diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index 3b3f783f4..03adf3887 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.12
+PLUGIN_VERSION=		1.13
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index d6acc75d7..1c7bb939b 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -8,6 +8,10 @@ reuse, SSL offload and HTTP media streaming.
 Plugin Changelog
 ================
 
+1.13
+
+* add support for 0-RTT (Early Data in TLS 1.3)
+
 1.12
 
 * add log to SYSLOG server support
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
index 140949cb7..2ec09b01c 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -104,6 +104,13 @@
     <advanced>true</advanced>
     <help><![CDATA[<ul><li>On: the certificate is requested and validated. Use this option to protect a service with TLS authentication.</li><li>Off: The certificate is not requested. Choose this option for a normal website.</li><li>Optional: The certificate is requested and validated if existing. Choose this option for websites, with TLS login support or mixed TLS protected API and web content.</li><li>Optional, don't verify: Do accept the certificate and let the application choose what to do. Choose this option, for the same reasons as optional but in this case, the request is passed to the backend without rejecting untrusted certificates.</li></ul>]]></help>
   </field>
+  <field>
+    <id>httpserver.zero_rtt</id>
+    <label>Zero RTT</label>
+    <type>checkbox</type>
+    <advanced>true</advanced>
+    <help><![CDATA[If you enable this feature, your website will may get vulnerable to replay attacks, but you gain a big performance boost. You can read <a href="https://tools.ietf.org/html/rfc8446#section-2.3" target="_blank">RFC 8446</a> for more information. The Backend will get a HTTP header "Early-Data" which can be used if a short handshake was used. If a response is too risky, answer with <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425" target="_blank">HTTP status code 425</a>.]]></help>
+  </field>
   <field>
     <id>httpserver.access_log_format</id>
     <label>Access Log Format</label>
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index f57dda9a0..c4d108a23 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.8.0</version>
+  <version>1.13.0</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -749,6 +749,10 @@
         </OptionValues>
         <Required>N</Required>
       </satisfy>
+      <zero_rtt type="BooleanField">
+        <Required>Y</Required>
+        <default>0</default>
+      </zero_rtt>
     </http_server>
 
     <stream_server type="ArrayField">
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
index 16643d934..adc6213d0 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -93,6 +93,9 @@ server {
 {%     if server.ca is defined %}
     ssl_client_certificate /usr/local/etc/nginx/key/{{ single_servername }}_ca.pem;
     ssl_verify_client {{ server.verify_client }};
+{%     endif %}
+{%     if server.zero_rtt == '1' %}
+    ssl_early_data on;
 {%     endif %}
     ssl_certificate_key /usr/local/etc/nginx/key/{{ single_servername }}.key;
     ssl_certificate /usr/local/etc/nginx/key/{{ single_servername }}.pem;
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 3664795fa..4ed7e97cb 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -87,6 +87,9 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     fastcgi_param TLS-Protocol $ssl_protocol;
     fastcgi_param TLS-SNI-Host $ssl_server_name;
     fastcgi_param TLS-Client-Intercepted $tls_intercepted;
+{% if server.zero_rtt == '1' %}
+    fastcgi_param Early-Data $ssl_early_data;
+{% endif %}
     fastcgi_intercept_errors off;
 {% if location.upstream is not defined %}
     fastcgi_pass  unix:/var/run/php-www.socket;
@@ -134,6 +137,9 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {% endif %}
 {% if server.verify_client == 'optional_no_ca' %}
     proxy_set_header X-Client-Certificate $ssl_client_escaped_cert;
+{% endif %}
+{% if server.zero_rtt == '1' %}
+    proxy_set_header Early-Data $ssl_early_data;
 {% endif %}
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;