Boost Site Performance: HTTPS Optimization with Nginx, HTTP/2, TLS 1.3 & Brotli

This guide explains how to improve website security and speed by configuring Nginx for HTTPS, adopting HTTP/2, enabling TLS 1.3, using Brotli compression, and deploying ECC certificates, while also covering version requirements, compilation steps, and verification methods.


Preface

This article shares an HTTPS optimization case. Browsers now label plain-HTTP pages as "Not secure", iOS App Transport Security (ATS) requires HTTPS, WeChat and Alipay mini-programs only allow HTTPS endpoints, and compliance regimes such as China's graded protection scheme (MLPS) also demand encrypted transmission.

Although HTTPS improves the user experience and prevents hijacking (injected ads, tampered content), many site owners see slower page loads, higher server load, and outages from expired certificates after enabling it.

This article explores practical HTTPS optimization techniques.

Server Selection

Web servers such as Apache, Lighttpd, and Caddy can all serve HTTPS, but Nginx has the richer ecosystem and the faster release cadence. It underpins many large-scale deployments (Alibaba's Tengine, Cloudflare's cloudflare-nginx, and OpenResty, on which Upyun builds its platform) and benefits from a large body of third-party modules.

New Features

HTTP/2

Compared with HTTP/1.x, HTTP/2 introduces major transport improvements:

A single connection per origin, multiplexing all requests, removes the cost of opening the six or so parallel connections HTTP/1.x browsers use; the saving is largest with TLS, where each connection also pays a handshake.

Only one TLS handshake is needed per origin; after that, requests and responses are interleaved as frames on that one connection.

Because the TLS cost is paid once per connection instead of once per request, HTTP/2 removes most of the performance argument against TLS, and in practice browsers only negotiate HTTP/2 over TLS (via ALPN), so the two are adopted together.

In Akamai's HTTP/2 demo, a page of 300 small images loaded in under 1 s over HTTP/2 versus 14.8 s over HTTP/1.x, where each image is a separate request paying connection and head-of-line-blocking costs.

HTTP/2 is supported by all modern browsers, but only over TLS and only when the server negotiates it via ALPN. Nginx ≥ 1.9.5 provides the http_v2 module (the latest stable version is recommended), and OpenSSL ≥ 1.0.2 is required because earlier releases offer only NPN, which browsers such as Chrome no longer accept for h2.

TLS 1.3

TLS 1.3, standardized in RFC 8446 (August 2018), supersedes TLS 1.2. A full handshake completes in one round trip instead of two, 0-RTT lets a resuming client send application data in its first flight, everything after the ServerHello is encrypted, session resumption is based on pre-shared keys (PSK), and every key exchange is forward-secure ((EC)DHE, alone or combined with a PSK). RSA key exchange, static DH, CBC-mode and other non-AEAD ciphers, RC4 and renegotiation are gone; only AEAD suites (AES-GCM, AES-CCM, ChaCha20-Poly1305) remain.

OpenSSL 1.1.1 (September 2018) is the first release with TLS 1.3 support. Nginx 1.13.0 added the TLSv1.3 value for ssl_protocols, and the ssl_early_data directive for 0-RTT arrived in Nginx 1.15.3.

Brotli

Brotli, released by Google in September 2015, is a lossless compression algorithm that beats gzip by roughly 17-25 % on typical web assets (HTML, CSS, JavaScript); at its lowest setting (level 1) it compresses faster than gzip while still achieving a better ratio than gzip -9.

Browsers only advertise br in Accept-Encoding on HTTPS connections (intercepting proxies have a history of mangling unknown encodings on plain HTTP), so Brotli is effectively HTTPS-only. Enabling it in Nginx requires building in Google's ngx_brotli module; keep gzip enabled as a fallback for clients that do not send br.

ECC Certificate

Elliptic Curve Cryptography (ECC) provides public-key operations with much shorter keys (a 256-bit ECC key is rated equivalent to 3072-bit RSA) and faster signing, which is the operation the server performs on every full TLS handshake. ECC certificates (ECDSA) are smaller than RSA ones, so less data crosses the wire during the handshake, and paired with ECDHE key exchange they give the best combination of forward secrecy and speed available in TLS 1.2.

ECC certificates can replace RSA in HTTPS, SSH, and SMTP TLS, but not every CA or certificate product issues them; check the CA's offering (commercial "enhanced" products usually do, and some free CAs issue ECDSA certificates as well). Older clients (Windows XP, old Android releases) cannot validate ECDSA certificates, so serving both an ECC and an RSA certificate (a dual-certificate setup) is the usual compromise.
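As an added example (not from the original article), the following script generates a P-256 ECC key and a 3072-bit RSA key, a CSR for each to submit to a CA, and a throwaway self-signed certificate for each so the size difference the section describes can be measured locally. The subject name, output directory and the choice of P-256 are assumptions; the self-signed certificates are for local testing only.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: generate an ECC (P-256)
# and an RSA (3072-bit, the equivalent-strength size) key, a CSR for each,
# and a self-signed test certificate for each. Paths and subject are
# placeholders; the self-signed certs are never for production use.
set -eu

# Create ecc.key/rsa.key, ecc.csr/rsa.csr and ecc.crt/rsa.crt in $dir.
make_keypairs() {
    local dir=$1 subj=${2:-/CN=example.com} t
    mkdir -p "$dir"
    # ECC: P-256 (prime256v1), the curve every TLS client supports.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/ecc.key" 2>/dev/null
    # RSA: 3072 bits, roughly the same security level as P-256.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$dir/rsa.key" 2>/dev/null
    chmod 600 "$dir"/*.key
    for t in ecc rsa; do
        # CSR: what you actually send to the CA (public key + subject).
        openssl req -new -key "$dir/$t.key" -subj "$subj" -out "$dir/$t.csr"
        # Self-signed certificate, valid one day, for local size comparison.
        openssl req -x509 -new -key "$dir/$t.key" -subj "$subj" -days 1 \
            -out "$dir/$t.crt"
    done
}

# Public-key algorithm recorded in a certificate:
# "id-ecPublicKey" for ECC, "rsaEncryption" for RSA.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1
}

# Size of the certificate in DER form, i.e. the bytes sent in the handshake.
cert_der_size() {
    openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '
}

# Usage: ./gen_keys.sh /tmp/certs '/CN=example.com'
if [ "${1:-}" ]; then
    make_keypairs "$1" "${2:-/CN=example.com}"
    for t in ecc rsa; do
        printf '%s: %s, %s bytes DER\n' "$t" \
            "$(cert_key_algorithm "$1/$t.crt")" "$(cert_der_size "$1/$t.crt")"
    done
fi
```

The DER sizes printed at the end are what the handshake transmits; with the same subject and validity the ECC certificate comes out at roughly half the size of the RSA one, which is the transfer saving the section refers to.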

Installation

Requirements for the new features:

HTTP/2: Nginx ≥ 1.9.5, OpenSSL ≥ 1.0.2

TLS 1.3: Nginx ≥ 1.13, OpenSSL ≥ 1.1.1

Brotli: HTTPS enabled, ngx_brotli module added to Nginx

ECC dual-certificate: Nginx ≥ 1.11.0 (multiple ssl_certificate directives); ≥ 1.15 recommended so that TLS 1.3 and 0-RTT are available in the same build

Download the latest Nginx, OpenSSL, and ngx_brotli releases from their official sites and verify the published signatures or checksums before building. ngx_brotli ships the brotli library as a git submodule, which must be initialised before running configure.

Compilation

Compile Nginx with the required modules (e.g., --with-http_v2_module, --with-openssl=../openssl-1.1.1, --add-module=../ngx_brotli). A --with-openssl path builds that OpenSSL tree and links it statically, so the resulting binary does not depend on (or get updates from) the system OpenSSL; plan to rebuild on OpenSSL security releases. Detailed steps are omitted for brevity.

Configuration

In the server block, add: listen 443 ssl http2; so that HTTPS connections can negotiate HTTP/2 via ALPN. Restrict ssl_protocols to TLS 1.2 and 1.3, dropping TLS 1.0/1.1 and the 3DES/CBC suites unless a legacy client still needs them, and prefer ECDHE AEAD suites; the TLS 1.3 suites are selected by OpenSSL and are not listed in ssl_ciphers. Optionally turn on ssl_early_data on; (Nginx ≥ 1.15.3) for 0-RTT, bearing in mind that early data can be replayed by an attacker: only idempotent requests should be accepted in it, and backends can tell the two apart through the Early-Data header Nginx can forward from the $ssl_early_data variable.

For Brotli, add: brotli on; (ngx_brotli also provides brotli_types to choose which MIME types are compressed, brotli_comp_level, and brotli_static for serving pre-compressed .br files). For dual ECC/RSA certificates, list both certificate/key pairs; Nginx (≥ 1.11.0) picks the one whose signature algorithm the client advertises:

ssl_certificate /path/to/ecc.crt;
ssl_certificate_key /path/to/ecc.key;
ssl_certificate /path/to/rsa.crt;
ssl_certificate_key /path/to/rsa.key;
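The following server block, added here as a worked example rather than taken from the original article, puts the Configuration steps above together in one place: HTTP/2, TLS 1.2 + 1.3 with ECDHE AEAD suites only, dual ECC/RSA certificates, guarded 0-RTT, OCSP stapling and Brotli with a gzip fallback. Hostname, certificate paths, document root and the resolver address are placeholders; the OCSP and gzip parts are additions beyond what the article lists.

```nginx
# Added example, not the article's own configuration. Replace example.com,
# the certificate paths, the resolver address and the root directory.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    # Dual certificates (nginx >= 1.11.0): ECDSA for modern clients,
    # RSA for clients that cannot validate ECDSA. nginx picks per handshake.
    ssl_certificate     /etc/nginx/ssl/ecc.crt;
    ssl_certificate_key /etc/nginx/ssl/ecc.key;
    ssl_certificate     /etc/nginx/ssl/rsa.crt;
    ssl_certificate_key /etc/nginx/ssl/rsa.key;

    # No TLS 1.0/1.1. TLS 1.2 stays for clients without 1.3 support.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: ECDHE only (forward secrecy), AEAD only; no RSA key
    # exchange, no CBC, no 3DES. TLS 1.3 suites are not configured here:
    # OpenSSL 1.1.1 enables its AES-GCM and ChaCha20 suites by default.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:P-256:P-384;

    # Resumption through a shared cache. Stateless tickets are off because
    # nginx's default ticket key is only regenerated on restart, which
    # weakens forward secrecy for resumed sessions; with OpenSSL 1.1.1,
    # TLS 1.3 resumption then uses stateful tickets backed by this cache.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # 0-RTT (nginx >= 1.15.3). Early data is replayable, so only enable it
    # when requests carried in it are idempotent, and forward the flag so
    # upstreams can reject anything state-changing that arrived early.
    ssl_early_data on;
    proxy_set_header Early-Data $ssl_early_data;

    # OCSP stapling saves the client its own OCSP round trip.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    resolver 127.0.0.53 valid=300s;

    # Brotli (ngx_brotli): on-the-fly compression for text types, and
    # pre-compressed .br files served directly when they exist.
    brotli on;
    brotli_comp_level 6;
    brotli_static on;
    brotli_types text/plain text/css application/javascript application/json image/svg+xml application/xml;

    # gzip stays on for clients that do not send "br" in Accept-Encoding.
    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/svg+xml application/xml;

    root /var/www/example.com;
    index index.html;
}
```

Run nginx -t after editing and watch for ssl_early_data or TLSv1.3 being rejected: either message means the binary was built against an OpenSSL older than 1.1.1 or an Nginx older than 1.15.3, which is the quickest check that the compilation step actually picked up the intended OpenSSL tree.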

Verification

Use browser developer tools:

Network tab → Protocol shows h2 for HTTP/2.

Security tab → Connection shows TLS 1.3.

Network tab → a request header accept-encoding: br only shows that the browser offers Brotli; the response header content-encoding: br is what confirms the server actually used it.
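Browser developer tools only show what one browser negotiated. The script below, added here as an example and not part of the original article, performs the same three checks from the command line with openssl s_client and curl, and additionally confirms that the dual-certificate setup hands an ECDSA certificate to ECDSA-capable clients and an RSA certificate to RSA-only ones. The host and path are arguments; the parse_* helpers are plain text filters, and the sample s_client and curl output embedded at the end is constructed so they can be exercised without a network.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: command-line checks for
# HTTP/2 (ALPN), the negotiated TLS version, which certificate each client
# type receives, and Brotli. Host and path are script arguments; the
# parse_* helpers are pure text filters, tested on constructed output below.
set -u

# Raw `openssl s_client` output for a host; "-alpn h2" asks for HTTP/2.
# Extra s_client options (e.g. -tls1_2 -cipher ...) are passed through.
tls_probe() {
    local host=$1; shift
    openssl s_client -connect "$host:443" -servername "$host" -alpn h2 "$@" \
        </dev/null 2>/dev/null
}

# "TLSv1.3", "TLSv1.2", ... from the "Protocol  : ..." line of SSL-Session.
parse_tls_version() { sed -n 's/^ *Protocol *: *//p' | head -n1; }

# "h2" when HTTP/2 was negotiated; empty when s_client says "No ALPN negotiated".
parse_alpn() { sed -n 's/^ALPN protocol: *//p' | head -n1; }

# Public-key algorithm of the leaf certificate in s_client output:
# "id-ecPublicKey" for an ECC certificate, "rsaEncryption" for RSA.
parse_cert_key_algorithm() {
    openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1
}

# Content-Encoding of an HTTP response (headers on stdin); "br" means Brotli.
parse_content_encoding() {
    tr -d '\r' | sed -n 's/^[Cc]ontent-[Ee]ncoding: *//p' | head -n1
}

check_site() {
    local host=$1 path=${2:-/} out
    out=$(tls_probe "$host")
    echo "TLS version : $(printf '%s\n' "$out" | parse_tls_version)"
    echo "ALPN        : $(printf '%s\n' "$out" | parse_alpn)"
    # Dual certificates: offer only an ECDSA suite, then only an RSA suite
    # (TLS 1.2, where the suite name pins the certificate type), and see
    # which certificate the server hands to each kind of client.
    echo "ECDSA client: $(tls_probe "$host" -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 | parse_cert_key_algorithm)"
    echo "RSA client  : $(tls_probe "$host" -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 | parse_cert_key_algorithm)"
    # A GET with the body discarded, not a HEAD: nginx skips compression for
    # header-only responses, so "curl -I" would never show Content-Encoding.
    echo "Encoding    : $(curl -sS -o /dev/null -D - --http2 -H 'Accept-Encoding: br' "https://$host$path" | parse_content_encoding)"
}

# Constructed sample output (abridged s_client and curl -D output) used to
# exercise the parsers offline; selftest returns 0 when they all agree.
SAMPLE_SCLIENT='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
ALPN protocol: h2
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_HEADERS=$(printf 'HTTP/2 200 \r\nserver: nginx\r\ncontent-encoding: br\r\nvary: Accept-Encoding\r\n')

selftest() {
    [ "$(printf '%s\n' "$SAMPLE_SCLIENT" | parse_tls_version)" = "TLSv1.3" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_SCLIENT" | parse_alpn)" = "h2" ] || return 1
    [ -z "$(printf 'No ALPN negotiated\n' | parse_alpn)" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_HEADERS" | parse_content_encoding)" = "br" ] || return 1
    return 0
}

# Usage: ./check_https.sh example.com /index.html
if [ "${1:-}" ]; then check_site "$@"; fi
```

An empty "ECDSA client" or "RSA client" line means the server had no certificate matching that client's cipher list and the handshake failed, which is exactly what a legacy RSA-only client would experience if the dual-certificate setup were incomplete.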

Conclusion

Applying the above measures can substantially improve HTTPS performance, often making the HTTPS site faster than its plain-HTTP predecessor. The approach suits a single server or a small cluster where Nginx terminates TLS itself. When a cloud L4/L7 service (SLB, WAF, CDN) sits in front and terminates TLS, the protocol, cipher and compression settings that matter are the ones on that service, not on the origin Nginx; such services usually provide hardware-accelerated TLS offloading, which reduces ECS (origin instance) load while keeping broad client compatibility, but their TLS 1.3, HTTP/2 and Brotli support then has to be checked separately.

Author: 妙正灰 Source: 云栖社区