{"id":39668881,"url":"https://github.com/fooinha/nginx-ssl-ja3","last_synced_at":"2026-01-18T09:35:47.435Z","repository":{"id":37743019,"uuid":"100275336","full_name":"fooinha/nginx-ssl-ja3","owner":"fooinha","description":"nginx module for SSL/TLS ja3 fingerprint.","archived":false,"fork":false,"pushed_at":"2024-09-14T19:16:53.000Z","size":60,"stargazers_count":195,"open_issues_count":13,"forks_count":48,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-11-15T04:10:26.782Z","etag":null,"topics":["fingerprint","ja3","nginx","ssl","tls","tls-ja3-fingerprint"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fooinha.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-14T14:15:16.000Z","updated_at":"2024-11-10T14:07:03.000Z","dependencies_parsed_at":"2024-01-27T17:25:54.699Z","dependency_job_id":"1ae283c7-239d-4b61-9833-6660d85f2609","html_url":"https://github.com/fooinha/nginx-ssl-ja3","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/fooinha/nginx-ssl-ja3","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fooinha%2Fnginx-ssl-ja3","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fooinha%2Fnginx-ssl-ja3/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fooinha%2Fnginx-ssl-ja3/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fooinha%2Fnginx-ssl-ja3/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fooinha","download_url":"https://codeload.github.com/fooinha/nginx-ssl-ja3/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fooinha%2Fnginx-ssl-ja3/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28534168,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T00:39:45.795Z","status":"online","status_checked_at":"2026-01-18T02:00:07.578Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fingerprint","ja3","nginx","ssl","tls","tls-ja3-fingerprint"],"created_at":"2026-01-18T09:35:46.853Z","updated_at":"2026-01-18T09:35:47.428Z","avatar_url":"https://github.com/fooinha.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# nginx-ssl-ja3\n\nnginx module for SSL/TLS ja3 fingerprint.\n\n## Description\n\nThis module adds to nginx the ability of new nginx variables for the TLS/SSL ja3 fingerprint.\n\nFor details about the ja3 fingerprint algorithm, check initial [project](https://github.com/salesforce/ja3).\n\n## Configuration\n\n### Directives\n\nRevision 110 of chrome browser introduces TLS ClientHello extensions random permutation, which makes fingerprinting irrelevant with this browser (firefox is planning to do the same).\nUsing JA3_SORT_EXT cc macro during nginx configure invocation (--with-cc-opt='-DJA3_SORT_EXT') configures the module to sort TLS extensions in the JA3 string. The resulting fincgerprint is not compliant anymore with the JA3 algorithm (at this time of writing), but allow to get back effectiveness of fingerprinting.\n\n### Variables\n\n#### $http_ssl_ja3\n\nThe ja3 fingerprint string for a SSL connection for a HTTP server.\n\n```\n771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53-10,0-23-65281-10-11-35-16-5-13-18-51-45-43-21,0-29-23-24,0\n```\n\n#### $http_ssl_ja3_hash\n\nThe ja3 fingerprint MD5 hash for a SSL connection for a HTTP server.\n\nExample:\n\n```\nhttp {\n    server {\n        listen                 127.0.0.1:443 ssl;\n        ssl_certificate        cert.pem;\n        ssl_certificate_key    rsa.key;\n        error_log              /dev/stderr debug;\n        return                 200 \"$time_iso8601\\n\\n$http_user_agent\\n\\n$http_ssl_ja3\\n\\n$http_ssl_ja3_hash\\n\";\n    }\n}\n```\n\n#### $stream_ssl_ja3\n\nThe ja3 fingerprint string for a SSL connection for a stream server.\n\n#### $stream_ssl_ja3_hash\n\nThe ja3 fingerprint MD5 hash for a SSL connection for a stream server.\n\nExample:\n\n```\nstream {\n    server {\n        listen                 127.0.0.1:12345 ssl;\n        ssl_certificate        cert.pem;\n        ssl_certificate_key    rsa.key;\n        error_log              /dev/stderr debug;\n        return                 \"$time_iso8601\\n\\n$stream_ssl_ja3\\n\\n$stream_ssl_ja3_hash\\n\";\n    }\n}\n```\n\n## Build\n\n### Dependencies\n\n* [OpenSSL](https://github.com/openssl) - 3.3.2 (branch openssl-3.3.2)\n\nThe master version OpenSSL is required because this module fetches the\nextensions types declared at SSL/TLS Client Hello by using the new early\ncallback [SSL_CTX_set_client_hello_cb](https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_client_hello_cb.html).\n\nI was unable to find a way to get these values with the current versions of\nnginx and OpenSSL.\n\nSo, in order to, have the client extensions available for the fingerprint,\nwe also need to apply a patch to the nginx code.\n\nIf you use, for development, the [docker](#docker) supplied in this repo,\nthe patch is already applied. Check the Dockerfile of the dev image.\n\n### Patches\n\n - [nginx - save client hello extensions](patches/nginx.latest.patch)\n - [openssl - more tls extensions](patches/openssl-3.extensions.patch)\n\n\n### Compilation and installation\n\nBuild as a common nginx module.\n\n```bash\n\n# Hack/patch openssl - to include more common extensions\n\n$ patch  -p1 \u003c /build/nginx-ssl-ja3/patches/openssl-3.extensions.patch\n\npatching file include/openssl/tls1.h\n...\npatching file ssl/statem/extensions.c\n...\n\n\n# Hack/patch nginx\n\n$ patch -p1 \u003c /build/ngx_ssl_ja3/patches/nginx.latest.patch\n\npatching file src/event/ngx_event_openssl.c\n...\npatching file src/event/ngx_event_openssl.h\n...\n\n# Configure\n\n$ ./configure --add-module=/build/ngx_ssl_ja3 --with-http_ssl_module --with-stream_ssl_module --with-debug --with-stream\n\n# Install\n\n$ make \u0026\u0026 make install\n\n```\n## Tests\n\nMake sure that the lib directory for nginx-tests is available in the 't' directory.\n\n\n```\n$ TEST_NGINX_BINARY=/usr/local/nginx/sbin/nginx prove -v\n```\n\n## Docker\n\nDocker images and a docker compose file is available at the ./docker directory.\n\n```\n$ docker-compose up --build -d\n\nCreating nginx-ssl-ja3\n\n```\n\n\n\n## Contributors\n\n@**fooinha**  - author\n\n## Fair Warning\n\n**THIS IS NOT PRODUCTION** ready.\n\nSo there's no guarantee of success. It most probably blow up when running in real life scenarios.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffooinha%2Fnginx-ssl-ja3","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffooinha%2Fnginx-ssl-ja3","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffooinha%2Fnginx-ssl-ja3/lists"}