# ---------------------------------------------------------------------- # | SSL engine | # ---------------------------------------------------------------------- # (1) Optimize SSL by caching session parameters for 10 minutes. # This cuts down on the number of expensive SSL handshakes. # By enabling a cache, we tell the client to re-use the already # negotiated state. # A 1Mb cache can hold about 4000 sessions, so we can hold 40000 sessions. # # (2) Use a higher keepalive timeout to reduce the need for repeated handshakes # (!) Shouldn't be done unless you serve primarily HTTPS. # Default is 75s # # (3) SSL buffer size # Set 1400 bytes to fit in one MTU. # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size # # (4) Disable session tickets # Session tickets keys are not auto-rotated. Only a HUP / restart will do # so and when a restart is performed the previous key is lost, which resets # all previous sessions. # Only enable session tickets if you set up a manual rotation mechanism. # https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets # # (5) Basic security improvements # (1) ssl_session_cache shared:SSL:10m; ssl_session_timeout 24h; # (2) keepalive_timeout 300s; # (3) # ssl_buffer_size 1400; # (4) ssl_session_tickets off; # (5) ssl_prefer_server_ciphers on;