I'm in the progress of switching to 100% https.
Server is running nginx+libressl.
Before going https:100% I'm interested in seeing which clients would no longer be able to connect to my site.
E.g. As I do not support SSL3.
I checked nginx error and access log, but none contains valuable information if I try to connect with SSL3.
What I expect to see: E.g.:
Client [IP]: Connection failed due to protocol/cipher mismatch.
I would then be able to grep the access/error logs for that and see how many clients can no longer access my site.
Is this possible?
Current nginx.conf
:
user www-data www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 100000;
error_log /var/log/nginx/error.log;
events {
worker_connections 2048;
use epoll;
multi_accept on;
}
http {
server_tokens off;
autoindex off;
charset UTF-8;
include mime.types;
default_type application/octet-stream;
log_format main '$host - $remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
keepalive_timeout 10;
reset_timedout_connection on;
client_body_timeout 10;
send_timeout 10;
client_max_body_size 512k;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server {
listen 80;
server_name domain.com www.domain.com;
return 301 https://www.domain.com$request_uri;
}
server {
listen 443 ssl spdy;
server_name domain.com;
include conf.d/ssl.conf;
return 301 https://www.domain.com$request_uri;
}
server {
listen 443 ssl spdy;
server_name www.domain.com;
root /var/www/vhosts/domain.com/public_html;
include conf.d/ssl.conf;
default_type text/html;
location / {
return 200 'Hello World!';
}
}
}
conf.d/ssl.conf
:
ssl on;
ssl_dhparam ssl/dhparam4096.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_buffer_size 1400;
spdy_headers_comp 6;
add_header Alternate-Protocol 443:npn-spdy/3;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
ssl_certificate ssl/public.crt;
ssl_certificate_key ssl/private.key;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ssl/ca-certs.pem;
resolver 8.8.8.8 valid=300s;
resolver_timeout 10s;
Best Answer
I am not sure if you would be able to setup Nginx to log detailed errors when say SSLv3 connection is made. But you can definitely configure it to log all SSL or TLS connections and then you can parse the SSLv3 type connections. In order to do that you will need to add the
'$ssl_protocol '
option to thelog_format
line in your nginx configuration file.In my case for instance, i have the following lines in
/etc/nginx/nginx.conf
-If i make an SSLv3 connection using curl -
I see the following lines in
/var/log/nginx/access.log
-If you disable SSLv3 on the Nginx server, you will get an error on the client side -
And on the server side, the log file will contain the protocol version and an HTTP code of
400
, you can use that information to identify the clients which are using SSLv3.