Nginx Tuning Tips: TLS/SSL HTTPS – Improved TTFB/Latency

As of 30 June 2018 the PCI Security Standards Council requires that support for SSL 3.0 and TLS 1.0 ("early TLS") be disabled, and, more recently, that TLS 1.1 be retired as well; TLS 1.2 and 1.3 are the versions to run (the major browsers dropped TLS 1.0 and 1.1 in 2020). In addition, since July 2018 Google Chrome marks plain HTTP websites as "Not secure". The Internet has moved to HTTPS quickly over the past few years: more than 90% of Chrome's traffic loads over HTTPS, and 97 of the web's top 100 websites now use HTTPS by default.

With that in mind, here are Nginx tuning tips to improve Nginx + HTTPS performance for a better TTFB and lower latency.

Enable HTTP/2 or HTTP/3 and QUIC on Nginx

The first step in tuning Nginx for fast TTFB and low latency over HTTPS is to make sure that at least HTTP/2 is enabled. Nginx has supported HTTP/2 since version 1.9.5. Enabling it is simple: add the word http2 to the listen directive in the server block of your Nginx config file (e.g. /etc/nginx/sites-enabled/sitename). Remember that browsers only speak HTTP/2 over TLS, so this goes on the HTTPS listener.

Look for this line:

listen 443 ssl;

Change it to:

listen 443 ssl http2;

And that is all for older releases. Since Nginx 1.25.1 the preferred form is a separate http2 on; directive in the server block (the http2 parameter on listen still works but is deprecated). HTTP/2 is used by about 40% of all websites and HTTP/3 by about 20% (source). Nginx 1.25.0 added experimental HTTP/3 over QUIC when built with the http_v3_module: it needs a listen 443 quic reuseport; line next to the TLS listener, plus an Alt-Svc response header advertising h3 so that browsers know to try it. You can enable HTTP/3 and QUIC by following this (French) guide.

Check whether HTTP/2 or HTTP/3 is enabled using Google Chrome

To confirm whether HTTP/2 or HTTP/3 is enabled:

> Open your website in Google Chrome
> Right-click anywhere on the page and select Inspect
> Click the Network tab
> Press F5 (or reload the page manually)
> The Protocol column should now show h2 (or h3, or h3-29 for a draft version) for all assets loaded from your server
> If the Protocol column is missing, right-click a column header and add it

(Screenshot: Google Chrome Network inspector showing h2 in the Protocol column)

Check if HTTP/2 or HTTP/3 is enabled using the command line

Test with curl from your Linux/Mac command line, replacing example.com with your own host. Don't forget to test your CDN-hosted requests as well (for example cdn.domain.com), and compare KeyCDN, BunnyCDN and other CDNs that support HTTP/2:

curl --http2 -I https://example.com
curl --http3 -I https://example.com

The first line of the output shows what was negotiated: HTTP/2 200 (or HTTP/3 200) rather than HTTP/1.1 200. If --http3 fails with "the installed libcurl version doesn't support this", your curl was built without HTTP/3 support (look for HTTP3 in the Features line of curl -V); in that case you can also use an online HTTP/3 checker.
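The same two checks from Python, as an added example that is not part of the original post: HTTP/2 is negotiated through the TLS ALPN extension, so a bare TLS handshake offering h2 is enough to see whether Nginx will speak it, and HTTP/3 is advertised through the Alt-Svc response header (RFC 7838), which the script fetches over HTTPS and parses. Standard library only; the hostname is a command-line argument, and the header values used in the test are constructed.

```python
"""Check HTTP/2 (via TLS ALPN) and HTTP/3 (via the Alt-Svc header) without a browser.
Added example, not code from the original post."""
import http.client
import re
import socket
import ssl
import sys

# One Alt-Svc entry: protocol-id="authority"; param=value; ...   (RFC 7838)
_ALT_SVC_ENTRY = re.compile(r'([^=,\s;]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')


def negotiated_alpn(host, port=443, timeout=5):
    """Offer h2 then http/1.1 in ALPN and return what the server picked
    ('h2', 'http/1.1', or None when the server sent no ALPN extension)."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


def fetch_alt_svc(host, port=443, path="/", timeout=5):
    """Return the raw Alt-Svc header from a HEAD request, or None if absent."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Alt-Svc")
    finally:
        conn.close()


def parse_alt_svc(value):
    """Parse an Alt-Svc value into [{'protocol', 'authority', 'params'}, ...].
    'clear', an empty value or None all yield an empty list."""
    entries = []
    for proto, authority, raw_params in _ALT_SVC_ENTRY.findall(value or ""):
        params = {}
        for part in raw_params.split(";"):
            part = part.strip()
            if part:
                key, _, val = part.partition("=")
                params[key.strip()] = val.strip()
        entries.append({"protocol": proto, "authority": authority, "params": params})
    return entries


def h3_versions(entries):
    """Protocol ids that mean HTTP/3: the final 'h3' or a draft such as 'h3-29'."""
    return [e["protocol"] for e in entries
            if e["protocol"] == "h3" or e["protocol"].startswith("h3-")]


def check(host, port=443):
    alpn = negotiated_alpn(host, port)
    entries = parse_alt_svc(fetch_alt_svc(host, port))
    return {"host": host, "alpn": alpn, "http2": alpn == "h2", "http3": h3_versions(entries)}


if __name__ == "__main__":
    print(check(sys.argv[1]))
```

A server that returns http2=True but an empty http3 list has HTTP/2 but is not advertising QUIC; one that lists h3-29 only is still on a draft version, which current browsers no longer accept.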

Enable SSL session cache

An HTTPS connection costs more than a plain HTTP one: before the first request can even be sent, client and server have to complete a TLS handshake, which adds a round trip (two for a full TLS 1.2 handshake, one for TLS 1.3) on top of the TCP handshake. Session resumption removes most of that for returning clients: with ssl_session_cache enabled, Nginx remembers the session parameters and a client presenting its session ID gets an abbreviated handshake. Together with HTTP/2, which multiplexes all requests over a single connection, this makes repeat visits over HTTPS as fast as, or faster than, plain HTTP.

Use the option ssl_session_cache shared:SSL:[size] so that one cache is shared by all worker processes; with the per-worker builtin cache, a returning client whose connection lands on a different worker finds nothing to resume. One megabyte holds about 4000 sessions. You can also set how long a cached session may be reused (the cache TTL, default 5 minutes):

ssl_session_cache shared:SSL:1m; # holds approx 4000 sessions
ssl_session_timeout 1h; # 1 hour during which sessions can be re-used.

Disable SSL Session Ticket


Session tickets move the resumption state to the client, encrypted under a server-side key. Nginx does not rotate that key on its own: without ssl_session_ticket_key it generates a random key when the configuration is loaded and keeps it until the next restart or reload, and if you supply key files you have to rotate them yourself. A long-lived ticket key undermines forward secrecy for every session resumed under it, so unless you run your own rotation scheme, turn tickets off and rely on the shared session cache instead. With TLS 1.3 this does not cost you resumption: OpenSSL then issues stateful tickets that point into the session cache, so a client on a different worker is still resumed.

ssl_session_tickets off;
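To see the effect of these two settings from the client side, here is an added example (my own code, not from the original post) that opens one TLS connection, keeps the session Nginx hands back, reconnects offering it, and reports whether the server resumed it. With a shared session cache and tickets off, the second connection should come back reused; with the Nginx defaults (no cache, tickets on) it is resumed through a ticket; with no cache and tickets off, it is not resumed at all. Standard library only; the hostname is a command-line argument.

```python
"""Observe TLS session resumption against a server.
Added example, not code from the original post."""
import socket
import ssl
import sys


def connect(ctx, host, port, session=None, timeout=5):
    """One TLS connection; returns what the probe needs from it.
    A request/response round trip is made on purpose: in TLS 1.3 the server sends
    NewSessionTicket after the handshake, and the client only holds a resumable
    session once that record has been read."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host, session=session) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            while tls.recv(4096):
                pass
            sess = tls.session
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "reused": tls.session_reused,
                "session": sess,
                "lifetime_hint": sess.ticket_lifetime_hint if sess else None,
            }


def check_resumption(host, port=443):
    """Two connections from one SSLContext: a session can only be replayed
    into the context that produced it."""
    ctx = ssl.create_default_context()
    first = connect(ctx, host, port)
    second = connect(ctx, host, port, session=first["session"])
    return first, second


def resumption_verdict(first, second):
    """Classify the pair of observations (pure function, so it can be tested offline)."""
    if second["reused"]:
        return "resumed"
    if first["session"] is None:
        return "no-session"    # server offered nothing to resume: cache and tickets both off?
    return "not-resumed"       # offered but refused: cache not shared:, expired, or another server block


if __name__ == "__main__":
    first, second = check_resumption(sys.argv[1])
    for label, r in (("first", first), ("second", second)):
        print(f"{label}: {r['version']} {r['cipher']} reused={r['reused']} "
              f"lifetime_hint={r['lifetime_hint']}s")
    print("verdict:", resumption_verdict(first, second))
```

Run it a few times: with a builtin (per-worker) cache and several workers the verdict flips between resumed and not-resumed depending on which worker answers, which is exactly the symptom the shared: form removes.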

Disable TLS Version 1.0 and 1.1

As discussed at the beginning, HTTPS with HTTP/2 (or HTTP/3) is a step towards the latest, fastest and most secure web technology, and in that context TLS 1.0 must be disabled. Update: I would also recommend disabling TLSv1.1 and enabling TLSv1.3 (TLSv1.3 needs Nginx 1.13+ built against OpenSSL 1.1.1+; recent Nginx releases enable it by default, but setting it explicitly does no harm). After reloading, confirm the result from the outside: a connection forced to TLS 1.0 or 1.1 (openssl s_client -tls1_1) must be refused, and one forced to TLS 1.3 (-tls1_3) must succeed.

Look for:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Modify the line to:

ssl_protocols TLSv1.2;

Nginx 1.13+

To enable TLSv1.3 for Nginx 1.13+, look for:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Modify the line to:

ssl_protocols TLSv1.2 TLSv1.3;

Enable OCSP Stapling

OCSP (Online Certificate Status Protocol) stapling is an extension of OCSP for checking the revocation status of X.509 certificates. Instead of every client asking the CA's OCSP responder whether the server's certificate is still valid, Nginx fetches the time-stamped, CA-signed OCSP response itself and includes ("staples") it in the TLS handshake. The client verifies the CA's signature on the staple and never has to contact the CA: one fewer connection on the client's critical path, and the CA no longer learns which sites each visitor opens. See more: Using OCSP Stapling to Improve Response Time and Privacy.

ssl_stapling on;
ssl_stapling_verify on;                          # verify the CA signature on the fetched response before stapling it
ssl_trusted_certificate /path/to/full_chain.pem; # intermediate + root CA certificates used for that verification
resolver 8.8.8.8 8.8.4.4 valid=300s;             # Nginx needs a resolver to look up the OCSP responder's hostname
resolver_timeout 5s;

Note: ssl_trusted_certificate points to a PEM file of trusted CA certificates (the issuing intermediate and root) that Nginx uses to verify client certificates and, with ssl_stapling_verify on, the OCSP response; unlike ssl_client_certificate, these CAs are not advertised to clients. Two caveats: Nginx fetches the OCSP response lazily, so the first handshake after a (re)start carries no staple, and some CAs (Let's Encrypt since 2025) have dropped OCSP in favour of CRLs and no longer put a responder URL in their certificates, in which case there is nothing to staple and Nginx silently leaves the extension out. To verify, connect with openssl s_client -status and look for "OCSP Response Status: successful" on the second connection. The resolver configured here sees every responder lookup, so prefer a local resolver over a public one if you have one.

Reduce SSL buffer size

The Nginx ssl_buffer_size option sets the size of the buffer used to send data over HTTPS, which in effect is the maximum TLS record size. The default of 16k is a one-size-fits-all value geared towards large responses, but a browser cannot decrypt anything until a whole record has arrived, so with 16k records the first bytes of the page wait for roughly a dozen TCP segments. To reduce TTFB (Time to First Byte) it is often better to use a smaller value, at the cost of slightly more per-record overhead on large downloads, for example:
(I was able to shave about 30 – 50 ms off the TTFB. Your mileage may vary.)

ssl_buffer_size 4k;

Full Nginx SSL configuration for better TTFB

(Screenshot: the ssl-params.conf snippet under /etc/nginx/snippets)

Above is my tuned Nginx SSL config, pasted below for convenience:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_ecdh_curve secp384r1; # see here and here (pg. 485)
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 24h;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/your/CA/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_buffer_size 4k; # I've since found 8k works best for this blog. (test!!) Default = 16k

Two caveats on the snippet above. ssl_ecdh_curve secp384r1 pins a single curve, while modern browsers send a key share for X25519 (some also for P-256) in their first ClientHello; a server that only accepts secp384r1 answers with a HelloRetryRequest, adding a round trip to every full TLS 1.3 handshake, which is exactly the latency this page is trying to remove. Leaving the directive at its default (auto) or listing X25519:prime256v1:secp384r1 avoids that. Also, ssl_ciphers only governs TLS 1.2 and older, and the AES256+EECDH and AES256+EDH groups admit CBC suites; for AEAD-only TLS 1.2 keep just the AESGCM entries (optionally adding CHACHA20), and note that TLS 1.3 suites are chosen by OpenSSL regardless of this string.

Test the configuration, then reload Nginx after the changes:

nginx -t
nginx -s reload

Enable HTTP Strict Transport Security (HSTS)

Another HTTPS tip is to enable HSTS. HTTP Strict Transport Security is a response header by which a web server declares that browsers must talk to it only over HTTPS and must not let users click through certificate warnings: it locks the client to HTTPS. This protects the site against downgrade attacks, SSL stripping and cookie hijacking. Send it only over HTTPS (in the 443 server block, not from the port-80 redirect), and be aware that preload submits the domain to the browsers' built-in lists, which requires a max-age of at least one year, includeSubDomains, an HTTP-to-HTTPS redirect on the base domain, and is slow to undo. One Nginx gotcha: add_header directives in a location block replace, rather than extend, those inherited from the server block, so any location that sets its own header needs the HSTS line repeated (or a shared include).

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

The other headers I use in my Nginx config for this blog are:

add_header X-Frame-Options sameorigin;       # stop the site being framed by other origins (clickjacking)
add_header X-Content-Type-Options nosniff;   # no MIME sniffing of responses
add_header X-Xss-Protection "1; mode=block"; # legacy IE/old-Chrome XSS filter; current browsers ignore it and "0" is now the recommended value
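To check a snippet like the one above before reloading, here is an added example (not from the original post) that lints an Nginx TLS snippet for the points made in the protocol, session-ticket, OCSP-stapling, ECDH-curve, buffer-size and HSTS/header sections: it tokenises directives with quotes and comments handled, then reports findings as (code, message) pairs. The two configurations embedded in it are constructed samples, the first being the snippet and headers from this page, the second a typical pre-2018 server block.

```python
"""Lint an nginx TLS snippet for the settings discussed on this page.
Added example; the sample configs at the bottom are constructed, not real servers."""
import re
import shlex

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Browsers send an X25519 key share (some also P-256) in the first ClientHello; pinning
# any other single curve forces a HelloRetryRequest, an extra round trip, per full handshake.
FIRST_FLIGHT_CURVES = {"auto", "X25519", "prime256v1", "secp256r1"}
ONE_YEAR = 31536000  # smallest HSTS max-age the preload list accepts


def parse_directives(text):
    """{directive: [args, ...]} for every 'name arg ...;' line; braces are ignored,
    '#' comments stripped and quoted arguments kept as one token."""
    directives = {}
    for line in text.splitlines():
        try:
            tokens = [t for t in shlex.split(line, comments=True) if t not in ("{", "}")]
        except ValueError:  # unbalanced quote: not a directive we can read
            continue
        if not tokens or not tokens[-1].endswith(";"):
            continue
        tokens[-1] = tokens[-1][:-1]
        directives.setdefault(tokens[0], []).append([t for t in tokens[1:] if t])
    return directives


def parse_hsts(value):
    """'max-age=N; includeSubDomains; preload' -> {'max-age': 'N', 'includesubdomains': '', 'preload': ''}"""
    fields = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.partition("=")
            fields[key.strip().lower()] = val.strip()
    return fields


def last(d, name, default):
    """nginx honours the last occurrence of a directive within a context."""
    return d[name][-1] if d.get(name) else default


def audit(text):
    d = parse_directives(text)
    findings = []
    add = lambda code, msg: findings.append((code, msg))
    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    weak = sorted(protocols & WEAK_PROTOCOLS)
    if weak:
        add("weak-protocol", "ssl_protocols still enables " + ", ".join(weak))
    if protocols and "TLSv1.3" not in protocols:
        add("no-tls13", "ssl_protocols does not include TLSv1.3")
    if last(d, "ssl_session_tickets", ["on"])[:1] != ["off"] and "ssl_session_ticket_key" not in d:
        add("tickets-on", "session tickets are on with a key nginx never rotates")
    if "ssl_session_cache" not in d:
        add("no-session-cache", "no ssl_session_cache: every returning client does a full handshake")
    if last(d, "ssl_stapling", ["off"])[:1] == ["on"]:
        if last(d, "ssl_stapling_verify", ["off"])[:1] != ["on"]:
            add("stapling-no-verify", "ssl_stapling on but ssl_stapling_verify is off")
        if "resolver" not in d:
            add("stapling-no-resolver", "ssl_stapling needs a resolver to reach the OCSP responder")
    for args in d.get("ssl_ecdh_curve", []):
        curves = args[0].split(":") if args else []
        if len(curves) == 1 and curves[0] not in FIRST_FLIGHT_CURVES:
            add("ecdh-single-curve", f"only {curves[0]}: TLS 1.3 clients pay a HelloRetryRequest round trip")
    for args in d.get("ssl_buffer_size", []):
        m = re.fullmatch(r"(\d+)([kKmM]?)", args[0]) if args else None
        if m and int(m.group(1)) * {"": 1, "k": 1024, "m": 1 << 20}[m.group(2).lower()] > 16 * 1024:
            add("buffer-large", f"ssl_buffer_size {args[0]} is above the 16k default; TTFB suffers")
    headers = {a[0].lower(): a[1] for a in d.get("add_header", []) if len(a) >= 2}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        add("hsts-missing", "no Strict-Transport-Security header")
    else:
        fields = parse_hsts(hsts)
        max_age = int(fields["max-age"]) if fields.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            add("hsts-short", f"HSTS max-age {max_age} is under one year")
        if "preload" in fields and "includesubdomains" not in fields:
            add("hsts-preload-no-subdomains", "preload requires includeSubDomains")
    xss = headers.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        add("xss-protection-legacy", "X-Xss-Protection is ignored by current browsers; send 0 or drop it")
    return findings


def finding_codes(text):
    return sorted(code for code, _ in audit(text))


# Constructed sample: the tuned snippet and headers from this page.
ARTICLE_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 24h;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/your/CA/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_buffer_size 4k;  # default = 16k
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options sameorigin;
add_header X-Content-Type-Options nosniff;
add_header X-Xss-Protection "1; mode=block";
"""

# Constructed sample: a typical pre-2018 server block, to show what gets flagged.
LEGACY_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_stapling on;
}
"""

if __name__ == "__main__":
    for code, msg in audit(LEGACY_CONF):
        print(f"{code}: {msg}")
```

On this page's own snippet the linter reports only the single-curve and X-Xss-Protection points; the legacy sample trips seven checks. It reads one file at a time and does not follow include directives, so run it on the snippet that actually holds the ssl_ directives.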

See also: Analyze your website's TTFB (time to first byte).

Posted: June 30th, 2018
Last Updated: June 14, 2021
