Регистрация информации о шифровании и протоколе SSL в Nginx

Thank you for reading this post, don't forget to subscribe!

Определим собственный формат логов Nginx для хранения информации о шифровании и протоколе SSL.

Создайте каталог для хранения сертификата ssl.

$ sudo mkdir /etc/nginx/ssl

1	$ sudo mkdir /etc/nginx/ssl

Сгенерируем сертификат ssl для IP-адреса.

$ sudo openssl req -subj "/commonName=$(ip address show dev eth0 scope global | awk '/inet / {split($2,var,"/"); print var[1]}')/" -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

1	$ sudo openssl req -subj "/commonName=$(ip address show dev eth0 scope global \| awk '/inet / {split($2,var,"/"); print var[1]}')/" -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Определим собственный формат логов, который расширяет стандартный формат с добавлением информации о протоколе SSL и списка шифров, поддерживаемых клиентом.

[codesyntax lang="php"]

$ cat &lt;&lt;"EOF" | sudo tee /etc/nginx/conf.d/log_format_combined_ssl.conf
log_format combined_ssl '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        '$ssl_protocol/$ssl_cipher $ssl_ciphers';
EOF

$ cat <<"EOF" | sudo tee /etc/nginx/conf.d/log_format_combined_ssl.conf

log_format combined_ssl '$remote_addr - $remote_user [$time_local] '

'"$request" $status $body_bytes_sent '

'"$http_referer" "$http_user_agent" '

'$ssl_protocol/$ssl_cipher $ssl_ciphers';

EOF

[/codesyntax]

[codesyntax lang="php"]

log_format combined_ssl '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        '$ssl_protocol/$ssl_cipher $ssl_ciphers';

log_format combined_ssl '$remote_addr - $remote_user [$time_local] '

'"$request" $status $body_bytes_sent '

'"$http_referer" "$http_user_agent" '

'$ssl_protocol/$ssl_cipher $ssl_ciphers';

[/codesyntax]

Создадим минимальную конфигурацию виртуального хоста nginx, с использованием настраиваемого формата логов.

[codesyntax lang="php"]

$ cat &lt;&lt;EOF | sudo tee /etc/nginx/sites-available/service
server {
  listen 8080 ssl;
  server_name default;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;
  ssl_certificate     /etc/nginx/ssl/nginx.crt;
  access_log /var/log/nginx/service-access.log combined_ssl;
  error_log /var/log/nginx/service-error.log;
  location / {
     proxy_pass http://127.0.0.1:19999/;
  }
}
EOF

$ cat <<EOF | sudo tee /etc/nginx/sites-available/service

server {

listen 8080 ssl;

server_name default;

ssl_certificate_key /etc/nginx/ssl/nginx.key;

ssl_certificate /etc/nginx/ssl/nginx.crt;

access_log /var/log/nginx/service-access.log combined_ssl;

error_log /var/log/nginx/service-error.log;

location / {

proxy_pass http://127.0.0.1:19999/;

}

EOF

[/codesyntax]

[codesyntax lang="php"]

server {
  listen 8080 ssl;
  server_name default;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;
  ssl_certificate     /etc/nginx/ssl/nginx.crt;
  access_log /var/log/nginx/service-access.log combined_ssl;
  error_log /var/log/nginx/service-error.log;
  location / {
     proxy_pass http://127.0.0.1:19999/;
  }
}

server {

listen 8080 ssl;

server_name default;

ssl_certificate_key /etc/nginx/ssl/nginx.key;

ssl_certificate /etc/nginx/ssl/nginx.crt;

access_log /var/log/nginx/service-access.log combined_ssl;

error_log /var/log/nginx/service-error.log;

location / {

proxy_pass http://127.0.0.1:19999/;

}

[/codesyntax]

Перезагрузите конфигурацию nginx.

$ sudo systemctl reload nginx

1	$ sudo systemctl reload nginx

Проверьте файл логов, чтобы определить используемый протокол SSL / шифр SSL и получить список шифров, поддерживаемых клиентом.

$ tail -f /var/log/nginx/service-access.log

1	$ tail -f /var/log/nginx/service-access.log

[codesyntax lang="php"]

192.168.50.1 - - [21/Jan/2020:00:18:15 +0000] "GET / HTTP/1.1" 200 129572 "-" "curl/7.58.0" TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:TLS_EMPTY_RENEGOTIATION_INFO_SCSV
192.168.50.1 - - [21/Jan/2020:00:18:59 +0000] "GET / HTTP/1.1" 200 20197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36" TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 0x0a0a:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:0x000a
192.168.50.1 - - [21/Jan/2020:00:19:38 +0000] "GET / HTTP/1.1" 200 20197 "-" "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0" TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:0x000a

192.168.50.1 - - [21/Jan/2020:00:18:15 +0000] "GET / HTTP/1.1" 200 129572 "-" "curl/7.58.0" TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:TLS_EMPTY_RENEGOTIATION_INFO_SCSV

192.168.50.1 - - [21/Jan/2020:00:18:59 +0000] "GET / HTTP/1.1" 200 20197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36" TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 0x0a0a:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:0x000a

192.168.50.1 - - [21/Jan/2020:00:19:38 +0000] "GET / HTTP/1.1" 200 20197 "-" "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0" TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:0x000a

[/codesyntax]

Вы можете пропустить список шифров, поддерживаемых клиентом, и сосредоточиться на протоколе SSL, особенно если вы хотите отказаться от поддержки TLS 1.0 и TLS 1.1.

Centos

Регистрация информации о шифровании и протоколе SSL в Nginx

https://github.com/midnight47/

Апрель 2024
Пн	Вт	Ср	Чт	Пт	Сб	Вс
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30