SSL/TLS Session Cache Optimization for High-Traffic Sites

Proactive Health

Optimizing SSL/TLS session caching to reduce handshake overhead and improve connection establishment latency.

Prompt: My NGINX server handles a lot of HTTPS traffic and I want to optimize SSL/TLS performance. How should I configure ssl_session_cache and ssl_session_timeout based on my connection rate and memory constraints?

Agent Playbook

When an agent encounters this scenario, Schema provides these diagnostic steps automatically.

When optimizing SSL/TLS session caching in NGINX, start by measuring your current session reuse rate to establish a baseline, then check for memory allocation failures that indicate undersized caches. Calculate the appropriate cache size based on your connection rate and desired timeout, and watch for handshake failures that might indicate protocol mismatches rather than cache issues.

1. Measure current session reuse rate
   Calculate the ratio of `nginx-ssl-session-reuses` to `nginx-ssl-handshakes` to establish your baseline. A healthy high-traffic site should see 60-80% session reuse; anything below 50% means you're doing expensive full handshakes too often and leaving performance on the table. This metric tells you immediately whether optimization will pay off.

2. Check for session cache memory exhaustion
   Look at `nginx-slab-slot-fails`: any non-zero value means NGINX is failing to allocate memory for new sessions, forcing full handshakes. Cross-reference with `nginx-slab-pages-used` to see how much of your configured cache is actually consumed. If you're hitting allocation failures, your cache is definitely too small for your traffic pattern.

3. Calculate required cache size from connection rate
   Use `nginx-net-backend-opened-per-s` to determine your connection rate, then multiply by your desired `ssl_session_timeout` (typically 5-10 minutes). Each session cache entry consumes roughly 256 bytes, so 1000 conn/sec × 300 sec timeout × 256 bytes ≈ 75 MB. Add 20-30% overhead for safety. This gives you a data-driven cache size rather than guessing.

4. Verify handshakes aren't failing for other reasons
   Check `nginx-ssl-handshakes-failed` before blaming cache configuration. If you see elevated failure rates, especially with Cloudflare or other CDNs in front, you might be hitting the TLS version mismatch issue where the edge tries TLS 1.3 but your NGINX only supports up to 1.2. This won't be fixed by cache tuning; you need to either upgrade NGINX or disable TLS 1.3 at the CDN.

5. Monitor session reuse improvement after tuning
   After adjusting `ssl_session_cache` size (e.g., from 'shared:SSL:10m' to 'shared:SSL:100m'), watch `nginx-ssl-session-reuses` trend upward over the next hour. The reuse rate should climb as the cache fills with valid sessions. Simultaneously confirm `nginx-slab-slot-fails` drops to zero and `nginx-slab-pages-used` stabilizes below your configured limit, proving you've sized it correctly without waste.
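The sizing arithmetic and thresholds from the steps above, carried through as an added worked example (not NGINX code or any vendor's tooling). It assumes the page's metric names as dictionary keys, treats the 256-bytes-per-entry figure as given, and uses a constructed metrics snapshot in place of real telemetry.

```python
"""Size an NGINX shared SSL session cache from observed metrics.

Added example for the playbook above; not part of NGINX or of any
monitoring vendor's integration. Metric names follow the page's convention
(e.g. nginx-ssl-handshakes); the SAMPLE values below are constructed.
"""
import math

BYTES_PER_SESSION = 256   # approximate per-entry cost cited in step 3
MIB = 1024 * 1024         # the "m" suffix of ssl_session_cache is mebibytes


def reuse_rate(reuses: int, handshakes: int) -> float:
    """Fraction of handshakes served from the session cache (0.0 when idle)."""
    return reuses / handshakes if handshakes else 0.0


def recommended_cache_mib(conn_per_s: float, timeout_s: int,
                          overhead: float = 0.25) -> int:
    """Cache size in MiB: connection rate x timeout x bytes per entry, plus headroom."""
    live_sessions = conn_per_s * timeout_s          # sessions alive within the timeout
    raw_bytes = live_sessions * BYTES_PER_SESSION
    return math.ceil(raw_bytes * (1 + overhead) / MIB)


def assess(m: dict, timeout_s: int = 300) -> dict:
    """Run the playbook's checks over one metrics snapshot and return findings."""
    handshakes = m["nginx-ssl-handshakes"]
    rate = reuse_rate(m["nginx-ssl-session-reuses"], handshakes)
    fail_rate = m["nginx-ssl-handshakes-failed"] / handshakes if handshakes else 0.0
    size = recommended_cache_mib(m["nginx-net-backend-opened-per-s"], timeout_s)
    return {
        "reuse_rate": round(rate, 3),
        "reuse_ok": rate >= 0.5,                          # step 1 threshold
        "cache_exhausted": m["nginx-slab-slot-fails"] > 0,  # step 2
        "recommended_cache_mib": size,                    # step 3
        "handshake_fail_rate": round(fail_rate, 3),       # step 4: not a cache issue
        "directive": f"ssl_session_cache shared:SSL:{size}m;\n"
                     f"ssl_session_timeout {timeout_s // 60}m;",
    }


# Constructed snapshot (not real telemetry): a busy site doing too many full handshakes.
SAMPLE = {
    "nginx-ssl-handshakes": 120_000,
    "nginx-ssl-session-reuses": 50_400,
    "nginx-ssl-handshakes-failed": 240,
    "nginx-slab-slot-fails": 37,
    "nginx-net-backend-opened-per-s": 1000,
}

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

With the sample numbers the reuse rate is 42% and slab allocations are failing, so the script recommends `shared:SSL:92m` for a 5 minute timeout at 1000 conn/sec with 25% headroom.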

Monitoring Interfaces

NGINX Datadog
NGINX OpenTelemetry