After a year of development, a new stable branch of nginx, the high-performance HTTP server and multi-protocol proxy server, has been published as 1.28.0, incorporating the changes accumulated in the 1.27.x main branch. From now on, changes in the 1.28 stable branch will be limited to fixes for serious bugs and vulnerabilities. The 1.29 main branch, where development of new features will continue, will be created soon. For ordinary users who do not need compatibility with third-party modules, the main branch is recommended; it is also the basis for the commercial Nginx Plus product, whose releases are formed every three months.
According to the March report by Netcraft, there are about 245 million websites running under nginx (243 million a year ago, 289 million two years ago). Nginx is used by 17.89% of all active websites (18.15% a year ago, 18.94% two years ago), which puts it in first place in this category; Apache's share is 16.03% (20.09% a year ago, 20.52% two years ago), Cloudflare's 17.81% (14.12%, 11.32%), and Google's 9.89% (10.41%, 9.89%).
When considering all sites, nginx keeps the lead with 20.48% of the market (22.31% a year ago, 25.94% two years ago), while Apache's share is 16.03% (20.17%, 20.58%), Cloudflare's 12.87% (11.24%, 10.17%), and OpenResty's (a platform based on nginx and LuaJIT) 9.36% (7.93%, 7.94%).
Among the million most visited sites in the world, nginx ranks second with a share of 20.37% (20.63% a year ago, 21.37% two years ago). Cloudflare holds first place with 22.32% (22.59% a year ago, 21.62% two years ago). Apache httpd's share is 17.95% (20.09%, 21.18%).
According to W3Techs, nginx is used by 33.8% of the million most visited sites (34.3% in April last year, 34.5% the year before). Over the year, Apache's share decreased from 30.1% to 26.3% and Microsoft IIS's from 5% to 4%, while Node.js's share increased from 3.2% to 4.4% and LiteSpeed's from 12.9% to 14.6%.
The most notable improvements added during the formation of the 1.27.x main branch:
- For connections using the QUIC protocol, support for the CUBIC congestion control algorithm (RFC 9438) has been added. The algorithm gradually increases the congestion window until packet loss occurs, after which the window is rolled back to its size before the loss began. In the tests conducted, CUBIC reduced the transfer time of a 500 MB file by 24% at a 40 ms delay with a bandwidth-delay product (BDP) of 750K, and by 73% at a 100 ms delay with a BDP of 9M.
- The stream module now supports checking client certificate revocation with OCSP (Online Certificate Status Protocol).
- The stream module supports OCSP Stapling: when negotiating a TLS connection, the server serving the site itself transmits an OCSP response signed by the certification authority, so the client does not need to query the certification authority directly.
- Caching of SSL certificates, keys and CRLs (Certificate Revocation Lists) during startup and configuration reloads has been implemented.
- Resource consumption and CPU load when using TLS in configurations with a large number of server and location blocks have been reduced: the existing SSL context of the parent block (SSL_CTX in OpenSSL) is now reused instead of creating a separate SSL context for each configuration block.
- The "ssl_client_certificate" directive provides support for certificates with additional information.
- The "ssl_client_certificate" directive is no longer required to verify client SSL certificates.
- The ngx_mail_proxy_module module has been updated to support SmarterMail-specific IMAP LOGIN mode with untagged CAPABILITY response.
- The "proxy_pass_trailers" directive has been added to the ngx_http_proxy_module module, allowing trailer fields (header fields sent after the response body) from the proxied server to be passed to the client.
- The "server" directive in the "upstream" block now supports the "resolve" parameter, which tracks changes of the IP addresses corresponding to the specified domain name and automatically updates the "upstream" block configuration when an address changes, without restarting nginx.
- Added the ability to use variables in the "proxy_limit_rate", "fastcgi_limit_rate", "scgi_limit_rate" and "uwsgi_limit_rate" directives.
- In the "proxy_bind", "fastcgi_bind", "grpc_bind", "memcached_bind", "scgi_bind" and "uwsgi_bind" directives, as well as for the client address in the ngx_http_realip_module module, IPv6 addresses may be specified in square brackets without a port number.
- Added the "keepalive_min_timeout" directive, which sets a timeout during which nginx will not close a keep-alive connection with the client.
- By default, the TLSv1 and TLSv1.1 protocols are disabled.
- Fixed issues with long loading of configuration files due to repeated parsing of the same set of TLS certificates, keys, and lists of certification authorities. Configuration reloading was sped up by reusing unchanged TLS objects, such as certificates, keys, and CRLs. The "ssl_object_cache_inheritable" directive was added to disable inheritance of objects when updating the configuration.
- Added cache for certificates and keys loaded using variables in directives (e.g. "ssl_certificate /etc/ssl/$ssl_server_name.crt"). The following directives have been added to manage the cache: "ssl_certificate_cache", "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache" and "uwsgi_ssl_certificate_cache". These directives can be used to configure the maximum cache size, the validity period of records, and the time to clean up unused records. For example: "ssl_certificate_cache max=1000 inactive=20s valid=1m;".
- Reduced memory consumption when processing long-lived requests in configurations that use the "gzip", "gunzip", "ssi", "sub_filter", or "grpc_pass" directives.
- The maximum size of SSL sessions cached in shared memory has been increased to 8192.
- Building with the musl C library has been fixed.
- Performance optimizations and bug fixes have been made in the HTTP/3 implementation.
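As an added illustration (not configuration from the release notes or the nginx project), the fragment below wires several of the 1.28 directives listed above into one configuration; host names, paths, addresses and timeouts are placeholders chosen here:

```nginx
# Added example (not from the release notes): one config exercising several
# nginx 1.28 directives mentioned above. Hostnames and paths are placeholders.
http {
    resolver 127.0.0.53 valid=30s;   # required by the "resolve" parameter below

    # Cache certificates/keys loaded through variables instead of re-reading
    # them from disk on every handshake.
    ssl_certificate_cache max=1000 inactive=20s valid=1m;

    # Reuse unchanged certificates, keys and CRLs across "nginx -s reload".
    ssl_object_cache_inheritable on;

    upstream backend {
        zone backend 64k;                     # shared memory is mandatory for "resolve"
        server app.internal.example resolve;  # follows DNS changes without a restart
    }

    server {
        listen 443 ssl;
        server_name example.com www.example.com;

        # Certificate picked by SNI; TLSv1/TLSv1.1 are already off by default in 1.28.
        ssl_certificate     /etc/ssl/$ssl_server_name.crt;
        ssl_certificate_key /etc/ssl/$ssl_server_name.key;

        keepalive_timeout     75s;
        keepalive_min_timeout 10s;  # idle keep-alive connections survive at least 10s

        location / {
            proxy_pass          http://backend;
            proxy_http_version  1.1;   # trailers require chunked HTTP/1.1 responses
            proxy_pass_trailers on;    # forward trailer fields to the client
        }
    }
}

stream {
    resolver 127.0.0.53;             # ssl_ocsp must be able to reach the OCSP responder
    server {
        listen 8443 ssl;
        ssl_certificate        /etc/ssl/stream.example.crt;
        ssl_certificate_key    /etc/ssl/stream.example.key;
        ssl_verify_client      on;
        ssl_client_certificate /etc/ssl/client-ca.crt;
        ssl_ocsp               on;   # reject revoked client certificates via OCSP
        ssl_stapling           on;   # staple this server's own OCSP response
        proxy_pass             10.0.0.5:5432;
    }
}
```

Validate with `nginx -t` on a 1.28 build before reloading; the stream OCSP checks silently depend on the responder being reachable from the server.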
Additionally, it is worth noting the release of FreeNginx 1.28.0, a project developing a fork of nginx. The fork is led by Maxim Dounin, one of the key nginx developers. FreeNginx is positioned as a non-commercial project that ensures the development of the nginx code base without corporate interference. Among the specific changes in the FreeNginx 1.28 branch:
- The "off" parameter of the "pid" directive disables the creation of a PID file.
- Rate limiting of messages written to the error log, to prevent the log from filling up with repetitive messages.
- Implementation of the "multipath" parameter in the "listen" directive to support Multipath TCP.
- Support for the HTTP "Age" header when determining the lifetime of cache entries.
- The XOAUTH2 and OAUTHBEARER authentication methods have been added to the mail_proxy module.
Source: opennet.ru
