nginx 1.30.0 Upstream Changes Explained

Summary
– Keepalive connections to upstream servers are now enabled by default, establishing persistent backend connections without explicit configuration.
– nginx can now speak HTTP/2 to upstream servers, a new capability that ships alongside related fixes for caching and control-frame handling.
– Support for Encrypted ClientHello (ECH) is added, which encrypts the TLS ClientHello to hide the server name indication from observers.
– The release introduces support for the 103 Early Hints status code, allowing nginx to send preliminary response headers to clients.
– New features include sticky session support for load balancing, Multipath TCP (MPTCP) support, and a new `max_headers` directive for request control.
nginx 1.30.0, the latest stable release, consolidates a significant set of features and improvements from the preceding mainline branch. The update delivers enhancements across protocol support, security, and configuration, giving system administrators new tools for performance, privacy, and resilience.
A major operational shift is the new default behavior for keepalive connections to upstream servers. Previously this required explicit configuration; nginx now enables persistent backend connections automatically when the proxy module is used with the HTTP version set to 1.1. This change streamlines deployments and can reduce connection overhead.
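The explicit upstream keepalive configuration that older releases required, as an added example (not from the article or the nginx project; upstream name, addresses, hostname and certificate paths are placeholders). Keeping it explicit documents the intent and makes configuration behave the same on builds before and after 1.30.0:

```nginx
# Added example, not from the article or the nginx project.
# Explicit upstream keepalive as required before 1.30.0; the article states
# 1.30.0 enables this by default when the proxy module uses HTTP/1.1.
upstream app_backend {                # "app_backend" and the addresses are placeholders
    server 10.0.0.11:8080;
    server 10.0.0.12:8080;

    # Idle connections each worker process keeps open to this upstream.
    keepalive 32;
    # Recycle pooled connections after a bounded number of requests and idle
    # time, so a misbehaving backend cannot leave stale sockets in the pool.
    keepalive_requests 1000;
    keepalive_timeout 60s;
}

server {
    listen 443 ssl;
    server_name example.com;                              # placeholder
    ssl_certificate     /etc/nginx/certs/example.crt;     # placeholder paths
    ssl_certificate_key /etc/nginx/certs/example.key;

    location / {
        proxy_pass http://app_backend;
        # HTTP/1.1 is a prerequisite for keepalive; HTTP/1.0 closes after each request.
        proxy_http_version 1.1;
        # Clear the client's Connection header (typically "close") so it is not
        # forwarded to the backend and does not tear down the pooled connection.
        proxy_set_header Connection "";
    }
}
```

Two checks worth doing when pooled connections appear: the backend's own idle timeout should be longer than `keepalive_timeout` here, otherwise the backend can close a socket nginx is about to reuse and the request fails with an upstream error; and `nginx -t` will confirm the directives are accepted by the installed build.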
For backend communication, nginx now supports HTTP/2 to upstream servers. This removes a previous limitation where upstream traffic was confined to HTTP/1.x protocols, regardless of the client-side connection. The release also addresses related behavior with caching and control frame handling during reinitialization.
Enhancing connection privacy, version 1.30.0 introduces support for Encrypted ClientHello (ECH). This feature encrypts the TLS ClientHello message, shielding the server name indication (SNI) from plaintext observation during the initial handshake. The implementation works with the ECH API provided by OpenSSL.
Performance for end-users gets a boost with official support for the 103 Early Hints status code. This allows nginx to send preliminary response headers to clients before receiving the complete payload from an upstream server, enabling browsers to start preloading resources sooner. Fixes ensure proper handling over HTTP/2 and for multiple early hint responses.
Load balancing capabilities are expanded with the addition of sticky session support. This long-requested feature enables nginx to direct subsequent requests from a client to the same backend server, which is crucial for maintaining state in applications not designed for distributed sessions.
Network resilience and throughput can improve with new Multipath TCP (MPTCP) support. MPTCP allows a single TCP connection to utilize multiple network paths concurrently, offering potential benefits in environments with several available interfaces.
Several updates focus on TLS and certificates. Builds using OpenSSL or BoringSSL now support TLS certificate compression. The release adds new SSL variables for inspecting signature algorithms, introduces SSL key loading via OSSL_STORE, and includes compatibility with OpenSSL 4.0 and AWS-LC. The OpenSSL 3.5 QUIC API is present but remains disabled by default.
A new max_headers directive gives administrators a configurable limit on the number of request headers nginx will accept. This offers a useful control point for mitigating certain types of abusive or malformed requests aimed at upstream applications.
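A server configuration combining the request-header limit described above with the 103 Early Hints support from earlier in the article, as an added example (not from the article or the nginx project). The hostname, certificate paths and backend address are placeholders, and the exact form of `max_headers` (a single numeric argument in the `http` context) is an assumption, since the article names the directive but not its syntax:

```nginx
# Added example, not from the article or the nginx project.
http {
    # Assumed syntax: reject requests carrying more than 64 header fields.
    # 64 is an illustrative value; size it to what your applications legitimately
    # send. This counts fields; large_client_header_buffers bounds bytes, so the
    # two are complementary controls against header floods and oversized requests.
    max_headers 64;
    large_client_header_buffers 4 16k;

    server {
        listen 443 ssl;
        http2 on;
        server_name example.com;                              # placeholder
        ssl_certificate     /etc/nginx/certs/example.crt;     # placeholder paths
        ssl_certificate_key /etc/nginx/certs/example.key;

        # Forward 103 Early Hints from the backend only to HTTP/2 clients:
        # the condition is non-empty when $http2 is set, and HTTP/1.x user
        # agents are the ones most likely to mishandle informational responses.
        early_hints $http2;

        location / {
            proxy_pass http://127.0.0.1:8080;                 # placeholder backend
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }
    }
}
```

When tuning `max_headers`, watch the access and error logs after deployment for legitimate clients being rejected, since some frameworks and tracing stacks add many custom headers; the limit should sit above normal traffic and well below what a flood would send.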
(Source: Help Net Security)