Nginx tuning tips: TLS/SSL HTTPS – Improved TTFB/latency

As of 30th June 2018, the PCI Security Standards Council requires that support for SSL 3.0 and TLS 1.0 be disabled. TLS 1.1 or higher must be used and TLS 1.2 is strongly recommended. In addition, starting this July, Google Chrome will begin to mark HTTP web sites as “not secure”. Over the past few years, the internet has swiftly been transitioning to HTTPS, with over 70% of Chrome’s traffic and 81 of the web’s top 100 sites now using HTTPS by default. Let’s look at Nginx tuning tips to help improve the performance of Nginx w/ HTTPS for better TTFB and reduced latency.

 

Enable HTTP/2

The first step in tuning Nginx for faster ttfb/latency with https is to make sure HTTP/2 is enabled. HTTP/2 was first implemented in Nginx version 1.9.5 to replace spdy. Enabling the HTTP/2 module on Nginx is simple. We just need to add the word http2 in the server block of our Nginx config file (ex. /etc/nginx/sites-enabled/sitename). (Note: HTTP/2 requires https)

Look for this line:

listen 443 ssl;

modify line to:

listen 443 ssl http2;

Thats it! Now to confirm this works:

> open your website in Google Chrome
> right click anywhere on the web page and select Inspect
> click the Network tab
> press F5 (on your keyboard) or refresh your web page manually
> the Protocol column should now show H2 for all assets loaded via your Nginx server
> If the Protocol column is missing, you can add it using right-click.

 

Nginx tuning: Chrome http2 check h2

Test from your Linux/Mac command line with curl:
(Don’t forget to also curl test using cdn.domain.com. KeyCDN and others support HTTP/2)

curl --http2 -I https://domain.com/

 

Enable SSL session cache

With HTTPS connections, instead of end-users connecting via one round trip (request sent, then server responds), the connection needs an extra handshake. However, using HTTP/2 and enabling Nginx ssl_session_cache will ensure faster HTTPS performance for initial connections and faster-than-http page loads.

By using the option ssl_session_cache shared:SSL:[size] you can configure Nginx to share cache between all worker processes. One megabyte can store about 4000 sessions. You’ll also want to specify the time during (cache TTL) allowed for reuse:

ssl_session_cache shared:SSL:1m; # holds approx 4000 sessions
ssl_session_timeout 1h; # 1 hour during which sessions can be re-used.

 

Disable SSL session tickets

Because proper rotation of session ticket encryption key is not yet implemented in Nginx, you should turn this off for now.

ssl_session_tickets off;

 

Disable TLS version 1.0

As we’ve discussed in the opening, HTTPS and HTTP/2 are a move towards the latest, fast and most secure web technology. In light of this,  TLS 1.0 should be disabled.

Look for:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

modify line to:

ssl_protocols TLSv1.1 TLSv1.2;

 

Enable OCSP Stapling

OCSP (Online Certificate Status Protocol) stapling, is an alternative approach to the OCSP for checking the revocation status of X.509 certificates. Enabling OCSP stapling allows the Nginx to bear the resource cost involved in providing OCSP responses by appending (“stapling”) a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA. Also see: Using OCSP Stapling to Improve Response Time and Privacy.

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/full_chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

Note: ssl_trusted_certificate specifies the trusted CA certificates chain file, in PEM format, used to verify client certificates and OCSP responses.

 

Reduce ssl buffer size

The Nginx ssl_buffer_size config option sets the size of the buffer used for sending data via HTTPS. By default, the buffer is set to 16k, which is a one-size-fits-all approach geared toward big responses. However, to minimize TTFB (Time To First Byte) it is often better to use a smaller value, for example:
(I was able to shave about 30 – 50ms off TTFB. Your mileage may vary.)

ssl_buffer_size 4k;

Full Nginx SSL_ config for improved TTFB

Nginx tuning: https tls conf

Above is my tuned Nginx ssl config. Pasted below for convenience:

ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_ecdh_curve secp384r1; # see here and here (pg. 485)
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 24h;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/your/CA/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_buffer_size 4k; # I've since found 8k works best for this blog. (test!!) Default = 16k

Remember to test, then reload Nginx config after changes:

nginx -t
nginx -s reload

Enable HTTP Strict Transport Security (HSTS)

Another Nginx https tip, is to enable hsts preload. HTTP Strict Transport Security (HSTS) is a header which allows a web server to declare a policy that browsers will only connect to using secure HTTPS connections, and ensures end users do not “click through” critical security warnings. (locks clients to https) This policy enforcement protects secure websites from downgrade attacks, SSL stripping, and cookie hijacking. Aso see: https://hstspreload.org/#submission-requirements

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

Other headers I use in my Nginx config for this blog are:

add_header X-Frame-Options sameorigin; # read here
add_header X-Content-Type-Options nosniff; # read here
add_header X-Xss-Protection "1; mode=block"; #read here

 

Reference:

Tags: , , , ,