nginx 1.25.3 has been released from the mainline branch, where development of new features continues. The stable branch 1.24.x, maintained in parallel, receives only fixes for serious bugs and vulnerabilities. A stable branch 1.26 will later be formed from the mainline branch 1.25.x. The project code is written in C and distributed under the BSD license.
Among the changes:
- Protection against abnormal HTTP/2 client activity has been strengthened, in particular against DoS attacks of the “Rapid Reset” class, in which a large number of immediately reset streams are created within a single HTTP/2 connection. In the default configuration, such attacks are constrained by the per-connection request limit “keepalive_requests” (the connection is closed after every 1000 requests) and by the “limit_req” restrictions. To react earlier to a request flood spread over a large number of streams, an additional limit has been added: by default, no more than 256 (2 * max_concurrent_streams) new streams can be created per event processing cycle. The new limit makes it possible to start blocking requests before the overall limit on the number of simultaneous streams is reached, for example when streams are being processed asynchronously or are being flushed. A similar change was also included in the release of angie 1.3.1 (an nginx fork), published a week ago.
- Improved management of buffers used when automatically detecting HTTP/2 connections.
- Startup performance has been improved for configurations with a large number of “location” directives.
- Fixed a worker process crash that could occur when attempting to use HTTP/2 without SSL.
- Fixed incorrect processing of a “Status” header returned by the backend with an empty reason phrase.
- Fixed a memory leak during reconfiguration that occurred when building with the PCRE2 library.
- A large batch of fixes and improvements related to HTTP/3 support has been added.
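The effect of the per-cycle stream limit from the Rapid Reset item above can be seen in a small model. This is an added example, not nginx source code: the struct, field and function names are hypothetical, the limits are the defaults quoted above, and it assumes that a reset frees the concurrency slot immediately while the request work has already been started.

```c
#include <stdio.h>

/* Simplified model of one HTTP/2 connection; NOT nginx source code.
 * Field and function names are hypothetical. */
struct h2_conn {
    unsigned max_concurrent;     /* concurrent-stream limit (128 by default) */
    unsigned keepalive_requests; /* requests allowed per connection (1000) */
    unsigned active;             /* streams open right now */
    unsigned total;              /* requests accepted on this connection */
    unsigned new_in_cycle;       /* streams opened in the current event cycle */
};

/* One HEADERS frame arrives. Returns 1 if a request is started, 0 if refused. */
static int open_stream(struct h2_conn *c, int per_cycle_cap)
{
    if (c->total >= c->keepalive_requests) return 0;  /* connection is done */
    if (c->active >= c->max_concurrent) return 0;     /* classic limit */
    if (per_cycle_cap && c->new_in_cycle >= 2 * c->max_concurrent)
        return 0;                                     /* limit added in 1.25.3 */
    c->active++; c->total++; c->new_in_cycle++;
    return 1;
}

/* RST_STREAM frees the concurrency slot at once (modelling assumption: the
 * request work already started is still being cleaned up asynchronously). */
static void reset_stream(struct h2_conn *c) { if (c->active) c->active--; }

/* One event cycle in which a client sends `pairs` HEADERS+RST_STREAM pairs.
 * Returns how many requests the server started during that cycle. */
unsigned run_cycle(unsigned pairs, int per_cycle_cap)
{
    struct h2_conn c = { 128, 1000, 0, 0, 0 };
    unsigned started = 0;
    for (unsigned i = 0; i < pairs; i++) {
        if (open_stream(&c, per_cycle_cap)) { started++; reset_stream(&c); }
    }
    return started;
}

int main(void)
{
    printf("no per-cycle cap: %u requests started\n", run_cycle(5000, 0));
    printf("per-cycle cap:    %u requests started\n", run_cycle(5000, 1));
    return 0;
}
```

In this model the concurrent-stream limit never triggers, because every stream is reset before the next one opens, so only the per-connection request limit or the per-cycle cap stops the burst.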
At the same time, njs 0.8.2, a JavaScript interpreter for the nginx web server, was released. The njs interpreter implements ECMAScript standards and allows you to extend nginx's request processing capabilities using configuration scripts. Scripts can be used in the configuration file to define advanced request processing logic, generate configuration, dynamically generate responses, modify requests/responses, or quickly create stubs to resolve issues in web applications. The new version adds a console object, which provides the error(), info(), log(), time(), timeEnd(), and warn() methods. The fs.existsSync() method has been added to the fs module.
Also worth noting is the publication of the NGINX Unit 1.31.1 application server, which provides a solution for running web applications in various programming languages (Python, PHP, Perl, Ruby, Go, JavaScript/Node.js and Java). NGINX Unit can simultaneously run multiple applications in different programming languages, the launch parameters of which can be changed dynamically without the need to edit configuration files and restart. In addition to bug fixes, the Wasm module in the new version allows loading data larger than 4 GB and makes it possible to set HTTP status codes in responses.
Source: opennet.ru
