diff --git a/build/Dockerfile b/build/Dockerfile
index 298da09..d6261ab 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -22,7 +22,9 @@ RUN addgroup --gid ${GID} www-docker \
 www-docker
 # add libcap, allow nginx to bind to ports <1024, extract fun error pages & create LetsEncrypt challenge directory outside webroot
-RUN apk --no-cache add libcap \
+RUN apk --update --no-cache add \
+ libcap \
+ openssl \
 && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
 && cd /usr/share/nginx \
 && rm -rf html/* \
diff --git a/build/entrypoint.sh b/build/entrypoint.sh
index ff8827d..98da74f 100755
--- a/build/entrypoint.sh
+++ b/build/entrypoint.sh
@@ -54,8 +54,20 @@ fi
 if [ -f "/certs/fullchain.pem" ]; then
 # activate SSL configuration as appropriate and only if certs exist
 if [ "$TLS13_ONLY" = 'FALSE' ]; then
- if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ] && [ -f "/certs/dhparam.pem" ]; then
+ if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ]; then
 printf "Certificates found. Securing deployment using TLS 1.2\n"
+
+ # check for dhparam file and generate, if necessary
+ if ! [ -f "/certs/dhparam.pem" ]; then
+ printf "Diffie-Hellman Parameters not found... generating (using Digital Signature Algorithm instead of Diffie-Hellman)...\n"
+ if ! openssl dhparam -dsaparam -out /certs/dhparam.pem 4096; then
+ printf "\n\nUnable to generate 'dhparam.pem'. Is your '/certs' directory writable by this container?\n"
+ printf "TLS version 1.2 requires DHParams (or DSAParams) in order to function securely. Exiting.\n\n"
+ exit 101
+ fi
+ printf "\nDSA-Params generated successfully\n"
+ fi
+
 # activate shared SSL configuration file
 if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled" ]; then
 mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \
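Review bot: The context comment above the rewritten RUN still lists only libcap, so the reason openssl is now baked into the image (runtime dhparam generation in entrypoint.sh) is undocumented; I would extend it to `# add libcap + openssl (entrypoint generates dhparam.pem at startup), allow nginx to bind to ports <1024, ...`. Separately, `--update` appears redundant alongside `--no-cache`, which already fetches a fresh index without storing it, so `RUN apk --no-cache add \` should behave the same and reads cleaner. The RUN instruction continues past the end of the hunk.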
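Review bot: The new `if ! [ -f "/certs/dhparam.pem" ]` check treats an empty or truncated file as valid, and because openssl writes straight to the final path, a generation that is interrupted (the 4096-bit run takes noticeable time at container start) or a mount that accepts the open but not the full write can leave exactly such a file, which then passes the check on the next start and only fails later when nginx loads it. I would test for a non-empty file and write through a temporary name: `if ! [ -s "/certs/dhparam.pem" ]; then` and `if ! openssl dhparam -dsaparam -out /certs/dhparam.pem.tmp 4096 || ! mv /certs/dhparam.pem.tmp /certs/dhparam.pem; then`. The two failure-path printf calls before `exit 101` are diagnostics and belong on stderr (`>&2`), otherwise they are lost when stdout is redirected. The progress message is also slightly misleading: `-dsaparam` still produces DH parameters, just via the faster DSA-style (non-safe-prime) generation, which is fine only for ephemeral DHE with a fresh key per handshake; a comment such as `# -dsaparam: faster non-safe-prime DH params, acceptable for DHE (fresh key per handshake) only` would record that constraint. The enclosing if-blocks close outside the hunk.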