From 0afb8a4493d7b1e2ab6ff7ec8a740802c1ba07fa Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sat, 29 Mar 2025 22:28:27 +0300
Subject: [PATCH] roles/nginx: update nginx ssl_buffer_size

The old default has not been changed in eight years and I see that there have been some discussions over the years about this. I will change this from the slightly extreme 1400 bytes to 4k (nginx def- ault is still 16k so this is more "optimal" for HTML/CSS content). See: https://github.com/igrigorik/istlsfastyet.com/issues/63
---
 roles/nginx/defaults/main.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 098d66f..1e87437 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -11,8 +11,7 @@ nginx_root_prefix: "{{ web_root_prefix }}"
 nginx_ssl_session_timeout: 1h
 # 10MB -> 40,000 sessions
 nginx_ssl_session_cache: shared:SSL:10m
-# 1400 bytes to fit in one MTU (default is 16k!)
-nginx_ssl_buffer_size: 1400
+nginx_ssl_buffer_size: 4k
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: TLSv1.2 TLSv1.3
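Review bot: The new `nginx_ssl_buffer_size: 4k` line is left without any comment, while the line it replaces carried one explaining its value, so the reason for 4k now exists only in the commit message. A one-line comment above it would keep the rationale next to the setting, for example `# 4k TLS record buffer: below nginx's 16k default, better suited to HTML/CSS responses`. The default also changes from a bare integer to a size string, and presumably any inventory that overrides this variable with the old 1400 will keep that value, so it is worth checking group and host vars when rolling this out.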