Changes with nginx 1.21.1
*) Change: now nginx always returns an error for the CONNECT method.
*) Change: now nginx always returns an error if both "Content-Length"
and "Transfer-Encoding" header lines are present in the request.
*) Change: now nginx always returns an error if spaces or control
characters are used in the request line.
*) Change: now nginx always returns an error if spaces or control
characters are used in a header name.
*) Change: now nginx always returns an error if spaces or control
characters are used in the "Host" request header line.
*) Change: optimization of configuration testing when using many
listening sockets.
*) Bugfix: nginx did not escape """, "<", ">", "\", "^", "`", "{", "|",
and "}" characters when proxying with changed URI.
*) Bugfix: SSL variables might be empty when used in logs; the bug had
appeared in 1.19.5.
*) Bugfix: keepalive connections with gRPC backends might not be closed
after receiving a GOAWAY frame.
*) Bugfix: reduced memory consumption for long-lived requests when
proxying with more than 64 buffers.
Changes with nginx 1.21.0
*) Security: 1-byte memory overwrite might occur during DNS server
response processing if the "resolver" directive was used, allowing an
attacker who is able to forge UDP packets from the DNS server to
cause worker process crash or, potentially, arbitrary code execution
(CVE-2021-23017).
*) Feature: variables support in the "proxy_ssl_certificate",
"proxy_ssl_certificate_key" "grpc_ssl_certificate",
"grpc_ssl_certificate_key", "uwsgi_ssl_certificate", and
"uwsgi_ssl_certificate_key" directives.
*) Feature: the "max_errors" directive in the mail proxy module.
*) Feature: the mail proxy module supports POP3 and IMAP pipelining.
*) Feature: the "fastopen" parameter of the "listen" directive in the
stream module.
Thanks to Anbang Wen.
*) Bugfix: special characters were not escaped during automatic redirect
with appended trailing slash.
*) Bugfix: connections with clients in the mail proxy module might be
closed unexpectedly when using SMTP pipelining.
Changes with nginx 1.19.10
*) Change: the default value of the "keepalive_requests" directive was
changed to 1000.
*) Feature: the "keepalive_time" directive.
*) Feature: the $connection_time variable.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
Changes with nginx 1.19.9 30 Mar 2021
*) Bugfix: nginx could not be built with the mail proxy module, but
without the ngx_mail_ssl_module; the bug had appeared in 1.19.8.
*) Bugfix: "upstream sent response body larger than indicated content
length" errors might occur when working with gRPC backends; the bug
had appeared in 1.19.1.
*) Bugfix: nginx might not close a connection till keepalive timeout
expiration if the connection was closed by the client while
discarding the request body.
*) Bugfix: nginx might not detect that a connection was already closed
by the client when waiting for auth_delay or limit_req delay, or when
working with backends.
*) Bugfix: in the eventport method.
Changes with nginx 1.19.8 09 Mar 2021
*) Feature: flags in the "proxy_cookie_flags" directive can now contain
variables.
*) Feature: the "proxy_protocol" parameter of the "listen" directive,
the "proxy_protocol" and "set_real_ip_from" directives in mail proxy.
*) Bugfix: HTTP/2 connections were immediately closed when using
"keepalive_timeout 0"; the bug had appeared in 1.19.7.
*) Bugfix: some errors were logged as unknown if nginx was built with
glibc 2.32.
*) Bugfix: in the eventport method.
Changes with nginx 1.19.7 16 Feb 2021
*) Change: connections handling in HTTP/2 has been changed to better
match HTTP/1.x; the "http2_recv_timeout", "http2_idle_timeout", and
"http2_max_requests" directives have been removed, the
"keepalive_timeout" and "keepalive_requests" directives should be
used instead.
*) Change: the "http2_max_field_size" and "http2_max_header_size"
directives have been removed, the "large_client_header_buffers"
directive should be used instead.
*) Feature: now, if free worker connections are exhausted, nginx starts
closing not only keepalive connections, but also connections in
lingering close.
*) Bugfix: "zero size buf in output" alerts might appear in logs if an
upstream server returned an incorrect response during unbuffered
proxying; the bug had appeared in 1.19.1.
*) Bugfix: HEAD requests were handled incorrectly if the "return"
directive was used with the "image_filter" or "xslt_stylesheet"
directives.
*) Bugfix: in the "add_trailer" directive.
Changes with nginx 1.19.6 15 Dec 2020
*) Bugfix: "no live upstreams" errors if a "server" inside "upstream"
block was marked as "down".
*) Bugfix: a segmentation fault might occur in a worker process if HTTPS
was used; the bug had appeared in 1.19.5.
*) Bugfix: nginx returned the 400 response on requests like
"GET http://example.com?args HTTP/1.0".
*) Bugfix: in the ngx_http_flv_module and ngx_http_mp4_module.
And while here, also update naxsi to 1.3.
Changes for naxsi 1.3:
*) Fixed regression on FILE_EXT confusion
*) Documented id 19 and 20 to rules
Changes with nginx 1.19.5 24 Nov 2020
*) Feature: the -e switch.
*) Feature: the same source files can now be specified in different
modules while building addon modules.
*) Bugfix: SSL shutdown did not work when lingering close was used.
*) Bugfix: "upstream sent frame for closed stream" errors might occur
when working with gRPC backends.
*) Bugfix: in request body filters internal API.
Changes with nginx 1.19.4 27 Oct 2020
*) Feature: the "ssl_conf_command", "proxy_ssl_conf_command",
"grpc_ssl_conf_command", and "uwsgi_ssl_conf_command" directives.
*) Feature: the "ssl_reject_handshake" directive.
*) Feature: the "proxy_smtp_auth" directive in mail proxy.
Changes with nginx 1.19.3 29 Sep 2020
*) Feature: the ngx_stream_set_module.
*) Feature: the "proxy_cookie_flags" directive.
*) Feature: the "userid_flags" directive.
*) Bugfix: the "stale-if-error" cache control extension was erroneously
applied if backend returned a response with status code 500, 502,
503, 504, 403, 404, or 429.
*) Bugfix: "[crit] cache file ... has too long header" messages might
appear in logs if caching was used and the backend returned responses
with the "Vary" header line.
*) Workaround: "[crit] SSL_write() failed" messages might appear in logs
when using OpenSSL 1.1.1.
*) Bugfix: "SSL_shutdown() failed (SSL: ... bad write retry)" messages
might appear in logs; the bug had appeared in 1.19.2.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 if errors with code 400 were redirected to a proxied
location using the "error_page" directive.
*) Bugfix: socket leak when using HTTP/2 and subrequests in the njs
module.
Changes with nginx 1.19.2
*) Change: now nginx starts closing keepalive connections before all
free worker connections are exhausted, and logs a warning about this
to the error log.
*) Change: optimization of client request body reading when using
chunked transfer encoding.
*) Bugfix: memory leak if the "ssl_ocsp" directive was used.
*) Bugfix: "zero size buf in output" alerts might appear in logs if a
FastCGI server returned an incorrect response; the bug had appeared
in 1.19.1.
*) Bugfix: a segmentation fault might occur in a worker process if
different large_client_header_buffers sizes were used in different
virtual servers.
*) Bugfix: SSL shutdown might not work.
*) Bugfix: "SSL_shutdown() failed (SSL: ... bad write retry)" messages
might appear in logs.
*) Bugfix: in the ngx_http_slice_module.
*) Bugfix: in the ngx_http_xslt_filter_module.
Changes with nginx 1.19.1
*) Change: the "lingering_close", "lingering_time", and
"lingering_timeout" directives now work when using HTTP/2.
*) Change: now extra data sent by a backend are always discarded.
*) Change: now after receiving a too short response from a FastCGI
server nginx tries to send the available part of the response to the
client, and then closes the client connection.
*) Change: now after receiving a response with incorrect length from a
gRPC backend nginx stops response processing with an error.
*) Feature: the "min_free" parameter of the "proxy_cache_path",
"fastcgi_cache_path", "scgi_cache_path", and "uwsgi_cache_path"
directives.
Thanks to Adam Bambuch.
*) Bugfix: nginx did not delete unix domain listen sockets during
graceful shutdown on the SIGQUIT signal.
*) Bugfix: zero length UDP datagrams were not proxied.
*) Bugfix: proxying to uwsgi backends using SSL might not work.
Thanks to Guanzhong Chen.
*) Bugfix: in error handling when using the "ssl_ocsp" directive.
*) Bugfix: on XFS and NFS file systems disk cache size might be
calculated incorrectly.
*) Bugfix: "negative size buf in writer" alerts might appear in logs if
a memcached server returned a malformed response.
Changes with nginx 1.19.0
*) Feature: client certificate validation with OCSP.
*) Bugfix: "upstream sent frame for closed stream" errors might occur
when working with gRPC backends.
*) Bugfix: OCSP stapling might not work if the "resolver" directive was
not specified.
*) Bugfix: connections with incorrect HTTP/2 preface were not logged.
Changes with nginx 1.17.9
*) Change: now nginx does not allow several "Host" request header lines.
*) Bugfix: nginx ignored additional "Transfer-Encoding" request header
lines.
*) Bugfix: socket leak when using HTTP/2.
*) Bugfix: a segmentation fault might occur in a worker process if OCSP
stapling was used.
*) Bugfix: in the ngx_http_mp4_module.
*) Bugfix: nginx used status code 494 instead of 400 if errors with code
494 were redirected with the "error_page" directive.
*) Bugfix: socket leak when using subrequests in the njs module and the
"aio" directive.
Changes with nginx 1.17.8
*) Feature: variables support in the "grpc_pass" directive.
*) Bugfix: a timeout might occur while handling pipelined requests in an
SSL connection; the bug had appeared in 1.17.5.
*) Bugfix: in the "debug_points" directive when using HTTP/2.
Changes with nginx 1.17.7
*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if the "rewrite" directive with an empty replacement
string was used in the configuration.
*) Bugfix: a segmentation fault might occur in a worker process if the
"break" directive was used with the "alias" directive or with the
"proxy_pass" directive with a URI.
*) Bugfix: the "Location" response header line might contain garbage if
the request URI was rewritten to the one containing a null character.
*) Bugfix: requests with bodies were handled incorrectly when returning
redirections with the "error_page" directive; the bug had appeared in
0.7.12.
*) Bugfix: socket leak when using HTTP/2.
*) Bugfix: a timeout might occur while handling pipelined requests in an
SSL connection; the bug had appeared in 1.17.5.
*) Bugfix: in the ngx_http_dav_module.
Changes with nginx 1.17.6:
*) Feature: the $proxy_protocol_server_addr and
$proxy_protocol_server_port variables.
*) Feature: the "limit_conn_dry_run" directive.
*) Feature: the $limit_req_status and $limit_conn_status variables.
Changes with nginx 1.17.5:
*) Feature: now nginx uses ioctl(FIONREAD), if available, to avoid
reading from a fast connection for a long time.
*) Bugfix: incomplete escaped characters at the end of the request URI
were ignored.
*) Bugfix: "/." and "/.." at the end of the request URI were not
normalized.
*) Bugfix: in the "merge_slashes" directive.
*) Bugfix: in the "ignore_invalid_headers" directive.
Thanks to Alan Kemp.
*) Bugfix: nginx could not be built with MinGW-w64 gcc 8.1 or newer.
Changes with nginx 1.17.4
*) Change: better detection of incorrect client behavior in HTTP/2.
*) Change: in handling of not fully read client request body when
returning errors in HTTP/2.
*) Bugfix: the "worker_shutdown_timeout" directive might not work when
using HTTP/2.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 and the "proxy_request_buffering" directive.
*) Bugfix: the ECONNABORTED error log level was "crit" instead of
"error" on Windows when using SSL.
*) Bugfix: nginx ignored extra data when using chunked transfer
encoding.
*) Bugfix: nginx always returned the 500 error if the "return" directive
was used and an error occurred during reading client request body.
*) Bugfix: in memory allocation error handling.
Changes with nginx 1.17.3
*) Security: when using HTTP/2 a client might cause excessive memory
consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
CVE-2019-9516).
*) Bugfix: "zero size buf" alerts might appear in logs when using
gzipping; the bug had appeared in 1.17.2.
*) Bugfix: a segmentation fault might occur in a worker process if the
"resolver" directive was used in SMTP proxy.
Changes with nginx 1.17.2
*) Change: minimum supported zlib version is 1.2.0.4.
Thanks to Ilya Leoshkevich.
*) Change: the $r->internal_redirect() embedded perl method now expects
escaped URIs.
*) Feature: it is now possible to switch to a named location using the
$r->internal_redirect() embedded perl method.
*) Bugfix: in error handling in embedded perl.
*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if hash bucket size larger than 64 kilobytes was used
in the configuration.
*) Bugfix: nginx might hog CPU during unbuffered proxying and when
proxying WebSocket connections if the select, poll, or /dev/poll
methods were used.
*) Bugfix: in the ngx_http_xslt_filter_module.
*) Bugfix: in the ngx_http_ssi_filter_module.
Changes with nginx 1.17.1
*) Feature: the "limit_req_dry_run" directive.
*) Feature: when using the "hash" directive inside the "upstream" block
an empty hash key now triggers round-robin balancing.
Thanks to Niklas Keller.
*) Bugfix: a segmentation fault might occur in a worker process if
caching was used along with the "image_filter" directive, and errors
with code 415 were redirected with the "error_page" directive; the
bug had appeared in 1.11.10.
*) Bugfix: a segmentation fault might occur in a worker process if
embedded perl was used; the bug had appeared in 1.7.3.
Changes with nginx 1.17.0:
*) Feature: variables support in the "limit_rate" and "limit_rate_after"
directives.
*) Feature: variables support in the "proxy_upload_rate" and
"proxy_download_rate" directives in the stream module.
*) Change: minimum supported OpenSSL version is 0.9.8.
*) Change: now the postpone filter is always built.
*) Bugfix: the "include" directive did not work inside the "if" and
"limit_except" blocks.
*) Bugfix: in byte ranges processing.
Changes with nginx 1.15.12:
*) Bugfix: a segmentation fault might occur in a worker process if
variables were used in the "ssl_certificate" or "ssl_certificate_key"
directives and OCSP stapling was enabled.
Changes with nginx 1.15.11:
*) Bugfix: in the "ssl_stapling_file" directive on Windows.
Changes with nginx 1.15.10:
*) Change: when using a hostname in the "listen" directive nginx now
creates listening sockets for all addresses the hostname resolves to
(previously, only the first address was used).
*) Feature: port ranges in the "listen" directive.
*) Feature: loading of SSL certificates and secret keys from variables.
*) Workaround: the $ssl_server_name variable might be empty when using
OpenSSL 1.1.1.
*) Bugfix: nginx/Windows could not be built with Visual Studio 2015 or
newer; the bug had appeared in 1.15.9.
nginx-nchan:
1.2.5:
fix: using multiplexed channels with Redis in backup mode may result in worker crash
fix: nchan_publisher_channel_id could not be set exclusively in a publisher location
fix: Google pagespeed module compatibility
fix: nchan prevents nginx from starting if no http {} block is configured
1.2.4:
fix: Redis cluster info with zero-length hostname may result in worker crash
fix: build problems with included hiredis lib in FreeBSD
feature: nchan_redis_namespace and nchan_redis_ping_interval now work in upstream blocks
fix: websocket publisher did not publishing channel events
fix: Redis namespace was limited to 8 bytes
Changelog:
Changes with nginx 1.15.9 26 Feb 2019
*) Feature: variables support in the "ssl_certificate" and
"ssl_certificate_key" directives.
*) Feature: the "poll" method is now available on Windows when using
Windows Vista or newer.
*) Bugfix: if the "select" method was used on Windows and an error
occurred while establishing a backend connection, nginx waited for
the connection establishment timeout to expire.
*) Bugfix: the "proxy_upload_rate" and "proxy_download_rate" directives
in the stream module worked incorrectly when proxying UDP datagrams.
Changes with nginx 1.15.8:
*) Feature: the $upstream_bytes_sent variable.
*) Feature: new directives in vim syntax highlighting scripts.
*) Bugfix: in the "proxy_cache_background_update" directive.
*) Bugfix: in the "geo" directive when using unix domain listen sockets.
*) Workaround: the "ignoring stale global SSL error ... bad length"
alerts might appear in logs when using the "ssl_early_data" directive
with OpenSSL.
*) Bugfix: in nginx/Windows.
*) Bugfix: in the ngx_http_autoindex_module on 32-bit platforms.
Changes with nginx 1.15.7:
*) Feature: the "proxy_requests" directive in the stream module.
*) Feature: the "delay" parameter of the "limit_req" directive.
*) Bugfix: memory leak on errors during reconfiguration.
*) Bugfix: in the $upstream_response_time, $upstream_connect_time, and
$upstream_header_time variables.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_mp4_module was used on 32-bit platforms.
Changes with nginx 1.15.6:
*) Security: when using HTTP/2 a client might cause excessive memory
consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).
*) Security: processing of a specially crafted mp4 file with the
ngx_http_mp4_module might result in worker process memory disclosure
(CVE-2018-16845).
*) Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive",
"grpc_socket_keepalive", "memcached_socket_keepalive",
"scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives.
*) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
1.1.1, the TLS 1.3 protocol was always enabled.
*) Bugfix: working with gRPC backends might result in excessive memory
consumption.
Changes with nginx 1.15.5:
*) Bugfix: a segmentation fault might occur in a worker process when
using OpenSSL 1.1.0h or newer; the bug had appeared in 1.15.4.
*) Bugfix: of minor potential bugs.
Changes with nginx 1.15.4:
*) Feature: now the "ssl_early_data" directive can be used with OpenSSL.
*) Bugfix: in the ngx_http_uwsgi_module.
Thanks to Chris Caputo.
*) Bugfix: connections with some gRPC backends might not be cached when
using the "keepalive" directive.
*) Bugfix: a socket leak might occur when using the "error_page"
directive to redirect early request processing errors, notably errors
with code 400.
*) Bugfix: the "return" directive did not change the response code when
returning errors if the request was redirected by the "error_page"
directive.
*) Bugfix: standard error pages and responses of the
ngx_http_autoindex_module module used the "bgcolor" attribute, and
might be displayed incorrectly when using custom color settings in
browsers.
Thanks to Nova DasSarma.
*) Change: the logging level of the "no suitable key share" and "no
suitable signature algorithm" SSL errors has been lowered from "crit"
to "info".
Changes with nginx 1.15.3:
*) Feature: now TLSv1.3 can be used with BoringSSL.
*) Feature: the "ssl_early_data" directive, currently available with
BoringSSL.
*) Feature: the "keepalive_timeout" and "keepalive_requests" directives
in the "upstream" block.
*) Bugfix: the ngx_http_dav_module did not truncate destination file
when copying a file over an existing one with the COPY method.
*) Bugfix: the ngx_http_dav_module used zero access rights on the
destination file and did not preserve file modification time when
moving a file between different file systems with the MOVE method.
*) Bugfix: the ngx_http_dav_module used default access rights when
copying a file with the COPY method.
*) Workaround: some clients might not work when using HTTP/2; the bug
had appeared in 1.13.5.
*) Bugfix: nginx could not be built with LibreSSL 2.8.0.
Changes with nginx 1.15.2:
*) Feature: the $ssl_preread_protocol variable in the
ngx_stream_ssl_preread_module.
*) Feature: now when using the "reset_timedout_connection" directive
nginx will reset connections being closed with the 444 code.
*) Change: a logging level of the "http request", "https proxy request",
"unsupported protocol", and "version too low" SSL errors has been
lowered from "crit" to "info".
*) Bugfix: DNS requests were not resent if initial sending of a request
failed.
*) Bugfix: the "reuseport" parameter of the "listen" directive was
ignored if the number of worker processes was specified after the
"listen" directive.
*) Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to
switch off "ssl_prefer_server_ciphers" in a virtual server if it was
switched on in the default server.
*) Bugfix: SSL session reuse with upstream servers did not work with the
TLS 1.3 protocol.
Changes with nginx 1.15.1:
*) Feature: the "random" directive inside the "upstream" block.
*) Feature: improved performance when using the "hash" and "ip_hash"
directives with the "zone" directive.
*) Feature: the "reuseport" parameter of the "listen" directive now uses
SO_REUSEPORT_LB on FreeBSD 12.
*) Bugfix: HTTP/2 server push did not work if SSL was terminated by a
proxy server in front of nginx.
*) Bugfix: the "tcp_nopush" directive was always used on backend
connections.
*) Bugfix: sending a disk-buffered request body to a gRPC backend might
fail.
Changes with nginx 1.15.0:
*) Change: the "ssl" directive is deprecated; the "ssl" parameter of the
"listen" directive should be used instead.
*) Change: now nginx detects missing SSL certificates during
configuration testing when using the "ssl" parameter of the "listen"
directive.
*) Feature: now the stream module can handle multiple incoming UDP
datagrams from a client within a single session.
*) Bugfix: it was possible to specify an incorrect response code in the
"proxy_cache_valid" directive.
*) Bugfix: nginx could not be built by gcc 8.1.
*) Bugfix: logging to syslog stopped on local IP address changes.
*) Bugfix: nginx could not be built by clang with CUDA SDK installed;
the bug had appeared in 1.13.8.
*) Bugfix: "getsockopt(TCP_FASTOPEN) ... failed" messages might appear
in logs during binary upgrade when using unix domain listen sockets
on FreeBSD.
*) Bugfix: nginx could not be built on Fedora 28 Linux.
*) Bugfix: request processing rate might exceed configured rate when
using the "limit_req" directive.
*) Bugfix: in handling of client addresses when using unix domain listen
sockets to work with datagrams on Linux.
*) Bugfix: in memory allocation error handling.
Changes with nginx 1.13.12:
*) Bugfix: connections with gRPC backends might be closed unexpectedly
when returning a large response.
Changes with nginx 1.13.11:
*) Feature: the "proxy_protocol" parameter of the "listen" directive now
supports the PROXY protocol version 2.
*) Bugfix: nginx could not be built with OpenSSL 1.1.1 statically on
Linux.
*) Bugfix: in the "http_404", "http_500", etc. parameters of the
"proxy_next_upstream" directive.
1.13.10:
*) Feature: the "set" parameter of the "include" SSI directive now
allows writing arbitrary responses to a variable; the
"subrequest_output_buffer_size" directive defines maximum response
size.
*) Feature: now nginx uses clock_gettime(CLOCK_MONOTONIC) if available,
to avoid timeouts being incorrectly triggered on system time changes.
*) Feature: the "escape=none" parameter of the "log_format" directive.
Thanks to Johannes Baiter and Calin Don.
*) Feature: the $ssl_preread_alpn_protocols variable in the
ngx_stream_ssl_preread_module.
*) Feature: the ngx_http_grpc_module.
*) Bugfix: in memory allocation error handling in the "geo" directive.
*) Bugfix: when using variables in the "auth_basic_user_file" directive
a null character might appear in logs.
nginx 1.13.9:
*) Feature: HTTP/2 server push support; the "http2_push" and
"http2_push_preload" directives.
*) Bugfix: "header already sent" alerts might appear in logs when using
cache; the bug had appeared in 1.9.13.
*) Bugfix: a segmentation fault might occur in a worker process if the
"ssl_verify_client" directive was used and no SSL certificate was
specified in a virtual server.
*) Bugfix: in the ngx_http_v2_module.
*) Bugfix: in the ngx_http_dav_module.
Changes with nginx 1.13.8:
*) Feature: now nginx automatically preserves the CAP_NET_RAW capability
in worker processes when using the "transparent" parameter of the
"proxy_bind", "fastcgi_bind", "memcached_bind", "scgi_bind", and
"uwsgi_bind" directives.
*) Feature: improved CPU cache line size detection.
Thanks to Debayan Ghosh.
*) Feature: new directives in vim syntax highlighting scripts.
Thanks to Gena Makhomed.
*) Bugfix: binary upgrade refused to work if nginx was re-parented to a
process with PID different from 1 after its parent process has
finished.
*) Bugfix: the ngx_http_autoindex_module incorrectly handled requests
with bodies.
*) Bugfix: in the "proxy_limit_rate" directive when used with the
"keepalive" directive.
*) Bugfix: some parts of a response might be buffered when using
"proxy_buffering off" if the client connection used SSL.
Thanks to Patryk Lesiewicz.
*) Bugfix: in the "proxy_cache_background_update" directive.
*) Bugfix: it was not possible to start a parameter with a variable in
the "${name}" form with the name in curly brackets without enclosing
the parameter into single or double quotes.
Changes with nginx 1.13.7:
*) Bugfix: in the $upstream_status variable.
*) Bugfix: a segmentation fault might occur in a worker process if a
backend returned a "101 Switching Protocols" response to a
subrequest.
*) Bugfix: a segmentation fault occurred in a master process if a shared
memory zone size was changed during a reconfiguration and the
reconfiguration failed.
*) Bugfix: in the ngx_http_fastcgi_module.
*) Bugfix: nginx returned the 500 error if parameters without variables
were specified in the "xslt_stylesheet" directive.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using a zlib library variant from Intel.
*) Bugfix: the "worker_shutdown_timeout" directive did not work when
using mail proxy and when proxying WebSocket connections.
Changes with nginx 1.13.6 10 Oct 2017
*) Bugfix: switching to the next upstream server in the stream module
did not work when using the "ssl_preread" directive.
*) Bugfix: in the ngx_http_v2_module.
Thanks to Piotr Sikora.
*) Bugfix: nginx did not support dates after the year 2038 on 32-bit
platforms with 64-bit time_t.
*) Bugfix: in handling of dates prior to the year 1970 and after the
year 10000.
*) Bugfix: in the stream module timeouts waiting for UDP datagrams from
upstream servers were not logged or logged at the "info" level
instead of "error".
*) Bugfix: when using HTTP/2 nginx might return the 400 response without
logging the reason.
*) Bugfix: in processing of corrupted cache files.
*) Bugfix: cache control headers were ignored when caching errors
intercepted by error_page.
*) Bugfix: when using HTTP/2 client request body might be corrupted.
*) Bugfix: in handling of client addresses when using unix domain
sockets.
*) Bugfix: nginx hogged CPU when using the "hash ... consistent"
directive in the upstream block if large weights were used and all or
most of the servers were unavailable.
*) Security: a specially crafted request might result in an integer
overflow and incorrect processing of ranges in the range filter,
potentially resulting in sensitive information leak (CVE-2017-7529).
Changes with nginx 1.13.2:
*) Change: nginx now returns 200 instead of 416 when a range starting
with 0 is requested from an empty file.
*) Feature: the "add_trailer" directive.
*) Bugfix: nginx could not be built on Cygwin and NetBSD; the bug had
appeared in 1.13.0.
*) Bugfix: nginx could not be built under MSYS2 / MinGW 64-bit.
*) Bugfix: a segmentation fault might occur in a worker process when
using SSI with many includes and proxy_pass with variables.
*) Bugfix: in the ngx_http_v2_module.
Changes with nginx 1.13.1:
*) Feature: now a hostname can be used as the "set_real_ip_from"
directive parameter.
*) Feature: vim syntax highlighting scripts improvements.
*) Feature: the "worker_cpu_affinity" directive now works on DragonFly
BSD.
*) Bugfix: SSL renegotiation on backend connections did not work when
using OpenSSL before 1.1.0.
*) Workaround: nginx could not be built with Oracle Developer Studio
12.5.
*) Workaround: now cache manager ignores long locked cache entries when
cleaning cache based on the "max_size" parameter.
*) Bugfix: client SSL connections were immediately closed if deferred
accept and the "proxy_protocol" parameter of the "listen" directive
were used.
*) Bugfix: in the "proxy_cache_background_update" directive.
*) Workaround: now the "tcp_nodelay" directive sets the TCP_NODELAY
option before an SSL handshake.
* Update naxsi to 0.55.3
Changes with nginx 1.13.0 25 Apr 2017
- Change: SSL renegotiation is now allowed on backend connections.
- Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
directives of the mail proxy and stream modules.
- Feature: the "return" and "error_page" directives can now be used to
return 308 redirections.
Thanks to Simon Leblanc.
- Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.
- Feature: when logging signals nginx now logs PID of the process which
sent the signal.
- Bugfix: in memory allocation error handling.
- Bugfix: if a server in the stream module listened on a wildcard
address, the source address of a response UDP datagram could differ
from the original datagram destination address.
Changes with nginx 1.11.13 04 Apr 2017
- Feature: the "http_429" parameter of the "proxy_next_upstream",
"fastcgi_next_upstream", "scgi_next_upstream", and
"uwsgi_next_upstream" directives.
Thanks to Piotr Sikora.
- Bugfix: in memory allocation error handling.
- Bugfix: requests might hang when using the "sendfile" and
"timer_resolution" directives on Linux.
- Bugfix: requests might hang when using the "sendfile" and "aio_write"
directives with subrequests.
- Bugfix: in the ngx_http_v2_module.
Thanks to Piotr Sikora.
- Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2.
- Bugfix: requests might hang when using the "limit_rate",
"sendfile_max_chunk", "limit_req" directives, or the $r->sleep()
embedded perl method with subrequests.
- Bugfix: in the ngx_http_slice_module.
Changes with nginx 1.11.12 24 Mar 2017
- Bugfix: nginx might hog CPU; the bug had appeared in 1.11.11.
Changes with nginx 1.11.11 21 Mar 2017
- Feature: the "worker_shutdown_timeout" directive.
- Feature: vim syntax highlighting scripts improvements.
Thanks to Wei-Ko Kao.
- Bugfix: a segmentation fault might occur in a worker process if the
$limit_rate variable was set to an empty string.
- Bugfix: the "proxy_cache_background_update",
"fastcgi_cache_background_update", "scgi_cache_background_update",
and "uwsgi_cache_background_update" directives might work incorrectly
if the "if" directive was used.
- Bugfix: a segmentation fault might occur in a worker process if
number of large_client_header_buffers in a virtual server was
different from the one in the default server.
- Bugfix: in the mail proxy server.
Changes with nginx 1.11.10 14 Feb 2017
- Change: cache header format has been changed, previously cached
responses will be invalidated.
- Feature: support of "stale-while-revalidate" and "stale-if-error"
extensions in the "Cache-Control" backend response header line.
- Feature: the "proxy_cache_background_update",
"fastcgi_cache_background_update", "scgi_cache_background_update",
and "uwsgi_cache_background_update" directives.
- Feature: nginx is now able to cache responses with the "Vary" header
line up to 128 characters long (instead of 42 characters in previous
versions).
- Feature: the "build" parameter of the "server_tokens" directive.
Thanks to Tom Thorogood.
- Bugfix: "[crit] SSL_write() failed" messages might appear in logs
when handling requests with the "Expect: 100-continue" request header
line.
- Bugfix: the ngx_http_slice_module did not work in named locations.
- Bugfix: a segmentation fault might occur in a worker process when
using AIO after an "X-Accel-Redirect" redirection.
- Bugfix: reduced memory consumption for long-lived requests using
gzipping.
Changes with nginx 1.11.9 24 Jan 2017
*) Bugfix: nginx might hog CPU when using the stream module; the bug had
appeared in 1.11.5.
*) Bugfix: EXTERNAL authentication mechanism in mail proxy was accepted
even if it was not enabled in the configuration.
*) Bugfix: a segmentation fault might occur in a worker process if the
"ssl_verify_client" directive of the stream module was used.
*) Bugfix: the "ssl_verify_client" directive of the stream module might
not work.
*) Bugfix: closing keepalive connections due to no free worker
connections might be too aggressive.
Thanks to Joel Cunningham.
*) Bugfix: an incorrect response might be returned when using the
"sendfile" directive on FreeBSD and macOS; the bug had appeared in
1.7.8.
*) Bugfix: a truncated response might be stored in cache when using the
"aio_write" directive.
*) Bugfix: a socket leak might occur when using the "aio_write"
directive.
Changes with nginx 1.11.8 27 Dec 2016
*) Feature: the "absolute_redirect" directive.
*) Feature: the "escape" parameter of the "log_format" directive.
*) Feature: client SSL certificates verification in the stream module.
*) Feature: the "ssl_session_ticket_key" directive supports AES256
encryption of TLS session tickets when used with 80-byte keys.
*) Feature: vim-commentary support in vim scripts.
Thanks to Armin Grodon.
*) Bugfix: recursion when evaluating variables was not limited.
*) Bugfix: in the ngx_stream_ssl_preread_module.
*) Bugfix: if a server in an upstream in the stream module failed, it
was considered alive only when a test connection sent to it after
fail_timeout was closed; now a successfully established connection is
enough.
*) Bugfix: nginx/Windows could not be built with 64-bit Visual Studio.
*) Bugfix: nginx/Windows could not be built with OpenSSL 1.1.0.
Changes with nginx 1.11.7 13 Dec 2016
*) Change: now in case of a client certificate verification error the
$ssl_client_verify variable contains a string with the failure
reason, for example, "FAILED:certificate has expired".
*) Feature: the $ssl_ciphers, $ssl_curves, $ssl_client_v_start,
$ssl_client_v_end, and $ssl_client_v_remain variables.
*) Feature: the "volatile" parameter of the "map" directive.
*) Bugfix: dependencies specified for a module were ignored while
building dynamic modules.
*) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request"
directives client request body might be corrupted; the bug had
appeared in 1.11.0.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2; the bug had appeared in 1.11.3.
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Congcong Hu.
*) Bugfix: in the ngx_http_perl_module.
Changes with nginx 1.11.6 15 Nov 2016
*) Change: format of the $ssl_client_s_dn and $ssl_client_i_dn variables
has been changed to follow RFC 2253 (RFC 4514); values in the old
format are available in the $ssl_client_s_dn_legacy and
$ssl_client_i_dn_legacy variables.
*) Change: when storing temporary files in a cache directory they will
be stored in the same subdirectories as corresponding cache files
instead of a separate subdirectory for temporary files.
*) Feature: EXTERNAL authentication mechanism support in mail proxy.
Thanks to Robert Norris.
*) Feature: WebP support in the ngx_http_image_filter_module.
*) Feature: variables support in the "proxy_method" directive.
Thanks to Dmitry Lazurkin.
*) Feature: the "http2_max_requests" directive in the
ngx_http_v2_module.
*) Feature: the "proxy_cache_max_range_offset",
"fastcgi_cache_max_range_offset", "scgi_cache_max_range_offset", and
"uwsgi_cache_max_range_offset" directives.
*) Bugfix: graceful shutdown of old worker processes might require
infinite time when using HTTP/2.
*) Bugfix: in the ngx_http_mp4_module.
*) Bugfix: "ignore long locked inactive cache entry" alerts might appear
in logs when proxying WebSocket connections with caching enabled.
*) Bugfix: nginx did not write anything to log and returned a response
with code 502 instead of 504 when a timeout occurred during an SSL
handshake to a backend.
Changes with nginx 1.11.5 11 Oct 2016
*) Change: the --with-ipv6 configure option was removed, now IPv6
support is configured automatically.
*) Change: now if there are no available servers in an upstream, nginx
will not reset number of failures of all servers as it previously
did, but will wait for fail_timeout to expire.
*) Feature: the ngx_stream_ssl_preread_module.
*) Feature: the "server" directive in the "upstream" context supports
the "max_conns" parameter.
*) Feature: the --with-compat configure option.
*) Feature: "manager_files", "manager_threshold", and "manager_sleep"
parameters of the "proxy_cache_path", "fastcgi_cache_path",
"scgi_cache_path", and "uwsgi_cache_path" directives.
*) Bugfix: flags passed by the --with-ld-opt configure option were not
used while building perl module.
*) Bugfix: in the "add_after_body" directive when used with the
"sub_filter" directive.
*) Bugfix: in the $realip_remote_addr variable.
*) Bugfix: the "dav_access", "proxy_store_access",
"fastcgi_store_access", "scgi_store_access", and "uwsgi_store_access"
directives ignored permissions specified for user.
*) Bugfix: unix domain listen sockets might not be inherited during
binary upgrade on Linux.
*) Bugfix: nginx returned the 400 response on requests with the "-"
character in the HTTP method.
Changes with nginx 1.11.4 13 Sep 2016
- Feature: the $upstream_bytes_received variable.
- Feature: the $bytes_received, $session_time, $protocol, $status,
$upstream_addr, $upstream_bytes_sent, $upstream_bytes_received,
$upstream_connect_time, $upstream_first_byte_time, and
$upstream_session_time variables in the stream module.
- Feature: the ngx_stream_log_module.
- Feature: the "proxy_protocol" parameter of the "listen" directive,
the $proxy_protocol_addr and $proxy_protocol_port variables in the
stream module.
- Feature: the ngx_stream_realip_module.
- Bugfix: nginx could not be built with the stream module and the
ngx_http_ssl_module, but without ngx_stream_ssl_module; the bug had
appeared in 1.11.3.
- Feature: the IP_BIND_ADDRESS_NO_PORT socket option was not used; the
bug had appeared in 1.11.2.
- Bugfix: in the "ranges" parameter of the "geo" directive.
- Bugfix: an incorrect response might be returned when using the "aio
threads" and "sendfile" directives; the bug had appeared in 1.9.13.
Changes with nginx 1.11.3 26 Jul 2016
- Change: now the "accept_mutex" directive is turned off by default.
- Feature: now nginx uses EPOLLEXCLUSIVE on Linux.
- Feature: the ngx_stream_geo_module.
- Feature: the ngx_stream_geoip_module.
- Feature: the ngx_stream_split_clients_module.
- Feature: variables support in the "proxy_pass" and "proxy_ssl_name"
directives in the stream module.
- Bugfix: socket leak when using HTTP/2.
- Bugfix: in configure tests.
Thanks to Piotr Sikora.
Changes with nginx 1.11.2 05 Jul 2016
- Change: now nginx always uses internal MD5 and SHA1 implementations;
the --with-md5 and --with-sha1 configure options were canceled.
- Feature: variables support in the stream module.
- Feature: the ngx_stream_map_module.
- Feature: the ngx_stream_return_module.
- Feature: a port can be specified in the "proxy_bind", "fastcgi_bind",
"memcached_bind", "scgi_bind", and "uwsgi_bind" directives.
- Feature: now nginx uses the IP_BIND_ADDRESS_NO_PORT socket option
when available.
- Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 and the "proxy_request_buffering" directive.
- Bugfix: the "Content-Length" request header line was always added to
requests passed to backends, including requests without body, when
using HTTP/2.
- Bugfix: "http request count is zero" alerts might appear in logs when
using HTTP/2.
- Bugfix: unnecessary buffering might occur when using the "sub_filter"
directive; the issue had appeared in 1.9.4.
Changes with nginx 1.11.1
- Security: a segmentation fault might occur in a worker process
while writing a specially crafted request body to a temporary
file (CVE-2016-4450); the bug had appeared in 1.3.9.
Changes with nginx 1.11.0
- Feature: the "transparent" parameter of the "proxy_bind",
"fastcgi_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind"
directives.
- Feature: the $request_id variable.
- Feature: the "map" directive supports combinations of multiple
variables as resulting values.
- Feature: now nginx checks if EPOLLRDHUP events are supported by
kernel, and optimizes connection handling accordingly if the
"epoll" method is used.
- Feature: the "ssl_certificate" and "ssl_certificate_key"
directives can be specified multiple times to load certificates
of different types (for example, RSA and ECDSA).
- Feature: the "ssl_ecdh_curve" directive now allows specifying a
list of curves when using OpenSSL 1.0.2 or newer; by default
a list built into OpenSSL is used.
- Change: to use DHE ciphers it is now required to specify
parameters using the "ssl_dhparam" directive.
- Feature: the $proxy_protocol_port variable.
- Feature: the $realip_remote_port variable in the
ngx_http_realip_module.
- Feature: the ngx_http_realip_module is now able to set the
client port in addition to the address.
- Change: the "421 Misdirected Request" response now used when
rejecting requests to a virtual server different from one
negotiated during an SSL handshake; this improves interoperability
with some HTTP/2 clients when using client certificates.
- Change: HTTP/2 clients can now start sending request body
immediately; the "http2_body_preread_size" directive controls
size of the buffer used before nginx will start reading client
request body.
- Bugfix: cached error responses were not updated when using the
"proxy_cache_bypass" directive.
Changes with nginx 1.9.15
- Bugfix: "recv() failed" errors might occur when using HHVM as a
FastCGI server.
- Bugfix: when using HTTP/2 and the "limit_req" or "auth_request"
directives a timeout or a "client violated flow control" error
might occur while reading client request body; the bug had appeared
in 1.9.14.
- Workaround: a response might not be shown by some browsers if
HTTP/2 was used and client request body was not fully read; the
bug had appeared in 1.9.14.
- Bugfix: connections might hang when using the "aio threads"
directive.
Thanks to Mindaugas Rasiukevicius.
Changes with nginx 1.9.14
- Feature: OpenSSL 1.1.0 compatibility.
- Feature: the "proxy_request_buffering",
"fastcgi_request_buffering",
"scgi_request_buffering", and "uwsgi_request_buffering"
directives now work with HTTP/2.
- Bugfix: "zero size buf in output" alerts might appear in logs
when using HTTP/2.
- Bugfix: the "client_max_body_size" directive might work
incorrectly when using HTTP/2.
- Bugfix: of minor bugs in logging.
Changes with nginx 1.9.13
- Change: non-idempotent requests (POST, LOCK, PATCH) are no
longer passed to the next server by default if a request has
been sent to a backend; the "non_idempotent" parameter of the
"proxy_next_upstream" directive explicitly allows retrying such
requests.
- Feature: the ngx_http_perl_module can be built dynamically.
- Feature: UDP support in the stream module.
- Feature: the "aio_write" directive.
- Feature: now cache manager monitors number of elements in caches
and tries to avoid cache keys zone overflows.
- Bugfix: "task already active" and "second aio post" alerts might
appear in logs when using the "sendfile" and "aio" directives
with subrequests.
- Bugfix: "zero size buf in output" alerts might appear in logs if
caching was used and a client closed a connection prematurely.
- Bugfix: connections with clients might be closed needlessly if
caching was used.
Thanks to Justin Li.
- Bugfix: nginx might hog CPU if the "sendfile" directive was used
on Linux or Solaris and a file being sent was changed during
sending.
- Bugfix: connections might hang when using the "sendfile" and
"aio threads" directives.
- Bugfix: in the "proxy_pass", "fastcgi_pass", "scgi_pass", and
"uwsgi_pass" directives when using variables.
Thanks to Piotr Sikora.
- Bugfix: in the ngx_http_sub_filter_module.
- Bugfix: if an error occurred in a cached backend connection, the
request was passed to the next server regardless of the
proxy_next_upstream directive.
- Bugfix: "CreateFile() failed" errors when creating temporary
files on Windows.
Changes with nginx 1.9.12
- Feature: Huffman encoding of response headers in HTTP/2.
Thanks to Vlad Krasnov.
- Feature: the "worker_cpu_affinity" directive now supports more
than 64 CPUs.
- Bugfix: compatibility with 3rd party C++ modules; the bug had
appeared in 1.9.11.
Thanks to Piotr Sikora.
- Bugfix: nginx could not be built statically with OpenSSL on
Linux; the bug had appeared in 1.9.11.
- Bugfix: the "add_header ... always" directive with an empty
value did not delete "Last-Modified" and "ETag" header lines
from error responses.
- Workaround: "called a function you should not call" and
"shutdown while in init" messages might appear in logs when
using OpenSSL 1.0.2f.
- Bugfix: invalid headers might be logged incorrectly.
- Bugfix: socket leak when using HTTP/2.
- Bugfix: in the ngx_http_v2_module.
Changes with nginx 1.9.11
- Feature: TCP support in resolver.
- Feature: dynamic modules.
- Bugfix: the $request_length variable did not include size of
request headers when using HTTP/2.
- Bugfix: in the ngx_http_v2_module.
