Announcing NGINX Plus R30

We’re happy to announce the availability of NGINX Plus Release 30 (R30). Based on NGINX Open Source, NGINX Plus is the only all-in-one software web server, load balancer, reverse proxy, content cache, and API gateway.

New and enhanced features in NGINX Plus R30 include:

• Native support for QUIC+HTTP/3 – NGINX Plus now has official support for HTTP/3. The implementation does not depend on third-party libraries to provide the missing OpenSSL TLS functionality required to deliver HTTP/3 support over QUIC protocol. It uses an OpenSSL Compatibility Layer developed by the NGINX team to circumvent the challenges with QUIC TLS interfaces that are not supported by OpenSSL.
• Per-worker connection telemetry – Monitoring connections at a per-worker level is now supported. This enables users to fine tune NGINX performance by regulating the number of worker processes and effectively distributing connections amongst workers for optimal performance.
• Diagnostic package – The NGINX diagnostic package collects all data required for troubleshooting issues in a single compressed file. This improves communication between NGINX Plus users and F5 Support, increasing efficiency and reducing the turnaround time for issue resolution.

Rounding out the release are new features and bug fixes inherited from NGINX Open Source and updates to the NGINX JavaScript module.

Important Changes in Behavior

Note: If you are upgrading from a release other than NGINX Plus R29, be sure to check the Important Changes in Behavior section in previous announcement blogs for all releases between your current version and this one.

Deprecation of listen … http2 directive

The listen … http2 directive has been deprecated in NGINX 1.25.1. NGINX configuration check using nginx -t gives a warning to that effect.  

nginx -t

nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in etc/nginx/nginx.conf :15

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

All existing users of this directive are strongly advised to upgrade NGINX and use the http2 directive, which enables HTTP/2 on a per-server basis.

Change this:

listen 443 ssl http2;

To this:

listen 443 ssl;
http2 on;

Nonavailability of GeoIP2 Module on Amazon Linux 2

Previous versions of NGINX Plus used the “libmaxminddb” library from the Amazon Linux 2 EPEL repository to build the GeoIP2 module. The EPEL repository no longer provides this library, nor is it accessible natively from the Amazon Linux 2 distribution. Therefore, the module is no longer available in NGINX Plus R30 as there is no feasible way to build it for Amazon Linux 2.

Changes to MQTT Directives

The mqtt_rewrite_buffer_size directive, which is used for specifying the size of buffer to construct MQTT messages, has been superseded by the mqtt_buffers directive. The new directive allows for specifying the number of buffers that can be allocated per connection, along with specifying the size of each buffer.

Updated API Version

The version number of the NGINX Plus API has been updated from 8 to 9 to reflect the addition of the per-worker metrics described in Per-Worker Connection Telemetry. Previous version numbers still work, but the output doesn’t include metrics added in later API versions.

Changes to Platform Support

New operating systems supported:

• Debian 12
• Alpine 3.18

Older operating systems removed:

• Alpine 3.14, which reached end-of-life (EOL) on May 1, 2023
• Ubuntu 18.04, which reached EOL on April 26, 2023

Older operating systems deprecated and scheduled for removal in NGINX Plus R31:

• Alpine 3.15, which will reach EOL in November 2023

New Features in Detail

Native Support for QUIC+HTTP/3

HTTP/3 over QUIC has been a highly anticipated feature requested by many of our enterprise customers, and we are delighted to officially introduce it in NGINX Plus R30. This is a new technology and implementation that we will continue to focus on in future releases. We advise NGINX Plus users to first try it out in a non-production environment and share any valuable feedback with us.

NGINX Plus relies on OpenSSL for secure communication and cryptographic functionality, making use of the SSL/TLS libraries that ship with operating systems. However, because QUIC’s TLS interfaces are not supported by OpenSSL at the time of this release, third-party libraries are needed to provide for the missing TLS functionality required by HTTP/3.

To address this concern, the NGINX team developed an OpenSSL Compatibility Layer, removing the need to build and ship third-party TLS libraries like quictls, BoringSSL, and LibreSSL. This helps manage the end-to-end QUIC+HTTP/3 experience in NGINX without the burden of a custom TLS implementation nor the dependency on schedules and roadmaps of third-party libraries. We plan to enhance the OpenSSL Compatibility Layer in future releases with more features and options, such as support for 0-RTT.

Here is the QUIC+HTTP/3 configuration:
   

http {
        log_format quic '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" "$http3"';
        access_log logs/access.log quic;

        server {
              # for better compatibility it's recommended
              # to use the same port for quic and https
              listen 8443 quic reuseport;
              listen 8443 ssl;

              ssl_certificate     certs/example.com.crt;
              ssl_certificate_key certs/example.com.key;

              location / {
                  # required for browsers to direct them into quic port
                  add_header Alt-Svc 'h3=":8443"; ma=86400';
              }
          }
      }

The QUIC+HTTP/3 support in NGINX Plus R30 is available as a single binary – unlike the experimental HTTP/3 support introduced in NGINX Plus R29, which had a separate binary for nginx quic. This improvement makes it easier to deploy the functionality in your environment.

Note: With NGINX Plus R30, we’re ending support and updates for the standalone QUIC binary and plan to remove it as a download option later this year.

Per-Worker Connection Telemetry

NGINX Plus users are now able to monitor total connections per-worker process to adequately tune the worker_connections directive. This improvement gives users better visibility into how connections are distributed amongst workers. Being able to tune worker connections also helps you better assess your NGINX deployment.

The per-worker connection metrics are available over REST API. To retrieve per-worker connection metrics, use the …/api/9/workers endpoint.

To retrieve per-worker connection metrics for an individual worker, use the .../api/9/workers/<worker id> endpoint. The worker id has a 0-based index.

Here is a sample response:

{
      {
          "id": 0,
          "pid": 2346,
          "connections": {
              "accepted": 1,
              "dropped": 0,
              "active": 1,
              "idle": 0
          },
          "http": {
              "requests": {
                  "total": 15,
                  "current": 1
              }
          }
      },
      {
          "id": 1,
          "pid": 1234,
          "connections": {
              "accepted": 3,
              "dropped": 0,
              "active": 1,
              "idle": 0
          },
          "http": {
              "requests": {
                  "total": 15,
                  "current": 1
              }
          }
      },

      ...

  }

The per-worker connection metrics are available in the NGINX Plus Live Activity Monitoring Dashboard, as shown below. Access a live demo of this feature at demo.nginx.com.

The dashboard shows the information below about NGINX Plus connections and requests.

Connections:

• Accepted connections per worker
• Active connections per worker
• Idle connections per worker
• Dropped connections per worker

Requests:

• Current requests per worker
• Total requests per worker
• Requests/sec per worker

Diagnostic Package

To reduce turnaround time for issue resolution, the diagnostic package streamlines the process of collecting the data required to troubleshoot issues in your NGINX environment. The diagnostic package also helps avoid discrepancies and delays associated with the manual requesting and collecting of information needed to troubleshoot issues, making the interaction between NGINX Plus customers and F5 Support more efficient.

The diagnostic package collects:

• NGINX information – NGINX Plus version, configs, process information, third-party modules, logs, and API stats and endpoints
• System information – Host commands (ps, lsof, vmstat, etc.)
• Service information – systemd, etc.
• NGINX Agent – Logs and configs (if present)
• NGINX App Protect – Logs and configs (if present)
• Support package log – Log containing a list of all files collected

Our goal with the addition of the diagnostic package is to be transparent with users about what commands the script within the package runs and what data is being collected. Refer to the NGINX Plus Diagnostic Package page for more information.

Note: The availability of the diagnostic package is being announced as part of the current NGINX Plus R30 release, however the diagnostic package is not actually release dependent. Going forward, we plan to update it based on feedback from you and F5 Support with the intent of improving the troubleshooting data collection process.

Other Enhancements in NGINX Plus R30

MQTT Optimizations

With memory consumption improvements made to the Message Queuing Telemetry Transport (MQTT) filter module, there is now a 4-5x increase in throughput.

The directive mqtt_rewrite_buffer_size has been removed. Instead, the new directive mqtt_buffers <num> <size> has been introduced to specify how many buffers the module may allocate per connection, along with the size of each buffer. The default number of buffers is 100 and the default size of each buffer is 1024 bytes, which makes the default value of the variable mqtt_buffers <100> <1024>.

DNS Reload Optimizations

NGINX Plus now preserves DNS name expiry times for dynamically resolved upstream hosts across reloads, removing the need for re-resolution on configuration reload. Before this update, DNS resolutions were triggered for all upstreams. With this update, NGINX preserves DNS resolutions and expiry times for all upstreams and triggers DNS resolutions only for new or changed upstreams on reload.

This optimization will be most impactful for NGINX environments containing a large number of upstream hosts. If you have 100 or more upstream hosts in your NGINX configuration, the optimizations would be most evident.

Changes Inherited from NGINX Open Source

NGINX Plus R30 is based on NGINX Open Source 1.25.1 and inherits functional changes, features, and bug fixes made since NGINX Plus R29 was released (in NGINX 1.25.0 and 1.25.1).

Changes

• HTTP/2 server push support has been removed. HTTP/2 server_push had minimal adoption and could only be used in very limited use cases. (As per IETF 102 reference documentation, it was used in just 0.04% of sessions. As per RFC 913 it was “difficult to be used effectively.”) HTTP/2 server push was disabled in Chrome version 106. As part of this change, the http2_push, http2_push_preload, and http2_max_concurrent_pushes directives have been made obsolete.

• The deprecated ssl directive is no longer supported. The ssl directive was deprecated in NGINX 1.15.0 and replaced by the ssl parameter of the listen directive. The deprecated ssl directive has now been removed.

• As mentioned above, the listen … http2 directive is deprecated. Users are advised to use the http2 directive instead.
• For SSL connections with OpenSSL v1.0.2h or higher, if the HTTP/2 protocol is enabled in the virtual server chosen by a Server Name Identification (SNI), it is automatically selected by the Application Layer Protocol Negotiation (ALPN) callback.
• For older versions of OpenSSL, the HTTP/2 protocol is enabled based on the default virtual server configuration.
• For plain TCP connections, HTTP/2 is now auto-detected by the HTTP/2 preface if it is enabled in the default virtual server. If the preface does not match, HTTP/0.9-1.1 is assumed.

• Support is added for HTTP/2 over Cleartext TCP (h2c) and HTTP/1.1 on the same listening socket. In the existing implementation, if a user configures a h2c listening socket (e.g., listen port_num http2) only HTTP/2 connections can be created. An h2 listening socket supports both HTTP/1.1 and HTTP/2 with negotiation of protocol via ALPN. However, in the existing implementation, HTTP/1.1 clients fail on the socket, preventing the use of HTTP Upgrade as a means of negotiating the protocol. This change allows simultaneous support of HTTP/1.1 and HTTP/2 on a plain TCP socket when using HTTP/2.

• Avoidance of possible buffer overrun with some $sent_http_* is enabled. A defect in the logic for evaluating multi-header $sent_http_ variables led to potential buffer overruns when certain elements were cleared but remained in the linked list. This issue manifested when third-party modules were used to override multi-header values. The update introduces refined boundary checks, ensuring safer handling and evaluation of these variables.

Features

• Full HTTP/3 support is added. NGINX 1.25.0 mainline version introduced support for HTTP/3, and this support has been merged into NGINX Plus R30. The NGINX Plus R30 implementation has the following changes when compared to the experimental packages delivered in NGINX Plus R29:

• Removed quic_mtu directive
• Removed http3 parameter of listen directive
• Removed QUIC support from the stream module
• Removed HTTP/3 server push
• Fixed building the OpenSSL Compatibility Layer with OpenSSL 3.2+

Bug Fix

• Fixed segfault if a regular expression (regex) studies list allocation fails.

For the full list of new changes, features, bug fixes, and workarounds inherited from recent releases, see the NGINX CHANGES file.

Changes to the NGINX JavaScript Module

NGINX Plus R30 incorporates changes from the NGINX JavaScript (njs) module version 0.8.0.

Features

• Introduced global NGINX properties:
  ngx.build, ngx.conf_file_path, ngx.error_log_path, ngx.prefix, ngx.version, ngx.version_number, and ngx.worker_id.
• Introduced the js_shared_dict_zone directive for http and stream that allows declaring a dictionary shared between worker processes.
• Added ES13-compliant Array methods: Array.from(), Array.prototype.toSorted(), Array.prototype.toSpliced(), Array.prototype.toReversed().
• Added ES13-compliant TypedArray methods: %TypedArray%.prototype.toSorted(), %TypedArray%.prototype.toSpliced(), %TypedArray%.prototype.toReversed().
• Added CryptoKey properties in WebCrypto API. These properties were added: algorithm, extractable, type, usages.

Changes

• Removed special treatment of forbidden headers in the Fetch API introduced in 0.7.10.
• Removed r.requestBody() from the http module, which was deprecated in version 0.5.0. The r.requestBuffer or r.requestText property should be used instead.
• Removed r.responseBody() from the http module which was deprecated in version 0.5.0. The r.responseBuffer or r.responseText property should be used instead.
• Throwing an exception in r.internalRedirect() while filtering in the http module.
• Native methods are provided with retval argument. This change breaks compatibility with C extension for njs requiring the modification of the code.
• Non-compliant deprecated String methods were removed. The following methods were removed: String.bytesFrom(), String.prototype.fromBytes(), String.prototype.fromUTF8(), String.prototype.toBytes(), String.prototype.toUTF8(), String.prototype.toString(encoding).
• Removed support for building with GNU readline.

Bug Fixes

• Fixed r.status setter when filtering in http module.
• Fixed setting of Location header in http module.
• Fixed retval of сrypto.getRandomValues().
• Fixed evaluation of computed property names with function expressions.
• Fixed implicit name for a function expression declared in arrays.
• Fixed parsing of for-in loops.
• Fixed Date.parse() with ISO-8601 format and UTC time offset.

For a comprehensive list of all the features, changes, and bug fixes, see the njs Changes log.

Upgrade or Try NGINX Plus

If you’re running NGINX Plus, we strongly encourage you to upgrade to NGINX Plus R30 as soon as possible. In addition to all the great new features, you’ll also pick up several additional fixes and improvements, and being up to date will help NGINX to help you if you need to raise a support ticket.

If you haven’t tried NGINX Plus, we encourage you to check it out. You can use it for security, load balancing, and API gateway use cases, or as a fully supported web server with enhanced monitoring and management APIs. Get started today with a free 30-day trial.