feature(entrypoint): generate missing dhparam file if needed

Asif Bacchus 2021-07-25 16:00:16 -06:00
parent 8890e662b0
commit 4ded854631
2 changed files with 16 additions and 2 deletions


@ -22,7 +22,9 @@ RUN addgroup --gid ${GID} www-docker \
www-docker www-docker
# add libcap, allow nginx to bind to ports <1024, extract fun error pages & create LetsEncrypt challenge directory outside webroot # add libcap, allow nginx to bind to ports <1024, extract fun error pages & create LetsEncrypt challenge directory outside webroot
RUN apk --no-cache add libcap \ RUN apk --update --no-cache add \
libcap \
openssl \
&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
&& cd /usr/share/nginx \ && cd /usr/share/nginx \
&& rm -rf html/* \ && rm -rf html/* \
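Review bot: The comment above the changed `RUN apk` instruction still describes only libcap, although the instruction now also installs openssl, and a reader of the Dockerfile alone cannot tell why a second package was added; the reason is visible in this commit's entrypoint change, so the comment should carry it, e.g. `# add libcap (let nginx bind to ports <1024) and openssl (dhparam generation in the entrypoint), extract fun error pages & create LetsEncrypt challenge directory outside webroot`. Separately, `--update` next to `--no-cache` is redundant: `--no-cache` already fetches a fresh index without persisting it in the layer, so `RUN apk --no-cache add \` keeps the same result with one flag fewer. The RUN instruction continues past the last line shown in this hunk.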


@ -54,8 +54,20 @@ fi
if [ -f "/certs/fullchain.pem" ]; then if [ -f "/certs/fullchain.pem" ]; then
# activate SSL configuration as appropriate and only if certs exist # activate SSL configuration as appropriate and only if certs exist
if [ "$TLS13_ONLY" = 'FALSE' ]; then if [ "$TLS13_ONLY" = 'FALSE' ]; then
if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ] && [ -f "/certs/dhparam.pem" ]; then if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ]; then
printf "Certificates found. Securing deployment using TLS 1.2\n" printf "Certificates found. Securing deployment using TLS 1.2\n"
# check for dhparam file and generate, if necessary
if ! [ -f "/certs/dhparam.pem" ]; then
printf "Diffie-Hellman Parameters not found... generating (using Digital Signature Algorithm instead of Diffie-Hellman)...\n"
if ! openssl dhparam -dsaparam -out /certs/dhparam.pem 4096; then
printf "\n\nUnable to generate 'dhparam.pem'. Is your '/certs' directory writable by this container?\n"
printf "TLS version 1.2 requires DHParams (or DSAParams) in order to function securely. Exiting.\n\n"
exit 101
fi
printf "\nDSA-Params generated successfully\n"
fi
# activate shared SSL configuration file # activate shared SSL configuration file
if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled" ]; then if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled" ]; then
mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \ mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \