We’re happy to announce the availability of NGINX Plus Release 30 (R30). Based on NGINX Open Source, NGINX Plus is the only all-in-one software web server, load balancer, reverse proxy, content cache, and API gateway.
New and enhanced features in NGINX Plus R30 include:
- Native support for QUIC+HTTP/3 – NGINX Plus now has official support for HTTP/3. The implementation does not depend on third-party libraries to provide the missing OpenSSL TLS functionality required to deliver HTTP/3 support over QUIC protocol. It uses an OpenSSL Compatibility Layer developed by the NGINX team to circumvent the challenges with QUIC TLS interfaces that are not supported by OpenSSL.
- Per-worker connection telemetry – Monitoring connections at a per-worker level is now supported. This enables users to fine tune NGINX performance by regulating the number of worker processes and effectively distributing connections amongst workers for optimal performance.
- Diagnostic package – The NGINX diagnostic package collects all data required for troubleshooting issues in a single compressed file. This improves communication between NGINX Plus users and F5 Support, increasing efficiency and reducing the turnaround time for issue resolution.
Rounding out the release are new features and bug fixes inherited from NGINX Open Source and updates to the NGINX JavaScript module.
Important Changes in Behavior
Note: If you are upgrading from a release other than NGINX Plus R29, be sure to check the Important Changes in Behavior section in previous announcement blogs for all releases between your current version and this one.
Deprecation of listen … http2 directive
The listen … http2 directive has been deprecated in NGINX 1.25.1. NGINX configuration check using nginx -t gives a warning to that effect.
nginx -t
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in etc/nginx/nginx.conf :15
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successfulAll existing users of this directive are strongly advised to upgrade NGINX and use the http2 directive, which enables HTTP/2 on a per-server basis.
Change this:
listen 443 ssl http2;To this:
listen 443 ssl;
http2 on;Nonavailability of GeoIP2 Module on Amazon Linux 2
Previous versions of NGINX Plus used the “libmaxminddb” library from the Amazon Linux 2 EPEL repository to build the GeoIP2 module. The EPEL repository no longer provides this library, nor is it accessible natively from the Amazon Linux 2 distribution. Therefore, the module is no longer available in NGINX Plus R30 as there is no feasible way to build it for Amazon Linux 2.
Changes to MQTT Directives
The mqtt_rewrite_buffer_size directive, which is used for specifying the size of buffer to construct MQTT messages, has been superseded by the mqtt_buffers directive. The new directive allows for specifying the number of buffers that can be allocated per connection, along with specifying the size of each buffer.
Updated API Version
The version number of the NGINX Plus API has been updated from 8 to 9 to reflect the addition of the per-worker metrics described in Per-Worker Connection Telemetry. Previous version numbers still work, but the output doesn’t include metrics added in later API versions.
Changes to Platform Support
New operating systems supported:
- Debian 12
- Alpine 3.18
Older operating systems removed:
- Alpine 3.14, which reached end-of-life (EOL) on May 1, 2023
- Ubuntu 18.04, which reached EOL on April 26, 2023
Older operating systems deprecated and scheduled for removal in NGINX Plus R31:
- Alpine 3.15, which will reach EOL in November 2023
New Features in Detail
Native Support for QUIC+HTTP/3
HTTP/3 over QUIC has been a highly anticipated feature requested by many of our enterprise customers, and we are delighted to officially introduce it in NGINX Plus R30. This is a new technology and implementation that we will continue to focus on in future releases. We advise NGINX Plus users to first try it out in a non-production environment and share any valuable feedback with us.
NGINX Plus relies on OpenSSL for secure communication and cryptographic functionality, making use of the SSL/TLS libraries that ship with operating systems. However, because QUIC’s TLS interfaces are not supported by OpenSSL at the time of this release, third-party libraries are needed to provide for the missing TLS functionality required by HTTP/3.
To address this concern, the NGINX team developed an OpenSSL Compatibility Layer, removing the need to build and ship third-party TLS libraries like quictls, BoringSSL, and LibreSSL. This helps manage the end-to-end QUIC+HTTP/3 experience in NGINX without the burden of a custom TLS implementation nor the dependency on schedules and roadmaps of third-party libraries. We plan to enhance the OpenSSL Compatibility Layer in future releases with more features and options, such as support for 0-RTT.
Here is the QUIC+HTTP/3 configuration:
http {
log_format quic '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$http3"';
access_log logs/access.log quic;
server {
# for better compatibility it's recommended
# to use the same port for quic and https
listen 8443 quic reuseport;
listen 8443 ssl;
ssl_certificate certs/example.com.crt;
ssl_certificate_key certs/example.com.key;
location / {
# required for browsers to direct them into quic port
add_header Alt-Svc 'h3=":8443"; ma=86400';
}
}
}The QUIC+HTTP/3 support in NGINX Plus R30 is available as a single binary – unlike the experimental HTTP/3 support introduced in NGINX Plus R29, which had a separate binary for nginx quic. This improvement makes it easier to deploy the functionality in your environment.
Note: With NGINX Plus R30, we’re ending support and updates for the standalone QUIC binary and plan to remove it as a download option later this year.
Per-Worker Connection Telemetry
NGINX Plus users are now able to monitor total connections per-worker process to adequately tune the worker_connections directive. This improvement gives users better visibility into how connections are distributed amongst workers. Being able to tune worker connections also helps you better assess your NGINX deployment.
The per-worker connection metrics are available over REST API. To retrieve per-worker connection metrics, use the …/api/9/workers endpoint.
To retrieve per-worker connection metrics for an individual worker, use the .../api/9/workers/<worker id> endpoint. The worker id has a 0-based index.
Here is a sample response:
{
{
"id": 0,
"pid": 2346,
"connections": {
"accepted": 1,
"dropped": 0,
"active": 1,
"idle": 0
},
"http": {
"requests": {
"total": 15,
"current": 1
}
}
},
{
"id": 1,
"pid": 1234,
"connections": {
"accepted": 3,
"dropped": 0,
"active": 1,
"idle": 0
},
"http": {
"requests": {
"total": 15,
"current": 1
}
}
},
...
}The per-worker connection metrics are available in the NGINX Plus Live Activity Monitoring Dashboard, as shown below. Access a live demo of this feature at demo.nginx.com.
The dashboard shows the information below about NGINX Plus connections and requests.
Connections:
- Accepted connections per worker
- Active connections per worker
- Idle connections per worker
- Dropped connections per worker
Requests:
- Current requests per worker
- Total requests per worker
- Requests/sec per worker
Diagnostic Package
To reduce turnaround time for issue resolution, the diagnostic package streamlines the process of collecting the data required to troubleshoot issues in your NGINX environment. The diagnostic package also helps avoid discrepancies and delays associated wi th the manual requesting and collecting of information needed to troubleshoot issues, making the interaction between NGINX Plus customers and F5 Support more efficient.
The diagnostic package collects:
- NGINX information – NGINX Plus version, configs, process information, third-party modules, logs, and API stats and endpoints
- System information – Host commands (
ps,lsof,vmstat, etc.) - Service information –
systemd, etc. - NGINX Agent – Logs and configs (if present)
- NGINX App Protect – Logs and configs (if present)
- Support package log – Log containing a list of all files collected
Our goal with the addition of the diagnostic package is to be transparent with users about what commands the script within the package runs and what data is being collected. Refer to the NGINX Plus Diagnostic Package page (link forthcoming, in the meantime you can download the script by clicking here.)
Note: The availability of the diagnostic package is being announced as part of the current NGINX Plus R30 release, however the diagnostic package is not actually release dependent. Going forward, we plan to update it based on feedback from you and F5 Support with the intent of improving the troubleshooting data collection process.
Other Enhancements in NGINX Plus R30
MQTT Optimizations
With memory consumption improvements made to the Message Queuing Telemetry Transport (MQTT) filter module, there is now a 4-5x increase in throughput.
The directive mqtt_rewrite_buffer_size has been removed. Instead, the new directive mqtt_buffers <num> <size> has been introduced to specify how many buffers the module may allocate per connection, along with the size of each buffer. The default number of buffers is 100 and the default size of each buffer is 1024 bytes, which makes the default value of the variable mqtt_buffers <100> <1024>.
DNS Reload Optimizations
NGINX Plus now preserves DNS name expiry times for dynamically resolved upstream hosts across reloads, removing the need for re-resolution on configuration reload. Before this update, DNS resolutions were triggered for all upstreams. With this update, NGINX preserves DNS resolutions and expiry times for all upstreams and triggers DNS resolutions only for new or changed upstreams on reload.
This optimization will be most impactful for NGINX environments containing a large number of upstream hosts. If you have 100 or more upstream hosts in your NGINX configuration, the optimizations would be most evident.
Changes Inherited from NGINX Open Source
NGINX Plus R30 is based on NGINX Open Source 1.25.1 and inherits functional changes, features, and bug fixes made since NGINX Plus R29 was released (in NGINX 1.25.0 and 1.25.1).
Changes
- HTTP/2 server push support has been removed. HTTP/2
server_pushhad minimal adoption and could only be used in very limited use cases. (As per IETF 102 reference documentation, it was used in just 0.04% of sessions. As per RFC 913 it was “difficult to be used effectively.”) HTTP/2 server push was disabled in Chrome version 106. As part of this change, thehttp2_push,http2_push_preload, andhttp2_max_concurrent_pushesdirectives have been made obsolete.
- The deprecated
ssldirective is no longer supported. Thessldirective was deprecated in NGINX 1.15.0 and replaced by thesslparameter of the listen directive. The deprecated ssl directive has now been removed.
- As mentioned above, the
listen … http2directive is deprecated. Users are advised to use thehttp2directive instead. - For SSL connections with OpenSSL v1.0.2h or higher, if the HTTP/2 protocol is enabled in the virtual server chosen by a Server Name Identification (SNI), it is automatically selected by the Application Layer Protocol Negotiation (ALPN) callback.
- For older versions of OpenSSL, the HTTP/2 protocol is enabled based on the default virtual server configuration.
- For plain TCP connections, HTTP/2 is now auto-detected by the HTTP/2 preface if it is enabled in the default virtual server. If the preface does not match, HTTP/0.9-1.1 is assumed.
- Support is added for HTTP/2 over Cleartext TCP (h2c) and HTTP/1.1 on the same listening socket. In the existing implementation, if a user configures a h2c listening socket (e.g.,
listen port_num http2) only HTTP/2 connections can be created. An h2 listening socket supports both HTTP/1.1 and HTTP/2 with negotiation of protocol via ALPN. However, in the existing implementation, HTTP/1.1 clients fail on the socket, preventing the use of HTTP Upgrade as a means of negotiating the protocol. This change allows simultaneous support of HTTP/1.1 and HTTP/2 on a plain TCP socket when using HTTP/2.
- Avoidance of possible buffer overrun with some
$sent_http_*is enabled. A defect in the logic for evaluating multi-header$sent_http_variables led to potential buffer overruns when certain elements were cleared but remained in the linked list. This issue manifested when third-party modules were used to override multi-header values. The update introduces refined boundary checks, ensuring safer handling and evaluation of these variables.
Features
- Full HTTP/3 support is added. NGINX 1.25.0 mainline version introduced support for HTTP/3, and this support has been merged into NGINX Plus R30. The NGINX Plus R30 implementation has the following changes when compared to the experimental packages delivered in NGINX Plus R29:
- Removed
quic_mtudirective - Removed
http3 parameter of listendirective - Removed QUIC support from the stream module
- Removed HTTP/3 server push
- Fixed building the OpenSSL Compatibility Layer with OpenSSL 3.2+
Bug Fix
- Fixed
segfaultif a regular expression (regex) studies list allocation fails.
For the full list of new changes, features, bug fixes, and workarounds inherited from recent releases, see the NGINX CHANGES file.
Changes to the NGINX JavaScript Module
NGINX Plus R30 incorporates changes from the NGINX JavaScript (njs) module version 0.8.0.
Features
- Introduced global NGINX properties:
ngx.build, ngx.conf_file_path, ngx.error_log_path, ngx.prefix, ngx.version, ngx.version_number, andngx.worker_id. - Introduced the
js_shared_dict_zonedirective for http and stream that allows declaring a dictionary shared between worker processes. - Added ES13-compliant Array methods:
Array.from(), Array.prototype.toSorted(), Array.prototype.toSpliced(), Array.prototype.toReversed(). - Added ES13-compliant TypedArray methods:
%TypedArray%.prototype.toSorted(), %TypedArray%.prototype.toSpliced(), %TypedArray%.prototype.toReversed(). - Added CryptoKey properties in WebCrypto API. These properties were added:
algorithm, extractable, type, usages.
Changes
- Removed special treatment of forbidden headers in the Fetch API introduced in 0.7.10.
- Removed
r.requestBody()from the http module, which was deprecated in version 0.5.0. Ther.requestBufferorr.requestTextproperty should be used instead. - Removed
r.responseBody()from the http module which was deprecated in version 0.5.0. Ther.responseBufferorr.responseTextproperty should be used instead. - Throwing an exception in
r.internalRedirect()while filtering in thehttpmodule. - Native methods are provided with
retvalargument. This change breaks compatibility with C extension for njs requiring the modification of the code. - Non-compliant deprecated String methods were removed. The following methods were removed:
String.bytesFrom(), String.prototype.fromBytes(), String.prototype.fromUTF8(), String.prototype.toBytes(), String.prototype.toUTF8(), String.prototype.toString(encoding). - Removed support for building with GNU readline.
Bug Fixes
- Fixed
r.statussetter when filtering inhttpmodule. - Fixed setting of
Locationheader inhttpmodule. - Fixed retval of
сrypto.getRandomValues(). - Fixed evaluation of computed property names with function expressions.
- Fixed implicit name for a function expression declared in arrays.
- Fixed parsing of for-in loops.
- Fixed
Date.parse()with ISO-8601 format and UTC time offset.
For a comprehensive list of all the features, changes, and bug fixes, see the njs Changes log.
Upgrade or Try NGINX Plus
If you’re running NGINX Plus, we strongly encourage you to upgrade to NGINX Plus R30 as soon as possible. In addition to all the great new features, you’ll also pick up several additional fixes and improvements, and being up to date will help NGINX to help you if you need to raise a support ticket.
If you haven’t tried NGINX Plus, we encourage you to check it out. You can use it for security, load balancing, and API gateway use cases, or as a fully supported web server with enhanced monitoring and management APIs. Get started today with a free 30-day trial.