$ssl_early_data
The $ssl_early_data variable indicates whether early data has been received in an SSL/TLS connection. — NGINX Core (HTTP)
Description
The $ssl_early_data variable (available since nginx 1.15.3) reports whether the current request arrived as TLS 1.3 early data, also called 0-RTT data. A client that holds a pre-shared key from a previous session may send application data in its first flight, before the handshake has completed; this saves a round trip but makes that data replayable, because an attacker who records the client's first flight can resend it and the server will process the same request again. nginx accepts early data only when the ssl_early_data directive is on (it is off by default and requires OpenSSL 1.1.1 or later, or BoringSSL). The variable is "1" if the request was received in early data and the handshake is still incomplete; otherwise it is the empty string. In particular it is empty when TLS 1.3 or ssl_early_data is not enabled, and for later requests on the same connection once the handshake has finished, so it describes the request, not the connection. Because the empty string is false in an if condition, the variable can be tested directly to apply different restrictions or responses, for example answering early-data requests with the 425 (Too Early) status defined in RFC 8470. The same RFC defines the Early-Data request header, and the nginx documentation recommends forwarding the variable to upstream servers with proxy_set_header Early-Data $ssl_early_data; so that the application itself can decide which requests are safe to process in early data (idempotent reads) and which must be retried after the handshake.
Config Example
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    # Early data is off by default; without this the variable is always empty
    ssl_early_data on;
    location / {
        # Reject requests received as early data with 425 Too Early (RFC 8470);
        # the client retries them once the handshake has completed
        if ($ssl_early_data) {
            return 425;
        }
        # Normal processing for requests received after the handshake completed
        proxy_pass http://backend;
    }
}
Subsystem
http
Cacheable
No
Contexts
http, server, location, if
Notes
Using $ssl_early_data without enabling TLS 1.3 and the ssl_early_data directive always yields the empty string (no early data), never "1".
Assuming that early data is safe to process without additional measures (rejecting it with 425, or passing the Early-Data header to an application that checks it) leaves non-idempotent requests exposed to replay.
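A finer-grained policy than rejecting all early data, as an added example that is not part of the nginx documentation: early data is accepted for GET and HEAD, any other method that arrived in early data is answered with 425 Too Early, and the Early-Data header is forwarded so the application can apply its own check. The upstream name app_backend, the certificate paths and the choice of GET and HEAD as the only safe methods are assumptions for this example.

```nginx
# Added example (not from the nginx documentation).
# Decide per request whether 0-RTT data may be processed. Exact string
# matches are checked before regular expressions, so the two safe methods
# win over the catch-all "~^1:" pattern that covers every other method
# received in early data. When $ssl_early_data is empty the source value
# starts with ":" and falls through to the default.
map "$ssl_early_data:$request_method" $reject_early_data {
    default 0;
    "1:GET"  0;
    "1:HEAD" 0;
    "~^1:"   1;
}

server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate     /etc/nginx/tls/cert.pem;   # assumed path
    ssl_certificate_key /etc/nginx/tls/key.pem;    # assumed path
    ssl_early_data on;

    location / {
        # Non-idempotent request sent in early data: ask the client to retry
        # after the handshake completes (RFC 8470, 425 Too Early).
        if ($reject_early_data) {
            return 425;
        }
        # Let the application see whether the request is replayable. With an
        # empty value nginx omits the header entirely, which matches the
        # RFC 8470 rule that Early-Data is only ever sent with the value 1.
        proxy_set_header Early-Data $ssl_early_data;
        proxy_pass http://app_backend;   # assumed upstream name
    }
}
```

The map must sit at http level, outside the server block. Clients that support 0-RTT retry a 425 response once the handshake has finished, so the rejection costs them one round trip and nothing else; the backend behind app_backend should still treat a request carrying Early-Data: 1 as potentially replayed, since the safe-method list here only covers what nginx can judge from the method alone.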