fips-check: FIPS status check module for NGINX

Installation

CentOS/RHEL 6, 7, 8 or Amazon Linux 2

bash yum -y install https://extras.getpagespeed.com/release-latest.rpm yum -y install nginx-module-fips-check

Enable the module by adding the following at the top of /etc/nginx/nginx.conf:

nginx load_module modules/ngx_fips_check_module.so;

This document describes nginx-module-fips-check v0.1 released on Jan 11 2021.

---

Introduction

This module applies to NGINX builds that use OpenSSL for SSL/TLS crypto. It runs after NGINX startup and queries the OpenSSL library, reporting if the library is in FIPS mode or not.

sh sudo tail /var/log/nginx/error.log 2020/04/03 07:45:54 [notice] 11250#11250: using the "epoll" event method 2020/04/03 07:45:54 [notice] 11250#11250: OpenSSL FIPS Mode is enabled 2020/04/03 07:45:54 [notice] 11250#11250: nginx/1.17.6 (nginx-plus-r20) 2020/04/03 07:45:54 [notice] 11250#11250: built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) 2020/04/03 07:45:54 [notice] 11250#11250: OS: Linux 3.10.0-1062.el7.x86_64

For more information on using NGINX in FIPS mode, see the NGINX Plus FIPS documentation, which applies to both NGINX open source builds and NGINX Plus. To determine which TLS ciphers NGINX offers, the nmap ssl-enum-ciphers script is useful.

GitHub

You may find additional configuration tips and documentation for this module in the GitHub repository for nginx-module-fips-check.