add dhparams to nginx

2021-04-12 10:36:07 +02:00 · 2021-04-12 10:36:07 +02:00 · c01879ab68
commit c01879ab68
parent e782cde4c7
4 changed files with 16 additions and 3 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -21,6 +21,7 @@ services:
      - ${NGINX_MATTERMOST_CONFIG}:/etc/nginx/conf.d/mattermost.conf:ro
      - ${LETSENCRYPT_FULLCHAIN_PATH}:/fullchain.pem:ro
      - ${LETSENCRYPT_PRIVKEY_PATH}:/privkey.pem:ro
+      - ${NGINX_DHPARAMS_FILE}:/dhparams4096.pem
      - /etc/localtime:/etc/localtime:ro
    ports:
      - ${HTTPS_PORT}:443
--- a/env.example
+++ b/env.example
@ -17,6 +17,7 @@ POSTGRES_DATA_PATH=./data/postgres  # relative paths will work but absolute are
 NGINX_MATTERMOST_CONFIG=./nginx/mattermost.conf
 LETSENCRYPT_FULLCHAIN_PATH=./certs/fullchain.pem
 LETSENCRYPT_PRIVKEY_PATH=./certs/privkey.pem
+NGINX_DHPARAMS_FILE=./nginx/dhparams4096.pem
 ## Exposed ports to the host. Inside the container 80 and 443 will be used
 HTTPS_PORT=443
 HTTP_PORT=80
--- a/nginx/dhparams4096.pem
+++ b/nginx/dhparams4096.pem
@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAj9mn32DwQTAzqQqtvRwzeh2Yxg0UHFmoejLds9qYxnrxS9SWl8OJ
+rpx9xo1hb077DnfQ9RE9Dr/p5T4B7y7RhSfNBYqLt6nxTkHgUjvQBQI4K6Rfz6iQ
+G2miTrAatwQ2PSZcMPNme4FVh5USe2ppjYl+EqLUex0hNyxcV9U8PdG/TFcaje6g
+dgc3SQU6zSk+YK9aKfEFwO4YbfJbrun+t1UIoMtWAAicrF3vygzCRx02/uzGUvlf
+pvtsjYwcXFizU5rd+JQ/jomEO5lUUp4FuvlzcT6orPeJe5afKrxG092yHp+qgdCg
+QrmrWy9RZFzRxoHPzW1zreinUvqP8qemCBX4J+qgxtqGM+c6aTDsfq5G/YWmVeYT
+ue2pFhX+lWBDsPELvzUbuceehmCWjdoII0iDoUHqRqMiZVMjVLiVtd1YhNa41tWZ
+kO+EhZkg8rPC/7oqehEx2GOXfjZzA/8+t1YCbhAsL4/wpbuynVgZ3TNR+nVfKs5d
+2Bht+dWfSNpuYyK6oDerycnDRF/cmEGHg0E419H9UPAHktS9ZYGhq7nIgrBiuE1P
+PO01p/rXYKGaDqFAK3F86aGxj0+2Am5TfSMiSNobDMp61IRt0P/T0vp2ZE5wpzS+
+39QGrQpJ8phAr8PE7Q9bo4Z+qabBn+aJkAsFH+M4IkX0JYEjk3wpMssCAQI=
+-----END DH PARAMETERS-----
--- a/nginx/mattermost.conf
+++ b/nginx/mattermost.conf
@ -27,9 +27,7 @@ server {
    listen [::]:443 ssl http2;

    ## ssl
-    # to generate the DH params execute: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
-    # with 4096 bits this can take a while; 2048 would be sufficient as well
-    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+    ssl_dhparam /dhparams4096.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;