js_fetch_ciphers
The 'js_fetch_ciphers' directive specifies the TLS cipher suites to be used when fetching cryptographic data in NGINX via JavaScript.
Description
The 'js_fetch_ciphers' directive is used within the NGINX streaming context to define the cipher suites that should be employed for secure connections established by the NGINX server. Specifically, this directive enables developers to configure TLS settings directly from JavaScript code executed within NGINX, enhancing the server's flexibility in handling TLS connections. It takes one argument, which is a string that enumerates the cipher suite names as specified in the OpenSSL documentation.
In operational terms, when 'js_fetch_ciphers' is specified, the NGINX server adjusts its SSL/TLS handshake process accordingly, allowing it to negotiate secure sessions using the listed ciphers. This is particularly useful for applications that require strict compliance with security policies regarding cipher usage. The directive supports dynamic modifications and real-time configuration adjustments through the use of JavaScript, giving developers the power to adapt TLS settings without needing to reload the server's global configurations.
It's important to ensure that the ciphers specified are valid and compatible with the underlying OpenSSL version used by NGINX. Misconfiguration can lead to failed connections or security vulnerabilities if insecure ciphers are included in the list. Testing the configured cipher suite against known vulnerabilities is also recommended to maintain a secure environment.
Config Example
stream {
    # Cipher list, in OpenSSL cipher-string format
    js_fetch_ciphers "HIGH:!aNULL:!MD5";

    server {
        listen 443;
        # "backend" must be defined as an upstream group elsewhere in the stream block
        proxy_pass backend;
    }
}

Ensure the cipher list adheres to OpenSSL standards; otherwise, connections may fail.
Ciphers listed must be supported by the version of OpenSSL being used with NGINX.
Be cautious about including weak or deprecated ciphers in the list.
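
One way to check a cipher string before putting it in 'js_fetch_ciphers' is to expand it with OpenSSL and look at what it actually enables. The script below is an added example, not part of NGINX or njs; the function name `audit_cipher_string` and the weak-property list are illustrative choices. It assumes the Python interpreter is linked against the same OpenSSL version as NGINX, so run it on the host that runs NGINX.

```python
import re
import ssl

# Weak properties to look for in OpenSSL's per-cipher description line.
WEAK = {
    "anonymous (no authentication)": re.compile(r"\bAu=None\b"),
    "no encryption": re.compile(r"\bEnc=None\b"),
    "RC4": re.compile(r"\bEnc=RC4"),
    "3DES": re.compile(r"\bEnc=3DES"),
    "single DES": re.compile(r"\bEnc=DES\("),
    "MD5 MAC": re.compile(r"\bMac=MD5\b"),
}


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string and report what it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # Malformed string, or nothing in it is supported by this OpenSSL.
        return {"valid": False, "error": str(exc), "ciphers": [], "weak": {}}
    # TLS 1.3 suites are configured separately in OpenSSL and are always
    # listed, so only suites for TLS 1.2 and below reflect the string.
    selected = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    weak = {}
    for c in selected:
        reasons = [label for label, rx in WEAK.items()
                   if rx.search(c["description"])]
        if reasons:
            weak[c["name"]] = reasons
    return {"valid": bool(selected), "error": None,
            "ciphers": [c["name"] for c in selected], "weak": weak}


if __name__ == "__main__":
    # The value used in the config example above.
    report = audit_cipher_string("HIGH:!aNULL:!MD5")
    print(ssl.OPENSSL_VERSION)
    print("valid:", report["valid"], "| suites enabled:", len(report["ciphers"]))
    for name, reasons in report["weak"].items():
        print("WEAK", name, "->", ", ".join(reasons))
```

A result with `valid` set to false means the string would leave no usable TLS 1.2 (or older) suite on this OpenSSL build; any entry under `weak` should be excluded from the list before deployment.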