diff --git a/nginx/nginx.conf.default b/nginx/nginx.conf.default
index 0d57ca5..b7ed517 100644
--- a/nginx/nginx.conf.default
+++ b/nginx/nginx.conf.default
@@ -35,6 +35,7 @@ http {
       ssl_session_cache shared:SSL:50m;
       ssl_certificate /certs/cert.pem;
       ssl_certificate_key /certs/key.pem;
+      ssl_dhparam /etc/nginx/dhparam.pem;
 
       add_header Strict-Transport-Security max-age=15768000;
 
diff --git a/nginx/nginx.conf.fallback b/nginx/nginx.conf.fallback
index bf5cd86..9a63a3c 100644
--- a/nginx/nginx.conf.fallback
+++ b/nginx/nginx.conf.fallback
@@ -30,6 +30,7 @@ http {
       ssl_session_cache shared:SSL:50m;
       ssl_certificate /tmp/snakeoil.pem;
       ssl_certificate_key /tmp/snakeoil.pem;
+      ssl_dhparam /etc/nginx/dhparam.pem;
 
       add_header Strict-Transport-Security max-age=15768000;
 
diff --git a/nginx/start.sh b/nginx/start.sh
index 2cb65f1..216e62f 100755
--- a/nginx/start.sh
+++ b/nginx/start.sh
@@ -9,4 +9,8 @@ L=None/O=None/CN=$DOMAIN"
   cp /etc/nginx/nginx.conf.fallback /etc/nginx/nginx.conf
 fi
 
+if [ ! -r /etc/nginx/dhparam.pem ]; then
+  openssl dhparam -out /etc/nginx/dhparam.pem $NGINX_SSL_DHPARAM_BITS
+fi
+
 nginx -g 'daemon off;'