diff --git a/README.md b/README.md
index 038358f..1605fc9 100644
--- a/README.md
+++ b/README.md
@@ -261,10 +261,10 @@ To use custom `dhparam.pem` files per-virtual-host, the files should be named af
 In the separate container setup, no pre-generated key will be available and neither the [jwilder/docker-gen](https://hub.docker.com/r/jwilder/docker-gen) image, nor the offical [nginx](https://registry.hub.docker.com/_/nginx/) image will provide one. If you still want A+ security in a separate container setup, you should mount an RFC7919 DH key file to the nginx container at `/etc/nginx/dhparam/dhparam.pem`.
-Set `DHPARAM_SKIP` environment variable to `1` to disable using default Diffie-Hellman parameters. The default value is `0`.
+Set `DHPARAM_SKIP` environment variable to `true` to disable using default Diffie-Hellman parameters. The default value is `false`.
 ```console
-docker run -e DHPARAM_SKIP=1 ....
+docker run -e DHPARAM_SKIP=true ....
 ```
 #### Wildcard Certificates
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 0e74204..45d6cd2 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,6 +1,34 @@
 #!/bin/bash
 set -e
+function _parse_true() {
+ case "$1" in
+
+ true | True | TRUE | 1)
+ return 0
+ ;;
+
+ *)
+ return 1
+ ;;
+
+ esac
+}
+
+function _parse_false() {
+ case "$1" in
+
+ false | False | FALSE | 0)
+ return 0
+ ;;
+
+ *)
+ return 1
+ ;;
+
+ esac
+}
+
 function _check_unix_socket() {
 # Warn if the DOCKER_HOST socket does not exist
 if [[ ${DOCKER_HOST} == unix://* ]]; then
@@ -35,8 +63,6 @@ function _resolvers() {
 }
 function _setup_dhparam() {
- echo 'Setting up DH Parameters..'
-
 # DH params will be supplied for nginx here:
 local DHPARAM_FILE='/etc/nginx/dhparam/dhparam.pem'
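Review bot: `_parse_true` and `_parse_false` carry no comment stating which spellings they accept or that the answer is reported through the exit status, so a reader of the call sites has to open both bodies to learn that values such as `yes` or `no` match neither helper. A one-line header on each would do, e.g. `# Return 0 when $1 is a true-ish boolean (true/True/TRUE/1), 1 for anything else.` and the mirror image for the false-ish form. If mixed-case spellings are meant to be accepted as well, lower-casing the argument once with `case "${1,,}" in` and matching `true | 1)` / `false | 0)` gives a shorter pattern than listing each capitalisation.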
@@ -47,7 +73,11 @@ function _setup_dhparam() {
 if [[ -f ${DHPARAM_FILE} ]]; then
 echo 'Warning: A custom dhparam.pem file was provided. Best practice is to use standardized RFC7919 DHE groups instead.' >&2
 return 0
- elif [[ ${DHPARAM_SKIP:=0} -eq 1 ]]; then
+ elif _parse_true "${DHPARAM_SKIP:=false}"; then
+ echo 'Skipping Diffie-Hellman parameters setup.'
+ return 0
+ elif _parse_false "${DHPARAM_GENERATION:=true}"; then
+ echo 'Warning: The DHPARAM_GENERATION environment variable is deprecated, please consider using DHPARAM_SKIP set to true instead.' >&2
 echo 'Skipping Diffie-Hellman parameters setup.'
 return 0
 elif [[ ! ${DHPARAM_BITS} =~ ^(2048|3072|4096)$ ]]; then
@@ -55,6 +85,8 @@ function _setup_dhparam() {
 exit 1
 fi
+ echo 'Setting up DH Parameters..'
+
 # Use an existing pre-generated DH group from RFC7919 (https://datatracker.ietf.org/doc/html/rfc7919#appendix-A):
 local RFC7919_DHPARAM_FILE="/app/dhparam/ffdhe${FFDHE_GROUP}.pem"
diff --git a/test/test_ssl/test_dhparam.py b/test/test_ssl/test_dhparam.py
index 1169775..6de92b2 100644
--- a/test/test_ssl/test_dhparam.py
+++ b/test/test_ssl/test_dhparam.py
@@ -189,6 +189,16 @@ def test_can_skip_dhparam(docker_compose):
 cannot_negotiate_dhe_ciphersuite(sut_container)
+def test_can_skip_dhparam_backward_compatibility(docker_compose):
+ container_name="dh-skip-backward"
+ sut_container = docker_client.containers.get(container_name)
+ assert sut_container.status == "running"
+
+ assert_log_contains("Warning: The DHPARAM_GENERATION environment variable is deprecated, please consider using DHPARAM_SKIP set to true instead.", container_name)
+ assert_log_contains("Skipping Diffie-Hellman parameters setup.", container_name)
+
+ cannot_negotiate_dhe_ciphersuite(sut_container)
+
 def test_web5_https_works(docker_compose, nginxproxy):
 r = nginxproxy.get("https://web5.nginx-proxy.tld/port", allow_redirects=False)
diff --git a/test/test_ssl/test_dhparam.yml b/test/test_ssl/test_dhparam.yml
index 6673f18..791a9d7 100644
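Review bot: A `DHPARAM_SKIP` value that is neither true-ish nor false-ish (for example `yes`, or `true` followed by whitespace, since the expansion is quoted) is not caught by the new `elif _parse_true "${DHPARAM_SKIP:=false}"` branch and silently falls through to parameter generation, and the same holds for an unrecognised `DHPARAM_GENERATION`. The `DHPARAM_BITS` branch that follows already exits 1 on a bad value, so an unrecognised boolean deserves the same treatment rather than a silent default: after the `_parse_true` branch add `elif ! _parse_false "${DHPARAM_SKIP}"; then` / `echo "Error: DHPARAM_SKIP must be true or false, got '${DHPARAM_SKIP}'." >&2` / `exit 1`, and mirror it with `_parse_true` for `DHPARAM_GENERATION` after its branch. Note also that an explicit `DHPARAM_SKIP=false` does not override `DHPARAM_GENERATION=false` — the deprecated variable still wins — which is worth stating in the deprecation warning or the README if that precedence is intended. `_setup_dhparam` begins and ends outside this hunk.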
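Review bot: `container_name="dh-skip-backward"` in the new test omits the spaces around `=` that PEP 8 expects and that the next line (`sut_container = ...`) uses; write it as `container_name = "dh-skip-backward"`. If the collapsed blank lines are read right, the new function is also preceded by a single blank line while two follow it before `test_web5_https_works`, so adding one more blank line above `def test_can_skip_dhparam_backward_compatibility` would keep the module's spacing uniform.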
--- a/test/test_ssl/test_dhparam.yml
+++ b/test/test_ssl/test_dhparam.yml
@@ -41,6 +41,13 @@ with_custom_file:
 with_skip:
 container_name: dh-skip
 environment:
- - DHPARAM_SKIP=1
+ - DHPARAM_SKIP=true
+ image: *img-nginxproxy
+ volumes: *vols-common
+
+with_skip_backward:
+ container_name: dh-skip-backward
+ environment:
+ - DHPARAM_GENERATION=false
 image: *img-nginxproxy
 volumes: *vols-common
\ No newline at end of file