nginx: enable TCP Fast Open for HTTP(S)

This isn't used by end user machines in practice due to privacy and
compatibility reasons but it works well between servers. We're using it
for authoritative DNS per the RFC 9210 recommendation and might as well
have it available for HTTP and HTTPS since it does get used a bit in
practice.

The queue size determines how many pending fast open connections which
have not yet completed the handshake are allowed before the kernel will
fall back to waiting for the handshake.

TCP Fast Open key rotation and persistence has been handled as part of
our baseline server configuration.

Author: thestinger

nginx/nginx.conf

@@ -105,8 +105,8 @@ http {
     }
 
     server {
-        listen 80 default_server backlog=4096 rcvbuf=2048 sndbuf=2048;
-        listen [::]:80 default_server backlog=4096 rcvbuf=2048 sndbuf=2048;
+        listen 80 default_server backlog=4096 fastopen=4 rcvbuf=2048 sndbuf=2048;
+        listen [::]:80 default_server backlog=4096 fastopen=4 rcvbuf=2048 sndbuf=2048;
 
         # https://trac.nginx.org/nginx/ticket/2012
         location / {
@@ -129,8 +129,8 @@ http {
     }
 
     server {
-        listen 443 default_server ssl backlog=4096;
-        listen [::]:443 default_server ssl backlog=4096;
+        listen 443 default_server ssl backlog=4096 fastopen=16;
+        listen [::]:443 default_server ssl backlog=4096 fastopen=16;
         http2 on;
         ssl_reject_handshake on;