added a way to skip dhparam generation -- NO_DHPARAM envvar

1019b235 · Michał 'rysiek' Woźniak · 01953d0e · 1019b235 · 1019b235
Commit 1019b235 authored Jul 11, 2017 by Michał 'rysiek' Woźniak
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

README.md README.md +3 -0

run.sh run.sh +4 -1

No files found.
--- a/README.md
+++ b/README.md
@@ -18,6 +18,9 @@ The `NGINX_VERSION` build argument controls the `nginx` package version that is

 - `NGINX_BOOT` (default: unset)  
    if set to string `"false"`, the entrypoint script will exit immediately before running `nginx`, in effect making it possible to use the image to generate `dhparam` file and quit (curtesy [@cguess](https://twitter.com/cguess)).
+    
+ - `NO_DHPARAM` (default: unset)  
+    if set to string `"true"`, `dhparam` generation will be skipped entirely; this is *not* a good idea, and should be used only for internal/utility nginx instances that run behind another webserver with TLS support.

 ### Examples


--- a/run.sh
+++ b/run.sh
@@ -56,7 +56,10 @@ function watch_logfiles {
 }

 # create the dhparams
-if [ ! -e "$DHPARAM_FILE" ]; then
+if [ "$NO_DHPARAM" -eq "true" ]; then
+  echo "+-- dhparam generation explicitly disabled"
+  echo "    THIS IS INSECURE"
+elif [ ! -e "$DHPARAM_FILE" ]; then
  echo "+-- generating dhparam in $DHPARAM_FILE"
  mkdir -p "$( dirname "$DHPARAM_FILE" )"
  openssl dhparam -out "$DHPARAM_FILE" 4096