How to: Improve SSL performance on NginX

How to: Improve SSL performance on NginX

You would be surprised but a lot of people face SSL performance issues when using NginX. I recently deployed SPDY over SSL for my sites and came to realize that SPDY was in fact much slower than using standard HTTP. I proceeded to leave SSL alone and see its performance vs regular HTTP and again the speed was equally slow. Because of that I realized that SPDY was not the issue but rather the SSL layer. There are certain algorithms or cyphers that require a lot of processing (cpu power) which results on your SSL configurations being slow. Coming from Windows I never really messed with that or realized you could, but after using NginX you come to realize the wide range of things you can control but really getting to know them all requires a lot of specialized knowledge the amateur user might not have. Also while researching this topic I came across security advisories like these ones on CloudFlare; Staying on top of TLS attacks and Taming BEAST: Faster, Safer SSL now on CloudFlare.The list keeps going on and on, and not surprisingly the recommendations keep changing with time. So as SSL gets more use things like performance and security start getting more attention and start receiving improvements.

So getting back on topic, there are a number of things you can do to speed SSL like OCSP Stapling but also disable certain ciphers because they are simply terribly slow. For example, NginX uses the DHE algorithm to create the cypher. This algorithm is really slow with NginX. Disabling it results in dramatic improvements (at least it did for me and reading online it is mentioned a lot.)

Long story short, there are a few recommendations (obviously with time you learn you can’t get it 100% right.):

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

So here is what’s going on:

Obviously you want to use the latest version of TLS but that is not supported by all browsers so we offer versions 1, 1.1 and 1.2.

Here is an improved list of which SSL ciphers you should support.

The next line indicates that you should indicate the client that it prefer it uses the ciphers specified by the server.

The next line allows to cache the ssl sessions. This is a very important improvement as having to re-create an SSL session in an expensive operation.

The final line indicates the timeout for an SSL session.