/test_dhparam.py +++ b/test/test_ssl/test_dhparam.py 
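Review bot: in the `elif _parse_true "${DHPARAM_SKIP:=false}"` and `elif _parse_false "${DHPARAM_GENERATION:=true}"` branches, a value that is neither a recognised true nor a recognised false spelling (a typo, or `yes`) silently takes the default path and the user gets no hint the setting was ignored. A check ahead of the `if` chain surfaces that without changing the chain: `if ! _parse_true "${DHPARAM_SKIP:=false}" && ! _parse_false "${DHPARAM_SKIP}"; then` / `    echo "Warning: Unrecognised DHPARAM_SKIP value '${DHPARAM_SKIP}', treating it as false." >&2` / `fi`, with the equivalent for `DHPARAM_GENERATION`. Separately, an explicit `DHPARAM_SKIP=false` does not override `DHPARAM_GENERATION=false`, so the deprecated variable still wins when both are set; confirm that precedence is intended and mention it in the deprecation warning if so. `_setup_dhparam` starts in the first hunk on this line and continues past the third.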
@@ -189,6 +189,16 @@ def test_can_skip_dhparam(docker_compose): cannot_negotiate_dhe_ciphersuite(sut_container) +def test_can_skip_dhparam_backward_compatibility(docker_compose): + container_name="dh-skip-backward" + sut_container = docker_client.containers.get(container_name) + assert sut_container.status == "running" + + assert_log_contains("Warning: The DHPARAM_GENERATION environment variable is deprecated, please consider using DHPARAM_SKIP set to true instead.", container_name) + assert_log_contains("Skipping Diffie-Hellman parameters setup.", container_name) + + cannot_negotiate_dhe_ciphersuite(sut_container) + def test_web5_https_works(docker_compose, nginxproxy): r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False) diff --git a/test/test_ssl/test_dhparam.yml b/test/test_ssl/test_dhparam.yml index 6673f18..791a9d7 100644 --- a/test/test_ssl/test_dhparam.yml +++ b/test/test_ssl/test_dhparam.yml @@ -41,6 +41,13 @@ with_custom_file: with_skip: container_name: dh-skip environment: - - DHPARAM_SKIP=1 + - DHPARAM_SKIP=true + image: *img-nginxproxy + volumes: *vols-common + +with_skip_backward: + container_name: dh-skip-backward + environment: + - DHPARAM_GENERATION=false image: *img-nginxproxy volumes: *vols-common \ No newline at end of file From 36c4ed7632037515bec256ff46cb3e8ecc7388ef Mon Sep 17 00:00:00 2001 From: Nicolas Duchon Date: Wed, 20 Oct 2021 21:04:29 +0200 Subject: [PATCH 18/18] test: replace test dhparam.pem with ffdhe3072.pem --- test/lib/ssl/dhparam.pem | 8 -------- test/test_ssl/test_dhparam.yml | 2 +- 2 files changed, 1 insertion(+), 9 deletions(-) delete mode 100644 test/lib/ssl/dhparam.pem diff --git a/test/lib/ssl/dhparam.pem b/test/lib/ssl/dhparam.pem deleted file mode 100644 index eb3218c..0000000 --- a/test/lib/ssl/dhparam.pem +++ /dev/null 
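Review bot: the new test leaves only a single blank line before `def test_web5_https_works`, while the earlier commit that added `test_can_skip_dhparam` (and the hunk's own leading context, by its line counts) separates top-level functions with two; add a second blank line so the module layout stays uniform. `container_name="dh-skip-backward"` also lacks PEP 8 spacing around `=`, unlike the `sut_container = ...` assignment just below it; `container_name = "dh-skip-backward"`.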
@@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA1cae6HqPSgicEuAuSCf6Ii3d6qMX9Ta8lnwoX0JQ0CWK7mzaiiIi -dY7oHmc4cq0S3SH+g0tdLP9yqygFS9hdUGINwS2VV6poj2/vdL/dUshegyxpEH58 -nofCPnFDeKkcPDMYAlGS8zjp60TsBkRJKcrxxwnjod1Q5mWuMN5KH3sxs842udKH -0nHFE9kKW/NfXb+EGsjpocGpf786cGuCO2d00THsoItOEcM9/aI8DX1QcyxAHR6D -HaYTFJnyyx8Q44u27M15idI4pbNoKORlotiuOwCTGYCfbN14aOV+Ict7aSF8FWpP -48j9SMNuIu2DlF9pNLo6fsrOjYY3c9X12wIBAg== ------END DH PARAMETERS----- diff --git a/test/test_ssl/test_dhparam.yml b/test/test_ssl/test_dhparam.yml index 791a9d7..d49afc9 100644 --- a/test/test_ssl/test_dhparam.yml +++ b/test/test_ssl/test_dhparam.yml @@ -36,7 +36,7 @@ with_custom_file: volumes: - *docker-sock - *nginx-certs - - ../lib/ssl/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro + - ../../dhparam/ffdhe3072.pem:/etc/nginx/dhparam/dhparam.pem:ro with_skip: container_name: dh-skip
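Review bot: `with_custom_file` now mounts `../../dhparam/ffdhe3072.pem`, one of the RFC 7919 groups the image already ships, as its "custom" `dhparam.pem`, so the container's DH parameters are no longer distinguishable from the built-in ones by content alone. If `test_custom_dhparam_is_supported` only checks that a DHE suite negotiates this still passes, but it can no longer prove the mounted file was preferred over the default; that test's body is not in this patch, so this is inferred. Since `DHPARAM_BITS` defaults to 4096 and `can_negotiate_dhe_ciphersuite` already greps the `Server Temp Key` line, asserting a 3072-bit group on that line would confirm the custom file actually took precedence.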