Use background DH group creation

[buchdag]

This PR mirrors what is being done by jwilder/nginx-proxy : create the DH group in the background with a low priority job and use a temporary pre-generated 2048 bits DH group while it's being done. This way the container can start working immediately while still being secure.

Credits goes to @kamermans for the original code contibution to jwilder/nginx-proxy.

[buchdag]

Might fix #396

[NicolasDorier]

why md5sum and not sha256sum ?

[buchdag]

Because we're just doing a quick internal file comparison and an md5 hash is more than enough for that purpose.

Worst case and extremely improbable scenario is you generate a dh params file whose md5 collide with the pre generated dh params and a new one is generated again at container restart.

[NicolasDorier]

sha256sum is 2 letters longer and actually safe.

Also unrelated, if I understand using this new PR means that for 1 deployment there will be 2 certificate requests right? It need to be documented so people don't go over the limits for their domain unexpectedly.

[buchdag]

No, this is completely unrelated to certificate requests.

What this PR does is outlined in the first message:

• check if a custom (ie different from the bundled one) DH parameters file is present.
• if not, use the pre generated DH parameters file bundled with the image and start generating a new one in the background, with a low priority process.
• when the new DH parameters file is generated, reload nginx so it start using it.

The goal here was to remove the initial wait and service unavailability due to foreground DH parameters file generation (which could be quite long on some low end hardware) whilst still using a strong 2048 bits DH parameters on first start.

[NicolasDorier]

Awesome, I thought the DH parameter was used for the private key generation of the certificate, but it is used only in the diffie hellman.