Sébastien,
Keepalive in an upstream defines a pool of connections attached to that
upstream.
The main purpose of the pool is to reduce the number of new TCP
connections: the fewer new connections you open, the less load you have.
Any specific recommendation will fail in some case. So the real

I figured it out. One of the servers that is listening on 443 uses
"ssl_reject_handshake on;" and thus I didn't define an ssl_certificate +
ssl_certificate_key + ssl_trusted_certificate as it is not (and should not
be) required. For some reason, this disabled TLS1.3 for all servers, quite
unexpectedly.