Note: This article was originally published in 2014. Some steps, commands, or software versions may have changed. Check the current NginX documentation for the latest information.

In this step-by-step guide, you’ll learn how to improve SSL performance on Nginx. Nginx is a high-performance HTTP server and reverse proxy, known for its stability, rich feature set, and low resource consumption.

Prerequisites

Before you begin, make sure you have:

  • A Linux server with Nginx installed
  • Root or sudo access to the server
  • Basic understanding of web server configuration

How to: Improve SSL performance on NginX

You would be surprised, but a lot of people face SSL performance issues when using NginX. I recently deployed SPDY over SSL for my sites and came to realize that SPDY was in fact much slower than standard HTTP. I then left SPDY out and compared plain SSL against regular HTTP, and again the speed was equally slow. Because of that I realized that SPDY was not the issue but rather the SSL layer. Certain algorithms or ciphers require a lot of processing (CPU power), which results in your SSL configuration being slow.

Coming from Windows, I never really messed with that or realized you could. After using NginX you come to realize the wide range of things you can control, but really getting to know them all requires a lot of specialized knowledge the amateur user might not have. While researching this topic I also came across security advisories like these from CloudFlare: “Staying on top of TLS attacks” (http://blog.cloudflare.com/staying-on-top-of-tls-attacks) and “Taming BEAST: Faster, Safer SSL now on CloudFlare” (http://blog.cloudflare.com/taming-beast-better-ssl-now-available-across). The list keeps going on and on, and not surprisingly the recommendations keep changing with time. As SSL gets more use, things like performance and security start getting more attention and start receiving improvements.

Getting back on topic, there are a number of things you can do to speed up SSL, like OCSP stapling, but you can also disable certain ciphers because they are simply terribly slow. For example, NginX uses the DHE key exchange algorithm to create the cipher. This algorithm is really slow with NginX. Disabling it results in dramatic improvements (at least it did for me, and reading online it is mentioned a lot). Long story short, here are a few recommendations (obviously, with time you learn you can’t get it 100% right):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

So here is what’s going on: Obviously you want to use the latest version of TLS, but that is not supported by all browsers, so we offer versions 1, 1.1 and 1.2. The second line is an improved list of the SSL ciphers you should support. The next line specifies that the ciphers chosen by the server should be preferred over the client’s. The next line enables caching of SSL sessions. This is a very important improvement, as having to re-create an SSL session is an expensive operation. The final line sets the timeout for an SSL session.
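As an added example (not part of the original article), the following Python script parses the five directives above and reports whether DHE is excluded as intended, how many sessions the shared cache can hold, and which settings have been deprecated since 2014. The helper names (`audit`, `size_mb`, `seconds`) are hypothetical; the figure of about 4000 sessions per megabyte comes from the nginx documentation, and the RC4 and TLS 1.0/1.1 flags follow RFC 7465 and RFC 8996.

```python
import re

# The five directives from the page, embedded verbatim as sample input.
PAGE_CONFIG = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
"""

SESSIONS_PER_MB = 4000  # nginx docs: one megabyte holds about 4000 sessions
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996
DHE_ALIASES = {"DH", "EDH", "DHE", "kEDH", "kDHE"}  # OpenSSL names covering ephemeral DH


def parse_directives(text):
    """Map each 'ssl_name args;' directive to its list of arguments."""
    return {m[1]: m[2].split() for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", text, re.M)}


def size_mb(value):
    """Convert an nginx size such as '10m' or '512k' to megabytes."""
    number, unit = re.fullmatch(r"(\d+)([kKmM]?)", value).groups()
    return int(number) * {"": 1 / 2**20, "k": 1 / 1024, "m": 1}[unit.lower()]


def seconds(value):
    """Convert an nginx time such as '10m' to seconds (s, m, h, d only)."""
    number, unit = re.fullmatch(r"(\d+)([smhd]?)", value).groups()
    return int(number) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[unit]


def audit(text):
    """Summarise the performance and age-sensitive settings in a config."""
    d = parse_directives(text)
    tokens = d.get("ssl_ciphers", [""])[0].split(":")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    shared = [a for a in d.get("ssl_session_cache", []) if a.startswith("shared:")]
    capacity = int(size_mb(shared[0].rsplit(":", 1)[1]) * SESSIONS_PER_MB) if shared else 0
    timeout = seconds(d.get("ssl_session_timeout", ["5m"])[0])  # nginx default is 5m
    return {
        "dhe_excluded": bool(excluded & DHE_ALIASES),
        "rc4_offered": "RC4" in tokens and "RC4" not in excluded,  # RFC 7465 bans RC4
        "old_protocols": sorted(OLD_PROTOCOLS & set(d.get("ssl_protocols", []))),
        "cache_sessions": capacity,
        # New sessions per second the cache can hold for the full timeout.
        "max_new_sessions_per_sec": round(capacity / timeout, 1) if timeout else 0.0,
    }
```

For the page's config, `audit(PAGE_CONFIG)` reports a cache of about 40000 sessions, so cached sessions start being evicted before the 10-minute timeout once the server sees more than roughly 66 new sessions per second.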


Summary

You’ve learned how to improve SSL performance on Nginx. If you run into any issues, double-check the prerequisites and ensure your NginX environment is properly configured.