nginx 1.20.0 release

After a year of development, a new stable branch of the high-performance HTTP server and multi-protocol proxy server, nginx 1.20.0, has been released; it incorporates the changes accumulated in the 1.19.x main branch. From now on, all changes in the 1.20 stable branch will be limited to fixing serious bugs and vulnerabilities. The nginx 1.21 main branch will be created soon, and development of new features will continue there. For ordinary users who do not need to maintain compatibility with third-party modules, the main branch is recommended; it is also the basis for the releases of the commercial Nginx Plus product, which are formed every three months.

According to Netcraft's March report, nginx is used by 20.15% of all active sites (19.56% a year ago, 20.73% two years ago), which puts it in second place in this category (Apache's share is 25.38% (27.64% a year ago), Google 10.09%, Cloudflare 8.51%). When all sites are considered, nginx retains its leadership with 35.34% of the market (36.91% a year ago, 27.52% two years ago), while Apache's share is 25.98%, OpenResty (a platform based on nginx and LuaJIT) 6.55%, and Microsoft IIS 5.96%.

Among the million most visited sites in the world, the share of nginx is 25.55% (25.54% a year ago, 26.22% two years ago). Currently, about 419 million sites are running nginx (459 million a year ago). According to W3Techs, nginx is used on 33.7% of the million most visited sites; in April last year this figure was 31.9%, the year before last 41.8% (the decline is due to Cloudflare's HTTP server now being counted separately). The share of Apache dropped from 39.5% to 34% over the year, and the share of Microsoft IIS from 8.3% to 7%. The share of LiteSpeed grew from 6.3% to 8.4%, and Node.js from 0.8% to 1.2%. In Russia, nginx is used by 79.1% of the most visited sites (a year ago 78.9%).

The most notable improvements added during the formation of the 1.19.x main branch:

  • Added the ability to verify client certificates against external OCSP (Online Certificate Status Protocol) responders. The ssl_ocsp directive enables the check, ssl_ocsp_cache sets the cache size, and ssl_ocsp_responder overrides the responder URL specified in the certificate.
  • The ngx_stream_set_module module is included, which allows a value to be assigned to a variable in the stream module: server { listen 12345; set $true 1; }
  • Added the proxy_cookie_flags directive to set cookie flags in proxied connections. For example, to add the "httponly" flag to the cookie named "one", and the "nosecure" and "samesite=strict" flags to all other cookies, you can use the configuration: proxy_cookie_flags one httponly; proxy_cookie_flags ~ nosecure samesite=strict;

    A similar userid_flags directive for adding flags to Cookies is also implemented for the ngx_http_userid module.

  • Added "ssl_conf_command", "proxy_ssl_conf_command", "grpc_ssl_conf_command" and "uwsgi_ssl_conf_command" directives, with which you can set arbitrary parameters for configuring OpenSSL. For example, to prioritize ChaCha ciphers and advanced configuration of TLSv1.3 ciphers, you can specify ssl_conf_command Options PrioritizeChaCha; ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
  • Added the "ssl_reject_handshake" directive to reject all attempts to negotiate an SSL connection (for example, it can be used to reject all requests with unknown hostnames in the SNI field): server { listen 443 ssl; ssl_reject_handshake on; } server { listen 443 ssl; server_name example.com; ssl_certificate example.com.crt; ssl_certificate_key example.com.key; }
  • The proxy_smtp_auth directive has been added to the mail proxy, which allows you to authenticate the user on the backend using the AUTH command and the PLAIN SASL mechanism.
  • Added "keepalive_time" directive, which limits the total lifetime of each keep-alive connection, after which the connection will be closed (not to be confused with keepalive_timeout, which determines the inactivity time after which the keep-alive connection is closed).
  • Added the $connection_time variable, through which you can get information about the duration of the connection in seconds with millisecond precision.
  • The "min_free" parameter has been added to the "proxy_cache_path", "fastcgi_cache_path", "scgi_cache_path", and "uwsgi_cache_path" directives; it limits the cache size by specifying the minimum amount of free disk space that must remain on the file system.
  • The "lingering_close", "lingering_time", and "lingering_timeout" directives have been adapted to work with HTTP/2.
  • The connection handling code for HTTP/2 has been brought closer to the HTTP/1.x implementation. The separate "http2_recv_timeout", "http2_idle_timeout" and "http2_max_requests" directives are deprecated in favor of the general "keepalive_timeout" and "keepalive_requests" directives. The "http2_max_field_size" and "http2_max_header_size" directives have been removed; "large_client_header_buffers" should be used instead.
  • Added a new command line option "-e", which allows you to specify an alternative file for writing the error log, which will be used instead of the log specified in the settings. Instead of a file name, you can specify the special value stderr.
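A complete TLS server configuration that combines the ssl_reject_handshake, ssl_conf_command and OCSP client-verification directives described above. This is an added example, not configuration from the article or from the nginx project; hostnames, certificate paths and the OCSP responder URL are placeholders.

```nginx
# Added example: minimal nginx.conf exercising the 1.19.x TLS directives.
# All file paths, hostnames and URLs below are placeholders.
events {}

http {
    # Catch-all server for port 443: a ClientHello whose SNI name matches no
    # named server is rejected during the handshake, so no certificate is
    # presented for unknown hostnames and no request is ever processed.
    server {
        listen 443 ssl default_server;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl http2;
        server_name example.com;

        ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Options passed straight to OpenSSL: honour a client's preference
        # for ChaCha20, and restrict the TLSv1.3 cipher suites.
        ssl_conf_command Options PrioritizeChaCha;
        ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;

        # Mutual TLS: require a client certificate issued by this CA ...
        ssl_verify_client      on;
        ssl_client_certificate /etc/nginx/certs/client-ca.crt;   # placeholder

        # ... and check its revocation status over OCSP. "leaf" checks only
        # the client certificate itself, not the intermediates. The shared
        # cache avoids one OCSP round trip per handshake, and the responder
        # URL overrides the one in the certificate's AIA extension.
        ssl_ocsp           leaf;
        ssl_ocsp_cache     shared:ocsp_cache:1m;
        ssl_ocsp_responder http://ocsp.example.com/;   # placeholder

        location / {
            return 200 "hello $ssl_client_s_dn\n";
        }
    }
}
```

The new "-e" option is handy when testing such a file: nginx -t -c /path/to/nginx.conf -e stderr prints the configuration-test result to the terminal instead of the error log named in the settings. Note that ssl_ocsp takes effect only together with ssl_verify_client, and that a client whose certificate the responder reports as revoked fails the handshake rather than reaching the location block.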
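A second added configuration, covering the proxy-side directives from the list: proxy_cookie_flags and userid_flags, keepalive_time next to keepalive_timeout, the $connection_time variable in a log format, and min_free on proxy_cache_path. It is an example written for this page, not from the article or the nginx project; the backend address, hostname and paths are placeholders.

```nginx
# Added example: minimal nginx.conf for a caching reverse proxy using the
# 1.19.x proxy, keep-alive, logging and cache directives. Placeholders only.
events {}

http {
    # On-disk cache capped at 10 GB, but the cache manager also evicts
    # entries whenever free space on the volume drops below 2 GB, even
    # if max_size has not been reached.
    proxy_cache_path /var/cache/nginx/app levels=1:2 keys_zone=app_cache:10m
                     max_size=10g min_free=2g inactive=60m use_temp_path=off;

    # $connection_time (seconds, millisecond precision) together with
    # $connection_requests makes long-lived keep-alive connections visible
    # in the access log.
    log_format conn '$remote_addr "$request" $status '
                    'conn=$connection reqs=$connection_requests '
                    'conn_time=$connection_time';

    server {
        listen 80;
        server_name app.example.com;   # placeholder
        access_log /var/log/nginx/app.access.log conn;

        # An idle connection is closed after 75 s; a busy one is still
        # closed after 1 hour or 1000 requests, so a single client cannot
        # hold a worker connection indefinitely.
        keepalive_timeout  75s;
        keepalive_time     1h;
        keepalive_requests 1000;

        # The userid module's own cookie gets flags via userid_flags.
        userid       on;
        userid_name  uid;
        userid_flags httponly samesite=lax;

        location / {
            proxy_pass http://127.0.0.1:8080;   # placeholder backend
            proxy_cache app_cache;
            proxy_cache_valid 200 10m;

            # Set-Cookie headers from the backend: "session" becomes
            # HttpOnly and Secure with SameSite=Strict; every other cookie
            # gets SameSite=Lax. The first matching rule wins, so the
            # catch-all "~" rule does not touch "session".
            proxy_cookie_flags session httponly secure samesite=strict;
            proxy_cookie_flags ~ samesite=lax;
        }
    }
}
```

The cookie rules are worth checking with a real backend response: proxy_cookie_flags rewrites the Set-Cookie header on the way to the client, so a backend that already sends a Secure flag keeps it unless a rule says nosecure, and the "~" rule applies only to cookies no earlier rule matched.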

Source: opennet.ru
