{"id":13490058,"url":"https://github.com/nginx-modules/ngx_http_tls_dyn_size","last_synced_at":"2025-08-12T17:32:08.358Z","repository":{"id":45969046,"uuid":"75315037","full_name":"nginx-modules/ngx_http_tls_dyn_size","owner":"nginx-modules","description":"Optimizing TLS over TCP to reduce latency for NGINX","archived":false,"fork":false,"pushed_at":"2024-10-08T15:46:28.000Z","size":24,"stargazers_count":33,"open_issues_count":1,"forks_count":8,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-12-09T14:54:18.954Z","etag":null,"topics":["cloudflare","dynamic","http2","https","nginx","optimization","segment","tcp","tls"],"latest_commit_sha":null,"homepage":"https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nginx-modules.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-12-01T17:14:58.000Z","updated_at":"2024-11-09T06:42:26.000Z","dependencies_parsed_at":"2024-10-31T03:32:12.491Z","dependency_job_id":"7c5b38cd-1d66-4903-a864-3cf7c0350df9","html_url":"https://github.com/nginx-modules/ngx_http_tls_dyn_size","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nginx-modules%2Fngx_http_tls_dyn_size","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nginx-modules%2Fngx_http_tls_dyn_size/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nginx-modules%2Fngx_http_tls_dy
n_size/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nginx-modules%2Fngx_http_tls_dyn_size/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nginx-modules","download_url":"https://codeload.github.com/nginx-modules/ngx_http_tls_dyn_size/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":229699840,"owners_count":18109849,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudflare","dynamic","http2","https","nginx","optimization","segment","tcp","tls"],"created_at":"2024-07-31T19:00:40.064Z","updated_at":"2024-12-14T11:32:36.246Z","avatar_url":"https://github.com/nginx-modules.png","language":null,"funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"# Optimizing TLS over TCP to reduce latency for NGINX\n\n* [`nginx__dynamic_tls_records`](https://github.com/cloudflare/sslconfig/blob/3e45b99/patches/)\n* [`Optimizing HTTP/2 prioritization with BBR and tcp_notsent_lowat`](https://blog.cloudflare.com/http-2-prioritization-with-nginx/)\n\n### What we do now\n\nWe use a static record size of 4K.\nThis gives a good balance of latency and throughput.\n\n#### Configuration\n\n*Example*\n\n```nginx\nhttp {\n  ssl_dyn_rec_enable on;\n}\n```\n\n#### Optimize latency\n\nBy initially sending small (1 TCP segment) sized records,\nwe are able to avoid HoL blocking of the first byte.\nThis means TTFB is sometimes lower by a whole RTT.\n\n#### Optimizing throughput\n\nBy sending increasingly larger records later in the connection,\nwhen HoL is not a 
problem, we reduce the overhead of TLS records\n(29 bytes per record with GCM/CHACHA-POLY).\n\n#### Logic\n\nStart each connection with small records\n(1369 byte default, change with `ssl_dyn_rec_size_lo`).\n\nAfter a given number of records (40, change with `ssl_dyn_rec_threshold`)\nstart sending larger records (4229, `ssl_dyn_rec_size_hi`).\n\nEventually after the same number of records,\nstart sending the largest records (`ssl_buffer_size`).\n\nIn case the connection idles for a given amount of time\n(1s, `ssl_dyn_rec_timeout`), the process repeats itself\n(i.e. begin sending small records again).\n\n### Configuration directives\n\n#### ssl_dyn_rec_enable\n* **syntax**: `ssl_dyn_rec_enable bool`\n* **default**: `off`\n* **context**: `http`, `server`\n\n#### ssl_dyn_rec_timeout\n* **syntax**: `ssl_dyn_rec_timeout number`\n* **default**: `1000`\n* **context**: `http`, `server`\n\nWe want the initial records to fit into one TCP segment\nso we don't get TCP HoL blocking due to TCP Slow Start.\n\nA connection always starts with small records, but after\na given number of records sent, we make the records larger\nto reduce header overhead.\n\nAfter a connection has idled for a given timeout, begin\nthe process from the start. The actual parameters are\nconfigurable. 
If `ssl_dyn_rec_timeout` is `0`, we assume `ssl_dyn_rec` is `off`.\n\n#### ssl_dyn_rec_size_lo\n* **syntax**: `ssl_dyn_rec_size_lo number`\n* **default**: `1369`\n* **context**: `http`, `server`\n\nDefault sizes for the dynamic record sizes are defined to fit maximal\nTLS + IPv6 overhead in a single TCP segment for lo and 3 segments for hi:\n1369 = 1500 - 40 (IP) - 20 (TCP) - 10 (Time) - 61 (Max TLS overhead)\n\n#### ssl_dyn_rec_size_hi\n* **syntax**: `ssl_dyn_rec_size_hi number`\n* **default**: `4229`\n* **context**: `http`, `server`\n\n4229 = (1500 - 40 - 20 - 10) * 3  - 61\n\n#### ssl_dyn_rec_threshold\n* **syntax**: `ssl_dyn_rec_threshold number`\n* **default**: `40`\n* **context**: `http`, `server`\n\n### License\n\n* [Cloudflare](https://github.com/cloudflare), [Vlad Krasnov](https://github.com/vkrasnov)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnginx-modules%2Fngx_http_tls_dyn_size","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnginx-modules%2Fngx_http_tls_dyn_size","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnginx-modules%2Fngx_http_tls_dyn_size/lists"}