
https://www.ssllabs.com/ssltest/analyze.html - B rating per default #535

Closed
waffel opened this issue Aug 14, 2016 · 6 comments

Comments

@waffel

waffel commented Aug 14, 2016

It would be nice if the default nginx.conf can contain the line

ssl_dhparam /etc/nginx/certs/dhparam.pem;

inside the http { tag

You can create the default dhparam file with

openssl dhparam -out dhparam.pem 2048

The problem is that the default length is 1024, which gives the B rating. With a 2048-bit pem file, an A+ rating can be obtained.

No need to do this for every proxied container
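An added offline check (example code, not from nginx-proxy or anyone in this thread) for the 1024-vs-2048 question above: it parses the PEM/DER structure that `openssl dhparam` writes (SEQUENCE of prime and generator) and returns the prime's bit length, so a build or startup step can refuse a too-small `ssl_dhparam` file. `make_test_pem` is a constructed stand-in whose prime is not a real safe prime; it exists only so the parser can be exercised without generating real parameters.

```python
"""Report the DH group size of an nginx ssl_dhparam file without calling openssl."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one DER tag-length-value at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dhparam_bits(pem: str) -> int:
    """Bit length of the prime in a PEM 'DH PARAMETERS' block (PKCS#3 layout)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, prime, _ = _read_tlv(body, 0)  # first element is the prime p
    if tag != 0x02:
        raise ValueError("expected INTEGER prime")
    return int.from_bytes(prime, "big").bit_length()


def dhparam_is_acceptable(pem: str, minimum: int = 2048) -> bool:
    """True when the group is at least `minimum` bits (2048 is what the issue asks for)."""
    return dhparam_bits(pem) >= minimum


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(v: int) -> bytes:
    raw = v.to_bytes(v.bit_length() // 8 + 1, "big")  # spare byte keeps the sign bit clear
    return b"\x02" + _der_len(len(raw)) + raw


def make_test_pem(bits: int) -> str:
    """Constructed test input only: p is a stand-in of the requested size, NOT a safe prime."""
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"
```

On a real file, `dhparam_bits(open("/etc/nginx/certs/dhparam.pem").read())` should return 2048 for a file produced by the `openssl dhparam -out dhparam.pem 2048` command above.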

@kamermans
Contributor

This sounds like a good idea, and I started to implement a pull request for it, but then it occurred to me that if we generate dhparam.pem in the Dockerfile, it will be the same for everyone on that version, which is not great for security, but if we generate it on startup, the container will take minutes to start, which is a show stopper. I am not an expert on SSL, but I assume that my first observation is already true for nginx-proxy today - that openssl has already generated some random-ish data which is used by nginx, but it's actually the same for everyone using that version since it was computed at the time of the Docker build.

The question I have is, "is it any less secure to generate a dhparam.pem in the Dockerfile at build time, than what we have without a dhparam.pem?"

kamermans added a commit to kamermans/nginx-proxy that referenced this issue Sep 29, 2016
@kamermans
Contributor

I've added a branch feature_ssl_improvement on my fork off master that contains these updates. Note that I put the default cert in /etc/nginx/dhparam.pem so it doesn't get removed if a user volume-mounts /etc/nginx/certs. If this was not the case, it would only be possible to volume mount that dir if you also included your own dhparam.pem. If this makes sense and solves your problem I can start a PR.

@waffel
Author

waffel commented Oct 11, 2016

hmm .. I'm also not that SSL expert. But the idea to have a "default" pre-generated file and then use your own from /etc/nginx/certs sounds like a bullet-proof concept.

There should be a place where this is documented for the end-user (like, please replace the default generated dhparam.pem file with your own. You can use this command: ....).

I only stumbled over this problem after checking my new https site based on this nice solution. And I found it easy to get an A+ rating with this simple "replacement". But I'm with you that a generation or startup of minutes because of generating such a file is not a good solution.

kamermans added a commit to kamermans/nginx-proxy that referenced this issue Jan 12, 2017
@rakshazi

rakshazi commented Nov 7, 2017

Some additional problems:

Session resumption (caching) | No (IDs assigned but not accepted)
Strict Transport Security (HSTS) | No

And on handshake simulation:

IE 8 / XP   No FS 1	  No SNI 2 | Server sent fatal alert: handshake_failure

Got A grade on default configuration + configured DNS CAA

@kamermans
Contributor

Weird, I don't know why HSTS would have failed, and I believe session caching is enabled by default.

@tkw1536
Collaborator

tkw1536 commented Apr 28, 2022

When using SSL Support and acme-companion the rating for ssllabs.com is now A+. Closing.

@tkw1536 tkw1536 closed this as completed Apr 28, 2022

4 participants