Commit 1019b235 authored by Michał 'rysiek' Woźniak

added a way to skip dhparam generation -- NO_DHPARAM envvar

parent 01953d0e
......@@ -18,6 +18,9 @@ The `NGINX_VERSION` build argument controls the `nginx` package version that is
- `NGINX_BOOT` (default: unset)
if set to string `"false"`, the entrypoint script will exit immediately before running `nginx`, in effect making it possible to use the image to generate `dhparam` file and quit (curtesy [@cguess](https://twitter.com/cguess)).
- `NO_DHPARAM` (default: unset)
if set to string `"true"`, `dhparam` generation will be skipped entirely; this is *not* a good idea, and should be used only for internal/utility nginx instances that run behind another webserver with TLS support.
### Examples
......
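Review bot: the new `NO_DHPARAM` entry does not say that only the exact string `"true"` enables the skip, nor what happens to a dhparam file that already exists. As the entrypoint hunk is written, the `NO_DHPARAM` test comes before the file-existence check, so the file is neither checked nor generated in that mode, and any other value (for example `1` or `yes`) leaves generation on. Suggest one sentence for each, and a short statement of what is lost when the file is skipped, so that "not a good idea" and the entrypoint's "THIS IS INSECURE" message are explained where the option is documented.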
......@@ -56,7 +56,10 @@ function watch_logfiles {
}
# create the dhparams
if [ ! -e "$DHPARAM_FILE" ]; then
if [ "$NO_DHPARAM" -eq "true" ]; then
echo "+-- dhparam generation explicitly disabled"
echo " THIS IS INSECURE"
elif [ ! -e "$DHPARAM_FILE" ]; then
echo "+-- generating dhparam in $DHPARAM_FILE"
mkdir -p "$( dirname "$DHPARAM_FILE" )"
openssl dhparam -out "$DHPARAM_FILE" 4096
......
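Review bot: in the new condition `if [ "$NO_DHPARAM" -eq "true" ]; then`, `-eq` is the integer comparison operator of `[`, so testing against the string `true` fails with an "integer expression expected" error and a non-zero status. The skip branch is therefore never taken: the script falls through to the `elif` and generates the dhparam anyway when the file is missing. Since the variable is unset by default, the same error is also printed on every start. Use a string comparison instead: `if [ "$NO_DHPARAM" = "true" ]; then`. As a smaller point, the two warning lines could go to stderr so they stand out from normal startup output.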