Why Optimize SSL/TLS?
SSL/TLS encryption adds overhead to every connection. Properly tuning Nginx for SSL can reduce handshake latency, improve throughput, and achieve better scores on security audits while keeping your Breeze responsive under heavy HTTPS traffic.
Prerequisites
- A Breeze running Ubuntu 22.04+ with Nginx installed
- A valid SSL certificate (e.g., from Let's Encrypt)
- Root or sudo access
Step 1: Enable SSL Session Caching
Edit your Nginx configuration:
sudo nano /etc/nginx/conf.d/ssl-params.conf

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 1d;
ssl_session_tickets off;

Session caching allows clients to resume connections without a full handshake, dramatically reducing latency for returning visitors.
Step 2: Configure Modern Protocols and Ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve X25519:secp384r1;

Step 3: Enable OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;

OCSP stapling eliminates the need for clients to contact the certificate authority, shaving off round trips.
Step 4: Add Security Headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;

Step 5: Test and Reload
sudo nginx -t
sudo systemctl reload nginx

Performance Tips
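Before reloading, it is worth checking that the assembled ssl-params.conf really carries the settings from Steps 1 to 4. The following audit script is an added example, not part of this guide's own commands: GOOD_CONF is a constructed copy of the directives above, and the finding messages are my own wording.

```python
import re
# Constructed sample: the ssl-params.conf assembled from Steps 1-4 above (cipher lines omitted).
GOOD_CONF = """
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
"""

STMT = re.compile(r'((?:"[^"]*"|[^;"])+);')  # one 'name args;' statement, quotes respected
TOKEN = re.compile(r'"[^"]*"|\S+')

def parse_directives(text):
    """Return [(name, [args])]; '#' comments are dropped and a quoted value such as
    the HSTS header (which itself contains semicolons) stays one argument."""
    text = re.sub(r"#[^\n]*", "", text)
    out = []
    for m in STMT.finditer(text):
        toks = [t.strip('"') for t in TOKEN.findall(m.group(1))]
        if toks:
            out.append((toks[0], toks[1:]))
    return out

def audit(text):
    """Return findings for directives that fall short of Steps 1-4; [] means it passes."""
    directives = parse_directives(text)
    last = dict(directives)  # a repeated directive's last occurrence wins
    findings = []
    protos = set(last.get("ssl_protocols", []))
    if not protos or protos - {"TLSv1.2", "TLSv1.3"}:
        findings.append("ssl_protocols: enable only TLSv1.2 and TLSv1.3")
    if last.get("ssl_session_tickets", ["on"]) != ["off"]:  # nginx default is on
        findings.append("ssl_session_tickets: set off (the startup ticket key is never rotated)")
    if last.get("ssl_stapling") == ["on"] and last.get("ssl_stapling_verify") != ["on"]:
        findings.append("ssl_stapling_verify: set on so an invalid OCSP response is never stapled")
    hsts = [a for n, a in directives if n == "add_header" and a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("Strict-Transport-Security header missing")
    else:
        age = re.search(r"max-age=(\d+)", hsts[-1][1] if len(hsts[-1]) > 1 else "")
        if not age or int(age.group(1)) < 31536000:
            findings.append("Strict-Transport-Security: max-age should be at least one year (31536000)")
        if "always" not in hsts[-1][2:]:
            findings.append("Strict-Transport-Security: add 'always' so error responses carry it too")
    return findings
```

Run it against the real file with audit(open("/etc/nginx/conf.d/ssl-params.conf").read()); an empty list means the file matches the steps above.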
- Use TLS 1.3 where possible — it requires only one round trip for the handshake
- Enable HTTP/2 with listen 443 ssl http2; for multiplexed connections
- Monitor handshake times with openssl s_client -connect yourdomain.com:443