From 7e469459c7a257a3414f5675074f08e648ffcc5f Mon Sep 17 00:00:00 2001
From: Andreas Faerber
Date: Sat, 25 Feb 2017 09:53:53 +0100
Subject: [PATCH 1/2] Create and use ssl dhparam file if not mounted, NGINX_SSL_DHPARAM_BITS variable in .env.dist file
---
 nginx/nginx.conf.default | 1 +
 nginx/nginx.conf.fallback | 1 +
 nginx/start.sh | 4 ++++
 3 files changed, 6 insertions(+)
diff --git a/nginx/nginx.conf.default b/nginx/nginx.conf.default
index 0d57ca50..b7ed5179 100644
--- a/nginx/nginx.conf.default
+++ b/nginx/nginx.conf.default
@@ -35,6 +35,7 @@ http {
 ssl_session_cache shared:SSL:50m;
 ssl_certificate /certs/cert.pem;
 ssl_certificate_key /certs/key.pem;
+ ssl_dhparam /etc/nginx/dhparam.pem;
 add_header Strict-Transport-Security max-age=15768000;
diff --git a/nginx/nginx.conf.fallback b/nginx/nginx.conf.fallback
index bf5cd869..9a63a3c9 100644
--- a/nginx/nginx.conf.fallback
+++ b/nginx/nginx.conf.fallback
@@ -30,6 +30,7 @@ http {
 ssl_session_cache shared:SSL:50m;
 ssl_certificate /tmp/snakeoil.pem;
 ssl_certificate_key /tmp/snakeoil.pem;
+ ssl_dhparam /etc/nginx/dhparam.pem;
 add_header Strict-Transport-Security max-age=15768000;
diff --git a/nginx/start.sh b/nginx/start.sh
index 2cb65f1a..216e62f5 100755
--- a/nginx/start.sh
+++ b/nginx/start.sh
@@ -9,4 +9,8 @@ L=None/O=None/CN=$DOMAIN"
 cp /etc/nginx/nginx.conf.fallback /etc/nginx/nginx.conf
 fi
+if [ ! -r /etc/nginx/dhparam.pem ]; then
+ openssl dhparam -out /etc/nginx/dhparam.pem $NGINX_SSL_DHPARAM_BITS
+fi
+
 nginx -g 'daemon off;'
From 49904c094520ccab6905e7b7cc6e86822b8a0c9b Mon Sep 17 00:00:00 2001
From: Andreas Faerber
Date: Sat, 25 Feb 2017 09:55:00 +0100
Subject: [PATCH 2/2] Create and use ssl dhparam file if not existing (mounted), NGINX_SSL_DHPARAM_BITS variable in .env.dist file
---
 .env.dist | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.env.dist b/.env.dist
index c29bbbac..1bea9f78 100644
--- a/.env.dist
+++ b/.env.dist
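Review bot: The `openssl dhparam` call added to nginx/start.sh runs unchecked, so a failed or interrupted generation can leave a truncated /etc/nginx/dhparam.pem that the `[ ! -r /etc/nginx/dhparam.pem ]` guard then accepts on every later start, at which point nginx rejects the `ssl_dhparam` directive added in nginx.conf.default and nginx.conf.fallback and the container never recovers on its own. `$NGINX_SSL_DHPARAM_BITS` is also unquoted and has no default, so when the variable is unset the size falls back to whatever the installed OpenSSL uses, which on older releases is well below 2048 bits, and a value containing whitespace would be split into extra openssl arguments. Generating into a temp file, checking the exit status and moving the result into place atomically, with a quoted `"${NGINX_SSL_DHPARAM_BITS:-2048}"` argument, closes both gaps. Generation at this size can take a noticeable time on first start, so mounting a pre-generated file, as the subject line intends, remains the better option for production.
```shell
if [ ! -r /etc/nginx/dhparam.pem ]; then
  # Generate into a temp file and move it into place atomically, so a failed
  # or interrupted run never leaves a partial dhparam.pem that passes the -r
  # check above on the next start.
  tmp=$(mktemp /etc/nginx/dhparam.pem.XXXXXX) || exit 1
  openssl dhparam -out "$tmp" "${NGINX_SSL_DHPARAM_BITS:-2048}" || { rm -f -- "$tmp"; exit 1; }
  mv -- "$tmp" /etc/nginx/dhparam.pem
fi
# … unchanged: nginx -g 'daemon off;' …
```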
@@ -69,6 +69,13 @@ RELAYHOST=
 # Fetchmail delay
 FETCHMAIL_DELAY=600
+###################################
+# Nginx settings
+###################################
+
+# SSL DHPARAM Bits
+NGINX_SSL_DHPARAM_BITS=2048
+
 ###################################
 # Developers
 ###################################
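Review bot: The comment `# SSL DHPARAM Bits` above NGINX_SSL_DHPARAM_BITS in .env.dist does not tell the reader when the value is used or what it costs. The first patch's nginx/start.sh reads it only when no /etc/nginx/dhparam.pem is present, and DH parameter generation gets much slower as the bit count grows, so I would replace the comment with `# Size in bits of the DH parameters that nginx/start.sh generates on first start when no /etc/nginx/dhparam.pem is mounted; generation gets much slower as this grows, and 2048 is the sensible minimum`. Nothing downstream validates the value, so the comment is also the only hint that it must be a plain integer.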