# ----------------------------------------------------------------------
# | SSL engine                                                         |
# ----------------------------------------------------------------------

# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
#
# A 1Mb cache can hold about 4000 sessions, so we can hold 40000 sessions
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;

# SSL buffer size
# 1400 bytes to fit in one MTU
# ssl_buffer_size 1400;

# Session tickets
#
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;

# Use a higher keepalive timeout to reduce the need for repeated handshakes
# Default: 75s
keepalive_timeout 300s;