

Optimizing Nginx TLS Time To First Byte - igrigorik
http://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/

======
nodesocket
SSL stapling can reduce the overhead as well, simple nginx config:

      http {
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
        resolver 8.8.4.4 8.8.8.8 valid=300s;
        resolver_timeout 15s;
      }

We [https://commando.io](https://commando.io) use GoDaddy SSL (sigh, facepalm), so the contents of stapling.trusted.crt is:

    http://pastebin.com/0H0i09Pn

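A client-side check that the config above is actually doing its job, added here as an example (not from the post): `openssl s_client -status` prints the stapled OCSP response, and the helper below parses that output. The sample outputs are constructed; `HOST` is a placeholder and `openssl(1)` is assumed to be in PATH.

```bash
#!/bin/sh
# Classify the output of `openssl s_client -status`:
#   returns 0 if a stapled OCSP response was received and reports "good",
#   1 if the server sent no stapled response,
#   2 if a response was sent but was not successful / not "good".
ocsp_staple_status() {
    out=$1
    printf '%s\n' "$out" | grep -q 'OCSP response: no response sent' && return 1
    printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' || return 2
    printf '%s\n' "$out" | grep -q 'Cert Status: good' || return 2
    return 0
}

# Live check against a server: $1 = hostname (placeholder), $2 = port (443).
# SNI is sent so the vhost with ssl_stapling enabled is the one answering.
check_stapling() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -status </dev/null 2>/dev/null)
    ocsp_staple_status "$out"
}

# Constructed sample outputs, trimmed to the lines the parser looks at.
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'
```

Note that nginx fetches the OCSP response in the background after the first handshake, so the very first connection after a reload can legitimately report "no response sent"; run the check twice before concluding that stapling is broken.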
~~~
baudehlo
You really should use a local caching resolver, even if you set your upstream
to google's resolvers.

Just install pdns-recursor and you're good to go.

~~~
ars_technician
If nginx caches for 300s and that's the only reason you are installing pdns-recursor, that's unnecessary technical debt in your production pipeline.

~~~
nodesocket
Agree, won't DNS do this caching automatically with valid=300s?

~~~
sneak
I believe that nginx will do the caching with valid=300s.

"DNS" does not let the client set the record TTL, and "DNS" in this case would
be a round-trip request to the Google DNS servers listed in the config snippet
- precisely what it was suggested be avoided.

------
jevinskie
I like TLS False Start and other, similar speculative algorithms. Speculative
execution is especially interesting in circuit design!

