Modern TLS Cipher Configuration in 2026

Configuring TLS ciphers used to mean copying a magic list from the Mozilla SSL Configuration Generator and moving on. In 2026 the landscape has shifted enough that the list is worth revisiting.

What changed

TLS 1.3 is now supported by 95%+ of clients. Serving TLS 1.0 or 1.1 is an active liability.
OpenSSL 3.x became the default on most modern distros. Some older ciphers are simply gone from the default build (RC4 and friends now need the separate legacy provider).
Post-quantum hybrid key exchange started rolling out in Chrome and Firefox as X25519-Kyber768; browsers have since moved to X25519MLKEM768, the standardized ML-KEM form of the same hybrid.
Perfect Forward Secrecy is universally expected. No more RSA key exchange.

Recommended nginx config

    ssl_protocols TLSv1.2 TLSv1.3;
    # The TLS_* names are harmless here but ignored: with OpenSSL, ssl_ciphers only
    # governs TLS 1.2 and below, and all three default TLS 1.3 suites stay enabled.
    ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve X25519:secp521r1:secp384r1;

ssl_prefer_server_ciphers off is correct for modern deployments: every suite above uses ephemeral key exchange with an AEAD cipher, so the order only affects performance, and the client knows whether its hardware has AES acceleration (ChaCha20-Poly1305 is faster where it does not). If you need to pin the TLS 1.3 suites explicitly, that is done through ssl_conf_command Ciphersuites, not ssl_ciphers; and to offer the post-quantum hybrid yourself, add X25519MLKEM768 to ssl_ecdh_curve on an nginx built against OpenSSL 3.5 or newer. ...

August 5, 2024 · 2 min · Besterry
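
The rules the post settles on (ephemeral key exchange only, AEAD only, no legacy algorithms, TLS 1.3 suites handled separately) can be checked offline before the config is deployed. The linter below is an added example, not code from the post or from nginx; it works on the suite names textually in OpenSSL notation, so OpenSSL keywords such as HIGH or !aNULL are only flagged for expansion with `openssl ciphers -v`, and the legacy cipher list in it is constructed for the demonstration.

```python
"""Lint an nginx ssl_ciphers value against the modern-config rules.

Added example, not the original post's code.  Classification is purely
textual on OpenSSL suite names; keyword tokens (HIGH, !aNULL, @STRENGTH, ...)
are not expanded and must be checked with `openssl ciphers -v`.
"""

# The list the post recommends.
MODERN_LIST = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)

# Constructed legacy list of the kind an old copy-paste config still carries.
LEGACY_LIST = "HIGH:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DES-CBC3-SHA:RC4-MD5:!aNULL"

# Any of these substrings in a TLS 1.2 suite name disqualifies it outright.
DISALLOWED_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "EXP-",
                      "IDEA", "SEED", "ADH", "AECDH")
# Markers of an AEAD bulk cipher in OpenSSL suite names.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def classify_suite(name):
    """Return (verdict, reason) for one entry of a cipher string."""
    if name.startswith("TLS_"):
        # TLS 1.3 suites are set via SSL_CTX_set_ciphersuites (nginx:
        # ssl_conf_command Ciphersuites); inside ssl_ciphers OpenSSL ignores them.
        return "ignored", "TLS 1.3 name; not controlled by ssl_ciphers"
    if name[0] in "!-+@" or "-" not in name:
        return "keyword", "OpenSSL keyword; expand with `openssl ciphers -v`"
    for marker in DISALLOWED_MARKERS:
        if marker in name:
            return "reject", f"legacy algorithm ({marker})"
    if not name.startswith(("ECDHE-", "DHE-")):
        return "reject", "no forward secrecy (static RSA or ECDH key exchange)"
    if not any(marker in name for marker in AEAD_MARKERS):
        return "reject", "CBC/MAC construction, not AEAD"
    return "ok", "ephemeral key exchange with AEAD"


def lint_cipher_list(cipher_list):
    """Split an ssl_ciphers value (quotes allowed) and classify every entry."""
    entries = [e.strip() for e in cipher_list.strip("'\"").split(":") if e.strip()]
    return [(entry, *classify_suite(entry)) for entry in entries]


def is_modern(cipher_list):
    """True only if nothing is rejected and no keyword hides unexpanded suites."""
    return all(verdict in ("ok", "ignored")
               for _, verdict, _ in lint_cipher_list(cipher_list))


if __name__ == "__main__":
    for label, cipher_list in (("modern", MODERN_LIST), ("legacy", LEGACY_LIST)):
        print(f"== {label}: {'pass' if is_modern(cipher_list) else 'FAIL'}")
        for suite, verdict, reason in lint_cipher_list(cipher_list):
            print(f"  {verdict:8} {suite:34} {reason}")
```

Run it against the value you are about to put in `ssl_ciphers`; anything marked `keyword` should be expanded with `openssl ciphers -v '<list>'` and the expansion fed back through the linter, since a typo in an OpenSSL cipher string is silently ignored rather than rejected.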

nginx Performance Tuning: Practical Notes from Production

After running nginx on everything from 512 MB VPS instances to multi-socket bare metal, here are the settings I've found actually matter.

worker_processes and worker_connections

Start with worker_processes auto; (one worker per CPU core).

    worker_processes auto;
    worker_rlimit_nofile 65535;

    events {
        worker_connections 4096;
        use epoll;
        multi_accept on;
    }

Keepalive tuning

    http {
        keepalive_timeout 30s;
        keepalive_requests 1000;

        upstream backend {
            server 10.0.0.1:8080;
            keepalive 32;
        }

        server {
            location / {
                proxy_pass http://backend;
                # upstream keepalive only takes effect with HTTP/1.1 and
                # the Connection header cleared; without these two lines
                # every proxied request still opens a fresh connection
                proxy_http_version 1.1;
                proxy_set_header Connection "";
            }
        }
    }

Buffer sizes

    client_body_buffer_size 128k;
    client_max_body_size 50m;
    proxy_buffer_size 8k;
    proxy_buffers 8 8k;

proxy_buffer_size has to hold the largest response header your upstream emits; if an application sets many or large cookies, nginx answers 502 with "upstream sent too big header" until it is raised.

gzip and brotli

    gzip on;
    gzip_comp_level 5;
    gzip_types text/plain text/css application/json;
    brotli on;
    brotli_comp_level 4;
    brotli_types text/plain text/css application/json;

The brotli directives need the ngx_brotli module. One security caveat: compressing a response that carries both a secret (a CSRF token, a session identifier in a JSON body) and content an attacker can influence leaks the secret over TLS through BREACH-style compression side channels, so keep such responses out of gzip_types and brotli_types or disable compression for those locations.

Measurement

None of this matters if you don't measure. Install nginx-module-vts or expose stub_status, feed metrics to Prometheus, and compare before/after for any change.

March 5, 2024 · 1 min · Besterry
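
For the before/after comparison the post ends on, the numbers that matter are already in stub_status: accepts minus handled is the count of connections a worker could not service (typically because worker_connections or the file-descriptor limit was hit), and waiting versus active shows how much of the keepalive budget is actually in use. The parser below is an added example, not the post's code; the sample text is constructed in the documented stub_status format.

```python
"""Parse nginx stub_status output and derive the before/after numbers.

Added example, not the original post's code.  SAMPLE is a constructed
snapshot in the format stub_status emits.
"""
import re

SAMPLE = """Active connections: 291
server accepts handled requests
 16630948 16630921 31070465
Reading: 6 Writing: 179 Waiting: 106
"""

_ACTIVE = re.compile(r"Active connections:\s*(\d+)")
_COUNTERS = re.compile(r"server accepts handled requests\s+(\d+)\s+(\d+)\s+(\d+)")
_STATES = re.compile(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)")


def parse_stub_status(text):
    """Return a dict of gauges, counters and the derived values worth tracking."""
    active = _ACTIVE.search(text)
    counters = _COUNTERS.search(text)
    states = _STATES.search(text)
    if not (active and counters and states):
        raise ValueError("not a stub_status page")
    accepts, handled, requests = (int(x) for x in counters.groups())
    reading, writing, waiting = (int(x) for x in states.groups())
    snapshot = {
        "active": int(active.group(1)),
        "accepts": accepts,
        "handled": handled,
        "requests": requests,
        "reading": reading,
        "writing": writing,
        "waiting": waiting,
        # accepts - handled: connections nginx accepted but could not serve,
        # usually the worker_connections or worker_rlimit_nofile ceiling.
        "dropped": accepts - handled,
        # requests per handled connection: rises as client keepalive takes effect.
        "requests_per_connection": requests / handled if handled else 0.0,
    }
    return snapshot


def delta(before, after):
    """Difference of the monotonic counters between two snapshots."""
    return {key: after[key] - before[key]
            for key in ("accepts", "handled", "requests", "dropped")}


if __name__ == "__main__":
    snap = parse_stub_status(SAMPLE)
    for key, value in snap.items():
        print(f"{key:24} {value}")
```

Scrape stub_status (or the vts JSON, which carries the same counters) once before and once after a change, feed both snapshots through `delta`, and treat any positive `dropped` delta as a regression regardless of what latency does.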