Merge pull request #3 from macbre/ssl-grade-a

macbre · web-flow · commit 15c21848cb74 · 2020-04-01T19:51:18.000+02:00
SSL grade A+ handling
diff --git a/Dockerfile b/Dockerfile
@@ -121,6 +121,10 @@ RUN GPG_KEYS=B0F4253373F8F6F510D42178520A9993A1C052F8 \
 	&& rm -rf /usr/src/nginx-$NGINX_VERSION \
 	&& rm -rf /usr/src/ngx_brotli \
 	\
+	# https://tools.ietf.org/html/rfc7919
+	# https://github.com/mozilla/ssl-config-generator/blob/master/docs/ffdhe2048.txt
+	&& curl -fSL https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/ssl/dhparam.pem \
+	\
 	# Bring in gettext so we can get `envsubst`, then throw
 	# the rest away. To do this, we need to install `gettext`
 	# then move `envsubst` out of the way so `gettext` can
diff --git a/readme.md b/readme.md
@@ -9,3 +9,11 @@ docker pull macbre/nginx-brotli:1.17.9
 ```
 
 > [nginx release notes](https://nginx.org/en/CHANGES)
+
+# SSL Grade A+ handling
+
+Please refer to [Mozilla's SSL Configuration Generator](https://ssl-config.mozilla.org/). This image has `https://ssl-config.mozilla.org/ffdhe2048.txt` fetched and stored in `/etc/ssl/dhparam.pem`:
+
+```
+    ssl_dhparam /etc/ssl/dhparam.pem;
+```
