Enable Keepalive connections in Nginx Upstream proxy configurations

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Profile image of Mattias Geniar

Mattias Geniar, October 27, 2015

Follow me on Twitter as @mattiasgeniar

A very common setup to see nowadays is to have an Nginx SSL proxy in front of a Varnish configuration, that handles all the SSL configurations while Varnish still maintains the caching abilities.

It’s one of my “2015 server stack predictions” that held up pretty accurately so far. Although, honestly, this wasn’t a hard one to predict.

An Nginx configuration however, by default, only talks HTTP/1 to the upstream (in this exampple a Varnish). Keepalive connections are only supported as of HTTP/1.1, an upgrade to the HTTP protocol. We have to explicitly enable this setting in Nginx so it does keepalive connections to the upstream it’s connecting to.

This can greatly reduce the number of new TCP connections in an Nginx SSL setup, as Nginx can now reuse its existing connections (keepalive) per upstream.

To enable Keepalive in Nginx upstream configurations, add the following to your configs. First, modify your upstream definition and add the keepalive parameter.

upstream your_upstream {
  # The keepalive parameter sets the maximum number of idle keepalive connections
  # to upstream servers that are preserved in the cache of each worker process. When
  # this number is exceeded, the least recently used connections are closed.
  keepalive 100;


Next, enable the HTTP/1.1 protocol in all upstream requests.

location / {
  proxy_pass             http://your_upstream;
  proxy_read_timeout     300;
  proxy_connect_timeout  300;

  # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
  proxy_http_version 1.1;

  # Remove the Connection header if the client sends it,
  # it could be "close" to close a keepalive connection
  proxy_set_header Connection "";

If your upstream server supports keepalive in its config, Nginx will now reuse existing TCP connections without creating new ones. This can greatly reduce the number of TIME_WAIT TCP connections on a busy SSL server.

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.