Performance Tweaking nginx For Static Files Over SSL

A few small changes to your nginx.conf can increase your SSL performance. Enabling the session cache and extending its timeout will allow reuse of the secure connection without having to renegotiate the key exchange. Increasing the keepalive will allow the workers to serve more requests before being restarted. Disabling the EDH cipher suites will significantly reduce the connection time. Thanks to Mike for pointing out in the comments that by disabling the Ephemeral Diffie-Hellman cipher you gain speed but lose perfect forward secrecy. In my particular case of serving static assets this was an acceptable trade-off.

http {
        keepalive_timeout 65;

        # cache TLS sessions so returning clients skip the full key exchange
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        # drop ephemeral DH (kEDH) and anonymous DH (ADH) key exchange;
        # OpenSSL cipher-string entries are separated by colons
        ssl_ciphers ALL:!kEDH:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        # ...
}
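To make the trade-off above visible before a config is deployed, here is a small checker (an added example, not part of the original post) that reads the ssl_* directives out of an nginx.conf fragment and reports which forward-secret cipher classes the ssl_ciphers string excludes, which weak classes "ALL" still leaves enabled, and whether the session cache and timeout are set. The sample config is constructed from the block above; the keyword names are OpenSSL's documented cipher-string keywords.

```python
import re
from typing import Dict, List

# Constructed sample: the http-level TLS settings from the post, with the
# cipher-string typo fixed (a colon between !kEDH and !ADH).
SAMPLE_CONF = """
http {
        keepalive_timeout 65;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers ALL:!kEDH:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
}
"""

# directive name followed by its value up to the terminating semicolon
DIRECTIVE_RE = re.compile(r"\b(ssl_\w+|keepalive_timeout)\s+([^;]+);")

# OpenSSL cipher-string keywords whose suites give forward secrecy
# (ephemeral DH or ECDH key exchange); excluding them with "!" drops it.
PFS_KEYWORDS = {"kEDH", "EDH", "DHE", "kEECDH", "EECDH", "ECDHE"}
# Weak classes that "ALL" keeps in the list unless explicitly excluded.
WEAK_KEYWORDS = {"EXP", "LOW", "RC4"}

def parse_directives(conf: str) -> Dict[str, str]:
    """Map each TLS-related directive to its (last) value."""
    return {m.group(1): m.group(2).strip() for m in DIRECTIVE_RE.finditer(conf)}

def cipher_tokens(cipher_string: str) -> List[str]:
    """Split an OpenSSL cipher string on its separators (':', ',', ' ')."""
    return [t for t in re.split(r"[:, ]+", cipher_string) if t]

def review_tls_config(conf: str) -> List[str]:
    """Return plain-text findings about the trade-offs the post describes."""
    d = parse_directives(conf)
    findings = []
    tokens = cipher_tokens(d.get("ssl_ciphers", ""))
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    for kw in sorted(excluded & PFS_KEYWORDS):
        findings.append(f"!{kw} excludes forward-secret suites")
    if "ALL" in tokens:
        for kw in sorted(WEAK_KEYWORDS - excluded):
            findings.append(f"ALL keeps {kw} suites enabled")
    if "ssl_session_cache" not in d:
        findings.append("no ssl_session_cache: every connection does a full handshake")
    if "ssl_session_timeout" not in d:
        findings.append("no ssl_session_timeout: cached sessions expire after the 5m default")
    return findings

if __name__ == "__main__":
    for line in review_tls_config(SAMPLE_CONF):
        print(line)
```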

If you want to examine which ciphers are being used on an SSL connection you can use this openssl command:

openssl s_client -host HOSTNAME -port 443

Then in your server block of your nginx config you can set cache control headers far in the future for your image assets.

server {
        listen x.x.x.x:443 ssl;
        server_name  images.example.com;
 
        root /var/www/example.com/images;
 
        index index.html;
 
        location ~* \.(?:ico|gif|jpe?g|png)$ {
                expires max;
                add_header Pragma public;
                add_header Cache-Control "public";
        }
}

Author: Matt Drollette

I am a software developer in Dallas, TX.

2 Comments

  1. Maybe it’s worth a mention that by disabling DH you’re throwing away forward secrecy?
    I’m totally blowing this out of proportion here, but going that way, you can just disable all TLS and send stuff in plaintext – these algos are actually preferred for a reason.
