
Ultimate Nginx Performance Tuning Checklist (HTTP/2, TLS, Caching)
Nginx is known for its high performance and low resource usage, but the default configuration is rarely optimal for production workloads. In 2025, with rising traffic demands, TLS-heavy sites, and containerized apps, fine-tuning Nginx is critical to achieving maximum throughput and low latency.
This checklist gives advanced system administrators practical Nginx tuning tips for HTTP/2, TLS, caching, worker configuration, and sysctl kernel parameters. The settings come from high-traffic environments such as CDN edge nodes, large WordPress clusters, and API gateways; treat them as starting points and measure before and after every change rather than copying them blindly.
🔧 Worker Processes and Connections
Nginx workers handle connections. Properly tuning these parameters ensures Nginx can handle high concurrency without running out of file descriptors or CPU headroom.
worker_processes auto;
worker_rlimit_nofile 65535;
events {
    worker_connections 8192;
    multi_accept on;
    use epoll;
}
- worker_processes auto; starts one worker per CPU core.
- worker_connections is the limit per worker, so 8192 x workers is the ceiling on simultaneous connections. It counts every socket a worker holds, client and upstream alike: a reverse proxy spends two connections per in-flight request, so budget roughly half that figure.
- worker_rlimit_nofile must be at least worker_connections (every connection is a file descriptor, on top of the files being served). Nginx raises the limit for its workers at startup; confirm the value took effect in /proc/<worker pid>/limits.
- epoll (Linux) or kqueue (BSD) provides efficient I/O event notification. Nginx already picks the best method for the platform, so use epoll; documents the choice rather than speeding anything up.
- multi_accept on lets a worker accept every pending connection in one pass instead of one connection per wake-up.
⚡ HTTP/2 and TLS 1.3
Modern browsers and APIs rely heavily on TLS. HTTP/2 multiplexing significantly reduces latency under load.
server {
    listen 443 ssl;
    http2 on;      # Nginx 1.25.1+; older releases use "listen 443 ssl http2;"
    # placeholder paths: the block does not start without a certificate and key
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # ssl_ciphers governs TLS 1.2 and earlier only. The TLS 1.3 suite names from the
    # original (TLS_AES_256_GCM_SHA384:...) do not belong here: OpenSSL reports
    # "no cipher match" for a list with no TLS 1.2 cipher and Nginx fails to start.
    # Restrict TLS 1.2 to ECDHE key exchange with AEAD ciphers instead.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;   # issuer chain, needed by ssl_stapling_verify
    resolver 1.1.1.1 8.8.8.8 valid=300s;
}
- http2 on enables multiplexing and HPACK header compression over one TLS connection, so a page with dozens of assets no longer needs six parallel connections per host.
- TLS 1.3 needs one round trip fewer for a full handshake and drops the legacy ciphers; keep TLSv1.2 only for clients that cannot do better.
- ssl_session_tickets off disables stateless tickets, so a leaked ticket key cannot decrypt past sessions. Resumption still works through the shared session cache (with TLS 1.3, OpenSSL then issues tickets that reference the cache). If you keep tickets on, rotate ssl_session_ticket_key on a schedule.
- OCSP stapling removes the client's round trip to the CA's responder. It needs the resolver (to reach the responder), ssl_trusted_certificate (to verify the response), and a CA that still operates OCSP; Let's Encrypt has announced the end of its OCSP service in favour of CRLs, and against such a CA the directive silently does nothing.
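TLS 1.3 offers one more latency saving the section does not cover, 0-RTT early data, and it comes with a replay hazard that has to be handled deliberately. The block below is an added example, not configuration from the original article: it sets the TLS 1.3 suites the proper way (through ssl_conf_command, which needs Nginx 1.19.4+ and OpenSSL 1.1.1+), enables early data, and passes the Early-Data header to the backend as the Nginx documentation prescribes. The hostname, certificate paths and the backend address are placeholders.

```nginx
# Added example, not from the original article: TLS 1.3 early data (0-RTT)
# for lower latency, with the replay hazard handled at the proxy boundary.
# Hostname, certificate paths and the backend address are placeholders.
server {
    listen 443 ssl;
    http2 on;
    server_name api.example.com;

    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # TLS 1.3 suites are configured through the library, never through
    # ssl_ciphers. PrioritizeChaCha honours clients that rank ChaCha20 first
    # (phones without AES hardware); it only applies because server
    # preference is on.
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
    ssl_conf_command Options PrioritizeChaCha;

    # 0-RTT: a resuming client sends its first request inside the handshake
    # and saves a round trip. Anyone who captured that flight can replay it,
    # so the application must learn which requests arrived as early data.
    ssl_early_data on;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        # $ssl_early_data is "1" while the handshake is incomplete, "" after.
        # A backend that sees "Early-Data: 1" on a state-changing request
        # should answer 425 Too Early (RFC 8470); the client retries once the
        # handshake has completed.
        proxy_set_header Early-Data $ssl_early_data;
    }

    # For endpoints that must never be replayed, refuse early data at the
    # edge instead of trusting the backend to check the header.
    location /checkout/ {
        if ($ssl_early_data) {
            return 425;
        }
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Early-Data $ssl_early_data;
    }
}
```

Only enable ssl_early_data when every state-changing route is covered by one of the two mechanisms above; a GET that triggers a side effect in the application is just as replayable as a POST.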
🗂️ Buffer and Timeout Tuning
Default buffer values may cause bottlenecks when serving large responses or dealing with slow clients.
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_body_buffer_size 128k;
client_max_body_size 100m;
keepalive_timeout 65;
keepalive_requests 10000;
proxy_buffers 16 64k;
proxy_buffer_size 128k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
- sendfile lets the kernel copy file data straight to the socket without a detour through user space. tcp_nopush (TCP_CORK on Linux, only active together with sendfile) fills packets before sending them; tcp_nodelay sends the small final packet of a keepalive response without waiting for more data.
- client_body_buffer_size is memory spent per request body in flight; larger bodies spill to disk. client_max_body_size 100m is inherited by every location below it, so keep it this high only where uploads are expected and leave the default 1m elsewhere, or anyone can push 100 MB at every endpoint.
- keepalive_requests 10000 with keepalive_timeout 65 lets busy clients (load balancers, API consumers) reuse one connection instead of paying for a new TCP and TLS handshake each time.
- proxy_buffer_size holds the upstream response headers; if a large cookie or header set does not fit you get "upstream sent too big header while reading response header from upstream". proxy_buffers holds the body. proxy_busy_buffers_size must be at least the larger of proxy_buffer_size and one proxy_buffers buffer, and smaller than the total minus one buffer (16 x 64k here), which the values above satisfy. "upstream prematurely closed connection" normally means the backend itself closed or timed out, so check proxy_read_timeout and the application before touching buffers.
📦 Caching for Static and Dynamic Content
Nginx excels as a caching reverse proxy, reducing load on backend applications and databases.
Static Assets:
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 365d;
    add_header Cache-Control "public";
}
Dynamic Content (FastCGI Cache for PHP):
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=PHP:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
server {
    location ~ \.php$ {
        # the requested script must exist on disk; otherwise a request such as
        # /uploads/x.jpg/evil.php reaches PHP, which may run the image as PHP
        # when cgi.fix_pathinfo is enabled
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
        fastcgi_cache PHP;
        fastcgi_cache_valid 200 301 302 1h;
        # bypass alone means "do not serve this request from cache"; the response is
        # still STORED. Without no_cache, a page rendered for a logged-in user (cookies
        # in, no Set-Cookie out) was cached and then handed to anonymous visitors.
        fastcgi_cache_bypass $http_cookie;
        fastcgi_no_cache $http_cookie;
        add_header X-FastCGI-Cache $upstream_cache_status;
    }
}
- Static files: long expiry times remove repeat requests, but only assets whose URL changes with their content (hashed or versioned filenames) may be cached for a year; otherwise clients keep stale CSS and JavaScript after a deploy. The expires directive already emits Cache-Control: max-age, so the add_header merely adds "public". Mind that add_header in a location replaces every add_header inherited from the server block, so a Strict-Transport-Security header set at server level disappears from responses matched here unless it is repeated.
- Dynamic content: FastCGI caching takes most page views off PHP-FPM, especially for CMS platforms like WordPress. Nginx never stores a response that carries Set-Cookie, but that does not cover pages rendered for an already authenticated user, hence fastcgi_no_cache beside fastcgi_cache_bypass. Keying on any cookie at all also lets analytics cookies defeat the cache; match the session cookie names instead.
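The cache rules above are deliberately minimal. The block below is an added example, not configuration from the original article, showing the cache policy a WordPress-style site actually needs: skip the cache for non-GET requests, for the session cookies that mark a logged-in user, for the admin and REST paths and for anything with a query string, protect PHP-FPM from a thundering herd, and restate the server-level HSTS header that add_header would otherwise hide. Cookie names follow WordPress conventions; the hostname, cache directory and PHP-FPM socket are placeholders.

```nginx
# Added example, not from the original article: a FastCGI cache policy for a
# cookie-authenticated PHP application, using WordPress cookie names. Paths,
# the PHP-FPM socket and the hostname are placeholders.
fastcgi_cache_path /var/cache/nginx/php levels=1:2 keys_zone=PHP:100m
                   inactive=60m max_size=2g use_temp_path=off;
fastcgi_cache_key "$scheme$request_method$host$request_uri";

# Each map yields "1" when the request must not touch the cache. Map
# variables are evaluated lazily, so requests that never reach PHP pay nothing.
map $request_method $skip_method {
    default 1;
    GET     0;
    HEAD    0;
}
map $http_cookie $skip_cookie {
    default 0;
    "~*wordpress_logged_in_" 1;   # authenticated session
    "~*wp-postpass_"         1;   # password-protected post
    "~*comment_author_"      1;   # commenter identity pre-filled in forms
}
map $request_uri $skip_uri {
    default 0;
    "~^/wp-admin/"      1;
    "~^/wp-login\.php"  1;
    "~^/wp-json/"       1;        # REST API, often nonce-authenticated
}
# Cache only when no rule fired and there is no query string ($is_args is "?"
# when the request has arguments, "" otherwise).
map "$skip_method$skip_cookie$skip_uri$is_args" $skip_cache {
    default 1;
    "000"   0;
}

server {
    listen 443 ssl;
    http2 on;
    server_name blog.example.com;
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    root /var/www/blog;
    index index.php;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;                 # the script must exist on disk
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;

        fastcgi_cache PHP;
        fastcgi_cache_valid 200 10m;
        fastcgi_cache_valid 301 302 1h;
        fastcgi_cache_bypass $skip_cache;    # do not serve this request from cache
        fastcgi_no_cache $skip_cache;        # and do not store its response
        fastcgi_cache_lock on;               # one origin fetch per key when many clients miss at once
        fastcgi_cache_use_stale error timeout updating http_500 http_503;
        fastcgi_cache_background_update on;  # serve the stale copy, refresh in the background

        # add_header here hides the server-level HSTS header, so it must be
        # restated next to the debugging header.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
        add_header X-FastCGI-Cache $upstream_cache_status;
    }
}
```

Verify the policy from a shell with curl -I: an anonymous request to a post should show X-FastCGI-Cache: MISS then HIT, the same request with a wordpress_logged_in_ cookie should show BYPASS every time, and a request carrying a query string must never show HIT.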
📈 Gzip and Brotli Compression
Enable compression to save bandwidth and reduce response times.
gzip on;
gzip_vary on;        # emit Vary: Accept-Encoding so caches keep compressed and plain copies apart
gzip_proxied any;    # also compress responses that arrive from an upstream
gzip_types text/plain text/css application/json application/javascript application/xml;
gzip_min_length 256;
gzip_comp_level 5;
For even better results, enable Brotli. The module is not part of Nginx; it comes from Google's ngx_brotli project and must be built for your exact Nginx version. The load_module lines belong in the main context at the top of nginx.conf, the brotli_* directives in the http block:
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css application/javascript application/json;
One security caveat applies to both: compressing a response that contains a secret (CSRF token, session identifier) together with input the attacker controls and the page reflects lets the compressed size leak the secret byte by byte (the BREACH attack). Compressed static assets are safe. For dynamic HTML on authenticated pages, randomise or mask the secret per response, keep it out of the body, or set gzip off and brotli off in those locations; text/html cannot be excluded through gzip_types because Nginx always compresses it.
🖥️ Kernel and sysctl Optimizations
System-level tuning is as important as Nginx configuration:
# /etc/sysctl.conf
net.core.somaxconn = 65535
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_syncookies = 1
Apply changes:
sysctl -p
On distributions that ship /etc/sysctl.d, put the settings in a file there (for example /etc/sysctl.d/90-nginx.conf) and apply them with sysctl --system, because sysctl -p reads only /etc/sysctl.conf.
- somaxconn caps the accept queue, but Nginx requests a backlog of only 511 on Linux unless the listen directive carries backlog=...; likewise tcp_fastopen merely permits TCP Fast Open until a listen directive has fastopen=.... Without those listen parameters these two lines change nothing for Nginx.
- tcp_syncookies (on by default in most distributions) is what keeps the server reachable during a SYN flood once the queues fill; somaxconn and tcp_max_syn_backlog size the queues that absorb legitimate bursts.
- tcp_tw_reuse and ip_local_port_range matter for the connections Nginx opens to upstreams, where a busy proxy can otherwise run out of ephemeral ports stuck in TIME_WAIT; tcp_fin_timeout shortens how long orphaned FIN-WAIT-2 sockets linger.
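The kernel settings only take effect for Nginx once the listening socket asks for them. The block below is an added example, not configuration from the original article, showing the listen parameters that pair with the sysctl values above; the hostname, certificate paths and document root are placeholders.

```nginx
# Added example, not from the original article: the listen parameters that
# consume the kernel settings above. Without them the sysctl values change
# nothing for Nginx. Hostname, certificate paths and root are placeholders.
server {
    # backlog:   Nginx asks for 511 by default on Linux; the kernel clamps the
    #            value to net.core.somaxconn, so raise both together.
    # fastopen:  queue length for TCP Fast Open requests; the kernel side needs
    #            bit 2 of net.ipv4.tcp_fastopen (3 enables client and server).
    # reuseport: one listening socket per worker, so the kernel spreads
    #            accepts across workers instead of waking them all.
    # deferred:  wake Nginx only when the client has sent data
    #            (TCP_DEFER_ACCEPT), so connections that never send anything
    #            never cost an accept().
    listen 443 ssl backlog=65535 fastopen=256 reuseport deferred;
    http2 on;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols TLSv1.3 TLSv1.2;

    root /var/www/html;
}

# Socket options (backlog, fastopen, reuseport, deferred) may be given in
# only one server block per address:port pair; every other server block that
# shares port 443 uses a bare "listen 443 ssl;" or Nginx reports
# "duplicate listen options".
```

After a reload, ss -ltn shows the new Send-Q (backlog) on port 443; if it still reads 511, the listen directive was not the one that created the socket.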
🚀 Monitoring and Benchmarking
After tuning, always benchmark and monitor:
- ab (ApacheBench, with -k for keepalive) or wrk for load testing. Both speak HTTP/1.1 only; to exercise the HTTP/2 or HTTP/3 path use h2load from the nghttp2 project, and run the load generator from a separate machine so it does not compete with Nginx for CPU.
- Grafana + Prometheus for real-time metrics (the NGINX Prometheus exporter scrapes the stub_status endpoint).
- Zabbix to monitor connection counts, latency, and error rates.
Remember: tuning is workload-specific. A CDN edge node serving static files needs different tuning than an API gateway proxying JSON requests.
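Metrics are only as good as what Nginx exposes. The block below is an added example, not configuration from the original article: a log format that records per-request timing, cache outcome and negotiated protocol for the dashboards, and a stub_status endpoint for the exporter that is reachable from the host only, since the counters reveal load and error patterns to anyone who can read them. Paths and the loopback port are placeholders.

```nginx
# Added example, not from the original article: a log format with the fields
# the dashboards need, and a stub_status endpoint for the Prometheus exporter
# that is reachable from the host only. Paths and ports are placeholders.
http {
    # One line per request with timing, cache outcome and negotiated protocol.
    log_format perf '$remote_addr $host "$request" $status $body_bytes_sent '
                    'rt=$request_time urt=$upstream_response_time '
                    'cache=$upstream_cache_status proto=$server_protocol '
                    'tls=$ssl_protocol/$ssl_cipher';
    # Buffered logging: one write() per 64k or per 5 s instead of per request.
    access_log /var/log/nginx/access.log perf buffer=64k flush=5s;

    server {
        listen 127.0.0.1:8081;    # loopback only; never expose status publicly
        server_name _;
        location = /nginx_status {
            stub_status;          # active, accepted, handled, requests, reading/writing/waiting
            allow 127.0.0.1;
            deny all;
            access_log off;
        }
        location / {
            return 404;
        }
    }
}
```

With this format in place, a cache hit ratio is a one-liner over the access log (count cache=HIT against cache=MISS plus cache=EXPIRED), and rt minus urt tells you how much of each request's latency Nginx itself added.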
✅ Conclusion
Nginx’s power lies in its flexibility and performance, but only if tuned correctly. By optimizing workers, enabling HTTP/2 + TLS 1.3, configuring buffers and caching, and applying kernel tweaks, you can handle many times more concurrent connections than the defaults allow (the stock worker_connections is 512). Always test changes in staging before rolling to production.
At WeHaveServers.com, we configure Nginx stacks for maximum efficiency, whether for e-commerce, high-traffic WordPress sites, or latency-sensitive APIs. These optimizations ensure our clients get the most out of their VPS and Dedicated Server infrastructure.
❓ FAQ
Is HTTP/3 supported in Nginx?
Yes. HTTP/3 over QUIC has been part of Nginx itself since mainline 1.25.0 (2023) and ships in the 1.26 stable branch, so the separate nginx-quic branch and third-party patches are no longer needed. It must be compiled in (--with-http_v3_module) against a TLS library that provides a QUIC API, UDP/443 must be open in every firewall on the path, and clients still connect over TCP first and learn about HTTP/3 from an Alt-Svc header. It is worth enabling for mobile-first sites, where QUIC's handling of lossy networks and the absence of head-of-line blocking pay off most.
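The block below is an added example, not configuration from the original article, showing HTTP/3 and HTTP/2 served from the same server block; it assumes an Nginx build with --with-http_v3_module, and the hostname, certificate paths and document root are placeholders.

```nginx
# Added example, not from the original article: HTTP/3 and HTTP/2 on the same
# port. Requires an Nginx built with --with-http_v3_module and a TLS library
# that provides a QUIC API. Hostname, certificate paths and root are placeholders.
server {
    listen 443 quic reuseport;   # UDP/443; one socket per worker keeps a QUIC connection on its worker
    listen 443 ssl;              # TCP/443 for HTTP/1.1 and HTTP/2
    http2 on;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols TLSv1.3 TLSv1.2;   # QUIC only ever uses TLS 1.3

    # Address validation: answer an unknown client's first packet with a Retry
    # carrying a token before allocating connection state, so spoofed source
    # addresses cannot use the server as a UDP amplifier.
    quic_retry on;

    # Clients arrive over TCP first; this header tells them HTTP/3 is
    # available on UDP/443 for the next 24 hours.
    add_header Alt-Svc 'h3=":443"; ma=86400' always;

    root /var/www/html;
}
```

A request logged with $server_protocol equal to HTTP/3.0 confirms the upgrade worked; if every request stays on HTTP/2.0, check that UDP/443 is actually reachable from outside.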
How many worker connections should I set?
Start with 8192 per worker and multiply by the number of workers (one per core with worker_processes auto) for the theoretical ceiling; halve it for a reverse proxy, since each proxied request holds a client connection and an upstream connection.
Is Brotli better than Gzip?
Brotli compresses text-based assets better but costs more CPU at high levels. Enable both: Nginx serves Brotli to clients that list br in Accept-Encoding and falls back to gzip for the rest. For static files, pre-compress at build time and serve the .br and .gz files with brotli_static and gzip_static, which gives the best ratio at no runtime cost.
What’s the most important sysctl tweak?
For surviving SYN floods it is net.ipv4.tcp_syncookies = 1 (usually already the default), which lets the kernel keep accepting connections after the SYN queue is full. net.core.somaxconn and net.ipv4.tcp_max_syn_backlog size the queues that absorb legitimate bursts, and somaxconn only helps once the listen directive's backlog is raised to match it.
Should I disable TLS 1.0/1.1?
Yes. Only TLS 1.2 and 1.3 should be enabled in 2025; TLS 1.0 and 1.1 are formally deprecated (RFC 8996), fail most compliance scans, and lack the AEAD ciphers that make TLS fast on modern CPUs.