release-1.28.0

📦 nginx
12 features 🐛 23 fixes 🔧 10 symbols

Summary

Nginx 1.28.0 stable introduces significant performance optimizations for complex SSL configurations and QUIC, alongside new features like automatic upstream hostname re-resolution and variable support in rate limiting directives. This version also disables TLSv1 and TLSv1.1 by default for improved security.

Migration Steps

  1. If you rely on TLSv1 or TLSv1.1, you must explicitly re-enable them as they are disabled by default in this release.
  2. Review usage of proxy_limit_rate, fastcgi_limit_rate, scgi_limit_rate, and uwsgi_limit_rate if you intend to use variables within them.
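
To find which server blocks migration step 1 affects, here is an added example that is not part of the nginx release notes. It is a small brace-aware scan (the name `audit_ssl_protocols` and the sample config are constructed here) that resolves each TLS listener's effective `ssl_protocols`. It assumes the 1.28.0 default of `TLSv1.2 TLSv1.3` and a single file with no `include` directives and no quoted `;`, `{`, `}` or `#` characters.

```python
import re

LEGACY = {"TLSv1", "TLSv1.1"}
DEFAULT_1_28 = ["TLSv1.2", "TLSv1.3"]  # assumed default when ssl_protocols is unset

def audit_ssl_protocols(conf):
    """Classify every TLS-enabled server block by its effective ssl_protocols."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments, keep line numbering
    root = {"name": "main", "own": None, "parent": None, "tls": False}
    stack, servers = [root], []
    for m in re.finditer(r"([^;{}]*)([;{}])", conf):
        words, term = m.group(1).split(), m.group(2)
        if term == "{":
            stack.append({"name": words[0] if words else "", "own": None,
                          "parent": stack[-1], "tls": False,
                          "line": conf.count("\n", 0, m.start(2)) + 1})
        elif term == "}" and len(stack) > 1:
            blk = stack.pop()
            if blk["name"] == "server" and blk["tls"]:
                servers.append(blk)
        elif words and words[0] == "ssl_protocols":
            stack[-1]["own"] = words[1:]
        elif words and words[0] == "listen" and "ssl" in words[1:]:
            stack[-1]["tls"] = True
    findings = []
    for srv in servers:
        blk = srv
        while blk is not None and blk["own"] is None:  # inherit from enclosing blocks
            blk = blk["parent"]
        protocols = blk["own"] if blk is not None else DEFAULT_1_28
        status = ("legacy-enabled" if LEGACY & set(protocols)
                  else "explicit-modern" if blk is not None else "relies-on-default")
        findings.append((srv["line"], status, protocols))
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """\
http {
    server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
    server {
        listen 8443 ssl;
    }
}
"""
if __name__ == "__main__":
    print(audit_ssl_protocols(SAMPLE))
```

Blocks reported as `relies-on-default` are the ones whose accepted protocol set changes on upgrade; `legacy-enabled` blocks keep TLSv1/TLSv1.1 because they set them explicitly.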

✨ New Features

  • Introduced memory usage and CPU usage optimizations in complex SSL configurations.
  • Implemented automatic re-resolution of hostnames in upstream groups.
  • Performance enhancements in QUIC, including CUBIC congestion control.
  • Added OCSP validation of client SSL certificates and OCSP stapling support in the stream module.
  • Variables support added to proxy_limit_rate, fastcgi_limit_rate, scgi_limit_rate, and uwsgi_limit_rate directives.
  • Introduced the proxy_pass_trailers directive.
  • Added SSL object cache functionality.
  • Disabled TLSv1 and TLSv1.1 by default for SSL.
  • Added support for re-resolvable servers in Upstream.
  • Added keepalive_min_timeout directive.
  • Added a restriction on TLSv1.3 cross-SNI session resumption.
  • Added external groups support in $ssl_curve and $ssl_curves variables.

🐛 Bug Fixes

  • Fixed typo in bpf makefile debug option.
  • Fixed MSVC compilation after ebd18ec1812b for SSL.
  • Fixed default error message in SSL object caching API.
  • Fixed typo (missing double quote) related to issue #330.
  • Fixed Mp4 stsc atom issues.
  • Fixed TLS default protocol versions configuration.
  • Prevented BIO leak in QUIC in case of error.
  • Disallowed empty path in proxy_store and related directives in Upstream.
  • Fixed client request timeout in QUIC for 0-RTT scenarios.
  • Fixed version negotiation packet handling in QUIC.
  • Fixed accessing a released stream in QUIC.
  • Fixed compatibility with recent zlib-ng 2.2.x versions for Gzip.
  • Logged expected range on range failure.
  • Fixed Upstream build issue (NGX_COMPAT) without NGX_HTTP_SSL after commit 454ad0e.
  • Added missing casts in iov_base assignments for QUIC.
  • Fixed --with-libatomic=DIR configuration with recent libatomic_ops.
  • Fixed build without libcrypt.
  • Fixed MSVC compatibility with PCRE2 10.45.
  • Fixed request counting with subrequests in case of error.
  • Added workaround for saving big SSL sessions from upstream servers.
  • Improved memory allocation error handling in Slice filter.
  • Improved validation of charset_map with utf-8 in Charset filter.
  • Fixed passwords support for dynamic certificates in Upstream.

🔧 Affected Symbols

  • proxy_limit_rate
  • fastcgi_limit_rate
  • scgi_limit_rate
  • uwsgi_limit_rate
  • proxy_pass_trailers
  • ssl_client_certificate
  • ssl_verify_client
  • ngx_stream_ssl_module
  • $ssl_curve
  • $ssl_curves