High‑Performance Nginx HTTPS TLS Tuning to Reduce Request Latency by 30%
This article explains why reducing Nginx HTTPS latency is crucial for instant‑search services, describes how TLS handshakes add round‑trips, and provides concrete Nginx configuration tweaks—including enabling HTTP/2, optimizing cipher suites, activating OCSP stapling, adjusting ssl_buffer_size and SSL session cache—that together cut end‑to‑end request latency by roughly 30%.
Nginx is commonly used as a load balancer, reverse proxy, and gateway, and a well‑tuned instance can handle 50K‑80K requests per second while keeping CPU load manageable. For instant‑search services like Kalasearch, each search request must return within 100‑200 ms, making request latency the primary optimization target.
The article first outlines how TLS handshakes and certificate verification introduce multiple round‑trips, which can add hundreds of milliseconds to the overall latency, especially on slower networks or with Let's Encrypt certificates.
TLS Handshake and Latency
Understanding that each TLS handshake may involve three round‑trips (≈28 ms each) helps explain why users can experience 200 ms+ delays before any data is transferred.
Nginx TLS Settings
Several configuration changes are recommended to minimise these delays:
Enable HTTP/2
HTTP/2 multiplexes parallel requests over a single connection, so clients no longer open (and TLS-handshake) several connections per page, which cuts latency dramatically. Enabling it in Nginx is as simple as adding the http2 flag to the listen directive:
listen 443 ssl;
# change to
listen 443 ssl http2;
Clients that do not support HTTP/2 automatically fall back to HTTP/1.1.
Adjust Cipher Preference
Prefer modern, fast ciphers to reduce handshake time:
# enable modern cipher list
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
Enable OCSP Stapling
OCSP stapling avoids an extra network request to the certificate authority, which can otherwise add seconds of delay, especially on iOS devices. Enable it with:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/full_chain.pem;
Verification can be done via:
openssl s_client -connect test.kalasearch.cn:443 -servername kalasearch.cn -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
Adjust ssl_buffer_size
Smaller buffer sizes (e.g., 4k) can lower TLS latency for REST APIs, though larger buffers may be better for big file transfers:
ssl_buffer_size 4k;
Enable SSL Session Cache
Caching SSL sessions reduces repeated handshakes. A 50 MB shared cache can store ~4000 connections with a 4‑hour timeout:
# Enable SSL session cache
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 4h;
Results
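As an added example (not code from the article or from Kalasearch), the following Python checker audits an Nginx server block for the settings tuned above and reports which are missing or weak; the BEFORE/AFTER configs are constructed samples and /path/to/full_chain.pem is a placeholder path.

```python
import re

# A directive is a lowercase name followed by values up to ';'. Braces are excluded
# from the value class, so block openers such as "server {" never match.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_0-9]+)\s+([^;{}]*?)\s*;", re.MULTILINE)

# (directive, regex that at least one of its values must match, finding when it does not)
CHECKS = [
    ("listen", r"\bssl\b.*\bhttp2\b", "HTTP/2 not enabled on the TLS listener"),
    ("ssl_prefer_server_ciphers", r"^on$", "ssl_prefer_server_ciphers is not on"),
    ("ssl_ciphers", r"AESGCM", "ssl_ciphers does not include AES-GCM suites"),
    ("ssl_stapling", r"^on$", "OCSP stapling is off"),
    ("ssl_trusted_certificate", r".", "no ssl_trusted_certificate (needed for ssl_stapling_verify)"),
    ("ssl_session_cache", r"^shared:", "no shared SSL session cache (full handshake per connection)"),
    ("ssl_session_timeout", r".", "ssl_session_timeout not set (Nginx default is 5m)"),
    ("ssl_buffer_size", r"^\d+k?$", "ssl_buffer_size not set (Nginx default is 16k)"),
]


def parse_directives(config: str) -> dict:
    """Map directive name -> list of values, with comments and surrounding quotes stripped."""
    stripped = re.sub(r"#.*", "", config)
    found = {}
    for name, value in DIRECTIVE_RE.findall(stripped):
        found.setdefault(name, []).append(value.strip("'\""))
    return found


def audit_tls_config(config: str) -> list:
    """Return one finding per untuned setting; an empty list means every check passed."""
    d = parse_directives(config)
    return [finding for name, pattern, finding in CHECKS
            if not any(re.search(pattern, v) for v in d.get(name, []))]


# Constructed sample configs: an untuned block and one tuned as described in the article.
BEFORE = """server {
    listen 443 ssl;  # HTTP/1.1 only, no stapling, no session cache
}"""
AFTER = """server {
    listen 443 ssl http2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/full_chain.pem;
    ssl_buffer_size 4k;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 4h;
}"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_tls_config(cfg) or ["all checks passed"])
```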
After applying these tweaks, Kalasearch observed a reduction of average SSL handshake time from ~140 ms to ~110 ms nationwide, and the overall end‑to‑end search latency dropped to around 150 ms, meeting the 100‑200 ms budget.
Conclusion
Optimising Nginx TLS settings has a substantial impact on HTTPS service latency. The article summarises the most effective parameters, their expected effects, and provides concrete configuration examples for practitioners seeking to improve response times.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.