Mastering HTTP/2, TLS 1.3, ECC & Brotli: Boost Your Nginx Performance
This article explains the key features of HTTP/2—including binary framing, header compression, flow control, multiplexing, request priority, and server push—alongside TLS 1.3 enhancements, ECC advantages, and Brotli compression, and provides practical Nginx configuration steps to leverage all of them for faster, more secure web delivery.
HTTP/2
HTTP/2 (the next‑generation HTTP protocol) was developed by the IETF HTTP‑bis working group as the first major update since HTTP/1.1 in 1999, evolving from SPDY which is now deprecated.
Key HTTP/2 features:
Binary framing
Header compression
Flow control
Multiplexing
Request priority
Server push
Binary Framing
The binary framing layer is the core performance enhancer of HTTP/2. It inserts a binary framing layer between the application layer (HTTP) and the transport layer (TCP) without changing HTTP semantics, methods, status codes, URLs, or header fields.
All transmitted information is split into smaller messages and frames, encoded in binary.
A frame is the smallest unit of HTTP/2 communication, containing a header, stream identifier, priority, and payload.
Common frame types include:
DATA – transports HTTP message bodies
HEADERS – transports header fields
SETTINGS – negotiates client/server configuration (e.g., initial flow‑control window)
WINDOW_UPDATE – adjusts flow‑control windows for streams or the whole connection
PRIORITY – specifies or updates resource priority
RST_STREAM – signals abnormal stream termination
PUSH_PROMISE – server‑push permission
PING – measures round‑trip time and checks liveness
GOAWAY – tells the peer to stop creating new streams on the connection
Flags define specific semantics for each frame type; for example, a DATA frame can set END_STREAM=true to indicate the end of a message.
Header Compression
HTTP/2 uses a header table to track previously sent key‑value pairs, eliminating the need to resend headers on every request/response. The HPACK compression algorithm makes headers more compact and faster to transmit, especially on mobile networks.
Flow Control
HTTP/2 flow control operates per connection and per stream, using WINDOW_UPDATE frames. The receiver announces how many bytes it is willing to accept for each stream and for the whole connection, ensuring that only DATA frames consume flow‑control windows.
Multiplexing
Unlike HTTP/1.1, which limits concurrent requests per domain, HTTP/2 can send multiple requests and responses interleaved over a single TCP connection. Frames from different streams are mixed and reassembled based on stream IDs, eliminating head‑of‑line blocking at the HTTP layer.
Request Priority
Each stream can carry a 31‑bit priority value (0 = highest). Clients can specify priorities (e.g., .css > .js > .jpg) so servers can schedule responses accordingly, improving perceived performance.
Server Push
Server push allows the server to send additional resources (e.g., scripts, stylesheets) before the client explicitly requests them, using PUSH_PROMISE frames followed by DATA frames.
TLS 1.3
TLS (Transport Layer Security) provides privacy and data integrity. TLS 1.3, standardized in RFC 8446, introduces several improvements over earlier versions:
New key‑exchange mechanism (PSK)
0‑RTT data transmission, reducing round‑trips
Removal of insecure algorithms (3DES, RC4, AES‑CBC, SHA‑1, MD5)
Encrypted handshake messages after ServerHello
No compression of encrypted records and no renegotiation
DSA certificates are no longer allowed
These changes cut handshake latency by one RTT and speed up HTTPS connections.
To enable TLS 1.3 in Nginx, compile with OpenSSL 1.1.1 (or newer) and add ssl_protocols TLSv1.3; to the configuration. Use ssl_early_data on; to enable 0‑RTT if desired.
ECC (Elliptic Curve Cryptography)
ECC provides public‑key cryptography based on elliptic‑curve mathematics. ECC certificates (ECDSA) offer higher security per bit than RSA, allowing shorter keys (e.g., 256‑bit ECC ≈ 3072‑bit RSA) which reduces CPU, storage, and bandwidth usage—especially beneficial for mobile devices.
Considerations:
Not all certificate products support ECC; obtaining an ECC certificate often requires a premium offering.
Older browsers or devices may lack ECC support, necessitating a hybrid ECC+RSA deployment.
Brotli Compression
Brotli, introduced by Google in 2015, is a lossless compression algorithm that outperforms Gzip in both speed (17‑25% faster for typical web assets) and compression ratio (even at level 1 it beats Gzip level 9).
To use Brotli with Nginx, add the ngx_brotli module (https://github.com/eustas/ngx_brotli) during compilation (--add-module=/path/to/ngx_brotli) and enable it in the configuration.
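Putting the sections above together, the following is an added example Nginx server block (not from the original article) that enables HTTP/2, TLS 1.3 with 0‑RTT, a hybrid ECDSA+RSA certificate pair, and Brotli with a Gzip fallback. The hostname, certificate paths and upstream address are assumptions, and it assumes an Nginx built against OpenSSL 1.1.1+ with the ngx_brotli module.

```nginx
# Added example: HTTP/2 + TLS 1.3 + ECDSA/RSA hybrid certificates + Brotli.
# Assumes nginx built with OpenSSL 1.1.1+ and --add-module=/path/to/ngx_brotli;
# hostname, certificate paths and the upstream address are placeholders.
server {
    listen 443 ssl http2;        # on nginx >= 1.25.1 use "listen 443 ssl;" plus "http2 on;"
    server_name example.com;

    # Hybrid deployment: nginx offers the ECDSA chain to clients that support it
    # and falls back to RSA for older clients (multiple ssl_certificate
    # directives with different key types are supported since nginx 1.11.0).
    ssl_certificate     /etc/nginx/certs/example.com.ecdsa.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.ecdsa.key;
    ssl_certificate     /etc/nginx/certs/example.com.rsa.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.rsa.key;

    # The article's setting is TLSv1.3 only; TLS 1.2 is kept here for older clients.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # 0-RTT: requests carried in early data can be replayed by a network attacker,
    # so the flag is forwarded below and the application should reject
    # non-idempotent early-data requests (HTTP 425 Too Early, RFC 8470).
    ssl_early_data on;

    # Brotli (ngx_brotli directives) with Gzip as fallback for clients
    # that do not advertise "br" in Accept-Encoding.
    brotli on;
    brotli_comp_level 6;
    brotli_min_length 256;
    brotli_types text/plain text/css application/javascript application/json
                 image/svg+xml application/xml+rss;
    gzip on;
    gzip_vary on;
    gzip_types text/plain text/css application/javascript application/json image/svg+xml;

    # Server push (http2_push / http2_push_preload, added in 1.13.9) was removed
    # in nginx 1.25.1, so it is deliberately not configured here.

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        # $ssl_early_data is "1" when the request arrived in 0-RTT, empty otherwise.
        proxy_set_header Early-Data $ssl_early_data;
    }
}
```

Run nginx -t after installing the file to confirm the build actually includes the brotli and http2 modules; a missing module shows up as an "unknown directive" error at that point rather than at runtime.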
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.