NGINX.COM
Web Server Load Balancing with NGINX Plus

Today we issued the third release in the 1.9 mainline series of NGINX. This brings with it a few new features as well as bug fixes. The main focus of this release was improving the Stream module, initially added in NGINX 1.9.0 for generic TCP proxying and load balancing. Most notably:

  • Bug fix for SO_REUSEPORT socket option with TCP – The reuseport parameter to the listen directive now works correctly for TCP connections.
  • Configurable queue length for pending TCP and mail connections – The backlog parameter to the listen directive is now available in the stream and mail modules.
  • Access control based on IP address for TCP connections – With the new Stream Access module, you can restrict access to a TCP stream to specified IP addresses or address ranges.

    The module goes through the list of IP addresses and ranges until a match is found and acts on it. For example, the following snippet allows TCP connection from any IP address in the 192.168.1.x range except 192.168.1.1, and blocks connections from any other IP address range:

    stream {
        server {
            # ...
            deny 192.168.1.1;
            allow 192.168.1.0/24;
            deny all;
        }
    }

In addition to those changes, the following new features have been added:

  • PROXY protocol support for TCP – The new proxy_protocol directive enables a header to be sent to the upstream server with details about the client connection.
  • Specify source IP address for connections to proxied servers – The new proxy_bind directive for TCP works like the existing HTTP directive: it makes connections to a proxied server originate from a specified local IP address.
  • REQUEST_SCHEME parameter – Support for the REQUEST_SCHEME parameter is added to the (HTTP) fastcgi_param directive and fastcgi.conf.
  • Configuration dumping – The new -T argument to the nginx command not only tests the configuration but gives much more verbose output including an entire dump of every configuration file parsed.
  • Bug fix for OCSP Stapling – Expired cached SSL handshake responses are no longer sent when the ssl_stapling on directive is configured. Thanks to Andrew Ayer for contributing a fix for this.

TCP load balancing is also available in NGINX Plus R6 with even more great features.

Updating NGINX

You can check your current NGINX version using nginx -v:

# nginx -v
nginx version: nginx/1.9.1

Updates for NGINX 1.9.x are available from nginx.org (sources and prebuilt binary packages). If you’ve subscribed to NGINX through another channel (such as your operating system distributor), you can expect it to sync with the 1.9.2 update shortly.

[Editor – The features described in this post are also available in NGINX Plus Release 7 and later.

Hero image
Free O'Reilly eBook: The Complete NGINX Cookbook

Updated for 2022 – Your Guide to Everything NGINX

About The Author

Andrew Hutchings

Andrew Hutchings

Senior Software Engineer

Andrew is a Developer Advocate and Systems Software Engineer specializing in open source Linux-based software. He’s worked on many popular open source projects in various roles, including OpenStack, Drizzle, and MySQL. He’s known to many as LinuxJedi.

About F5 NGINX

F5, Inc. is the company behind NGINX, the popular open source project. We offer a suite of technologies for developing and delivering modern applications. Together with F5, our combined solution bridges the gap between NetOps and DevOps, with multi-cloud application services that span from code to customer.

Learn more at nginx.com or join the conversation by following @nginx on Twitter.