Cut Nginx HTTPS Latency by 30%: Practical TLS Tuning Guide

Why Optimize Nginx HTTPS Latency

Nginx is commonly used as a load balancer, reverse proxy, and gateway. A well‑configured Nginx instance can handle 50K‑80K requests per second while keeping CPU load manageable. For instant‑search experiences, each request must return within 100‑200 ms, making request latency the primary optimization target.

TLS Handshake and Latency

Reducing round‑trips between client and server is key to lowering latency. A typical HTTPS handshake may involve three round‑trips, adding up to hundreds of milliseconds, especially over long distances or unstable networks. Understanding this context helps identify effective TLS optimizations.

Nginx TLS Settings

Enable HTTP/2

HTTP/2 reduces latency by allowing multiple parallel requests over a single connection. To enable it, add the http2 flag to the listen directive:

listen 443 ssl;<br># change to<br>listen 443 ssl http2;

Clients that do not support HTTP/2 automatically fall back to HTTP/1.1.

Verify HTTP/2 Is Enabled

In Chrome DevTools, check the Protocol column for h2. Alternatively, use curl:

curl --http2 -I https://kalasearch.cn

Adjust Cipher Preference

Prefer modern, fast ciphers to reduce handshake time:

# enable custom cipher list<br>ssl_prefer_server_ciphers on;<br>ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Enable OCSP Stapling

OCSP stapling avoids an extra network call to the certificate authority, which can add seconds of delay, especially for Let's Encrypt certificates. Enable it with:

ssl_stapling on;<br>ssl_stapling_verify on;<br>ssl_trusted_certificate /path/to/full_chain.pem;

Check status with:

openssl s_client -connect test.kalasearch.cn:443 -servername kalasearch.cn -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"

Adjust ssl_buffer_size

Smaller buffers reduce latency for small responses. For web or API services, a value around 4k is recommended:

ssl_buffer_size 4k;

Enable SSL Session Cache

Caching SSL sessions cuts repeated handshakes. A 50 MB cache with a 4‑hour timeout is sufficient for thousands of concurrent connections:

# Enable SSL cache to speed up repeat visitors<br>ssl_session_cache shared:SSL:50m;<br>ssl_session_timeout 4h;

Case Study: Kalasearch Reduces Latency by ~30%

Kalasearch, a Chinese Algolia‑like service, aims for sub‑200 ms end‑to‑end search. After measuring that TLS processing in Nginx consumed >300 ms, the team applied the above settings. Average SSL handshake time dropped from ~140 ms to ~110 ms nationwide, and the first‑visit slowdown on iOS devices disappeared.

Overall search latency across the country fell to around 150 ms.

Conclusion

Optimizing Nginx TLS settings—enabling HTTP/2, selecting fast ciphers, using OCSP stapling, tuning buffer sizes, and caching sessions—can dramatically reduce HTTPS request latency, delivering a smoother instant‑search experience.