$ssl_cipher
The $ssl_cipher variable contains the name of the cipher used for SSL/TLS connections. — NGINX Core (HTTP)
Description
The $ssl_cipher variable in NGINX provides the name of the cipher suite in use on the current SSL/TLS connection. It is particularly useful for logging and debugging, as it lets administrators determine which cipher was negotiated for a secure connection. The value is set during the SSL handshake, which occurs when a client initiates a connection over HTTPS. Depending on the negotiated cipher suite, $ssl_cipher could contain values like 'ECDHE-RSA-AES256-GCM-SHA384' or 'ECDHE-ECDSA-CHACHA20-POLY1305', among others.

When configuring SSL/TLS in NGINX, it is crucial to be aware of the ciphers supported by both the NGINX server and the client's SSL implementation. The supported ciphers can be specified in the NGINX configuration file using the ssl_ciphers directive. The effective value of $ssl_cipher reflects the configuration set in this directive and may also depend on the OpenSSL version used in the NGINX build. If a client attempts to connect using a cipher not supported by the server, the connection will fail, and the $ssl_cipher variable will not be set.

$ssl_cipher can also be combined with logging directives to capture security-related data, which assists in analyzing and monitoring secure sessions. This visibility helps in understanding client connections, enforcing security compliance, and optimizing cipher configurations.
Config Example
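server {
    listen 443 ssl;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    # Cipher suites the server offers; $ssl_cipher reports the one negotiated
    ssl_ciphers 'HIGH:!aNULL:!MD5';
    # The stock "combined" format does not include $ssl_cipher
    access_log /var/log/nginx/access.log combined;
    location / {
        # Return the negotiated cipher to the client in a response header
        add_header X-SSL-Cipher $ssl_cipher;
    }
}
Subsystem
http
Cacheable
Yes
Contexts
http, server, location
Ensure that SSL is properly enabled in your NGINX configuration; otherwise, the variable will not be set.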
Be aware that the value of $ssl_cipher depends on both the server configuration and the client's capabilities; mismatches can lead to connection failures.
When combining $ssl_cipher with logging, make sure to format the logs correctly so that the cipher values are captured without breaking the log format. Extra fields can clutter the output if not handled properly.
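The logging use described above, as an added example that is not part of the original page or of NGINX itself: a Python audit of access-log lines that tallies negotiated ciphers and flags requests without TLS, ciphers outside a baseline, and lines that no longer match the format. The log_format name tls_combined, the allow-list and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed log_format (hypothetical name "tls_combined"): the stock "combined"
# fields with $ssl_protocol and $ssl_cipher appended as unquoted tokens:
#   log_format tls_combined '$remote_addr - $remote_user [$time_local] '
#       '"$request" $status $body_bytes_sent "$http_referer" '
#       '"$http_user_agent" $ssl_protocol $ssl_cipher';
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "[^"]*" (?P<protocol>\S+) (?P<cipher>\S+)$'
)

# Constructed allow-list for this example; substitute your own baseline.
ALLOWED = {"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305"}

def audit(lines):
    """Return (Counter of negotiated ciphers, list of findings)."""
    counts, findings = Counter(), []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if m is None:
            findings.append((n, "unparsed", None))  # format drifted or line truncated
            continue
        cipher = m["cipher"]
        if cipher == "-":
            # nginx writes "-" for an empty variable: no TLS on this request
            findings.append((n, "no-tls", m["addr"]))
            continue
        counts[cipher] += 1
        if cipher not in ALLOWED:
            findings.append((n, "cipher-not-allowed", cipher))
    return counts, findings

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [10/Mar/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.5.0" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384',
    '192.0.2.11 - - [10/Mar/2025:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0" TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305',
    '198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "legacy-client/1.0" TLSv1.2 AES128-SHA',
    '203.0.113.5 - - [10/Mar/2025:12:00:04 +0000] "GET /health HTTP/1.1" 200 2 "-" "probe/1.0" - -',
    '192.0.2.12 - - [10/Mar/2025:12:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE)
    for cipher, hits in counts.most_common():
        print(f"{hits:5d}  {cipher}")
    for finding in findings:
        print("finding:", finding)
```

Appending the two TLS fields after the quoted user agent keeps the stock combined fields in their usual positions, so existing log parsers that read only those fields are less likely to break.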