My goal is to ensure proper security for clients connecting to my nginx. I'm following Mozilla's guide to configure TLS properly on my nginx installation, but I don't have an overview of the actual protocols/ciphersuites being used in practice.
What I have now:
server {
listen 443;
ssl on;
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_dhparam /path/to/dhparam.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'the_long_ciphersuite_listed_there';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
}
With this, I'd like to log which SSL protocol was used for a connection and what ciphersuite was chosen after the client/server negotiated. E.g.:
10.1.2.3 - - [13/Aug/2014:12:34:56 +0200] "GET / HTTP/1.1" 200 1234 "-" "User agent bla"
to
10.1.2.3 - - [13/Aug/2014:12:34:56 +0200] ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "GET / HTTP/1.1" 200 1234 "-" "User agent bla"
This way I can quickly identify clients which are using outdated browsers or automated machines which do not support PFS or other relevant security enabling technologies.
How do I configure nginx to log this information?
Add
$ssl_cipherto yourlog_formatconfiguration.Refer to http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables for all SSL-related variables.
Example
Define a custom
log_formatin thehttpcontext (e.g./etc/nginx/nginx.conf):The above is based on the default
combinedformat with an additional'$ssl_protocol/$ssl_cipher 'line.Then add in a
servercontext (with SSL enabled) theaccess_logdirective with the custom log format:After restarting nginx, logs appear like: