32 lines
1.5 KiB
Nginx Configuration File
32 lines
1.5 KiB
Nginx Configuration File
# ----------------------------------------------------------------------
|
|
# | SSL engine |
|
|
# ----------------------------------------------------------------------
|
|
|
|
# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
|
|
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
|
|
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
|
|
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
|
|
#
|
|
# A 1Mb cache can hold about 4000 sessions, so we can hold 40000 sessions
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 24h;
|
|
|
|
# SSL buffer size
|
|
# 1400 bytes to fit in one MTU
|
|
# ssl_buffer_size 1400;
|
|
|
|
# Session tickets
|
|
#
|
|
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
|
|
# when a restart is performed the previous key is lost, which resets all previous
|
|
# sessions. The fix for this is to setup a manual rotation mechanism:
|
|
# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
|
|
#
|
|
# Note that you'll have to define and rotate the keys securely by yourself. In absence
|
|
# of such infrastructure, consider turning off session tickets:
|
|
ssl_session_tickets off;
|
|
|
|
# Use a higher keepalive timeout to reduce the need for repeated handshakes
|
|
# Default: 75s
|
|
keepalive_timeout 300s;
|