Softpedia >Windows >Internet >Servers >WEB Servers >Nginx >  Changelog

Nginx Changelog

What's new in Nginx 1.25.5 Mainline

Apr 24, 2024
  • Feature: virtual servers in the stream module.
  • Feature: the ngx_stream_pass_module.
  • Feature: the "deferred", "accept_filter", and "setfib" parameters of
  • the "listen" directive in the stream module.
  • Feature: cache line size detection for some architectures.
  • Feature: support for Homebrew on Apple Silicon.
  • Bugfix: Windows cross-compilation bugfixes and improvements.
  • Bugfix: unexpected connection closure while using 0-RTT in QUIC.

New in Nginx 1.25.4 Mainline (Feb 14, 2024)

  • Security: when using HTTP/3 a segmentation fault might occur in a worker process while processing a specially crafted QUIC session (CVE-2024-24989, CVE-2024-24990.
  • Bugfix: connections with pending AIO operations might be closed prematurely during graceful shutdown of old worker processes.
  • Bugfix: socket leak alerts no longer logged when fast shutdown was requested after graceful shutdown of old worker processes.
  • Bugfix: a socket descriptor error, a socket leak, or a segmentation fault in a worker process (for SSL proxying might occur if AIO was used in a subrequest.
  • Bugfix: a segmentation fault might occur in a worker process if SSL proxying was used along with the "image_filter" directive and errors with code 415 were redirected with the "error_page" directive.
  • Bugfixes and improvements in HTTP/3.

New in Nginx 1.25.3 Mainline (Oct 24, 2023)

  • Change: improved detection of misbehaving clients when using HTTP/2.
  • Feature: startup speedup when using a large number of locations. Thanks to Yusuke Nojima.
  • Bugfix: a segmentation fault might occur in a worker process when using HTTP/2 without SSL; the bug had appeared in 1.25.1.
  • Bugfix: the "Status" backend response header line with an empty reason phrase was handled incorrectly.
  • Bugfix: memory leak during reconfiguration when using the PCRE2 library. Thanks to ZhenZhong Wu.
  • Bugfixes and improvements in HTTP/3.

New in Nginx 1.25.2 Mainline (Aug 15, 2023)

  • Feature: path MTU discovery when using HTTP/3.
  • Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using
  • HTTP/3.
  • Change: now nginx uses appname "nginx" when loading OpenSSL
  • configuration.
  • Change: now nginx does not try to load OpenSSL configuration if the
  • --with-openssl option was used to built OpenSSL and the OPENSSL_CONF
  • environment variable is not set.
  • Bugfix: in the $body_bytes_sent variable when using HTTP/3.
  • Bugfix: in HTTP/3.

New in Nginx 1.25.0 Mainline (May 23, 2023)

  • Nginx-1.25.0 mainline version has been released, featuring experimental HTTP/3 support.

New in Nginx 1.24.0 (May 23, 2023)

  • Stable version has been released, incorporating new features and bug fixes from the 1.23.x mainline branch — including improved handling of multiple header lines with identical names, memory usage optimization in configurations with SSL proxying, better sanity checking of the listen directive protocol parameters, TLSv1.3 protocol enabled by default, automatic rotation of TLS session tickets encryption keys when using shared memory in the ssl_session_cache directive, and more.

New in Nginx 1.23.4 Mainline (Mar 28, 2023)

  • Change: now TLSv1.3 protocol is enabled by default.
  • Change: now nginx issues a warning if protocol parameters of a
  • listening socket are redefined.
  • Change: now nginx closes connections with lingering if pipelining was
  • used by the client.
  • Feature: byte ranges support in the ngx_http_gzip_static_module.
  • Bugfix: port ranges in the "listen" directive did not work; the bug
  • had appeared in 1.23.3.
  • Thanks to Valentin Bartenev.
  • Bugfix: incorrect location might be chosen to process a request if a
  • prefix location longer than 255 characters was used in the
  • configuration.
  • Bugfix: non-ASCII characters in file names on Windows were not
  • supported by the ngx_http_autoindex_module, the ngx_http_dav_module,
  • and the "include" directive.
  • Change: the logging level of the "data length too long", "length too
  • short", "bad legacy version", "no shared signature algorithms", "bad
  • digest length", "missing sigalgs extension", "encrypted length too
  • long", "bad length", "bad key update", "mixed handshake and non
  • handshake data", "ccs received early", "data between ccs and
  • finished", "packet length too long", "too many warn alerts", "record
  • too small", and "got a fin before a ccs" SSL errors has been lowered
  • from "crit" to "info".
  • *) Bugfix: a socket leak might occur when using HTTP/2 and the
  • "error_page" directive to redirect errors with code 400.
  • *) Bugfix: messages about logging to syslog errors did not contain
  • information that the errors happened while logging to syslog.
  • Thanks to Safar Safarly.
  • *) Workaround: "gzip filter failed to use preallocated memory" alerts
  • appeared in logs when using zlib-ng.
  • *) Bugfix: in the mail proxy server.

New in Nginx 1.23.3 Mainline (Dec 14, 2022)

  • Bugfix: an error might occur when reading PROXY protocol version 2 header with large number of TLVs.
  • Bugfix: a segmentation fault might occur in a worker process if SSI was used to process subrequests created by other modules.
  • Workaround: when a hostname used in the "listen" directive resolves to multiple addresses, nginx now ignores duplicates within these addresses.
  • Bugfix: nginx might hog CPU during unbuffered proxying if SSL connections to backends were used.

New in Nginx 1.23.1 Mainline (Jul 19, 2022)

  • Feature: memory usage optimization in configurations with SSL
  • proxying.
  • Feature: looking up of IPv4 addresses while resolving now can be
  • disabled with the "ipv4=off" parameter of the "resolver" directive.
  • Change: the logging level of the "bad key share", "bad extension",
  • "bad cipher", and "bad ecpoint" SSL errors has been lowered from
  • "crit" to "info".
  • Bugfix: while returning byte ranges nginx did not remove the
  • "Content-Range" header line if it was present in the original backend
  • response.
  • Bugfix: a proxied response might be truncated during reconfiguration
  • on Linux; the bug had appeared in 1.17.5.

New in Nginx 1.23.0 (Jun 21, 2022)

  • Change in internal API: now header lines are represented as linked
  • lists.
  • Change: now nginx combines arbitrary header lines with identical
  • names when sending to FastCGI, SCGI, and uwsgi backends, in the
  • $r->header_in() method of the ngx_http_perl_module, and during lookup
  • of the "$http_...", "$sent_http_...", "$sent_trailer_...",
  • "$upstream_http_...", and "$upstream_trailer_..." variables.
  • Bugfix: if there were multiple "Vary" header lines in the backend
  • response, nginx only used the last of them when caching.
  • Bugfix: if there were multiple "WWW-Authenticate" header lines in the
  • backend response and errors with code 401 were intercepted or the
  • "auth_request" directive was used, nginx only sent the first of the
  • header lines to the client.
  • Change: the logging level of the "application data after close
  • notify" SSL errors has been lowered from "crit" to "info".
  • Bugfix: connections might hang if nginx was built on Linux 2.6.17 or
  • newer, but was used on systems without EPOLLRDHUP support, notably
  • with epoll emulation layers; the bug had appeared in 1.17.5.
  • Thanks to Marcus Ball.
  • Bugfix: nginx did not cache the response if the "Expires" response
  • header line disabled caching, but following "Cache-Control" header
  • line enabled caching.

New in Nginx 1.22.0 (May 24, 2022)

  • 1.22.x stable branch.

New in Nginx 1.21.6 (Jan 25, 2022)

  • Bugfix: when using EPOLLEXCLUSIVE on Linux client connections were unevenly distributed among worker processes.
  • Bugfix: nginx returned the "Connection: keep-alive" header line in responses during graceful shutdown of old worker processes.
  • Bugfix: in the "ssl_session_ticket_key" when using TLSv1.3.

New in Nginx 1.21.5 (Dec 28, 2021)

  • Change: now nginx is built with the PCRE2 library by default.
  • Change: now nginx always uses sendfile(SF_NODISKIO) on FreeBSD.
  • Feature: support for sendfile(SF_NOCACHE) on FreeBSD.
  • Feature: the $ssl_curve variable.
  • Bugfix: connections might hang when using HTTP/2 without SSL with the "sendfile" and "aio" directives.

New in Nginx 1.21.4 (Nov 2, 2021)

  • Change:
  • Support for NPN instead of ALPN to establish HTTP/2 connections has been removed.
  • Now nginx rejects SSL connections if ALPN is used by the client, but no supported protocols can be negotiated.
  • The default value of the "sendfile_max_chunk" directive was changed to 2 megabytes.
  • Feature:
  • The "proxy_half_close" directive in the stream module.
  • The "ssl_alpn" directive in the stream module.
  • The $ssl_alpn_protocol variable.
  • Support for SSL_sendfile() when using OpenSSL 3.0.
  • The "mp4_start_key_frame" directive in thengx_http_mp4_module.
  • Bugfix:
  • In the $content_length variable when using chunked transfer encoding.
  • After receiving a response with incorrect length from a
  • Proxied backend nginx might nevertheless cache the connection.invalid headers from backends were logged at the "info" level instead of "error"; the bug had appeared in 1.21.1.
  • Requests might hang when using HTTP/2 and the "aio_write" directive.

New in Nginx 1.21.3 (Sep 7, 2021)

  • Change: optimization of client request body reading when using
  • HTTP/2.
  • *) Bugfix: in request body filters internal API when using HTTP/2 and
  • Buffering of the data being processed.

New in Nginx 1.21.2 (Sep 1, 2021)

  • Change: now nginx rejects HTTP/1.0 requests with the "Transfer-Encoding" header line.
  • Change: export ciphers are no longer supported.
  • Feature: OpenSSL 3.0 compatibility.
  • Feature: the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines are now passed to the mail proxy authentication server. Thanks to Rob Mueller.
  • Feature: request body filters API now permits buffering of the data being processed.
  • Bugfix: backend SSL connections in the stream module might hang after an SSL handshake.
  • Bugfix: the security level, which is available in OpenSSL 1.1.0 or newer, did not affect loading of the server certificates when set with "@SECLEVEL=N" in the "ssl_ciphers" directive.
  • Bugfix: SSL connections with gRPC backends might hang if select, poll, or /dev/poll methods were used.
  • Bugfix: when using HTTP/2 client request body was always written to disk if the "Content-Length" header line was not present in the request.

New in Nginx 1.21.1 (Jul 6, 2021)

  • Change: now nginx always returns an error for the CONNECT method.
  • Change: now nginx always returns an error if both "Content-Length" and "Transfer-Encoding" header lines are present in the request.
  • Change: now nginx always returns an error if spaces or control characters are used in the request line.
  • Change: now nginx always returns an error if spaces or control characters are used in a header name.
  • Change: now nginx always returns an error if spaces or control characters are used in the "Host" request header line.
  • Change: optimization of configuration testing when using many listening sockets.
  • Bugfix: nginx did not escape """, "<", ">", "", "^", "`", "{", "|", and "}" characters when proxying with changed URI.
  • Bugfix: SSL variables might be empty when used in logs; the bug had appeared in 1.19.5.
  • Bugfix: keepalive connections with gRPC backends might not be closed after receiving a GOAWAY frame.
  • Bugfix: reduced memory consumption for long-lived requests when proxying with more than 64 buffers.

New in Nginx 1.21.0 (May 26, 2021)

  • Security: 1-byte memory overwrite might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause worker process crash or, potentially, arbitrary code execution (CVE-2021-23017.
  • Feature: variables support in the "proxy_ssl_certificate", "proxy_ssl_certificate_key" "grpc_ssl_certificate", "grpc_ssl_certificate_key", "uwsgi_ssl_certificate", and "uwsgi_ssl_certificate_key" directives.
  • Feature: the "max_errors" directive in the mail proxy module.
  • Feature: the mail proxy module supports POP3 and IMAP pipelining.
  • Feature: the "fastopen" parameter of the "listen" directive in the stream module. Thanks to Anbang Wen.
  • Bugfix: special characters were not escaped during automatic redirect with appended trailing slash.
  • Bugfix: connections with clients in the mail proxy module might be closed unexpectedly when using SMTP pipelining.

New in Nginx 1.20.0 (Apr 20, 2021)

  • 1.20.x stable branch.

New in Nginx 1.19.10 (Apr 13, 2021)

  • Change: the default value of the "keepalive_requests" directive was
  • changed to 1000.
  • Feature: the "keepalive_time" directive.
  • Feature: the $connection_time variable.
  • Workaround: "gzip filter failed to use preallocated memory" alerts
  • appeared in logs when using zlib-ng.

New in Nginx 1.19.9 (Mar 31, 2021)

  • Bugfix: nginx could not be built with the mail proxy module, but without the ngx_mail_ssl_module; the bug had appeared in 1.19.8.
  • Bugfix: "upstream sent response body larger than indicated content length" errors might occur when working with gRPC backends; the bug had appeared in 1.19.1.
  • Bugfix: nginx might not close a connection till keepalive timeout expiration if the connection was closed by the client while discarding the request body.
  • Bugfix: nginx might not detect that a connection was already closed by the client when waiting for auth_delay or limit_req delay, or when working with backends.
  • Bugfix: in the eventport method.

New in Nginx 1.19.8 (Mar 9, 2021)

  • Features:
  • Flags in the "proxy_cookie_flags" directive can now contain variables.
  • The "proxy_protocol" parameter of the "listen" directive the "proxy_protocol" and "set_real_ip_from" directives in mail proxy.
  • Bugfix:
  • HTTP/2 connections were immediately closed when using "keepalive_timeout 0"; the bug had appeared in 1.19.7.
  • Some errors were logged as unknown if nginx was built with glibc 2.32.
  • In the eventport method.

New in Nginx 1.19.7 (Feb 16, 2021)

  • Change: connections handling in HTTP/2 has been changed to better
  • match HTTP/1.x; the "http2_recv_timeout", "http2_idle_timeout", and
  • "http2_max_requests" directives have been removed, the
  • "keepalive_timeout" and "keepalive_requests" directives should be
  • used instead.
  • Change: the "http2_max_field_size" and "http2_max_header_size"
  • directives have been removed, the "large_client_header_buffers"
  • directive should be used instead.
  • Feature: now, if free worker connections are exhausted, nginx starts
  • closing not only keepalive connections, but also connections in
  • lingering close.
  • Bugfix: "zero size buf in output" alerts might appear in logs if an
  • upstream server returned an incorrect response during unbuffered
  • proxying; the bug had appeared in 1.19.1.
  • Bugfix: HEAD requests were handled incorrectly if the "return"
  • directive was used with the "image_filter" or "xslt_stylesheet"
  • directives.
  • Bugfix: in the "add_trailer" directive.

New in Nginx 1.19.6 (Dec 15, 2020)

  • Security: when using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

New in Nginx 1.19.5 (Nov 24, 2020)

  • Feature: the -e switch.
  • Feature: the same source files can now be specified in different modules while building addon modules.
  • Bugfix: SSL shutdown did not work when lingering close was used.
  • Bugfix: "upstream sent frame for closed stream" errors might occur when working with gRPC backends.
  • Bugfix: in request body filters internal API.

New in Nginx 1.19.4 (Oct 27, 2020)

  • Feature: the "ssl_conf_command", "proxy_ssl_conf_command", "grpc_ssl_conf_command", and "uwsgi_ssl_conf_command" directives.
  • Feature: the "ssl_reject_handshake" directive.
  • Feature: the "proxy_smtp_auth" directive in mail proxy.

New in Nginx 1.19.3 (Sep 29, 2020)

  • Feature: the ngx_stream_set_module.
  • Feature: the "proxy_cookie_flags" directive.
  • Feature: the "userid_flags" directive.
  • Bugfix: the "stale-if-error" cache control extension was erroneously applied if backend returned a response with status code 500, 502, 503, 504, 403, 404, or 429.
  • Bugfix: "[crit] cache file ... has too long header" messages might appear in logs if caching was used and the backend returned responses with the "Vary" header line.
  • Workaround: "[crit] SSL_write() failed" messages might appear in logs when using OpenSSL 1.1.1.
  • Bugfix: "SSL_shutdown() failed (SSL: ... bad write retry)" messages might appear in logs; the bug had appeared in 1.19.2.
  • Bugfix: a segmentation fault might occur in a worker process when using HTTP/2 if errors with code 400 were redirected to a proxied location using the "error_page" directive.
  • Bugfix: socket leak when using HTTP/2 and subrequests in the njs module.

New in Nginx 1.19.2 (Aug 11, 2020)

  • Change: now nginx starts closing keepalive connections before all
  • free worker connections are exhausted, and logs a warning about this
  • to the error log.
  • Change: optimization of client request body reading when using
  • chunked transfer encoding.
  • Bugfix: memory leak if the "ssl_ocsp" directive was used.
  • Bugfix: "zero size buf in output" alerts might appear in logs if a
  • FastCGI server returned an incorrect response; the bug had appeared
  • in 1.19.1.
  • Bugfix: a segmentation fault might occur in a worker process if
  • different large_client_header_buffers sizes were used in different
  • virtual servers.
  • Bugfix: SSL shutdown might not work.
  • Bugfix: "SSL_shutdown() failed (SSL: ... bad write retry)" messages
  • might appear in logs.
  • Bugfix: in the ngx_http_slice_module.
  • Bugfix: in the ngx_http_xslt_filter_module.

New in Nginx 1.19.1 (Jul 7, 2020)

  • Change: the "lingering_close", "lingering_time", and "lingering_timeout" directives now work when using HTTP/2
  • Change: now extra data sent by a backend are always discarded
  • Change: now after receiving a too short response from a FastCGI server nginx tries to send the available part of the response to the client, and then closes the client connection
  • Change: now after receiving a response with incorrect length from a gRPC backend nginx stops response processing with an error
  • Feature: the "min_free" parameter of the "proxy_cache_path" "fastcgi_cache_path", "scgi_cache_path", and "uwsgi_cache_path" directives
  • Bugfix: nginx did not delete unix domain listen sockets during graceful shutdown on the SIGQUIT signal
  • Bugfix: zero length UDP datagrams were not proxied
  • Bugfix: proxying to uwsgi backends using SSL might not work
  • Bugfix: in error handling when using the "ssl_ocsp" directive
  • Bugfix: on XFS and NFS file systems disk cache size might be calculated incorrectly
  • Bugfix: "negative size buf in writer" alerts might appear in logs if a memcached server returned a malformed response

New in Nginx 1.18.0 (Apr 21, 2020)

  • 1.18.x stable branch.

New in Nginx 1.17.10 (Apr 14, 2020)

  • Feature: the "auth_delay" directive.

New in Nginx 1.17.9 (Mar 3, 2020)

  • Change: now nginx does not allow several "Host" request header lines.
  • Bugfix: nginx ignored additional "Transfer-Encoding" request header lines.
  • Bugfix: socket leak when using HTTP/2.
  • Bugfix: a segmentation fault might occur in a worker process if OCSP stapling was used.
  • Bugfix: in the ngx_http_mp4_module.
  • Bugfix: nginx used status code 494 instead of 400 if errors with code 494 were redirected with the "error_page" directive.
  • Bugfix: socket leak when using subrequests in the njs module and the "aio" directive.

New in Nginx 1.17.7 (Dec 24, 2019)

  • Bugfix: a segmentation fault might occur on start or during reconfiguration if the "rewrite" directive with an empty replacement string was used in the configuration.
  • Bugfix: a segmentation fault might occur in a worker process if the"break" directive was used with the "alias" directive or with the "proxy_pass" directive with a URI.
  • Bugfix: the "Location" response header line might contain garbage if the request URI was rewritten to the one containing a null character.
  • Bugfix: requests with bodies were handled incorrectly when returning redirections with the "error_page" directive; the bug had appeared in 0.7.12.
  • Bugfix: socket leak when using HTTP/2.
  • Bugfix: a timeout might occur while handling pipelined requests in an SSL connection; the bug had appeared in 1.17.5.
  • Bugfix: in the ngx_http_dav_module.

New in Nginx 1.17.6 (Nov 19, 2019)

  • Feature: the $proxy_protocol_server_addr and $proxy_protocol_server_port variables.
  • Feature: the "limit_conn_dry_run" directive.
  • Feature: the $limit_req_status and $limit_conn_status variables.

New in Nginx 1.17.5 (Oct 22, 2019)

  • Feature: now nginx uses ioctl(FIONREAD), if available, to avoid reading from a fast connection for a long time.
  • Bugfix: incomplete escaped characters at the end of the request URI were ignored.
  • Bugfix: "/." and "/.." at the end of the request URI were not normalized.
  • Bugfix: in the "merge_slashes" directive.
  • Bugfix: in the "ignore_invalid_headers" directive.
  • Bugfix: nginx could not be built with MinGW-w64 gcc 8.1 or newer.

New in Nginx 1.17.4 (Sep 24, 2019)

  • Change: better detection of incorrect client behavior in HTTP/2.
  • Change: in handling of not fully read client request body when returning errors in HTTP/2.
  • Bugfix: the "worker_shutdown_timeout" directive might not work when using HTTP/2.
  • Bugfix: a segmentation fault might occur in a worker process when using HTTP/2 and the "proxy_request_buffering" directive.
  • Bugfix: the ECONNABORTED error log level was "crit" instead of "error" on Windows when using SSL.
  • Bugfix: nginx ignored extra data when using chunked transfer encoding.
  • Bugfix: nginx always returned the 500 error if the "return" directive as used and an error occurred during reading client request body.
  • Bugfix: in memory allocation error handling.

New in Nginx 1.17.3 (Aug 13, 2019)

  • Security: when using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
  • Bugfix: "zero size buf" alerts might appear in logs when using gzipping; the bug had appeared in 1.17.2.
  • Bugfix: a segmentation fault might occur in a worker process if the "resolver" directive was used in SMTP proxy.

New in Nginx 1.15.12 (Apr 23, 2019)

  • Bugfix: a segmentation fault might occur in a worker process if variables were used in the "ssl_certificate" or "ssl_certificate_key" directives and OCSP stapling was enabled.

New in Nginx 1.15.10 (Mar 26, 2019)

  • Change: when using a hostname in the "listen" directive nginx now creates listening sockets for all addresses the host name solves to (previously, only the first address was used).
  • Feature: port ranges in the "listen" directive.
  • Feature: loading of SSL certificates and secret keys from variables.
  • Workaround: the $ssl_server_name variable might be empty when using OpenSSL 1.1.1.
  • Bugfix: nginx/Windows could not be built with Visual Studio 2015 or newer; the bug had appeared in 1.15.9.

New in Nginx 1.15.9 (Feb 26, 2019)

  • Feature: variables support in the "ssl_certificate" and
  • "ssl_certificate_key" directives.
  • Feature: the "poll" method is now available on Windows when using
  • Windows Vista or newer.
  • Bugfix: if the "select" method was used on Windows and an error
  • occurred while establishing a backend connection, nginx waited for
  • the connection establishment timeout to expire.
  • Bugfix: the "proxy_upload_rate" and "proxy_download_rate" directives
  • in the stream module worked incorrectly when proxying UDP datagrams.

New in Nginx 1.15.8 (Dec 25, 2018)

  • *) Feature: the $upstream_bytes_sent variable.
  • Thanks to Piotr Sikora.
  • *) Feature: new directives in vim syntax highlighting scripts.
  • Thanks to Gena Makhomed.
  • *) Bugfix: in the "proxy_cache_background_update" directive.
  • *) Bugfix: in the "geo" directive when using unix domain listen sockets.
  • *) Workaround: the "ignoring stale global SSL error ... bad length"
  • alerts might appear in logs when using the "ssl_early_data" directive
  • with OpenSSL.
  • *) Bugfix: in nginx/Windows.
  • *) Bugfix: in the ngx_http_autoindex_module on 32-bit platforms.

New in Nginx 1.15.6 (Nov 7, 2018)

  • 1.14.1 Mainline

New in Nginx 1.15.6 (Nov 7, 2018)

  • Security: when using HTTP/2 a client might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).
  • Security: processing of a specially crafted mp4 file with the ngx_http_mp4_module might result in worker process memory disclosure (CVE-2018-16845).
  • Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive", "grpc_socket_keepalive", "memcached_socket_keepalive", "scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives.
  • Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL 1.1.1, the TLS 1.3 protocol was always enabled.
  • Bugfix: working with gRPC backends might result in excessive memory consumption.

New in Nginx 1.15.5 (Oct 3, 2018)

  • Bugfix: a segmentation fault might occur in a worker process when
  • using OpenSSL 1.1.0h or newer; the bug had appeared in 1.15.4.
  • Bugfix: of minor potential bugs.

New in Nginx 1.15.4 (Sep 26, 2018)

  • Feature: now the "ssl_early_data" directive can be used with OpenSSL.
  • Bugfix: in the ngx_http_uwsgi_module.
  • Thanks to Chris Caputo.
  • Bugfix: connections with some gRPC backends might not be cached when
  • using the "keepalive" directive.
  • Bugfix: a socket leak might occur when using the "error_page"
  • directive to redirect early request processing errors, notably errors
  • with code 400.
  • Bugfix: the "return" directive did not change the response code when
  • returning errors if the request was redirected by the "error_page"
  • directive.
  • Bugfix: standard error pages and responses of the
  • ngx_http_autoindex_module module used the "bgcolor" attribute, and
  • might be displayed incorrectly when using custom color settings in
  • browsers.
  • Thanks to Nova DasSarma.
  • Change: the logging level of the "no suitable key share" and "no
  • suitable signature algorithm" SSL errors has been lowered from "crit"
  • to "info".

New in Nginx 1.15.3 (Aug 29, 2018)

  • Mainline version has been released.

New in Nginx 1.15.2 (Jul 24, 2018)

  • Feature: the $ssl_preread_protocol variable in the ngx_stream_ssl_preread_module.
  • Feature: now when using the "reset_timedout_connection" directive nginx will reset connections being closed with the 444 code.
  • Change: a logging level of the "http request", "https proxy request", "unsupported protocol", and "version too low" SSL errors has been lowered from "crit" to "info".
  • Bugfix: DNS requests were not resent if initial sending of a request failed.
  • Bugfix: the "reuseport" parameter of the "listen" directive was ignored if the number of worker processes was specified after the "listen" directive.
  • Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to switch off "ssl_prefer_server_ciphers" in a virtual server if it was switched on in the default server.
  • Bugfix: SSL session reuse with upstream servers did not work with the TLS 1.3 protocol.

New in Nginx 1.15.1 (Jul 4, 2018)

  • Nginx-1.15.1 mainline version has been released, featuring random load balancing method.

New in Nginx 1.15.0 (Jun 5, 2018)

  • Change: the "ssl" directive is deprecated; the "ssl" parameter of the "listen" directive should be used instead.
  • Change: now nginx detects missing SSL certificates during configuration testing when using the "ssl" parameter of the "listen" directive.
  • Feature: now the stream module can handle multiple incoming UDP datagrams from a client within a single session.
  • Bugfix: it was possible to specify an incorrect response code in the "proxy_cache_valid" directive.
  • Bugfix: nginx could not be built by gcc 8.1.
  • Bugfix: logging to syslog stopped on local IP address changes.
  • Bugfix: nginx could not be built by clang with CUDA SDK installed; the bug had appeared in 1.13.8.
  • Bugfix: "getsockopt(TCP_FASTOPEN... failed" messages might appear in logs during binary upgrade when using unix domain listen sockets on FreeBSD.
  • Bugfix: nginx could not be built on Fedora 28 Linux.
  • Bugfix: request processing rate might exceed configured rate when using the "limit_req" directive.
  • Bugfix: in handling of client addresses when using unix domain listen sockets to work with datagrams on Linux.
  • Bugfix: in memory allocation error handling.

New in Nginx 1.14.0 (Apr 17, 2018)

  • incorporates new features and bug fixes from the 1.13.x mainline branch - including the mirror module, HTTP/2 push, the gRPC proxy module, and more.

New in Nginx 1.13.12 Mainline (Apr 10, 2018)

  • Bugfix: client SSL connections were immediately closed if deferred accept and the "proxy_protocol" parameter of the "listen" directive were used.
  • Bugfix: client connections might be dropped during configuration testing when using the "reuseport" parameter of the "listen" directive on Linux.
  • Bugfix: incorrect response length was returned on 32-bit platforms when requesting more than 4 gigabytes with multiple ranges.
  • Bugfix: switching to the next upstream server in the stream module did not work when using the "ssl_preread" directive.
  • Bugfix: when using HTTP/2 client request body might be corrupted.
  • Bugfix: in handling of client addresses when using unix domain sockets.

New in Nginx 1.13.11 Mainline (Apr 3, 2018)

  • Feature: the "proxy_protocol" parameter of the "listen" directive now supports the PROXY protocol version 2.
  • Bugfix: in the "http_404", "http_500", etc. parameters of the "proxy_next_upstream" directive.

New in Nginx 1.13.10 Mainline (Mar 20, 2018)

  • Feature: the "set" parameter of the "include" SSI directive now
  • allows writing arbitrary responses to a variable; the
  • "subrequest_output_buffer_size" directive defines maximum response
  • size.
  • Feature: now nginx uses clock_gettime(CLOCK_MONOTONIC) if available,
  • to avoid timeouts being incorrectly triggered on system time changes.
  • Feature: the "escape=none" parameter of the "log_format" directive.
  • Thanks to Johannes Baiter and Calin Don.
  • Feature: the $ssl_preread_alpn_protocols variable in the
  • ngx_stream_ssl_preread_module.
  • Feature: the ngx_http_grpc_module.
  • Bugfix: in memory allocation error handling in the "geo" directive.
  • Bugfix: when using variables in the "auth_basic_user_file" directive
  • a null character might appear in logs.
  • Thanks to Vadim Filimonov.

New in Nginx 1.13.9 Mainline (Feb 20, 2018)

  • Feature: HTTP/2 server push support; the "http2_push" an "http2_push_preload" directives.
  • Bugfix: "header already sent" alerts might appear in logs when using cache; the bug had appeared in 1.9.13.
  • Bugfix: a segmentation fault might occur in a worker process if the "ssl_verify_client" directive was used and no SSL certificate was specified in a virtual server.
  • Bugfix: in the ngx_http_v2_module.
  • Bugfix: in the ngx_http_dav_module.

New in Nginx 1.13.7 Mainline (Nov 22, 2017)

  • Bugfix: in the $upstream_status variable.
  • Bugfix: a segmentation fault might occur in a worker process if a backend returned a "101 Switching Protocols" response to a subrequest.
  • Bugfix: a segmentation fault occurred in a master process if a shared memory zone size was changed during a reconfiguration and the reconfiguration failed.
  • Bugfix: in the ngx_http_fastcgi_module.
  • Bugfix: nginx returned the 500 error if parameters without variables were specified in the "xslt_stylesheet" directive.
  • Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using a zlib library variant from Intel.
  • Bugfix: the "worker_shutdown_timeout" directive did not work when using mail proxy and when proxying WebSocket connections.

New in Nginx 1.12.2 (Oct 18, 2017)

  • Bugfix: client SSL connections were immediately closed if deferred accept and the "proxy_protocol" parameter of the "listen" directive were used.
  • Bugfix: client connections might be dropped during configuration testing when using the "reuseport" parameter of the "listen" directive on Linux.
  • Bugfix: incorrect response length was returned on 32-bit platforms when requesting more than 4 gigabytes with multiple ranges.
  • Bugfix: switching to the next upstream server in the stream module did not work when using the "ssl_preread" directive.
  • Bugfix: when using HTTP/2 client request body might be corrupted.
  • Bugfix: in handling of client addresses when using unix domain sockets.

New in Nginx 1.13.6 Mainline (Oct 11, 2017)

  • Bugfix: switching to the next upstream server in the stream module did not work when using the "ssl_preread" directive.
  • Bugfix: in the ngx_http_v2_module.
  • Bugfix: nginx did not support dates after the year 2038 on 32-bit platforms with 64-bit time_t.
  • Bugfix: in handling of dates prior to the year 1970 and after the year 10000.
  • Bugfix: in the stream module timeouts waiting for UDP datagrams from upstream servers were not logged or logged at the "info" level instead of "error".
  • Bugfix: when using HTTP/2 nginx might return the 400 response without logging the reason.
  • Bugfix: in processing of corrupted cache files.
  • Bugfix: cache control headers were ignored when caching errors intercepted by error_page.
  • Bugfix: when using HTTP/2 client request body might be corrupted.
  • Bugfix: in handling of client addresses when using unix domain sockets.
  • Bugfix: nginx hogged CPU when using the "hash ... consistent" directive in the upstream block if large weights were used and all or most of the servers were unavailable.

New in Nginx 1.13.5 Mainline (Sep 6, 2017)

  • Feature: the $ssl_client_escaped_cert variable.
  • Bugfix: the "ssl_session_ticket_key" directive and the "include" parameter of the "geo" directive did not work on Windows.
  • Bugfix: incorrect response length was returned on 32-bit platforms when requesting more than 4 gigabytes with multiple ranges.
  • Bugfix: the "expires modified" directive and processing of the "If-Range" request header line did not use the response last modification time if proxying without caching was used.

New in Nginx 1.13.4 Mainline (Aug 9, 2017)

  • Mainline version has been released, featuring the mirror module.

New in Nginx 1.12.1 (Jul 12, 2017)

  • Security: a specially crafted request might result in an integer overflow and incorrect processing of ranges in the range filter, potentially resulting in sensitive information leak

New in Nginx 1.13.2 (Jun 28, 2017)

  • Change: nginx now returns 200 instead of 416 when a range starting with 0 is requested from an empty file.
  • Feature: the "add_trailer" directive. Thanks to Piotr Sikora.
  • Bugfix: nginx could not be built on Cygwin and NetBSD; the bug had appeared in 1.13.0.
  • Bugfix: nginx could not be built under MSYS2 / MinGW 64-bit. Thanks to Orgad Shaneh.
  • Bugfix: a segmentation fault might occur in a worker process when using SSI with many includes and proxy_pass with variables.
  • Bugfix: in the ngx_http_v2_module. Thanks to Piotr Sikora.

New in Nginx 1.13.1 (May 31, 2017)

  • Feature: now a hostname can be used as the "set_real_ip_from" directive parameter.
  • Feature: vim syntax highlighting scripts improvements.
  • Feature: the "worker_cpu_affinity" directive now works on DragonFly BSD.
  • Thanks to Sepherosa Ziehau.
  • Bugfix: SSL renegotiation on backend connections did not work when using OpenSSL before 1.1.0.
  • Workaround: nginx could not be built with Oracle Developer Studio
  • Workaround: now cache manager ignores long locked cache entries when cleaning cache based on the "max_size" parameter.
  • Bugfix: client SSL connections were immediately closed if deferred accept and the "proxy_protocol" parameter of the "listen" directive were used.
  • Bugfix: in the "proxy_cache_background_update" directive.
  • Workaround: now the "tcp_nodelay" directive sets the TCP_NODELAY option before an SSL handshake.

New in Nginx 1.13.0 (Apr 26, 2017)

  • Change: SSL renegotiation is now allowed on backend connections.
  • Feature: the "rcvbuf" and "sndbuf" parameters of the "listen" directives of the mail proxy and stream modules.
  • Feature: the "return" and "error_page" directives can now be used to return 308 redirections.
  • Feature: the "TLSv1.3" parameter of the "ssl_protocols" directive.
  • Feature: when logging signals nginx now logs PID of the process which sent the signal.
  • Bugfix: in memory allocation error handling.
  • Bugfix: if a server in the stream module listened on a wildcard address, the source address of a response UDP datagram could differ from the original datagram destination address.

New in Nginx 1.12.0 (Apr 13, 2017)

  • stable version has been released, incorporating new features and bug fixes from the 1.11.x mainline branch - including variables support and other improvements in the stream module, HTTP/2 fixes, support for multiple SSL certificates of different types, improved dynamic modules support, and more.

New in Nginx 1.11.13 Mainline (Apr 5, 2017)

  • Feature: the "http_429" parameter of the "proxy_next_upstream", "fastcgi_next_upstream", "scgi_next_upstream", and "uwsgi_next_upstream" directives.
  • Bugfix: in memory allocation error handling.
  • Bugfix: requests might hang when using the "sendfile" and "timer_resolution" directives on Linux.
  • Bugfix: requests might hang when using the "sendfile" and "aio_write" directives with subrequests.
  • Bugfix: in the ngx_http_v2_module.
  • Bugfix: a segmentation fault might occur in a worker process when using HTTP/2.
  • Bugfix: requests might hang when using the "limit_rate", "sendfile_max_chunk", "limit_req" directives, or the $r->sleep() embedded perl method with subrequests.
  • Bugfix: in the ngx_http_slice_module.

New in Nginx 1.11.12 Mainline (Mar 26, 2017)

  • Bugfix: nginx might hog CPU; the bug had appeared in 1.11.11.

New in Nginx 1.11.11 Mainline (Mar 22, 2017)

  • Feature: the "worker_shutdown_timeout" directive.
  • Feature: vim syntax highlighting scripts improvements. Thanks to Wei-Ko Kao.
  • Bugfix: a segmentation fault might occur in a worker process if the $limit_rate variable was set to an empty string.
  • Bugfix: the "proxy_cache_background_update", "fastcgi_cache_background_update", "scgi_cache_background_update", and "uwsgi_cache_background_update" directives might work incorrectly if the "if" directive was used.
  • Bugfix: a segmentation fault might occur in a worker process if number of large_client_header_buffers in a virtual server was different from the one in the default server.
  • Bugfix: in the mail proxy server.

New in Nginx 1.11.10 Mainline (Feb 15, 2017)

  • Change: cache header format has been changed, previously cached responses will be invalidated.
  • Feature: support of "stale-while-revalidate" and "stale-if-error" extensions in the "Cache-Control" backend response header line.
  • Feature: the "proxy_cache_background_update", "fastcgi_cache_background_update", "scgi_cache_background_update", and "uwsgi_cache_background_update" directives.
  • Feature: nginx is now able to cache responses with the "Vary" header line up to 128 characters long (instead of 42 characters in previous versions).
  • Feature: the "build" parameter of the "server_tokens" directive. Thanks to Tom Thorogood.
  • Bugfix: "[crit] SSL_write() failed" messages might appear in logs when handling requests with the "Expect: 100-continue" request header line.
  • Bugfix: the ngx_http_slice_module did not work in named locations.
  • Bugfix: a segmentation fault might occur in a worker process when using AIO after an "X-Accel-Redirect" redirection.
  • Bugfix: reduced memory consumption for long-lived requests using gzipping.

New in Nginx 1.10.3 (Feb 1, 2017)

  • Bugfix: in the "add_after_body" directive when used with the "sub_filter" directive.
  • Bugfix: unix domain listen sockets might not be inherited during binary upgrade on Linux.
  • Bugfix: graceful shutdown of old worker processes might require infinite time when using HTTP/2.
  • Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" directives client request body might be corrupted; the bug had appeared in 1.10.2.
  • Bugfix: a segmentation fault might occur in a worker process when using HTTP/2; the bug had appeared in 1.10.2.
  • Bugfix: an incorrect response might be returned when using the "sendfile" directive on FreeBSD and macOS; the bug had appeared in .7.8.
  • Bugfix: a truncated response might be stored in cache when using the "aio_write" directive.
  • Bugfix: a socket leak might occur when using the "aio_write" directive.

New in Nginx 1.11.9 Mainline (Jan 25, 2017)

  • Bugfix: nginx might hog CPU when using the stream module; the bug had appeared in 1.11.5.
  • Bugfix: EXTERNAL authentication mechanism in mail proxy was accepted even if it was not enabled in the configuration.
  • Bugfix: a segmentation fault might occur in a worker process if the ssl_verify_client" directive of the stream module was used.
  • Bugfix: the "ssl_verify_client" directive of the stream module might not work.
  • Bugfix: closing keepalive connections due to no free worker connections might be too aggressive.
  • Bugfix: an incorrect response might be returned when using the "sendfile" directive on FreeBSD and macOS; the bug had appeared in 1.7.8.
  • Bugfix: a truncated response might be stored in cache when using the "aio_write" directive.
  • Bugfix: a socket leak might occur when using the "aio_write" directive.

New in Nginx 1.10.2 (Oct 24, 2016)

  • Change: the "421 Misdirected Request" response now used when rejecting requests to a virtual server different from one negotiated during an SSL handshake; this improves interoperability with some HTTP/2 clients when using client certificates.
  • Change: HTTP/2 clients can now start sending request body immediately; the "http2_body_preread_size" directive controls size of the buffer used before nginx will start reading client request body.
  • Bugfix: a segmentation fault might occur in a worker process when using HTTP/2 and the "proxy_request_buffering" directive.
  • Bugfix: the "Content-Length" request header line was always added to requests passed to backends, including requests without body, when using HTTP/2.
  • Bugfix: "http request count is zero" alerts might appear in logs when using HTTP/2.
  • Bugfix: unnecessary buffering might occur when using the "sub_filter" directive; the issue had appeared in 1.9.4.
  • Bugfix: socket leak when using HTTP/2.
  • Bugfix: an incorrect response might be returned when using the "aio threads" and "sendfile" directives; the bug had appeared in 1.9.13.
  • Workaround: OpenSSL 1.1.0 compatibility.

New in Nginx 1.11.5 Mainline (Oct 24, 2016)

  • Change: the --with-ipv6 configure option was removed, now support is configured automatically.
  • Change: now if there are no available servers in an upstream, nginx will not reset number of failures of all servers as it previously did, but will wait for fail_timeout to expire.
  • Feature: the ngx_stream_ssl_preread_module.
  • Feature: the "server" directive in the "upstream" context supports the "max_conns" parameter.
  • Feature: the --with-compat configure option.
  • Feature: "manager_files", "manager_threshold", and "manager_sleep" parameters of the "proxy_cache_path", "fastcgi_cache_path", "scgi_cache_path", and "uwsgi_cache_path" directives.
  • Bugfix: flags passed by the --with-ld-opt configure option were not used while building perl module.
  • Bugfix: in the "add_after_body" directive when used with the "sub_filter" directive.
  • Bugfix: in the $realip_remote_addr variable.
  • Bugfix: the "dav_access", "proxy_store_access", "fastcgi_store_access", "scgi_store_access", and "uwsgi_store_access" directives ignored permissions specified for user.
  • Bugfix: unix domain listen sockets might not be inherited during binary upgrade on Linux.
  • Bugfix: nginx returned the 400 response on requests with the "-" character in the HTTP method.

New in Nginx 1.11.4 (Sep 14, 2016)

  • Feature: the $upstream_bytes_received variable.
  • Feature: the $bytes_received, $session_time, $protocol, $status, $upstream_addr, $upstream_bytes_sent, $upstream_bytes_received, $upstream_connect_time, $upstream_first_byte_time, and $upstream_session_time variables in the stream module.
  • Feature: the ngx_stream_log_module.
  • Feature: the "proxy_protocol" parameter of the "listen" directive, the $proxy_protocol_addr and $proxy_protocol_port variables in the stream module.
  • Feature: the ngx_stream_realip_module.
  • Bugfix: nginx could not be built with the stream module and the ngx_http_ssl_module, but without ngx_stream_ssl_module; the bug had appeared in 1.11.3.
  • Feature: the IP_BIND_ADDRESS_NO_PORT socket option was not used; the bug had appeared in 1.11.2.
  • Bugfix: in the "ranges" parameter of the "geo" directive.
  • Bugfix: an incorrect response might be returned when using the "aio threads" and "sendfile" directives; the bug had appeared in 1.9.13.

New in Nginx 1.11.3 (Jul 27, 2016)

  • Change: now the "accept_mutex" directive is turned off by default.
  • Feature: now nginx uses EPOLLEXCLUSIVE on Linux.
  • Feature: the ngx_stream_geo_module.
  • Feature: the ngx_stream_geoip_module.
  • Feature: the ngx_stream_split_clients_module.
  • Feature: variables support in the "proxy_pass" and "proxy_ssl_name"
  • directives in the stream module.
  • Bugfix: socket leak when using HTTP/2.
  • Bugfix: in configure tests.

New in Nginx 1.11.2 (Jul 6, 2016)

  • Change: now nginx always uses internal MD5 and SHA1 implementations;
  • the --with-md5 and --with-sha1 configure options were canceled.
  • Feature: variables support in the stream module.
  • Feature: the ngx_stream_map_module.
  • Feature: the ngx_stream_return_module.
  • Feature: a port can be specified in the "proxy_bind", "fastcgi_bind",
  • "memcached_bind", "scgi_bind", and "uwsgi_bind" directives.
  • Feature: now nginx uses the IP_BIND_ADDRESS_NO_PORT socket option
  • when available.
  • Bugfix: a segmentation fault might occur in a worker process when
  • using HTTP/2 and the "proxy_request_buffering" directive.
  • Bugfix: the "Content-Length" request header line was always added to
  • requests passed to backends, including requests without body, when
  • using HTTP/2.
  • Bugfix: "http request count is zero" alerts might appear in logs when
  • using HTTP/2.
  • Bugfix: unnecessary buffering might occur when using the "sub_filter"
  • directive; the issue had appeared in 1.9.4.

New in Nginx 1.11.1 (Jun 1, 2016)

  • Security: a segmentation fault might occur in a worker process while writing a specially crafted request body to a temporary file (CVE-2016-4450); the bug had appeared in 1.3.9.

New in Nginx 1.11.0 (May 25, 2016)

  • Feature: the "transparent" parameter of the "proxy_bind", "fastcgi_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives.
  • Feature: the $request_id variable.
  • Feature: the "map" directive supports combinations of multiple variables as resulting values.
  • Feature: now nginx checks if EPOLLRDHUP events are supported by kernel, and optimizes connection handling accordingly if the "epoll" method is used.
  • Feature: the "ssl_certificate" and "ssl_certificate_key" directives can be specified multiple times to load certificates of different types (for example, RSA and ECDSA).
  • Feature: the "ssl_ecdh_curve" directive now allows specifying a list of curves when using OpenSSL 1.0.2 or newer; by default a list built into OpenSSL is used.
  • Change: to use DHE ciphers it is now required to specify parameters using the "ssl_dhparam" directive.
  • Feature: the $proxy_protocol_port variable.
  • Feature: the $realip_remote_port variable in the ngx_http_realip_module.
  • Feature: the ngx_http_realip_module is now able to set the client port in addition to the address.
  • Change: the "421 Misdirected Request" response now used when rejecting requests to a virtual server different from one negotiated during an SSL handshake; this improves interoperability with some HTTP/2 clients when using client certificates.
  • Change: HTTP/2 clients can now start sending request body immediately; the "http2_body_preread_size" directive controls size of the buffer used before nginx will start reading client request body.
  • Bugfix: cached error responses were not updated when using the "proxy_cache_bypass" directive.

New in Nginx 1.10.0 (Apr 28, 2016)

  • Incorporates new features from the 1.9.x mainline branch - including the stream module, HTTP/2, dynamic modules support and more.

New in Nginx 1.9.15 Development (Apr 20, 2016)

  • Bugfix: "recv() failed" errors might occur when using HHVM as a FastCGI server.
  • Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" directives a timeout or a "client violated flow control" error might occur while reading client request body; the bug had appeared in 1.9.14. Workaround: a response might not be shown by some browsers if HTTP/2 was used and client request body was not fully read; the bug had appeared in 1.9.14.
  • Bugfix:Connections might hang when using the "aio threads" directive. Thanks to Mindaugas Rasiukevicius.

New in Nginx 1.9.14 Development (Apr 6, 2016)

  • Feature: OpenSSL 1.1.0 compatibility.
  • Feature: the "proxy_request_buffering", "fastcgi_request_buffering", scgi_request_buffering", and "uwsgi_request_buffering" directives now work with HTTP/2.
  • Bugfix: "zero size buf in output" alerts might appear in logs when using HTTP/2.
  • Bugfix: the "client_max_body_size" directive might work incorrectly when using HTTP/2.
  • Bugfix: of minor bugs in logging.

New in Nginx 1.9.13 Development (Mar 31, 2016)

  • Change: non-idempotent requests (POST, LOCK, PATCH) are no longer passed to the next server by default if a request has been sent to a backend; the "non_idempotent" parameter of the "proxy_next_upstream" directive explicitly allows retrying such requests.
  • Feature: the ngx_http_perl_module can be built dynamically.
  • Feature: UDP support in the stream module.
  • Feature: the "aio_write" directive.
  • Feature: now cache manager monitors number of elements in caches and tries to avoid cache keys zone overflows.
  • Bugfix: "task already active" and "second aio post" alerts might appear in logs when using the "sendfile" and "aio" directives with subrequests.
  • Bugfix: "zero size buf in output" alerts might appear in logs if caching was used and a client closed a connection prematurely.
  • Bugfix: connections with clients might be closed needlessly if caching was used. Thanks to Justin Li.
  • Bugfix: nginx might hog CPU if the "sendfile" directive was used on Linux or Solaris and a file being sent was changed during sending.
  • Bugfix: connections might hang when using the "sendfile" and "aio threads" directives.
  • Bugfix: in the "proxy_pass", "fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives when using variables. Thanks to Piotr Sikora.
  • Bugfix: in the ngx_http_sub_filter_module.
  • Bugfix: if an error occurred in a cached backend connection, the request was passed to the next server regardless of the proxy_next_upstream directive.
  • Bugfix: "CreateFile() failed" errors when creating temporary files on Windows.

New in Nginx 1.9.12 Development (Feb 25, 2016)

  • Feature: Huffman encoding of response headers in HTTP/2.
  • Feature: the "worker_cpu_affinity" directive now supports more than 64 CPUs.
  • Bugfix: compatibility with 3rd party C++ modules; the bug had appeared in 1.9.11.
  • Bugfix: nginx could not be built statically with OpenSSL on Linux; the bug had appeared in 1.9.11.
  • Bugfix: the "add_header ... always" directive with an empty value did not delete "Last-Modified" and "ETag" header lines from error responses.
  • Workaround: "called a function you should not call" and "shutdown while in init" messages might appear in logs when using OpenSSL 1.0.2f.
  • Bugfix: invalid headers might be logged incorrectly.
  • Bugfix: socket leak when using HTTP/2.
  • Bugfix: in the ngx_http_v2_module.

New in Nginx 1.9.11 Development (Feb 25, 2016)

  • Security: invalid pointer dereference might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause segmentation fault in a worker process (CVE-2016-0742).
  • Security: use-after-free condition might occur during CNAME response processing if the "resolver" directive was used, allowing an attacker who is able to trigger name resolution to cause segmentation fault in a worker process, or might have potential other impact (CVE-2016-0746).
  • Security: CNAME resolution was insufficiently limited if the "resolver" directive was used, allowing an attacker who is able to trigger arbitrary name resolution to cause excessive resource consumption in worker processes (CVE-2016-0747).
  • Feature: the "auto" parameter of the "worker_cpu_affinity" directive.
  • Bugfix: the "proxy_protocol" parameter of the "listen" directive did not work with IPv6 listen sockets.
  • Bugfix: connections to upstream servers might be cached incorrectly when using the "keepalive" directive.
  • Bugfix: proxying used the HTTP method of the original request after an "X-Accel-Redirect" redirection.

New in Nginx 1.9.10 Development (Feb 25, 2016)

  • Bugfix: proxying to unix domain sockets did not work when using variables; the bug had appeared in 1.9.8.

New in Nginx 1.8.1 (Jan 27, 2016)

  • Security: invalid pointer dereference might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause segmentation fault in a worker process (CVE-2016-0742).
  • Security: use-after-free condition might occur during CNAME response processing if the "resolver" directive was used, allowing an attacker who is able to trigger name resolution to cause segmentation fault in a worker process, or might have potential other impact (CVE-2016-0746).
  • Security: CNAME resolution was insufficiently limited if the "resolver" directive was used, allowing an attacker who is able to trigger arbitrary name resolution to cause excessive resource consumption in worker processes (CVE-2016-0747).
  • Bugfix: the "proxy_protocol" parameter of the "listen" directive did not work if not specified in the first "listen" directive for a listen socket.
  • Bugfix: nginx might fail to start on some old Linux variants; the bug had appeared in 1.7.11.
  • Bugfix: a segmentation fault might occur in a worker process if the "try_files" and "alias" directives were used inside a location given by a regular expression; the bug had appeared in 1.7.1.
  • Bugfix: the "try_files" directive inside a nested location given by a regular expression worked incorrectly if the "alias" directive was used in the outer location.
  • Bugfix: "header already sent" alerts might appear in logs when using cache; the bug had appeared in 1.7.5.
  • Bugfix: a segmentation fault might occur in a worker process if different ssl_session_cache settings were used in different virtual servers.
  • Bugfix: the "expires" directive might not work when using variables.
  • Bugfix: if nginx was built with the ngx_http_spdy_module it was possible to use the SPDY protocol even if the "spdy" parameter of the "listen" directive was not specified.

New in Nginx 1.9.9 Development (Dec 10, 2015)

  • Bugfix: proxying to unix domain sockets did not work when using variables; the bug had appeared in 1.9.8.

New in Nginx 1.9.8 Development (Dec 9, 2015)

  • Feature: pwritev() support.
  • Feature: the "include" directive inside the "upstream" block.
  • Feature: the ngx_http_slice_module.
  • Bugfix: a segmentation fault might occur in a worker process when using LibreSSL; the bug had appeared in 1.9.6.
  • Bugfix: nginx could not be built on OS X in some cases.

New in Nginx 1.9.7 Development (Nov 18, 2015)

  • Feature: the "nohostname" parameter of logging to syslog.
  • Feature: the "proxy_cache_convert_head" directive.
  • Feature: the $realip_remote_addr variable in the ngx_http_realip_module.
  • Bugfix: the "expires" directive might not work when using variables.
  • Bugfix: a segmentation fault might occur in a worker process when using HTTP/2; the bug had appeared in 1.9.6.
  • Bugfix: if nginx was built with the ngx_http_v2_module it was possible to use the HTTP/2 protocol even if the "http2" parameter of the "listen" directive was not specified.
  • Bugfix: in the ngx_http_v2_module.

New in Nginx 1.9.6 Development (Oct 31, 2015)

  • Bugfix: a segmentation fault might occur in a worker process when using HTTP/2.
  • Bugfix: the $server_protocol variable was empty when using HTTP/2.
  • Bugfix: backend SSL connections in the stream module might be timed out unexpectedly.
  • Bugfix: a segmentation fault might occur in a worker process if different ssl_session_cache settings were used in different virtual servers.
  • Bugfix: nginx/Windows could not be built with MinGW gcc; the bug had appeared in 1.9.4.
  • Bugfix: time was not updated when the timer_resolution directive was used on Windows.
  • Miscellaneous minor fixes and improvements.

New in Nginx 1.9.5 Development (Sep 23, 2015)

  • mainline version has been released, featuring experimental HTTP/2 module.

New in Nginx 1.9.4 Development (Aug 20, 2015)

  • Change: the "proxy_downstream_buffer" and "proxy_upstream_buffer"directives of the stream module are replaced with the "proxy_buffer_size" directive.
  • Feature: the "tcp_nodelay" directive in the stream module.
  • Feature: multiple "sub_filter" directives can be used simultaneously.
  • Feature: variables support in the search string of the "sub_filter" directive.
  • Workaround: configuration testing might fail under Linux OpenVZ
  • Bugfix: old worker processes might hog CPU after reconfiguration with a large number of worker_connections.
  • Bugfix: a segmentation fault might occur in a worker process if the "try_files" and "alias" directives were used inside a location given by a regular expression; the bug had appeared in 1.7.1.
  • Bugfix: the "try_files" directive inside a nested location given by a regular expression worked incorrectly if the "alias" directive was used in the outer location.
  • Bugfix: in hash table initialization error handling.
  • Bugfix: nginx could not be built with Visual Studio 2015.

New in Nginx 1.9.3 Development (Aug 20, 2015)

  • Change: duplicate "http", "mail", and "stream" blocks are now disallowed.
  • Feature: connection limiting in the stream module.
  • Feature: data rate limiting in the stream module.
  • Bugfix: the "zone" directive inside the "upstream" block did not work on Windows.
  • Bugfix: compatibility with LibreSSL in the stream module.
  • Bugfix: in the "--builddir" configure parameter.
  • Bugfix: the "ssl_stapling_file" directive did not work; the bug had appeared in 1.9.2.
  • Bugfix: a segmentation fault might occur in a worker process if the "ssl_stapling" directive was used; the bug had appeared in 1.9.2.

New in Nginx 1.9.2 Development (Aug 20, 2015)

  • Feature: the "backlog" parameter of the "listen" directives of the mail proxy and stream modules.
  • Feature: the "allow" and "deny" directives in the stream module.
  • Feature: the "proxy_bind" directive in the stream module.
  • Feature: the "proxy_protocol" directive in the stream module.
  • Feature: the -T switch.
  • Feature: the REQUEST_SCHEME parameter added to the fastcgi.conf, fastcgi_params, scgi_params, and uwsgi_params standard configuration files.
  • Bugfix: the "reuseport" parameter of the "listen" directive of the stream module did not work.
  • Bugfix: OCSP stapling might return an expired OCSP response in some cases.

New in Nginx 1.9.1 Development (Aug 20, 2015)

  • Change: now SSLv3 protocol is disabled by default.
  • Change: some long deprecated directives are not supported anymore.
  • Feature: the "reuseport" parameter of the "listen" directive.
  • Thanks to Yingqi Lu at Intel and Sepherosa Ziehau.
  • Feature: the $upstream_connect_time variable.
  • Bugfix: in the "hash" directive on big-endian platforms.
  • Bugfix: nginx might fail to start on some old Linux variants; the bug had appeared in 1.7.11.
  • Bugfix: in IP address parsing.

New in Nginx 1.9.0 Development (Apr 29, 2015)

  • Change: obsolete aio and rtsig event methods have been removed.
  • Feature: the "zone" directive inside the "upstream" block.
  • Feature: the stream module.
  • Feature: byte ranges support in the ngx_http_memcached_module.
  • Feature: shared memory can now be used on Windows versions with address space layout randomization.
  • Feature: the "error_log" directive can now be used on mail and server levels in mail proxy.
  • Bugfix: the "proxy_protocol" parameter of the "listen" directive did not work if not specified in the first "listen" directive for a listen socket.

New in Nginx 1.8.0 (Apr 22, 2015)

  • incorporates many new features from the 1.7.x mainline branch
  • includes hash load balancing method
  • backend SSL certificate verification
  • experimental thread pools support
  • proxy_request_buffering and more.

New in Nginx 1.7.12 Development (Apr 8, 2015)

  • Feature: now the "tcp_nodelay" directive works with backend SSL connections.
  • Feature: now thread pools can be used to read cache file headers.
  • Bugfix: in the "proxy_request_buffering" directive.
  • Bugfix: a segmentation fault might occur in a worker process when using thread pools on Linux.
  • Bugfix: in error handling when using the "ssl_stapling" directive.
  • Bugfix: in the ngx_http_spdy_module.

New in Nginx 1.6.3 (Apr 8, 2015)

  • Feature: now the "tcp_nodelay" directive works with SPDY connections.
  • Bugfix: in error handling.
  • Bugfix: alerts "header already sent" appeared in logs if the "post_action" directive was used; the bug had appeared in 1.5.4.
  • Bugfix: alerts "sem_post() failed" might appear in logs.
  • Bugfix: in hash table handling.
  • Bugfix: in integer overflow handling.

New in Nginx 1.7.11 Development (Mar 25, 2015)

  • experimental thread pools support, proxy_request_buffering and other features.

New in Nginx 1.7.10 Development (Feb 11, 2015)

  • eature: the "use_temp_path" parameter of the "proxy_cache_path", "fastcgi_cache_path", "scgi_cache_path", and "uwsgi_cache_path" directives.
  • Feature: the $upstream_header_time variable.
  • Workaround: now on disk overflow nginx tries to write error logs once a second only.
  • Bugfix: the "try_files" directive did not ignore normal files while testing directories.
  • Bugfix: alerts "sendfile() failed" if the "sendfile" directive was used on OS X; the bug had appeared in 1.7.8.
  • Bugfix: alerts "sem_post() failed" might appear in logs.
  • Bugfix: nginx could not be built with musl libc.
  • Bugfix: nginx could not be built on Tru64 UNIX.

New in Nginx 1.7.9 Development (Dec 27, 2014)

  • Feature: variables support in the "proxy_cache", "fastcgi_cache", "scgi_cache", and "uwsgi_cache" directives.
  • Feature: variables support in the "expires" directive.
  • Feature: loading of secret keys from hardware tokens with OpenSSL engines.
  • Feature: the "autoindex_format" directive.
  • Bugfix: cache revalidation is now only used for responses with 200 and 206 status codes.
  • Bugfix: the "TE" client request header line was passed to backends while proxying.
  • Bugfix: the "proxy_pass", "fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives might not work correctly inside the "if" and "limit_except" blocks.
  • Bugfix: the "proxy_store" directive with the "on" parameter was ignored if the "proxy_store" directive with an explicitly specified file path was used on a previous level.
  • Bugfix: nginx could not be built with BoringSSL.

New in Nginx 1.7.8 Development (Dec 2, 2014)

  • Change: now the "If-Modified-Since", "If-Range", etc. client request header lines are passed to a backend while caching if nginx knows in advance that the response will not be cached (e.g., when using proxy_cache_min_uses).
  • Change: now after proxy_cache_lock_timeout nginx sends a request to a backend with caching disabled; the new directives "proxy_cache_lock_age", "fastcgi_cache_lock_age", "scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time after which the lock will be released and another attempt to cache a response will be made.
  • Change: the "log_format" directive can now be used only at http level.
  • Feature: the "proxy_ssl_certificate", "proxy_ssl_certificate_key", "proxy_ssl_password_file", "uwsgi_ssl_certificate", "uwsgi_ssl_certificate_key", and "uwsgi_ssl_password_file" directives.
  • Feature: it is now possible to switch to a named location using "X-Accel-Redirect".
  • Feature: now the "tcp_nodelay" directive works with SPDY connections.
  • Feature: new directives in vim syntax highliting scripts.
  • Bugfix: nginx ignored the "s-maxage" value in the "Cache-Control" backend response header line.
  • Bugfix: in the ngx_http_spdy_module.
  • Bugfix: in the "ssl_password_file" directive when using OpenSSL 0.9.8zc, 1.0.0o, 1.0.1j.
  • Bugfix: alerts "header already sent" appeared in logs if the "post_action" directive was used; the bug had appeared in 1.5.4.
  • Bugfix: alerts "the http output chain is empty" might appear in logs if the "postpone_output 0" directive was used with SSI includes.
  • Bugfix: in the "proxy_cache_lock" directive with SSI subrequests.

New in Nginx 1.6.2 (Oct 28, 2014)

  • Security: it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple "server" blocks (CVE-2014-3616).
  • Bugfix: requests might hang if resolver was used and a DNS server returned a malformed response; the bug had appeared in 1.5.8.
  • Bugfix: requests might hang if resolver was used and a timeout occurred during a DNS request.

New in Nginx 1.7.7 Development (Oct 28, 2014)

  • Change: now nginx takes into account the "Vary" header line in a backend response while caching.
  • Feature: the "proxy_force_ranges", "fastcgi_force_ranges", "scgi_force_ranges", and "uwsgi_force_ranges" directives.
  • Feature: the "proxy_limit_rate", "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate" directives.
  • Feature: the "Vary" parameter of the "proxy_ignore_headers", "fastcgi_ignore_headers", "scgi_ignore_headers", and "uwsgi_ignore_headers" directives.
  • Bugfix: the last part of a response received from a backend with unbufferred proxy might not be sent to a client if "gzip" or "gunzip" directives were used.
  • Bugfix: in the "proxy_cache_revalidate" directive.
  • Bugfix: in error handling.
  • Bugfix: in the "proxy_next_upstream_tries" and "proxy_next_upstream_timeout" directives.
  • Bugfix: nginx/Windows could not be built with MinGW-w64 gcc.

New in Nginx 1.7.6 Development (Sep 30, 2014)

  • Change: the deprecated "limit_zone" directive is not supported anymore.
  • Feature: the "limit_conn_zone" and "limit_req_zone" directives now can be used with combinations of multiple variables.
  • Bugfix: request body might be transmitted incorrectly when retrying a FastCGI request to the next upstream server.
  • Bugfix: in logging to syslog.

New in Nginx 1.7.5 Development (Sep 30, 2014)

  • Security: it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple "server" blocks (CVE-2014-3616).
  • Change: now the "stub_status" directive does not require a parameter.
  • Feature: the "always" parameter of the "add_header" directive.
  • Feature: the "proxy_next_upstream_tries", "proxy_next_upstream_timeout", "fastcgi_next_upstream_tries", "fastcgi_next_upstream_timeout", "memcached_next_upstream_tries", "memcached_next_upstream_timeout", "scgi_next_upstream_tries", "scgi_next_upstream_timeout", "uwsgi_next_upstream_tries", and "uwsgi_next_upstream_timeout" directives.
  • Bugfix: in the "if" parameter of the "access_log" directive.
  • Bugfix: in the ngx_http_perl_module.
  • Bugfix: the "listen" directive of the mail proxy module did not allow to specify more than two parameters.
  • Bugfix: the "sub_filter" directive did not work with a string to replace consisting of a single character.
  • Bugfix: requests might hang if resolver was used and a timeout occurred during a DNS request.
  • Bugfix: in the ngx_http_spdy_module when using with AIO.
  • Bugfix: a segmentation fault might occur in a worker process if the "set" directive was used to change the "$http_...", "$sent_http_...", or "$upstream_http_..." variables.
  • Bugfix: in memory allocation error handling.

New in Nginx 1.7.4 Development (Aug 14, 2014)

  • ) Security: pipelined commands were not discarded after STARTTLS command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.
  • Change: URI escaping now uses uppercase hexadecimal digits.
  • Feature: now nginx can be build with BoringSSL and LibreSSL.
  • Bugfix: requests might hang if resolver was used and a DNS server returned a malformed response; the bug had appeared in 1.5.8.
  • Bugfix: in the ngx_http_spdy_module.
  • Bugfix: the $uri variable might contain garbage when returning errors with code 400.
  • Bugfix: in error handling in the "proxy_store" directive and the ngx_http_dav_module.
  • Bugfix: a segmentation fault might occur if logging of errors to syslog was used; the bug had appeared in 1.7.1.
  • Bugfix: the $geoip_latitude, $geoip_longitude, $geoip_dma_code, and $geoip_area_code variables might not work.
  • Bugfix: in memory allocation error handling.

New in Nginx 1.6.1 (Aug 14, 2014)

  • Security: pipelined commands were not discarded after STARTTLS command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.
  • Bugfix: the $uri variable might contain garbage when returning errors with code 400.
  • Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug had appeared in 1.5.6.

New in Nginx 1.7.3 Development (Jul 9, 2014)

  • Feature: weak entity tags are now preserved on response modifications, and strong ones are changed to weak.
  • Feature: cache revalidation now uses If-None-Match header if possible.
  • Feature: the "ssl_password_file" directive.
  • Bugfix: the If-None-Match request header line was ignored if there was no Last-Modified header in a response returned from cache.
  • Bugfix: "peer closed connection in SSL handshake" messages were logged at "info" level instead of "error" while connecting to backends.
  • Bugfix: in the ngx_http_dav_module module in nginx/Windows.
  • Bugfix: SPDY connections might be closed prematurely if caching was used.

New in Nginx 1.7.2 Development (Jun 17, 2014)

  • Feature: the "hash" directive inside the "upstream" block.
  • Feature: defragmentation of free shared memory blocks.
  • Bugfix: a segmentation fault might occur in a worker process if the default value of the "access_log" directive was used; the bug had appeared in 1.7.0.
  • Bugfix: trailing slash was mistakenly removed from the last parameter of the "try_files" directive.
  • Bugfix: in the ngx_http_spdy_module.

New in Nginx 1.7.1 Development (May 27, 2014)

  • Feature: the "$upstream_cookie_..." variables.
  • Feature: the $ssl_client_fingerprint variable.
  • Feature: the "error_log" and "access_log" directives now support logging to syslog.
  • Feature: the mail proxy now logs client port on connect.
  • Bugfix: memory leak if the "ssl_stapling" directive was used
  • Bugfix: the "alias" directive used inside a location given by a regular expression worked incorrectly if the "if" or "limit_except" directives were used.
  • Bugfix: the "charset" directive did not set a charset to encoded backend responses.
  • Bugfix: a "proxy_pass" directive without URI part might use original request after the $args variable was set.
  • Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug had appeared in 1.5.6
  • Bugfix: if sub_filter and SSI were used together, then responses might be transferred incorrectly.

New in Nginx 1.7.0 Development (May 27, 2014)

  • Feature: backend SSL certificate verification.
  • Feature: support for SNI while working with SSL backends.
  • Feature: the $ssl_server_name variable.
  • Feature: the "if" parameter of the "access_log" directive.

New in Nginx 1.5.13 Development (Apr 16, 2014)

  • Change: improved hash table handling; the default values of the "variables_hash_max_size" and "types_hash_bucket_size" were changed to 1024 and 64 respectively.
  • Feature: the ngx_http_mp4_module now supports the "end" argument.
  • Feature: byte ranges support in the ngx_http_mp4_module and while saving responses to cache.
  • Bugfix: alerts "ngx_slab_alloc() failed: no memory" no longer logged when using shared memory in the "ssl_session_cache" directive and in the ngx_http_limit_req_module.
  • Bugfix: the "underscores_in_headers" directive did not allow underscore as a first character of a header.
  • Bugfix: cache manager might hog CPU on exit in nginx/Windows.
  • Bugfix: nginx/Windows terminated abnormally if the "ssl_session_cache" directive was used with the "shared" parameter.
  • Bugfix: in the ngx_http_spdy_module.

New in Nginx 1.5.12 Development (Apr 16, 2014)

  • Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_spdy_module, potentially resulting in arbitrary code execution (CVE-2014-0133).
  • Feature: the "proxy_protocol" parameters of the "listen" and "real_ip_header" directives, the $proxy_protocol_addr variable.
  • Bugfix: in the "fastcgi_next_upstream" directive.

New in Nginx 1.4.7 (Apr 16, 2014)

  • Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_spdy_module, potentially resulting in arbitrary code execution (CVE-2014-0133).
  • Bugfix: in the "fastcgi_next_upstream" directive.

New in Nginx 1.5.11 Development (Apr 16, 2014)

  • Security: memory corruption might occur in a worker process on 32-bit platforms while handling a specially crafted request by ngx_http_spdy_module, potentially resulting in arbitrary code execution (CVE-2014-0088); the bug had appeared in 1.5.10.
  • Feature: the $ssl_session_reused variable.
  • Bugfix: the "client_max_body_size" directive might not work when reading a request body using chunked transfer encoding; the bug had appeared in 1.3.9.
  • Bugfix: a segmentation fault might occur in a worker process when proxying WebSocket connections.
  • Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used on 32-bit platforms; the bug had appeared in 1.5.10.
  • Bugfix: the $upstream_status variable might contain wrong data if the "proxy_cache_use_stale" or "proxy_cache_revalidate" directives were used.
  • Bugfix: a segmentation fault might occur in a worker process if errors with code 400 were redirected to a named location using the "error_page" directive.
  • Bugfix: nginx/Windows could not be built with Visual Studio 2013.

New in Nginx 1.4.6 (Apr 16, 2014)

  • Bugfix: the "client_max_body_size" directive might not work when reading a request body using chunked transfer encoding; the bug had appeared in 1.3.9.
  • Bugfix: a segmentation fault might occur in a worker process when proxying WebSocket connections.

New in Nginx 1.4.5 (Apr 16, 2014)

  • Bugfix: the $ssl_session_id variable contained full session serialized instead of just a session id.
  • Bugfix: client connections might be immediately closed if deferred accept was used; the bug had appeared in 1.3.15.
  • Bugfix: alerts "zero size buf in output" might appear in logs while proxying; the bug had appeared in 1.3.9.
  • Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used.
  • Bugfix: proxied WebSocket connections might hang right after handshake if the select, poll, or /dev/poll methods were used.
  • Bugfix: a timeout might occur while reading client request body in an SSL connection using chunked transfer encoding.
  • Bugfix: memory leak in nginx/Windows.

New in Nginx 1.5.10 Development (Apr 16, 2014)

  • Feature: the ngx_http_spdy_module now uses SPDY 3.1 protocol.
  • Feature: the ngx_http_mp4_module now skips tracks too short for a seek requested.
  • Bugfix: a segmentation fault might occur in a worker process if the $ssl_session_id variable was used in logs; the bug had appeared in 1.5.9.
  • Bugfix: the $date_local and $date_gmt variables used wrong format outside of the ngx_http_ssi_filter_module.
  • Bugfix: client connections might be immediately closed if deferred accept was used; the bug had appeared in 1.3.15.
  • Bugfix: alerts "getsockopt(TCP_FASTOPEN) ... failed" appeared in logs during binary upgrade on Linux; the bug had appeared in 1.5.8.

New in Nginx 1.5.9 Development (Apr 16, 2014)

  • Change: now nginx expects escaped URIs in "X-Accel-Redirect" headers.
  • Feature: the "ssl_buffer_size" directive.
  • Feature: the "limit_rate" directive can now be used to rate limit responses sent in SPDY connections.
  • Feature: the "spdy_chunk_size" directive.
  • Feature: the "ssl_session_tickets" directive.
  • Bugfix: the $ssl_session_id variable contained full session serialized instead of just a session id.
  • Bugfix: nginx incorrectly handled escaped "?" character in the "include" SSI command.
  • Bugfix: the ngx_http_dav_module did not unescape destination URI of the COPY and MOVE methods.
  • Bugfix: resolver did not understand domain names with a trailing dot.
  • Bugfix: alerts "zero size buf in output" might appear in logs while proxying; the bug had appeared in 1.3.9.
  • Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used.
  • Bugfix: proxied WebSocket connections might hang right after handshake if the select, poll, or /dev/poll methods were used.
  • Bugfix: the "xclient" directive of the mail proxy module incorrectly handled IPv6 client addresses.

New in Nginx 1.4.4 (Apr 16, 2014)

  • Security: a character following an unescaped space in a request line was handled incorrectly (CVE-2013-4547); the bug had appeared in 0.8.41.

New in Nginx 1.4.3 (Apr 16, 2014)

  • Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used with the "client_body_in_file_only" directive.
  • Bugfix: a segmentation fault might occur on start or during reconfiguration if the "try_files" directive was used with an empty parameter.
  • Bugfix: the $request_time variable did not work in nginx/Windows.
  • Bugfix: in the ngx_http_auth_basic_module when using "$apr1$" password encryption method.
  • Bugfix: in the ngx_http_autoindex_module.
  • Bugfix: in the mail proxy server.

New in Nginx 1.4.2 (Apr 16, 2014)

  • Bugfix: the $r->header_in() embedded perl method did not return value of the "Cookie" and "X-Forwarded-For" request header lines; the bug had appeared in 1.3.14.
  • Bugfix: nginx could not be built with the ngx_mail_ssl_module, but without ngx_http_ssl_module; the bug had appeared in 1.3.14.
  • Bugfix: in the "proxy_set_body" directive.
  • Bugfix: the "fail_timeout" parameter of the "server" directive in the "upstream" context might not work if "max_fails" parameter was used; the bug had appeared in 1.3.0.
  • Bugfix: a segmentation fault might occur in a worker process if the "ssl_stapling" directive was used.
  • Bugfix: nginx/Windows might stop accepting connections if several worker processes were used.

New in Nginx 1.5.1 Development (Jun 8, 2013)

  • Feature: the "ssi_last_modified", "sub_filter_last_modified", and "xslt_last_modified" directives.
  • Feature: the "http_403" parameter of the "proxy_next_upstream", "fastcgi_next_upstream", "scgi_next_upstream", and "uwsgi_next_upstream" directives.
  • Feature: the "allow" and "deny" directives now support unix domain sockets.
  • Bugfix: nginx could not be built with the ngx_mail_ssl_module, but without ngx_http_ssl_module; the bug had appeared in 1.3.14.
  • Bugfix: in the "proxy_set_body" directive.
  • Bugfix: in the "lingering_time" directive.
  • Bugfix: the "fail_timeout" parameter of the "server" directive in the "upstream" context might not work if "max_fails" parameter was used; the bug had appeared in 1.3.0.
  • Bugfix: a segmentation fault might occur in a worker process if "ssl_stapling" directive was used.
  • Bugfix: in the mail proxy server.
  • Bugfix: nginx/Windows might stop accepting connections if several worker processes were used.

New in Nginx 1.4.1 (Jun 8, 2013)

  • Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9.

New in Nginx 1.3.15 Development (Mar 27, 2013)

  • Change: opening and closing a connection without sending any data in it is no longer logged to access_log with 400 error code.
  • Feature: the ngx_http_spdy_module.
  • Feature: the "limit_req_status" and "limit_conn_status" directives.
  • Feature: the "image_filter_interlace" directive.
  • Feature: $connections_waiting variable in the ngx_http_stub_status_module.
  • Feature: the mail proxy module now supports IPv6 backends.
  • Bugfix: request body might be transmitted incorrectly when retrying a request to a next upstream server; the bug had appeared in 1.3.9.
  • Bugfix: in the "client_body_in_file_only" directive; the bug had appeared in 1.3.9.
  • Bugfix: responses might hang if subrequests were used and a DNS error happened during subrequest processing.
  • Bugfix: in backend usage accounting.

New in Nginx 1.3.13 Development (Feb 20, 2013)

  • Change: a compiler with name "cc" is now used by default.
  • Feature: support for proxying of WebSocket connections.
  • Feature: the "auth_basic_user_file" directive supports "{SHA}" password encryption method.

New in Nginx 1.2.7 (Feb 20, 2013)

  • Change: now if the "include" directive with mask is used on Unix systems, included files are sorted in alphabetical order.
  • Change: the "add_header" directive adds headers to 201 responses.
  • Feature: the "geo" directive now supports IPv6 addresses in CIDR notation.
  • Feature: the "flush" and "gzip" parameters of the "access_log" directive.
  • Feature: variables support in the "auth_basic" directive.
  • Feature: the $pipe, $request_length, $time_iso8601, and $time_local variables can now be used not only in the "log_format" directive.
  • Feature: IPv6 support in the ngx_http_geoip_module.
  • Bugfix: nginx could not be built with the ngx_http_perl_module in some cases.
  • Bugfix: a segmentation fault might occur in a worker process if the ngx_http_xslt_module was used.
  • Bugfix: nginx could not be built on MacOSX in some cases.
  • Bugfix: the "limit_rate" directive with high rates might result in truncated responses on 32-bit platforms.
  • Bugfix: a segmentation fault might occur in a worker process if the "if" directive was used.
  • Bugfix: a "100 Continue" response was issued with "413 Request Entity Too Large" responses.
  • Bugfix: the "image_filter", "image_filter_jpeg_quality" and "image_filter_sharpen" directives might be inherited incorrectly.
  • Bugfix: "crypt_r() failed" errors might appear if the "auth_basic" directive was used on Linux.
  • Bugfix: in backup servers handling.
  • Bugfix: proxied HEAD requests might return incorrect response if the "gzip" directive was used.
  • Bugfix: a segmentation fault occurred on start or during reconfiguration if the "keepalive" directive was specified more than once in a single upstream block.
  • Bugfix: in the "proxy_method" directive.
  • Bugfix: a segmentation fault might occur in a worker process if resolver was used with the poll method.
  • Bugfix: nginx might hog CPU during SSL handshake with a backend if the select, poll, or /dev/poll methods were used.
  • Bugfix: the "[crit] SSL_write() failed (SSL:)" error.
  • Bugfix: in the "fastcgi_keep_conn" directive.

New in Nginx 1.3.8 Development (Oct 30, 2012)

  • Feature: the "optional_no_ca" parameter of the "ssl_verify_client" directive.
  • Feature: the $bytes_sent, $connection, and $connection_requests variables can now be used not only in the "log_format" directive.
  • Feature: the "auto" parameter of the "worker_processes" directive.
  • Bugfix: "cache file ... has md5 collision" alert.
  • Bugfix: in the ngx_http_gunzip_filter_module.
  • Bugfix: in the "ssl_stapling" directive.

New in Nginx 1.2.4 (Oct 30, 2012)

  • Bugfix: in the "limit_req" directive; the bug had appeared in 1.1.14.
  • Bugfix: nginx could not be built by gcc 4.7 with -O2 optimization if the --with-ipv6 option was used.
  • Bugfix: a segmentation fault might occur in a worker process if the "map" directive was used with variables as values.
  • Bugfix: a segmentation fault might occur in a worker process if the "geo" directive was used with the "ranges" parameter but without the "default" parameter; the bug had appeared in 0.8.43.
  • Bugfix: in the -p command-line parameter handling.
  • Bugfix: in the mail proxy server.
  • Bugfix: of minor potential bugs.
  • Bugfix: nginx/Windows could not be built with Visual Studio 2005 Express.

New in Nginx 0.8.42 Dev (Jun 22, 2010)

  • Change: now nginx tests locations given by regular expressions, if request was matched exactly by a location given by a prefix string. The previous behavior has been introduced in 0.7.1.
  • Feature: the ngx_http_scgi_module. Thanks to Manlio Perillo.
  • Feature: a text answer may be added to a "return" directive.