Nginx is the world's most popular web server, powering over 35% of all websites. Out of the box, Nginx is fast — but proper optimization can double or triple its performance, allowing you to serve more users with less hardware. This guide walks through a complete Nginx performance optimization for a Russia VPS, covering worker processes, keep-alive tuning, compression, fastcgi cache, HTTP/3, and security headers.
1. Worker Processes and Connections
The most fundamental Nginx tuning is the worker_processes and worker_connections directives. Set `worker_processes` to `auto` (Nginx will automatically use one worker per CPU core) or to the number of CPU cores on your VPS. Set `worker_connections` to 1024 for low-traffic sites, 4096 for medium-traffic, or 10240 for high-traffic. The maximum concurrent connections Nginx can handle is worker_processes × worker_connections — for a 4-vCore VPS with worker_connections 4096, that is 16,384 concurrent connections, sufficient for most sites. Add `multi_accept on;` to allow workers to accept multiple connections at once, and `use epoll;` on Linux for the most efficient event notification mechanism.
2. Keep-Alive Tuning
Keep-alive allows clients to reuse TCP connections for multiple HTTP requests, eliminating the latency of TCP handshake for subsequent requests. Set `keepalive_timeout 65;` (seconds) — 65 is the Nginx default and works well for most sites. Set `keepalive_requests 100;` — the number of HTTP requests a client can make over a single keep-alive connection. Increase to 1000 for API-heavy applications where clients make many requests. For backend connections (Nginx to PHP-FPM or upstream servers), set `upstream backend { server 127.0.0.1:9000; keepalive 32; }` and `proxy_http_version 1.1; proxy_set_header Connection "";` to enable keep-alive to upstreams, dramatically reducing backend connection overhead.
3. Gzip Compression
Gzip compression reduces the size of HTTP responses, improving load times for users on slow connections and reducing bandwidth costs. Enable gzip in the http block:
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 256;
gzip_types
text/plain text/css text/xml text/javascript
application/javascript application/json application/xml
application/rss+xml application/atom+xml image/svg+xml;
The `gzip_comp_level 6` provides good compression without excessive CPU usage. `gzip_min_length 256` skips compressing tiny responses where the overhead exceeds the savings. The `gzip_types` list covers all common compressible content types. Do not compress already-compressed formats (images, video, PDFs) — it wastes CPU without reducing size.
4. Brotli Compression
Brotli is a newer compression algorithm that achieves 15-20% better compression than gzip for text content, with similar CPU usage. Brotli is supported by all modern browsers (Chrome, Firefox, Safari, Edge). To enable Brotli, install the ngx_brotli module (most modern Nginx packages include it). Configure:
brotli on;
brotli_comp_level 6;
brotli_types
text/plain text/css text/xml text/javascript
application/javascript application/json application/xml
application/rss+xml application/atom+xml image/svg+xml;
Enable both gzip and brotli — Nginx will negotiate the best algorithm with each client. Brotli for modern browsers, gzip as fallback for older clients.
5. FastCGI Cache for PHP
For PHP applications (WordPress, Laravel, Drupal), FastCGI cache is the single most impactful optimization. It caches the full HTTP response from PHP-FPM, serving subsequent requests directly from Nginx without invoking PHP at all. Configure in the http block:
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
fastcgi_cache_lock on;
Then in your PHP location block:
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_cache WORDPRESS;
fastcgi_cache_valid 200 301 302 10m;
fastcgi_cache_valid 404 1m;
add_header X-Cache-Status $upstream_cache_status;
}
This caches successful responses for 10 minutes and 404s for 1 minute. The X-Cache-Status header shows whether each request was served from cache (HIT), retrieved from backend (MISS), or served stale (STALE). For dynamic content that should not be cached (user-specific pages, cart, checkout), add `fastcgi_cache_bypass $http_cookie $arg_nocache;` with appropriate cookie matching.
6. Proxy Cache for Upstream Servers
For applications running on Node.js, Python, Ruby, or other backend servers, use proxy_cache instead of fastcgi_cache. The configuration is similar:
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=BACKEND:100m inactive=60m;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_cache_use_stale error timeout invalid_header updating http_500 http_503;
proxy_cache_lock on;
Then in your location block: `proxy_cache BACKEND; proxy_cache_valid 200 10m; proxy_cache_valid 404 1m;`. The proxy cache provides the same benefits as fastcgi cache — full response caching at the Nginx layer, dramatically reducing backend load.
7. Static File Caching
Static files (images, CSS, JavaScript, fonts) should be served with long cache expiration headers to allow browsers to cache them locally. Configure:
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
access_log off;
}
The `expires 1y` sets a 1-year cache expiration. `Cache-Control "public, immutable"` tells browsers and CDNs the file will never change — they can cache it indefinitely without revalidation. The `immutable` flag is important — it tells browsers they do not need to send a conditional request (If-Modified-Since) when the file is in cache. Use cache-busting filenames (e.g., app.abc123.css) so you can update files without waiting for cache expiration.
8. HTTP/2 and HTTP/3
HTTP/2 allows multiplexing multiple requests over a single TCP connection, eliminating head-of-line blocking and significantly improving page load times for modern browsers. Enable HTTP/2 by adding `http2` to your listen directive: `listen 443 ssl http2;`. HTTP/2 requires HTTPS — it does not work over plain HTTP. HTTP/3 goes further by using QUIC (UDP-based) instead of TCP, eliminating head-of-line blocking at the transport layer. Enable HTTP/3 (available in Nginx 1.25+) with `listen 443 quic reuseport; http3 on;`. Most modern browsers support HTTP/3, but it requires UDP port 443 to be open on your firewall — verify with your VPS provider.
9. SSL/TLS Optimization
SSL/TLS termination adds CPU overhead and latency. Optimize with: (1) session resumption — `ssl_session_cache shared:SSL:50m; ssl_session_tickets on; ssl_session_timeout 1d;`, (2) OCSP stapling — `ssl_stapling on; ssl_stapling_verify on;`, (3) modern cipher suite — `ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers off;` (let the client choose, TLS 1.3 has better client-side ciphers), (4) HTTP Strict Transport Security — `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;`. These settings reduce TLS handshake overhead by 50-80% for returning visitors and improve security.
10. Security Headers
Security headers protect your users from XSS, clickjacking, and other browser-based attacks. Add to your server block:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:;" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
These headers do not directly improve performance but are essential for a production-grade site. Test your headers at securityheaders.com — aim for an A or A+ rating.
11. Rate Limiting
Rate limiting protects your server from abuse (scraping, brute force, DDoS) and ensures fair resource allocation among users. Configure in the http block:
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
limit_conn_zone $binary_remote_addr zone=conn:10m;
Then in your server block:
location / { limit_req zone=general burst=20 nodelay; limit_conn conn 10; }
location /login { limit_req zone=login burst=5 nodelay; }
This limits each IP to 10 requests/second (burst 20) for general traffic and 1 request/second for the login page. Excess requests return 503. Tune the rates based on your legitimate traffic patterns.
12. PHP-FPM Tuning
If you run PHP-FPM behind Nginx, tune the PHP-FPM pool settings. In `/etc/php/8.x/fpm/pool.d/www.conf`: set `pm = dynamic`, `pm.max_children = 50` (or higher for high-traffic sites), `pm.start_servers = 5`, `pm.min_spare_servers = 5`, `pm.max_spare_servers = 35`. The `pm.max_children` should be sized based on your VPS RAM: each PHP-FPM child uses ~50-100MB RAM, so a 4GB VPS can run 30-40 children. Too few children cause 502 errors under load; too many cause OOM kills. Monitor with `pm.status_path = /status` and adjust based on observed usage.
13. Connection Upgrades
For WebSocket applications, configure Nginx to upgrade HTTP connections to WebSocket. In your location block: `proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 86400;`. The `proxy_read_timeout 86400` keeps WebSocket connections open for up to 24 hours (default is 60 seconds, which causes WebSocket disconnects). For Server-Sent Events (SSE), disable proxy buffering: `proxy_buffering off;` — otherwise Nginx will buffer events and deliver them in batches, breaking real-time updates.
14. Monitoring and Benchmarking
Verify your Nginx optimization with monitoring and benchmarking. Enable Nginx status: `location /nginx_status { stub_status on; allow 127.0.0.1; deny all; }` — view active connections, accepted/handled requests, and reading/writing/waiting counts. Use `ab` (Apache Bench) or `wrk` to benchmark: `wrk -t12 -c400 -d30s https://yourdomain.com/`. Compare results before and after optimization — a well-optimized Nginx can handle 10,000+ requests per second on a 4-vCore VPS. Monitor with Netdata (real-time dashboards) or Prometheus + Grafana (long-term metrics) to detect performance regressions.
Conclusion
Optimizing Nginx for maximum performance on a Russia VPS takes 2-4 hours and can double or triple your request handling capacity. The most impactful changes are: enable fastcgi/proxy cache for dynamic content, enable gzip and brotli compression, set long cache expiration on static files, enable HTTP/2 and HTTP/3, optimize SSL/TLS, and add security headers. Monitor with Nginx stub_status and benchmark with wrk or ab to verify the improvements. A well-optimized Nginx on a 4-vCore Russia VPS can serve thousands of concurrent users with sub-100ms response times — competitive with much more expensive dedicated servers.