Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

The benefit from having keep-alive on is that a client will be able to request more than one entity from your server without having to create another TCP connection (3-way handshake with its round-trips included). The problem with this is that if, say, you have a connection limit in apache set to 300, if there's 300 active connections all the others will have to wait until the first 300 clients are done and/or the timeout expires.

Disabling keep-alive will force the clients to create 1 connection per request. When the socket is properly closed on both ends, it goes into the TIME_WAIT status, as you've noticed. This happens to ensure that the port used in that connection does not receive data from a previous connection for a while before being available (see this, but there's much more out there). In my linux system, /proc/sys/net/ipv4/tcp_fin_timeout is set to 60 seconds. You can try reducing that, but don't go too far down. How far? It depends on how many connections per second you are getting. For 100-200req/s, don't bother changing the default.