TLS Session Resumption in Nginx

Jul 30, 2025 01:57 AM

1. Enable shared session caching: configure ssl_session_cache shared:SSL:10m and ssl_session_timeout 10m, suitable for a single server or for load balancers with sticky sessions; 2. Enable session tickets: configure ssl_session_tickets on with one ticket.key file shared by all servers, suitable for multi-server clusters where sessions must be resumed across nodes; 3. Verify session reuse: use openssl or curl to confirm that "Reused" or a matching Session-ID appears on the second connection; 4. Avoid common mistakes: make sure the cache is enabled, the ticket key is consistent and the cache is large enough, and monitor the reuse rate through stub_status to tune performance, so that TLS handshake overhead falls without weakening security.

TLS session resumption in Nginx is a performance optimization that reduces the overhead of repeated TLS handshakes between clients and servers. When a client reconnects to your Nginx server (e.g., while loading page assets or retrying an API call), resuming the previous session skips the full handshake, cutting both latency and CPU usage.

Here's how to configure it effectively:


✅ Enable Session Caching

Nginx supports both shared memory session caches (for multi-worker setups) and SSL session tickets (for stateless resumption across servers).

1. Shared Session Cache (Per-server resumption)

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
  • 10m ≈ 40,000 sessions (1 session ~ 256 bytes)
  • 10m timeout means sessions stay valid for 10 minutes
  • This works well for single-server setups or with sticky sessions in load balancers

2. Session Tickets (Stateless, good for clusters)

    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/ticket.key;
  • Generate the key securely:
      openssl rand 48 > /etc/nginx/ticket.key
      chmod 400 /etc/nginx/ticket.key
  • If you have multiple Nginx instances, use the same key on all to allow cross-server resumption
  • Rotate keys periodically for security (keep old key briefly for active sessions)
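Rotation with a short grace period for the old key can be scripted. The helper below is an added example, not the article's own script; the key directory, snippet path and file names are assumptions. It relies on nginx accepting several ssl_session_ticket_key directives, where the first key encrypts new tickets and the rest are used only to decrypt, so tickets issued before a rotation keep resuming for one more cycle.

```shell
#!/bin/sh
# Hypothetical ticket-key rotation helper (added example, not from the article).
# nginx accepts several ssl_session_ticket_key directives: the first key encrypts
# new tickets, the others only decrypt, so keeping the previous key in second
# place lets tickets issued before the rotation resume for one more cycle.
set -eu

KEYDIR="${KEYDIR:-/etc/nginx/ticket-keys}"                   # assumed path
SNIPPET="${SNIPPET:-/etc/nginx/snippets/ticket-keys.conf}"   # assumed path

# new_key FILE: write 48 random bytes (nginx also accepts 80), owner-readable only
new_key() {
    umask 077
    if command -v openssl >/dev/null 2>&1; then
        openssl rand 48 > "$1"
    else
        dd if=/dev/urandom bs=48 count=1 of="$1" 2>/dev/null
    fi
    chmod 400 "$1"
}

# key_size FILE: byte length of FILE as a plain number (wc pads on some systems)
key_size() { echo $(( $(wc -c < "$1") )); }

# rotate KEYDIR SNIPPET: current.key becomes previous.key (the key before that is
# dropped), a fresh current.key is written, and the snippet lists current first
# (encrypt + decrypt) and previous second (decrypt only).
rotate() {
    dir=$1; out=$2
    mkdir -p "$dir" "$(dirname "$out")"
    if [ -f "$dir/current.key" ]; then
        mv -f "$dir/current.key" "$dir/previous.key"
    fi
    new_key "$dir/current.key"
    {
        echo "ssl_session_tickets on;"
        echo "ssl_session_ticket_key $dir/current.key;   # encrypts new tickets"
        if [ -f "$dir/previous.key" ]; then
            echo "ssl_session_ticket_key $dir/previous.key;  # decrypt only"
        fi
    } > "$out"
}

# main: rotate, then reload only if the whole configuration still validates
main() {
    rotate "$KEYDIR" "$SNIPPET"
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && nginx -s reload
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Include the generated snippet from the server block and run the script from cron at an interval no shorter than ssl_session_timeout, so a ticket is never older than two keys.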

🔍 Verify It's Working

Use openssl to test session reuse:

    # First connection: save the session, since s_client keeps no state between runs
    echo | openssl s_client -connect yoursite.com:443 -servername yoursite.com -sess_out /tmp/tls.sess

    # Look for: "Session-ID:" and "Session-ID-ctx:"

    # Reconnect immediately (within timeout), offering the saved session
    echo | openssl s_client -connect yoursite.com:443 -servername yoursite.com -sess_in /tmp/tls.sess

If the second connection prints "Reused, TLSv1.3" (or, on TLS 1.2, a Session-ID: that matches the first connection), resumption is working.

Or check with curl verbose TLS:

    # Two requests in one curl process, so the second can reuse the first one's session
    curl -sv -o /dev/null -o /dev/null https://yoursite.com https://yoursite.com --tls-max 1.2 2>&1 | grep -iE "re-?us"

⚠️ Common Gotchas

  • No cache = no resumption: If ssl_session_cache isn't set, Nginx defaults to off — each connection does a full handshake.
  • Ticket key mismatch: In multi-server setups, different keys break resumption — use shared keys.
  • Too small cache: Monitor with nginx -T and check active sessions via stub_status if needed.
  • TLS 1.3: Uses "PSK" (Pre-Shared Key) instead of session IDs, but Nginx handles it automatically if caching is enabled.

Bonus: Monitor Resumption Rate

Enable stub_status and check:

    location /nginx_status {
        stub_status on;
        allow 127.0.0.1;
        deny all;    # without this, the allow line restricts nothing
    }

Then:

    curl http://localhost/nginx_status

Look for:

    SSL Handshakes: 1000
    SSL Handshakes Reused: 750

→ 75% resumption rate = good!
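The rate can also be measured per connection from the access log, using Nginx's built-in $ssl_session_reused, $ssl_protocol and $connection_requests variables. This is an added example, not from the article; the log_format name, the log path and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the article): compute the resumption rate from the
# access log with nginx's built-in variables, independent of stub_status.
# Requires a log_format whose last three fields are $ssl_protocol,
# $ssl_session_reused ("r" = resumed, "." = full handshake) and $connection_requests:
#   log_format tls '$remote_addr [$time_local] "$request" $status '
#                  '$ssl_protocol $ssl_session_reused $connection_requests';
#   access_log /var/log/nginx/tls.log tls;     # assumed path

# Constructed sample log in that format: the first connection carries two
# keep-alive requests; every other line is a new connection. Fields are read
# from the end of the line, so spaces in "$request" and $time_local are harmless.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 [30/Jul/2025:01:57:00 +0000] "GET / HTTP/1.1" 200 TLSv1.3 . 1
203.0.113.10 [30/Jul/2025:01:57:00 +0000] "GET /app.js HTTP/1.1" 200 TLSv1.3 . 2
203.0.113.10 [30/Jul/2025:01:57:01 +0000] "GET /app.css HTTP/1.1" 200 TLSv1.3 r 1
203.0.113.10 [30/Jul/2025:01:57:02 +0000] "GET /img.png HTTP/1.1" 200 TLSv1.3 r 1
198.51.100.7 [30/Jul/2025:01:57:05 +0000] "GET /api HTTP/1.1" 200 TLSv1.2 r 1
198.51.100.7 [30/Jul/2025:01:57:09 +0000] "GET /api HTTP/1.1" 200 TLSv1.2 . 1
EOF
)

# resumption_rate: read a log on stdin, print "reused total percent". Only the
# first request of each connection ($connection_requests == 1) is counted, so
# keep-alive requests, which did no handshake at all, do not inflate the figure.
resumption_rate() {
    awk '$NF == 1 { total++; if ($(NF-1) == "r") reused++ }
         END { if (total == 0) { print "0 0 0"; exit }
               printf "%d %d %d\n", reused, total, (100 * reused) / total }'
}

# per_protocol: the same count split by TLS version. TLS 1.3 resumes via PSK
# and TLS 1.2 via session IDs or tickets, but both log as "r", so the split
# shows whether one of the two paths is the one failing.
per_protocol() {
    awk '$NF == 1 { total[$(NF-2)]++; if ($(NF-1) == "r") reused[$(NF-2)]++ }
         END { for (p in total) printf "%s %d/%d\n", p, reused[p], total[p] }' | sort
}

# Stand-alone run over the constructed sample; on a server use
# resumption_rate < /var/log/nginx/tls.log instead.
printf '%s\n' "$SAMPLE_LOG" | resumption_rate      # 3 5 60
printf '%s\n' "$SAMPLE_LOG" | per_protocol
```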


That's it. With proper session caching and ticket keys, you'll reduce handshake overhead without compromising security. Just don't forget to rotate keys and monitor cache usage in production.
