Optimize Nginx TLS Record Size For HTTP/2 TLS (Ubuntu, CentOS)

Previously we published some guides on optimising HTTP/2. Here is How to Optimize Nginx TLS Record Size For HTTP/2 TLS in Ubuntu & CentOS For Better PageLoading Speed. Easy to Follow Guide By Anyone.
We are taking it granted that the user who is reading is using Nginx either on CentOS from CentminMod build or using Ubuntu’s nginx-extras.

What You Exactly Say While Talking To Optimize Nginx TLS Record Size?

We promise that we will not deliver theory on TCP or TLS. We are talking around ssl_buffer_size size directive of Nginx configuration.

On the Internet data are transmitted using a multilayer protocol stack. We are interested in the area of TCP and TLS. TCP reliably deliver packets in the original order. If we have a service like HTTPS, then all encrypted TLS data will be sent via TCP. At the level of TCP, upon whitelisting a connection, the server may send no more than 3 packets for the old and 10 initcwnd packets. Then the server will wait for an acknowledgment from the client. Nginx uses a special buffer (which is indicated by the directive ssl_buffer_size), which controls the size of the TLS record. The browser can use the data only after receiving a complete TLS record. The maximum default size in Nginx of that ssl_buffer_size is 16k. Taking the opportunity of 10, this can cause minute delay in obtaining useful content.

Some associates HTTP/2 with ALPN with tweaking the directive http2_chunk_size. By default it is 8k. That is not exactly correct. But obviously, end result as TTFB will get affected.

Optimize Nginx TLS Record Size For HTTP/2 TLS (Ubuntu, CentOS)

Cloudflare has patch for supporting dynamic record sizing with Nginx, obviously it is useful if you are compiling Nginx from source. That is easiest in case of using CentminMod :

nginx-extras package do support change of Nginx TLS Record Size aka ssl_buffer_size size as default function. Cloudflare patch adds the dynamic function. You can actually control it.

ssl_dyn_rec_size_lo indicates what TLS record size to start with which defaults to 1369 bytes. ssl_dyn_rec_size_hi indicates what TLS record size will grow to which defaults to 4229 bytes.
ssl_dyn_rec_threshold is the number of records to be send before changing the record size. ssl_dyn_rec_timeout dynamically reduces the size to ssl_dyn_rec_size_lo if there is idling. If this value is 0 then dynamic TLS record sizes are disabled and the fixed ssl_buffer_size will be used. There is no way of tuning of the ssl_dyn_rec settings. To enable with default settings, you would (may) need to set the following directive ssl_dyn_rec_enable on;. Nginx hardcodes 16KB size in ngx_event_openssl but with nginx-extras, you can actually adjust ssl_buffer_size. It is directly related to processor, hence cipher :

When using OpenSSL 1.0.2 or higher, it is possible to specify multiple curves (1.11.0), for example:

We will suggest you to test with :

When ssl_buffer_size set to lower than default 16k value i.e. ssl_buffer_size is set to 1400 bytes, first byte should load just faster. ssl_buffer_size 6 to 8k is more than enough to ensure a minimum TTFB in most cases.

For different devices and also test higher value like :

We think, this much is enough for most of the common users.

How To Test and Optimize Nginx TLS Record Size?

Wireshark is a network protocol analyser which can be difficult to use by an ordinary user. We will suggest to allow some time (for cache) after change and test on WebPageTest. Obviously, this website as example never depends on ONLY this website’s domain and server. Time to First Byte of 60 ms to 80 ms is acceptable. Obviously if we load a plain text on this domain, it will load within a second! Actually PageSpeed Insights is overall practical. You are running to optimize Nginx TLS record size but your CSS is blocking – that is not acceptable.