nginx 1.16.0 release

After a year of development, the new stable branch of the high-performance HTTP server and multiprotocol proxy server nginx, 1.16.0, has been released; it absorbs the changes accumulated in the 1.15.x mainline branch. From now on, changes in the 1.16 stable branch will be limited to fixing serious bugs and vulnerabilities. The 1.17 mainline branch will be formed soon, and development of new features will continue there. Ordinary users who do not need to keep compatibility with third-party modules are recommended to use the mainline branch, from which releases of the commercial NGINX Plus product are cut every three months.

The most notable improvements added during development of the 1.15.x mainline branch:

  • Variables can now be used in the ssl_certificate and ssl_certificate_key directives, which allows certificates to be loaded dynamically (the certificate is then read on every SSL handshake rather than at startup);
  • SSL certificates and private keys can now be loaded directly from variables without intermediate files (the "data:" prefix);
  • The upstream block gained the random directive, which implements load balancing by picking a server at random (optionally the better of two random picks) for each forwarded connection;
  • The ngx_stream_ssl_preread module now provides the $ssl_preread_protocol variable,
    which holds the highest SSL/TLS protocol version the client supports. It allows configurations in which different protocols, with and without SSL, are served on one network port when proxying traffic with the http and stream modules. For example, to serve SSH and HTTPS on port 443, connections are forwarded to SSH by default, and to HTTPS when an SSL version is detected.

  • The upstream module gained the $upstream_bytes_sent variable, which holds the number of bytes sent to the upstream server;
  • The stream module can now process multiple incoming UDP datagrams from a client within a single session;
  • The stream module gained the proxy_requests directive, which sets the number of datagrams received from the client after which the binding between the client and the existing UDP session is dropped. After that many datagrams, the next datagram from the same client starts a new session;
  • The listen directive now accepts port ranges;
  • The ssl_early_data directive enables TLSv1.3 0-RTT mode, in which a client resuming a previously established session sends application data in its first flight, before the handshake completes. Early data is not protected against replay, so the application should use the $ssl_early_data variable to tell such requests apart (for example, rejecting non-idempotent ones with 425 Too Early);
  • New directives configure TCP keepalive for outgoing connections (enabling or disabling the SO_KEEPALIVE socket option):

    • proxy_socket_keepalive: configures "TCP keepalive" behaviour for outgoing connections to a proxied server;
    • fastcgi_socket_keepalive: configures "TCP keepalive" behaviour for outgoing connections to a FastCGI server;
    • grpc_socket_keepalive: configures "TCP keepalive" behaviour for outgoing connections to a gRPC server;
    • memcached_socket_keepalive: configures "TCP keepalive" behaviour for outgoing connections to a memcached server;
    • scgi_socket_keepalive: configures "TCP keepalive" behaviour for outgoing connections to an SCGI server;
    • uwsgi_socket_keepalive: configures "TCP keepalive" behaviour for outgoing connections to a uwsgi server.
  • The limit_req directive gained a delay parameter, which sets how many excessive requests are passed without delay; further excessive requests within the burst are delayed to match the configured rate, and requests beyond the burst are rejected;
  • New keepalive_timeout and keepalive_requests directives in the upstream block set limits for keepalive connections to upstream servers (idle timeout and maximum number of requests per connection);
  • The ssl directive has been deprecated in favour of the ssl parameter of the listen directive. A missing SSL certificate is now detected at configuration test time when listen is used with the ssl parameter;
  • When the reset_timedout_connection directive is enabled, connections closed with code 444 are now reset as well, not only timed-out ones;
  • The SSL errors "http request", "https proxy request", "unsupported protocol" and "version too low" are now logged at the info level instead of crit;
  • Added support for the poll method on Windows Vista and newer;
  • TLSv1.3 can now be used when building with the BoringSSL library, not only with OpenSSL.
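The configuration below is an added example, not taken from the article or from the nginx project, that exercises the features listed above in one nginx.conf: SSH and HTTPS demultiplexed on port 443 with $ssl_preread_protocol, the random balancer, proxy_socket_keepalive, per-datagram UDP sessions with proxy_requests, a port range in listen, certificates selected per SNI name through variables, 0-RTT with a replay check on $ssl_early_data, limit_req with delay, and upstream keepalive limits. The backend addresses, the certificate directory layout, the zone name and the /api/ path are assumptions.

```nginx
# Added example, not from the article or the nginx project. Backends, paths
# and names are assumptions; adjust them before use.

events {}

stream {
    # $ssl_preread_protocol is empty unless the connection starts with a TLS
    # ClientHello, so an SSH client (which sends "SSH-2.0-..." first) falls
    # through to the default branch.
    map $ssl_preread_protocol $backend {
        default  ssh_backend;    # no TLS ClientHello seen (e.g. SSH)
        ~^TLSv   https_backend;  # any TLS version advertised by the client
    }

    upstream ssh_backend {
        server 127.0.0.1:22;
    }

    upstream https_backend {
        random two least_conn;   # pick two at random, use the less loaded one
        server 127.0.0.1:8443;   # the http server below listens on 8443-8444
        server 127.0.0.1:8444;
    }

    # SSH and HTTPS on one port; the TLS stream is passed through unmodified.
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
        proxy_socket_keepalive on;   # SO_KEEPALIVE on the backend socket
    }

    # UDP proxying: treat every datagram as its own session (e.g. DNS).
    server {
        listen 53 udp;
        proxy_pass 127.0.0.1:5353;   # assumed local resolver
        proxy_requests 1;            # drop the client binding after one datagram
        proxy_responses 1;           # expect exactly one reply per datagram
    }
}

http {
    # 10 requests/s per client address, state kept in 10 MB of shared memory.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

    upstream app {
        server 127.0.0.1:8080;
        keepalive 16;              # pool of idle connections to the backend
        keepalive_timeout 60s;     # close a pooled connection idle for 60 s
        keepalive_requests 1000;   # ...or after it has served 1000 requests
    }

    server {
        # "ssl" parameter instead of the deprecated "ssl on;" directive,
        # combined with the new port-range syntax.
        listen 8443-8444 ssl;
        server_name example.com;

        # Certificate chosen per SNI name at handshake time (assumed layout:
        # /etc/nginx/certs/<name>.crt and .key). With variables the files are
        # read on every handshake and cannot be checked by "nginx -t".
        ssl_certificate     /etc/nginx/certs/$ssl_server_name.crt;
        ssl_certificate_key /etc/nginx/certs/$ssl_server_name.key;
        ssl_protocols TLSv1.2 TLSv1.3;

        ssl_early_data on;             # TLSv1.3 0-RTT on session resumption
        reset_timedout_connection on;  # RST instead of FIN on timeouts and 444

        location / {
            # burst=20 delay=8: the first 8 excess requests pass immediately,
            # the next 12 are delayed down to 10 r/s, anything beyond gets 503.
            limit_req zone=perip burst=20 delay=8;

            proxy_pass http://app;
            proxy_http_version 1.1;
            proxy_set_header Connection "";               # required for upstream keepalive
            proxy_set_header Early-Data $ssl_early_data;  # let the app see 0-RTT requests
        }

        location /api/ {
            # 0-RTT data can be replayed by an on-path attacker; refuse it for
            # state-changing endpoints so the client retries after the handshake.
            if ($ssl_early_data) {
                return 425;   # 425 Too Early (RFC 8470)
            }
            proxy_pass http://app;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }
    }
}
```

Two caveats worth knowing before copying this. The protocol split on port 443 only works when the non-TLS client speaks first, as OpenSSH does; otherwise nginx waits for the preread phase to time out before taking the default branch. And a client that sends no SNI leaves $ssl_server_name empty, so the certificate path degenerates to ".crt" and the handshake fails; a map with a default name is the usual fix if such clients must be served.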

Source: opennet.ru
