Enable HTTP3 in nginx #1660 adds logging of $http3, but maybe more should be logged, both in the access log and the error log, to catch TLS connection errors (unsupported ciphers). Logging this would tell what the percentage of TLSv1.3 users is, and what the support for certain elliptic curves and post-quantum crypto (related: Should we start checking for PQC ? #1640) of the Internet.nl user base is. These numbers could support decisions about removing TLSv1.2 support or changing from RSA to EC (and if so what curve should be picked for maximum support).
E.g. if a remote user is connecting over IPv6:
map $remote_addr $is_ipv6 {
    ~: 1;
    default 0;
}
And the following variables:
$http2
$http3
$server_protocol
$scheme
$is_ipv6
$connection_requests
$ssl_alpn_protocol
$ssl_cipher
$ssl_ciphers
$ssl_curve
$ssl_curves
$ssl_early_data # the current NCSC-NL TLS config disables this, so it should always be empty
$ssl_protocol
$ssl_server_name # maybe together with $http_host this would indicate HTTP/2 Connection Reuse (RFC 9113 §9.1.1)
$ssl_session_reused
See all nginx variables that can be logged.
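One way to turn such a log into the percentages the issue asks for, as an added example that is not part of the issue or of the Internet.nl code base. It assumes a JSON `log_format` named `tlsstats` with the field names shown in the comment (both hypothetical), and counts each connection once by keeping only its first request.

```python
import json
from collections import Counter

# Assumed nginx format (not from the issue), one JSON object per request:
#   log_format tlsstats escape=json '{"proto":"$ssl_protocol","curve":"$ssl_curve",'
#     '"reused":"$ssl_session_reused","ipv6":"$is_ipv6","conn_reqs":"$connection_requests"}';
# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
{"proto":"TLSv1.3","curve":"X25519","reused":".","ipv6":"1","conn_reqs":"1"}
{"proto":"TLSv1.3","curve":"X25519","reused":".","ipv6":"1","conn_reqs":"2"}
{"proto":"TLSv1.2","curve":"prime256v1","reused":".","ipv6":"0","conn_reqs":"1"}
{"proto":"TLSv1.3","curve":"X25519","reused":"r","ipv6":"0","conn_reqs":"1"}
{"proto":"TLSv1.3","curve":"secp384r1","reused":".","ipv6":"1","conn_reqs":"1"}
{"proto":"","curve":"","reused":"","ipv6":"0","conn_reqs":"1"}
{"proto":"TLSv1.3","curve":"X2
"""

def pct(part, total):
    return round(100 * part / total, 1) if total else 0.0

def tls_stats(lines):
    """Aggregate TLS parameters per connection rather than per request."""
    protocols, curves = Counter(), Counter()
    ipv6 = resumed = malformed = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1          # truncated or non-JSON line
            continue
        # A connection logs one line per request; only the first one
        # ($connection_requests == 1) is counted. Plain HTTP has an empty $ssl_protocol.
        if rec.get("conn_reqs") != "1" or not rec.get("proto"):
            continue
        protocols[rec["proto"]] += 1
        curves[rec.get("curve") or "(none)"] += 1
        ipv6 += rec.get("ipv6") == "1"
        resumed += rec.get("reused") == "r"   # "r" = reused session, "." = new
    n = sum(protocols.values())
    return {
        "connections": n,
        "malformed": malformed,
        "protocol_pct": {k: pct(v, n) for k, v in protocols.most_common()},
        "curve_pct": {k: pct(v, n) for k, v in curves.most_common()},
        "ipv6_pct": pct(ipv6, n),
        "resumed_pct": pct(resumed, n),
    }
```

Call `tls_stats(SAMPLE_LOG.splitlines())` to see the result for the sample; on a real log, pass the open file object instead.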