How to Cut Nginx HTTPS Latency by 30%: Proven TLS Tuning Tips

Why Optimize Nginx HTTPS Latency

Nginx is commonly used as a load balancer, reverse proxy, and gateway. A well‑tuned Nginx instance can handle 50K‑80K requests per second while keeping CPU load manageable. For instant‑search experiences, each request must return to the user within 100‑200 ms, making latency reduction the top priority.

TLS Handshake and Latency

Network latency is largely caused by round‑trips between client and server. A TLS handshake can add multiple round‑trips; for example, three round‑trips at 28 ms each already consume 224 ms before any data is transferred. Reducing these round‑trips is essential for low‑latency services.

Nginx TLS Settings

Enable HTTP/2

HTTP/2 multiplexes many requests over a single connection, dramatically reducing round‑trips compared to HTTP/1.1. Enabling it in Nginx is as simple as adding the http2 flag:

listen 443 ssl;<br/># change to<br/>listen 443 ssl http2;

Clients that do not support HTTP/2 automatically fall back to HTTP/1.1.

Verify HTTP/2 Is Enabled

In Chrome DevTools, check the Protocol column; a value of h2 indicates HTTP/2. You can also use curl --http2 -I https://yourdomain.com and look for HTTP/2 in the response.

➜  ~ curl --http2 -I https://kalasearch.cn<br/>HTTP/2 403<br/>server: Tengine<br/>...

Adjust Cipher Preference

Prefer modern, fast ciphers to reduce handshake time:

# enable a custom cipher list<br/>ssl_prefer_server_ciphers on;<br/>ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Enable OCSP Stapling

OCSP stapling eliminates an extra round‑trip for certificate validation, which can be especially slow with Let's Encrypt on some networks. Enable it with:

ssl_stapling on;<br/>ssl_stapling_verify on;<br/>ssl_trusted_certificate /path/to/full_chain.pem;

Verify it with:

openssl s_client -connect test.kalasearch.cn:443 -servername kalasearch.cn -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"

Tune ssl_buffer_size

Smaller buffer sizes reduce latency for typical API responses. A value of 4k is a good starting point:

ssl_buffer_size 4k;

Enable SSL Session Cache

Caching SSL sessions avoids repeated handshakes. A 50 MB shared cache with a 4‑hour timeout is sufficient for thousands of concurrent connections:

# Enable SSL cache to speed up repeat visits<br/>ssl_session_cache   shared:SSL:50m;<br/>ssl_session_timeout 4h;

Kalasearch Case Study: Reducing Latency by ~30%

Kalasearch, a domestic Algolia‑like service, requires sub‑200 ms end‑to‑end response times. After measuring, TLS processing in Nginx consumed over 300 ms on some devices, especially iOS with Let's Encrypt certificates. Applying the above TLS tweaks reduced average SSL time from ~140 ms to ~110 ms nationwide, eliminated the first‑visit slowdown on Apple devices, and brought overall search latency down to around 150 ms.

Conclusion

Optimizing Nginx TLS settings has a substantial impact on HTTPS service latency. The article covered relevant Nginx directives, their latency implications, and practical recommendations. Future posts will compare HTTP/2 with HTTP/1.x in more detail and discuss its pros and cons for REST APIs.