Improving NGINX Performance with Kernel TLS on RHEL 8+ and Fedora Linux


Modern Linux kernels support offloading TLS to the kernel, and now NGINX-MOD does too! NGINX-MOD introduces support for kTLS when serving static files with SSL_sendfile(), which can hugely improve performance.

General Requirements

All you need to do is install the latest NGINX-MOD on any of the listed operating systems.

Operating systems:

  • RHEL 8+, including AlmaLinux, Rocky Linux, etc.
  • Fedora Linux
  • Amazon Linux 2023
  • SLES 15 SP2

Enabling kTLS in NGINX

Run the following command as root to load the tls module into the running kernel. A module loaded this way stays loaded only until the next reboot:

modprobe tls

Configuring NGINX

To enable kTLS for all websites, add the ssl_conf_command directive with the Options KTLS parameter to the http {} context:

worker_processes auto;
error_log /var/log/nginx/error.log debug;

events {}

http {
    sendfile on;
    ssl_conf_command Options KTLS;
    ssl_protocols TLSv1.3;

    ...
}

Now kTLS will greatly improve performance when serving static files with SSL_sendfile(). Our testing shows that performance improves by between 8% and 29%, depending on the operating system.
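To confirm that kTLS is actually in use and the server has not silently fallen back to userspace TLS, the following added example (not part of the original article or of NGINX-MOD) checks the loaded modules, the kernel's TLS counters, and the debug error log enabled in the configuration above. It assumes that NGINX-MOD writes the same "BIO_get_ktls_send(): 1" debug message as upstream nginx, that the kernel exposes /proc/net/tls_stat (if it does not, only the log is used), and that tls is built as a loadable module; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Each function takes file paths,
# so it can run against the live system or against saved copies.

# Print one counter from a /proc/net/tls_stat-style file (nothing if unreadable).
tls_stat() {
    [ -r "$2" ] || return 0
    awk -v k="$1" '$1 == k { v = $2 } END { print v + 0 }' "$2"
}

# Count handshakes where the nginx debug log shows kernel TX was enabled.
# Assumes the upstream nginx debug message "BIO_get_ktls_send(): 1".
ktls_log_hits() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cF 'BIO_get_ktls_send(): 1' "$1" || true
}

# Print one of: module-missing, configured-but-unused, active.
ktls_status() {
    modules=${1:-/proc/modules}
    stat=${2:-/proc/net/tls_stat}
    log=${3:-/var/log/nginx/error.log}

    # Without the tls module, OpenSSL cannot hand sessions to the kernel.
    grep -q '^tls ' "$modules" || { echo module-missing; return 0; }

    # TlsTxSw: TX sessions opened with host (software) crypto since module load.
    tx=$(tls_stat TlsTxSw "$stat")
    hits=$(ktls_log_hits "$log")

    if [ "${tx:-0}" -gt 0 ] || [ "$hits" -gt 0 ]; then
        echo active
    else
        echo configured-but-unused
    fi
}

# Usage on a live server, after requesting a static file over HTTPS:
#   ktls_status
```

A result of configured-but-unused after real HTTPS requests for static files means the sessions are still being encrypted in userspace.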
