dhparam directory required by nginx #264

Closed
slyrus opened this issue Oct 5, 2017 · 14 comments
Comments

@slyrus

slyrus commented Oct 5, 2017

My previous workflow had me creating certs/dhparam.pem. Apparently new (?) nginx images look for /etc/nginx/dhparam/dhparam.pem instead of /etc/nginx/certs/dhparam.pem.

I've solved this by creating the dhparam directory and adding a volume for it in the nginx container.

If my interpretation is correct, can you update the documentation?

@buchdag
Member

buchdag commented Oct 11, 2017

Can you explain what exactly you had to solve?

I run this container with the latest version of nginx.tmpl that does include a default dhparam file at /etc/nginx/dhparam/dhparam.pem but nginx never complained about this file missing.

@returntrip

@buchdag In my case, if the path is not corrected (in the nginx.tmpl), then the nginx container throws the following error (and the container keeps restarting):

2017/10/20 08:09:34 [emerg] 1#1: BIO_new_file("/etc/nginx/dhparam/dhparam.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/dhparam/dhparam.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
2017/10/20 08:09:35 [emerg] 1#1: BIO_new_file("/etc/nginx/dhparam/dhparam.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/dhparam/dhparam.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

I am no expert, but this is what I think is happening: since this change to nginx.tmpl: nginx-proxy/nginx-proxy@02121df#diff-6c19a779564e1e2f88854a4a2fffbb78, which adds the default dhparam.pem in /etc/nginx/dhparam/, there might be an issue with https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion, in the sense that:
https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/app/entrypoint.sh#L64
https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/app/entrypoint.sh#L67
https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/blob/master/app/letsencrypt_service#L32

should be updated with the correct path to dhparam.pem from /etc/nginx/certs/ to /etc/nginx/dhparam/

Or maybe it should be the other way round:

https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl#L45 should be updated with the dhparam.pem path pointing to /etc/nginx/certs/?

This is true for the docker-gen container + official nginx container + docker-letsencrypt-nginx-proxy-companion + standard nginx.tmpl, and when using self-signed default.crt and default.key.

I have not tried using the nginx-proxy container.

@buchdag
Member

buchdag commented Oct 25, 2017

I really don't get how you end up with this error. I tried again with a fresh three-container setup on a new VM and the latest nginx.tmpl, and I did not manage to trigger it.

In which case is this default dhparam file supposed to be used (by nginx)? If you provide a certificate and a key but no dhparam?

@returntrip

Did you also manually generate default.crt and default.key? More info about the default dhparam.pem are here: https://github.com/jwilder/nginx-proxy#diffie-hellman-groups

@buchdag
Member

buchdag commented Oct 25, 2017

So if I understand correctly, this default dhparam is used if you also have a (self-signed, obviously) default.cert and a default.key in /etc/nginx/certs?

@returntrip

That is my understanding too. But I am no expert. I do not understand why this happens. But I guess a very small number of people are in my situation and would not notice this happening (i.e. generating self-signed default certs to achieve this: nginx-proxy/nginx-proxy#950).

There is either a problem somewhere or it is me doing something wrong...

@buchdag
Member

buchdag commented Oct 25, 2017

Can you give a try to this nginx.tmpl file: https://raw.githubusercontent.com/buchdag/nginx-proxy/dhparam-separate-container/nginx.tmpl

diff from the latest nginx.tmpl:

 # Default dhparam
+{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}
 ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
+{{ end }}
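Review bot: the `exists` guard on the line `+{{ if (exists "/etc/nginx/dhparam/dhparam.pem") }}` fixes the startup failure but turns a missing file into a silent downgrade: when the file is absent the rendered config simply has no `ssl_dhparam` line, and nothing in the generated nginx.conf or in nginx's output says that custom DH parameters are not in use. Consider adding an `{{ else }}` branch that writes a comment into the rendered config (for example `# /etc/nginx/dhparam/dhparam.pem not found, ssl_dhparam omitted`) so the omission is visible to anyone inspecting the container's nginx.conf.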

@buchdag
Member

buchdag commented Oct 25, 2017

BTW:

  1. the standalone nginx-proxy does not have this issue because it is using a pre-generated default dhparam at /etc/nginx/dhparam/dhparam.pem and generating a stronger one at first launch.
  2. this issue is not related to letsencrypt-nginx-proxy-companion because it isn't supposed to handle self-signed certs.

Because of 1), if you use nginx-proxy with letsencrypt-nginx-proxy-companion you end up wasting resources by generating two 2048-bit DH parameters at first launch.

@returntrip

OK, with your modified nginx.tmpl everything also works fine.

I think I understand what you mean, although I am using docker-gen. All I can think of is that the certs volume was previously used by nginx-proxy; maybe I should have started from scratch with fresh volumes.

@buchdag
Member

buchdag commented Oct 25, 2017

I don't think you are doing anything wrong. I mean, when the dhparam stuff was added to nginx-proxy (and more specifically to the nginx.tmpl), the fact that the two-container setup won't get an auto-generated DH parameter file and that the nginx container would fail if you provide a default.crt and default.key was clearly overlooked.

The problem would be exactly the same if you didn't use letsencrypt-nginx-proxy-companion at all.

I'll submit a PR for this change to the nginx.tmpl.

If you still want better security with your self-signed SSL, you can create a DH parameter file with this command:

openssl dhparam -out /path/to/your/dhparam.pem 2048

and then mount it inside your nginx container:

-v /path/to/your/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro
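The failure mode discussed in this thread is that nginx exits with an `[emerg] BIO_new_file` error the moment a rendered config references a file (here `ssl_dhparam`) that is not in the container, and the fix in buchdag's template diff is to emit the directive only when the file exists. The following Python script is an added example (not code from nginx-proxy, docker-gen or the companion container) that performs that check outside nginx: it scans a rendered config for file-referencing TLS directives, verifies each path under a given root (a mounted volume tree or a temp dir), confirms a `dhparam.pem` actually holds a PEM `DH PARAMETERS` block, mirrors the template guard in `render_dhparam_directive`, and parses the `[emerg]` log line quoted above so the missing path can be pulled out of container logs. The sample config, sample log line and the placeholder PEM files are constructed for the demo; the file paths are the ones from this issue.

```python
import os
import re
import tempfile

# nginx directives whose argument is a file on disk. If any of these points at
# a path that does not exist, nginx refuses to start with an [emerg]
# BIO_new_file error (the crash loop reported in this issue).
FILE_DIRECTIVES = ("ssl_dhparam", "ssl_certificate",
                   "ssl_certificate_key", "ssl_trusted_certificate")
DIRECTIVE_RE = re.compile(
    r"^\s*(" + "|".join(FILE_DIRECTIVES) + r")\s+([^;]+);", re.MULTILINE)

PEM_DH_HEADER = "-----BEGIN DH PARAMETERS-----"

# Shape of the nginx error-log line produced when a referenced file is missing.
EMERG_RE = re.compile(r'\[emerg\] .*?BIO_new_file\("([^"]+)"\) failed')


def referenced_files(config_text):
    """Return (directive, path) pairs for every file-referencing TLS directive."""
    return [(m.group(1), m.group(2).strip())
            for m in DIRECTIVE_RE.finditer(config_text)]


def preflight(config_text, root="/"):
    """Check that every file the rendered config refers to exists under `root`.

    `root` lets the check run against a mounted volume tree (or a temp dir)
    instead of the real filesystem. Returns a list of human-readable problems;
    an empty list means nginx would find all of its files.
    """
    problems = []
    for directive, path in referenced_files(config_text):
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            problems.append(f"{directive} {path}: missing "
                            f"(nginx would fail with [emerg] BIO_new_file)")
        elif directive == "ssl_dhparam":
            # A present but wrong file (e.g. a certificate copied to the
            # dhparam path) also makes nginx fail, so check the PEM label.
            with open(full, encoding="ascii", errors="replace") as fh:
                if PEM_DH_HEADER not in fh.read():
                    problems.append(f"{directive} {path}: "
                                    f"not a PEM DH PARAMETERS file")
    return problems


def render_dhparam_directive(path, root="/"):
    """Mirror the template guard from the thread in Python: emit ssl_dhparam
    only when the file exists, otherwise leave a comment so the omission is
    visible in the rendered config."""
    if os.path.isfile(os.path.join(root, path.lstrip("/"))):
        return f"ssl_dhparam {path};"
    return f"# {path} not found, ssl_dhparam omitted"


def missing_file_from_log(log_line):
    """Extract the path nginx could not open from an [emerg] BIO_new_file line."""
    m = EMERG_RE.search(log_line)
    return m.group(1) if m else None


# Constructed sample: a minimal rendered config in the shape nginx.tmpl produces.
SAMPLE_CONFIG = """server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    # Default dhparam
    ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
}
"""

# Constructed sample log line, same shape as the one reported in the issue.
SAMPLE_LOG = ('2017/10/20 08:09:34 [emerg] 1#1: '
              'BIO_new_file("/etc/nginx/dhparam/dhparam.pem") failed '
              '(SSL: error:02001002:system library:fopen:No such file or directory)')


def demo():
    """Build a throwaway volume tree with certs but no dhparam, run the check,
    then add a (constructed, placeholder) dhparam file and run it again."""
    root = tempfile.mkdtemp(prefix="nginx-preflight-")
    os.makedirs(os.path.join(root, "etc/nginx/certs"))
    os.makedirs(os.path.join(root, "etc/nginx/dhparam"))
    for name in ("default.crt", "default.key"):
        with open(os.path.join(root, "etc/nginx/certs", name), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n")
    before = preflight(SAMPLE_CONFIG, root)
    # Stand-in for the file `openssl dhparam -out dhparam.pem 2048` produces.
    with open(os.path.join(root, "etc/nginx/dhparam/dhparam.pem"), "w") as fh:
        fh.write(PEM_DH_HEADER + "\n(constructed placeholder)\n"
                 "-----END DH PARAMETERS-----\n")
    after = preflight(SAMPLE_CONFIG, root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before mounting dhparam:", before)
    print("after mounting dhparam:", after)
    print("log line points at:", missing_file_from_log(SAMPLE_LOG))
```

Run it against a real setup by rendering `nginx.tmpl` with docker-gen to a file and calling `preflight(open(path).read(), root="/path/to/mounted/volumes")` before starting the nginx container; a non-empty result is the same condition that would otherwise surface as the restart loop.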

@returntrip

I can now rest in peace :)

@returntrip

Should I close this or you want to reference it in your PR?

@returntrip

returntrip commented Oct 27, 2017

@buchdag Thanks for the help closing this issue.

@buchdag
Member

buchdag commented Oct 27, 2017

@slyrus nginx-proxy/nginx-proxy#955 took care of this issue, could you close please?

@buchdag buchdag closed this as completed Nov 19, 2017