proxy_ssl_ciphers

The `proxy_ssl_ciphers` directive sets the list of acceptable SSL ciphers for proxied SSL connections in NGINX.

Syntax: proxy_ssl_ciphers STRING;
Default: HIGH:!aNULL:!MD5
Context: http, server, location
Arguments: 1

Description

The proxy_ssl_ciphers directive is critical for establishing secure connections when NGINX acts as a reverse proxy for SSL/TLS connections. With this directive, administrators control which ciphers are offered during the SSL handshake with upstream servers. This not only enhances security by allowing the use of strong ciphers but also enables compatibility with specific client requirements or compliance mandates.

The value accepted by the proxy_ssl_ciphers directive is a cipher list, which can follow the OpenSSL cipher string format. It can include specific ciphers and cipher groups and should be defined according to the desired level of security and performance. When configuring this directive, it's important to ensure the list is up to date and minimizes insecure ciphers to protect against vulnerabilities in older algorithms.

This directive can be placed in various contexts including http, server, and location, allowing for both broad and granular control over SSL configuration based on different levels of the NGINX configuration hierarchy. Adjustments to this directive will typically require a restart or reload of the NGINX service to take effect.

Config Example

server {
    location / {
        proxy_pass https://backend;
        proxy_ssl_ciphers 'HIGH:!aNULL';
    }
}

Ensure that the specified ciphers are supported by the OpenSSL version used by NGINX.

Using weak ciphers may expose the application to security vulnerabilities.

Testing the impact of changes on SSL/TLS connection establishment is crucial to avoid service disruption.
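One way to check what a cipher string expands to before deploying it, as an added example that is not part of the original page or of NGINX: it uses Python's ssl module to have the local OpenSSL expand the string and flags suites that lack forward secrecy or AEAD. It assumes Python is linked against the same OpenSSL build as NGINX; the function names and the flagging policy are illustrative.

```python
import ssl


def expand_cipher_string(cipher_string):
    """Suites the local OpenSSL enables for an OpenSSL-format cipher string.

    Raises ssl.SSLError when the string selects no usable cipher.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def audit(cipher_string):
    """Map suite name -> reasons it fails the example policy below."""
    findings = {}
    for suite in expand_cipher_string(cipher_string):
        # TLS 1.3 suites are configured separately in OpenSSL and are listed
        # regardless of the cipher string, so they are skipped here.
        if suite.get("protocol") == "TLSv1.3":
            continue
        reasons = []
        # Example policy (an assumption, adjust to your own baseline).
        if "dhe" not in (suite.get("kea") or ""):
            reasons.append("no forward secrecy")
        if not suite.get("aead"):
            reasons.append("not an AEAD cipher")
        if suite.get("auth") == "auth-null":
            reasons.append("unauthenticated key exchange")
        if reasons:
            findings[suite["name"]] = reasons
    return findings


if __name__ == "__main__":
    # The first string is the one from the config example above.
    for candidate in ("HIGH:!aNULL", "ECDHE+AESGCM:ECDHE+CHACHA20"):
        flagged = audit(candidate)
        total = len(expand_cipher_string(candidate))
        print(f"{candidate}: {len(flagged)} of {total} listed suites flagged")
        for name, reasons in sorted(flagged.items()):
            print(f"  {name}: {', '.join(reasons)}")
```

A string that raises ssl.SSLError here matches nothing in the local OpenSSL build and should not be placed in the NGINX configuration as written.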
