Modern Linux kernels support offloading TLS to the kernel, and now NGINX-MOD does too! NGINX-MOD introduces support for kTLS when serving static files with SSL_sendfile(), which can hugely improve performance.
General Requirements
All you need to do is install the latest NGINX-MOD on any of the listed operating systems.
Operating systems:
- RHEL 8+, including AlmaLinux, Rocky Linux, etc.
- Fedora Linux
Enabling kTLS in NGINX
Run the following command to enable the tls module in the kernel:
modprobe tls
Configuring NGINX
To enable kTLS, include the ssl_conf_command directive with the Options KTLS parameter in the http {} context in order to enable kLTS for all the websites:
worker_processes auto;
error_log /var/log/nginx/error.log debug;
events {}
http {
sendfile on;
ssl_conf_command Options KTLS;
ssl_protocols TLSv1.3;
...
}
Now kTLS will greatly improve performance when serving static files with SSL_sendfile(). Our testing shows that performance improves by between 8% and 29%, depending on the operating system.