From vbart at nginx.com Thu Feb 4 23:12:08 2021 From: vbart at nginx.com (Valentin V. Bartenev) Date: Fri, 05 Feb 2021 02:12:08 +0300 Subject: [nginx-announce] unit-1.22.0 Message-ID: <3963972.1IzOArtZ34@vbart-laptop> Hi, I'm glad to announce a new release of NGINX Unit. This is our first release of 2021, and it focuses on improving stability. There's an extensive list of bugfixes, although many occur in rare conditions that have so far been observed only in our test environments. These bugs were caught due to improvements in our continuous functional testing; our QA, Andrei Zeliankou, is always looking to increase the testing coverage and use new techniques to spot various race conditions and leaks, thus improving the quality of each release. This very important work never ends. ### IMPORTANT: Changes to official Linux packages Starting with this release, the user and group accounts that run non-privileged Unit processes are changed in our Linux packages: - in previous packages: nobody:nobody - in 1.22.0 and later: unit:unit These settings are used to serve static files and run applications if "user" or "group" options are not explicitly specified in the app configuration. Please take a note of the change and update your configuration appropriately before upgrading an existing Unit installation with our official packages: - https://unit.nginx.org/installation/#official-packages The rationale for this change in our packages was that using "nobody" by default was very inconvenient while serving static files. You can always override these settings with the --user and --group daemon options in your startup scripts. See here for more details: - https://unit.nginx.org/installation/#installation-src-startup ### IMPORTANT 2: Changes to official Docker images Another notable change is also related to our official distributions; in this case, it affects our Docker images. Many asked us to provide the most up-to-date versions of language modules in our Docker images, but there was no maintainable way of doing this while still relying on the Debian base image we used before. Starting with 1.22.0, we stop maintaining images with language modules that use the old Debian base; instead, now we rely on official Docker images for latest language versions: - https://unit.nginx.org/installation/#docker-images Our images are available at both Docker Hub and Amazon ECR Public Gallery; you can also download them at our website. Changes with Unit 1.22.0 04 Feb 2021 *) Feature: the ServerRequest and ServerResponse objects of Node.js module are now compliant with Stream API. *) Feature: support for specifying multiple directories in the "path" option of Python apps. *) Bugfix: a memory leak occurred in the router process when serving files larger than 128K; the bug had appeared in 1.13.0. *) Bugfix: apps could stop processing new requests under high load; the bug had appeared in 1.19.0. *) Bugfix: app processes could terminate unexpectedly under high load; the bug had appeared in 1.19.0. *) Bugfix: invalid HTTP responses were generated for some unusual status codes. *) Bugfix: the PHP_AUTH_USER, PHP_AUTH_PW, and PHP_AUTH_DIGEST server variables were missing in the PHP module. *) Bugfix: the router process could crash with multithreaded apps under high load. *) Bugfix: Ruby apps with multithreading configured could crash on start under load. *) Bugfix: mount points weren't unmounted when the "mount" namespace isolation was used; the bug had appeared in 1.21.0. *) Bugfix: the router process could crash while removing or reconfiguring an app that used WebSocket. *) Bugfix: a memory leak occurring in the router process when removing or reconfiguring an application; the bug had appeared in 1.19.0. Meanwhile, we continue working on metrics and application restart APIs, SNI support in TLS, and improvements to process isolation. As always, we encourage you to follow our roadmap on GitHub, where your ideas and requests are more than welcome: - https://github.com/orgs/nginx/projects/1 Stay tuned! wbr, Valentin V. Bartenev From mdounin at mdounin.ru Tue Feb 16 16:12:39 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 16 Feb 2021 19:12:39 +0300 Subject: [nginx-announce] nginx-1.19.7 Message-ID: <20210216161239.GH77619@mdounin.ru> Changes with nginx 1.19.7 16 Feb 2021 *) Change: connections handling in HTTP/2 has been changed to better match HTTP/1.x; the "http2_recv_timeout", "http2_idle_timeout", and "http2_max_requests" directives have been removed, the "keepalive_timeout" and "keepalive_requests" directives should be used instead. *) Change: the "http2_max_field_size" and "http2_max_header_size" directives have been removed, the "large_client_header_buffers" directive should be used instead. *) Feature: now, if free worker connections are exhausted, nginx starts closing not only keepalive connections, but also connections in lingering close. *) Bugfix: "zero size buf in output" alerts might appear in logs if an upstream server returned an incorrect response during unbuffered proxying; the bug had appeared in 1.19.1. *) Bugfix: HEAD requests were handled incorrectly if the "return" directive was used with the "image_filter" or "xslt_stylesheet" directives. *) Bugfix: in the "add_trailer" directive. -- Maxim Dounin http://nginx.org/ From xeioex at nginx.com Tue Feb 16 18:07:58 2021 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 16 Feb 2021 21:07:58 +0300 Subject: [nginx-announce] njs-0.5.1 Message-ID: <182c1d6d-9ff4-6a96-c6f7-8e3acee3f0d9@nginx.com> Hello, I'm glad to announce a new release of NGINX JavaScript module (njs). This release focuses on extending the modules functionality. Notable new features: - ngx.fetch() method implements a generic HTTP client which does not depend on subrequests: : example.js: : function fetch(r) { : ngx.fetch('http://nginx.org/') : .then(reply => reply.text()) : .then(body => r.return(200, body)) : .catch(e => r.return(501, e.message)); : } - js_header_filter directive. The directive allows changing arbitrary header fields of a response header. : nginx.conf: : js_import foo.js; : : location / { : js_header_filter foo.filter; : proxy_passhttp://127.0.0.1:8081/; : } : : foo.js: : function filter(r) { : var cookies = r.headersOut['Set-Cookie']; : var len = r.args.len ? Number(r.args.len) : 0; : r.headersOut['Set-Cookie'] = cookies.filter(v=>v.length > len); : } : : export default {filter}; You can learn more about njs: - Overview and introduction:http://nginx.org/en/docs/njs/ - Presentation:https://youtu.be/Jc_L6UffFOs - Using node modules with njs: http://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files: http://nginx.org/en/docs/njs/typescript.html Feel free to try it and give us feedback on: - Github:https://github.com/nginx/njs/issues - Mailing list:http://mailman.nginx.org/mailman/listinfo/nginx-devel Changes with njs 0.5.1 16 Feb 2021 nginx modules: *) Feature: introduced ngx.fetch() method implementing Fetch API. The following init options are supported: body, headers, buffer_size (nginx specific), max_response_body_size (nginx specific), method. The following properties and methods of Response object are implemented: arrayBuffer(), bodyUsed, json(), headers, ok, redirect, status, statusText, text(), type, url. The following properties and methods of Header object are implemented: get(), getAll(), has(). Notable limitations: only the http:// scheme is supported, redirects are not handled. In collaboration with ??? (Hong Zhi Dao). *) Feature: added the "js_header_filter" directive. *) Bugfix: fixed processing buffered data in body filter in stream module. Core: *) Bugfix: fixed safe mode bypass in Function constructor. *) Bugfix: fixed Date.prototype.toISOString() with invalid date values. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Tue Mar 9 15:42:35 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 9 Mar 2021 18:42:35 +0300 Subject: [nginx-announce] nginx-1.19.8 Message-ID: Changes with nginx 1.19.8 09 Mar 2021 *) Feature: flags in the "proxy_cookie_flags" directive can now contain variables. *) Feature: the "proxy_protocol" parameter of the "listen" directive, the "proxy_protocol" and "set_real_ip_from" directives in mail proxy. *) Bugfix: HTTP/2 connections were immediately closed when using "keepalive_timeout 0"; the bug had appeared in 1.19.7. *) Bugfix: some errors were logged as unknown if nginx was built with glibc 2.32. *) Bugfix: in the eventport method. -- Maxim Dounin http://nginx.org/ From xeioex at nginx.com Tue Mar 9 18:11:06 2021 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 9 Mar 2021 21:11:06 +0300 Subject: [nginx-announce] njs-0.5.2 Message-ID: Hello, I'm glad to announce a new release of NGINX JavaScript module (njs). This release focuses on extending the modules functionality. Notable new features: - js_body_filter directive. The directive allows changing the response body. : nginx.conf: : js_import foo.js; : : location / { : js_body_filter foo.to_lower; : proxy_pass http://127.0.0.1:8081/; : } : : foo.js: : function to_lower(r, data, flags) { : r.sendBuffer(data.toLowerCase(), flags); : } : : export default {to_lower}; - njs.on('exit') callback. The "exit" hook allows to implement some cleanup logic before the VM instance is destroyed. : foo.js: : function handler(r) { : njs.on('exit', () => { : r.warn("DONE"); : }); : } You can learn more about njs: - Overview and introduction: http://nginx.org/en/docs/njs/ - Presentation: https://youtu.be/Jc_L6UffFOs - Using node modules with njs: http://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files: http://nginx.org/en/docs/njs/typescript.html Feel free to try it and give us feedback on: - Github: https://github.com/nginx/njs/issues - Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel Changes with njs 0.5.2 09 Mar 2021 nginx modules: *) Feature: added the "js_body_filter" directive. *) Feature: introduced the "status" property for stream session object. *) Feature: added njs.on('exit') callback support. *) Bugfix: fixed property descriptor reuse for not extensible objects. Thanks to Artem S. Povalyukhin. *) Bugfix: fixed Object.freeze() and friends according to the specification. Thanks to Artem S. Povalyukhin. *) Bugfix: fixed Function() in CLI mode. *) Bugfix: fixed for-in iteration of typed array values. Thanks to Artem S. Povalyukhin. From vbart at nginx.com Thu Mar 25 19:21:54 2021 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 25 Mar 2021 22:21:54 +0300 Subject: [nginx-announce] unit-1.23.0 Message-ID: <3098090.aeNJFYEL58@vbart-laptop> Hi, I'm glad to announce a new release of NGINX Unit. Nowadays, TLS is everywhere, while plain HTTP is almost nonexistent in the global network. We are fully aware of this trend and strive to simplify TLS configuration in Unit as much as possible. Frankly, there's still much to do, but the introduction of smart SNI certificate selection marks yet another step in this direction. Perhaps, you already know about Unit's certificate storage API that uploads certificate bundles to a running instance. Otherwise, if you're not yet fully informed but still curious, here's a decent overview: - https://unit.nginx.org/configuration/#certificate-management Basically, you just upload a certificate chain and a key under some name; after that, you can specify the name ("mycert" in the example below) with any listening socket to configure it for HTTPS: { "listeners": { "*:443": { "tls": { "certificate": "mycert" }, "pass": "routes" } } } Unit's API also enables informative introspection of uploaded certificate bundles so you can monitor their validity and benefit from service discovery. You can also upload any number of certificate bundles to switch between them on the fly without restarting the server (yes, Unit's dynamic nature is exactly like that). Still, with this release, there are even more options, as you can supply any number of certificate bundle names with a listener socket: { "certificate": [ "mycertA", "mycertB", ... ] } For each client, Unit automatically selects a suitable certificate from the list depending on the domain name the client connects to (and therefore supplies via the "Server Name Indication" TLS extension). Thus, you don't even need to care about matching certificates to server names; Unit handles that for you. As a result, there's almost no room for a mistake, which spares more time for stuff that matters. As one can reasonably expect, you can always add more certs, delete them, or edit the cert list on the fly without compromising performance. That's the Unit way! In case you're wondering whom to thank for this shiny new feature: give a warm welcome to Andrey Suvorov, a new developer on our team. He will continue working on TLS improvements in Unit, and his TODO list is already stacked. Still, if you'd like to suggest a concept or have a particular interest in some feature, just start a ticket on GitHub; we are open to your ideas: - https://github.com/nginx/unit/issues Also, plenty of solid bug fixing work was done by the whole team. See the full change log below: Changes with Unit 1.23.0 25 Mar 2021 *) Feature: support for multiple certificate bundles on a listener via the Server Name Indication (SNI) TLS extension. *) Feature: "--mandir" ./configure option to specify the directory for man page installation. *) Bugfix: the router process could crash on premature TLS connection close; the bug had appeared in 1.17.0. *) Bugfix: a connection leak occurred on premature TLS connection close; the bug had appeared in 1.6. *) Bugfix: a descriptor and memory leak occurred in the router process when processing small WebSocket frames from a client; the bug had appeared in 1.19.0. *) Bugfix: a descriptor leak occurred in the router process when removing or reconfiguring an application; the bug had appeared in 1.19.0. *) Bugfix: persistent storage of certificates might've not worked with some filesystems in Linux, and all uploaded certificate bundles were forgotten after restart. *) Bugfix: the controller process could crash while requesting information about a certificate with a non-DNS SAN entry. *) Bugfix: the controller process could crash on manipulations with a certificate containing a SAN and no standard name attributes in subject or issuer. *) Bugfix: the Ruby module didn't respect the user locale for defaults in the Encoding class. *) Bugfix: the PHP 5 module failed to build with thread safety enabled; the bug had appeared in 1.22.0. Other notable features we are working on include: - statistics API - process control API - chrooting on a per-request basis during static file serving - MIME types filtering for static files - configuring ciphers and other OpenSSL settings So much more to come! Also, if you'd like to know more about Unit and prefer watching fun videos instead of reading tedious documentation, I'm happy to recommend Timo Stark, our own PM Engineer. Recently, he started regularly streaming on Twitch and YouTube: - https://www.twitch.tv/h30ne - https://www.youtube.com/Tippexs91 Tomorrow (March 26), at 10 p.m. CET (or 2 p.m. PDT), he is going on air to livestream his using Unit's brand-new SNI feature to automate the certbot setup: - https://youtu.be/absaan-8y1Q Everyone is welcome! wbr, Valentin V. Bartenev From mdounin at mdounin.ru Tue Mar 30 15:00:38 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 30 Mar 2021 18:00:38 +0300 Subject: [nginx-announce] nginx-1.19.9 Message-ID: Changes with nginx 1.19.9 30 Mar 2021 *) Bugfix: nginx could not be built with the mail proxy module, but without the ngx_mail_ssl_module; the bug had appeared in 1.19.8. *) Bugfix: "upstream sent response body larger than indicated content length" errors might occur when working with gRPC backends; the bug had appeared in 1.19.1. *) Bugfix: nginx might not close a connection till keepalive timeout expiration if the connection was closed by the client while discarding the request body. *) Bugfix: nginx might not detect that a connection was already closed by the client when waiting for auth_delay or limit_req delay, or when working with backends. *) Bugfix: in the eventport method. -- Maxim Dounin http://nginx.org/ From xeioex at nginx.com Tue Mar 30 19:31:47 2021 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 30 Mar 2021 22:31:47 +0300 Subject: [nginx-announce] njs-0.5.3 Message-ID: <4f230c26-39de-bdc2-bab8-fc19f0009503@nginx.com> Hello, I'm glad to announce a new release of NGINX JavaScript module (njs). This release focuses on extending the modules functionality. Notable new features: - js_var directive. The directive creates an nginx variable writable from njs. The variable is not overwritten after a redirect unlike variables created with the set directive. This is especially useful in situations where some directive value depends on the result of a subrequest. The following example illustrates the case where Authorization header is processed by a HTTP endpoint which returns foo value as a result. This result is passed as a header to the backend. : nginx.conf: : js_import main.js; : : js_var $foo; : .. : : location /secure/ { : auth_request /set_foo; : : proxy_set_header Foo $foo; : proxy_pass http://backend; : } : : location =/set_foo { : internal; : js_content main.set_foo; : } : : main.js: : function set_foo(r) { : ngx.fetch('http://127.0.0.1:8080', {headers: {Authorization: r.headersIn.Authorization}}) : .then(reply => { : r.variables.foo = reply.headers.get('foo'); : r.return(200); : }); : } : : export default {set_foo}; You can learn more about njs: - Overview and introduction: http://nginx.org/en/docs/njs/ - Presentation: https://youtu.be/Jc_L6UffFOs - Using node modules with njs: http://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files: http://nginx.org/en/docs/njs/typescript.html Feel free to try it and give us feedback on: - Github: https://github.com/nginx/njs/issues - Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel Changes with njs 0.5.3 30 Mar 2021 nginx modules: *) Feature: added the "js_var" directive. From mdounin at mdounin.ru Tue Apr 13 15:41:54 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 13 Apr 2021 18:41:54 +0300 Subject: [nginx-announce] nginx-1.19.10 Message-ID: Changes with nginx 1.19.10 13 Apr 2021 *) Change: the default value of the "keepalive_requests" directive was changed to 1000. *) Feature: the "keepalive_time" directive. *) Feature: the $connection_time variable. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue Apr 20 14:52:37 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 20 Apr 2021 17:52:37 +0300 Subject: [nginx-announce] nginx-1.20.0 Message-ID: Changes with nginx 1.20.0 20 Apr 2021 *) 1.20.x stable branch. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue May 25 15:37:20 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 25 May 2021 18:37:20 +0300 Subject: [nginx-announce] nginx-1.21.0 Message-ID: Changes with nginx 1.21.0 25 May 2021 *) Security: 1-byte memory overwrite might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause worker process crash or, potentially, arbitrary code execution (CVE-2021-23017). *) Feature: variables support in the "proxy_ssl_certificate", "proxy_ssl_certificate_key" "grpc_ssl_certificate", "grpc_ssl_certificate_key", "uwsgi_ssl_certificate", and "uwsgi_ssl_certificate_key" directives. *) Feature: the "max_errors" directive in the mail proxy module. *) Feature: the mail proxy module supports POP3 and IMAP pipelining. *) Feature: the "fastopen" parameter of the "listen" directive in the stream module. Thanks to Anbang Wen. *) Bugfix: special characters were not escaped during automatic redirect with appended trailing slash. *) Bugfix: connections with clients in the mail proxy module might be closed unexpectedly when using SMTP pipelining. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue May 25 15:37:48 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 25 May 2021 18:37:48 +0300 Subject: [nginx-announce] nginx-1.20.1 Message-ID: Changes with nginx 1.20.1 25 May 2021 *) Security: 1-byte memory overwrite might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause worker process crash or, potentially, arbitrary code execution (CVE-2021-23017). -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue May 25 15:39:38 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 25 May 2021 18:39:38 +0300 Subject: [nginx-announce] nginx security advisory (CVE-2021-23017) Message-ID: Hello! A security issue in nginx resolver was identified, which might allow an attacker to cause 1-byte memory overwrite by using a specially crafted DNS response, resulting in worker process crash or, potentially, in arbitrary code execution (CVE-2021-23017). The issue only affects nginx if the "resolver" directive is used in the configuration file. Further, the attack is only possible if an attacker is able to forge UDP packets from the DNS server. The issue affects nginx 0.6.18 - 1.20.0. The issue is fixed in nginx 1.21.0, 1.20.1. Patch for the issue can be found here: http://nginx.org/download/patch.2021.resolver.txt Thanks to Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH. -- Maxim Dounin http://nginx.org/ From vbart at nginx.com Thu May 27 19:26:47 2021 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 27 May 2021 22:26:47 +0300 Subject: [nginx-announce] unit-1.24.0 Message-ID: <4316341.LvFx2qVVIh@vbart-laptop> Hi, I'm glad to announce a new release of NGINX Unit. This one is full of shiny new features. But before I dive into the details, let me introduce our new developers without whom this release wouldn't be so feature-rich. Please, welcome Zhidao Hong (???) and Ois?n Canty. Zhidao has already been contributing to various nginx open-source projects for years as a community member, and I'm very excited to finally have him on board. Ois?n is a university student who's very interested in Unit; he joined our dev team as an intern and already shown solid coding skills, curiosity, and attention to details, which is so important to our project. Good job! Now, back to the features. I'd like to highlight the first of our improvements in serving static media assets. :: MIME Type Filtering :: Now, you can restrict file serving by MIME type: { "share": "/www/data", "types": [ "image/*", "video/*" ] } The configuration above allows only files with various video and image extensions, but all other requests will return status code 403. In particular, this goes well with the "fallback" option that performs another action if the "share" returns a 40x error: { "share": "/www/data", "types": [ "!application/x-httpd-php" ], "fallback": { "pass": "applications/php" } } Here, all requests to existing files other than ".php" will be served as static content while the rest will be passed to a PHP application. More examples and documentation snippets are available here: - https://unit.nginx.org/configuration/#mime-filtering :: Chrooting and Path Restrictions When Serving Files :: As we take security seriously, now Unit introduces the ability to chroot not only its application processes but also the static files it serves on a per-request basis. Additionally, you can restrict traversal of mounting points and symbolic link resolution: { "share": "/www/data/static/", "chroot": "/www/data/", "follow_symlinks": false, "traverse_mounts": false } See here for more information: - https://unit.nginx.org/configuration/#path-restrictions For details of Unit application process isolation abilities: - https://unit.nginx.org/configuration/#process-isolation Other notable features unrelated to static file serving: * Multiple WSGI/ASGI Python entry points per process It allows loading multiple modules or app entry points into a single Python process, choosing between them when handling requests with the full power of Unit's routes system. See here for Python's "targets" object description: - https://unit.nginx.org/configuration/#configuration-python-targets And here, more info about Unit's internal routing: - https://unit.nginx.org/configuration/#routes * Automatic overloading of "http" and "websocket" modules in Node.js Now you can run Node.js apps on Unit without touching their sources: - https://unit.nginx.org/configuration/#node-js * Applying OpenSSL configuration commands Finally, you can control various TLS settings via OpenSSL's generic configuration interface with all the dynamic power of Unit: - https://unit.nginx.org/configuration/#ssl-tls-configuration The full changelog for the release: Changes with Unit 1.24.0 27 May 2021 *) Change: PHP added to the default MIME type list. *) Feature: arbitrary configuration of TLS connections via OpenSSL commands. *) Feature: the ability to limit static file serving by MIME types. *) Feature: support for chrooting, rejecting symlinks, and rejecting mount point traversal on a per-request basis when serving static files. *) Feature: a loader for automatically overriding the "http" and "websocket" modules in Node.js. *) Feature: multiple "targets" in Python applications. *) Feature: compatibility with Ruby 3.0. *) Bugfix: the router process could crash while closing a TLS connection. *) Bugfix: a segmentation fault might have occurred in the PHP module if fastcgi_finish_request() was used with the "auto_globals_jit" option enabled. That's all for today, but even more exciting features are poised for the upcoming releases: - statistics API - process control API - variables from regexp captures in the "match" object - simple request rewrites using variables - variables support in static file serving options - ability to override client IP from the X-Forwarded-For header - TLS sessions cache and tickets Also, please check our GitHub to follow the development and discuss new features: - https://github.com/nginx/unit Stay tuned! wbr, Valentin V. Bartenev From xeioex at nginx.com Tue Jun 15 17:14:29 2021 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 15 Jun 2021 20:14:29 +0300 Subject: [nginx-announce] njs-0.6.0 Message-ID: <81539ee9-5525-00a1-4ddd-526eea2774c3@nginx.com> Hello, I'm glad to announce a new release of NGINX JavaScript module (njs). This release proceeds to extend the coverage of ECMAScript specifications. Notable new features: - let and const declarations support : >> fuction test() { x = 1; let x; } : undefined : >> test() : ReferenceError: cannot access variable before initialization : >> function test2() {const x = 1; x = 2; } : undefined : >> test2() : TypeError: assignment to constant variable You can learn more about njs: - Overview and introduction: http://nginx.org/en/docs/njs/ - NGINX JavaScript in Your Web Server Configuration: https://youtu.be/Jc_L6UffFOs - Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M - Using node modules with njs: http://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files: http://nginx.org/en/docs/njs/typescript.html Feel free to try it and give us feedback on: - Github: https://github.com/nginx/njs/issues - Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel Changes with njs 0.6.0 15 Jun 2021 Core: *) Feature: added let and const declaration support. *) Feature: added RegExp.prototype[Symbol.split]. *) Feature: added sticky flag support for RegExp. *) Bugfix: fixed heap-buffer-overflow in String.prototype.lastIndexOf(). *) Bugfix: fixed RegExp.prototype.test() according to the specification. *) Bugfix: fixed String.prototype.split() according to the specification. *) Bugfix: fixed use-of-uninitialized-value while tracking rejected promises. *) Bugfix: fixed njs.dump() for objects with circular references. From xeioex at nginx.com Tue Jun 29 16:08:23 2021 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 29 Jun 2021 19:08:23 +0300 Subject: [nginx-announce] njs-0.6.1 Message-ID: <237585ec-20bd-196a-fd1f-3a1d5d7a3142@nginx.com> Hello, This is a bugfix release that fixes RegExp matching for a regular expression containing UTF-8 characters. The matching of ASCII or byte string by UTF-8 regexp was always negative. What methods were affected: - RegExp.prototype.exec() (since 0.4.2) - RegExp.protytype.test() (since 0.5.3) You can learn more about njs: - Overview and introduction: http://nginx.org/en/docs/njs/ - NGINX JavaScript in Your Web Server Configuration: https://youtu.be/Jc_L6UffFOs - Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M - Using node modules with njs: http://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files: http://nginx.org/en/docs/njs/typescript.html Feel free to try it and give us feedback on: - Github: https://github.com/nginx/njs/issues - Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel Changes with njs 0.6.1 29 Jun 2021 *) Bugfix: fixed RegExpBuiltinExec() with UTF-8 only regexps. The bug was introduced in 0.4.2. *) Bugfix: fixed parsing of export default declaration with non-assignment expressions. Thanks to Artem S. Povalyukhin. From mdounin at mdounin.ru Tue Jul 6 15:16:19 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 6 Jul 2021 18:16:19 +0300 Subject: [nginx-announce] nginx-1.21.1 Message-ID: Changes with nginx 1.21.1 06 Jul 2021 *) Change: now nginx always returns an error for the CONNECT method. *) Change: now nginx always returns an error if both "Content-Length" and "Transfer-Encoding" header lines are present in the request. *) Change: now nginx always returns an error if spaces or control characters are used in the request line. *) Change: now nginx always returns an error if spaces or control characters are used in a header name. *) Change: now nginx always returns an error if spaces or control characters are used in the "Host" request header line. *) Change: optimization of configuration testing when using many listening sockets. *) Bugfix: nginx did not escape """, "<", ">", "\", "^", "`", "{", "|", and "}" characters when proxying with changed URI. *) Bugfix: SSL variables might be empty when used in logs; the bug had appeared in 1.19.5. *) Bugfix: keepalive connections with gRPC backends might not be closed after receiving a GOAWAY frame. *) Bugfix: reduced memory consumption for long-lived requests when proxying with more than 64 buffers. -- Maxim Dounin http://nginx.org/ From vbart at nginx.com Fri Aug 20 04:13:34 2021 From: vbart at nginx.com (Valentin V. Bartenev) Date: Fri, 20 Aug 2021 07:13:34 +0300 Subject: [nginx-announce] unit-1.25.0 Message-ID: <1790730.tdWV9SEqCh@vbart-laptop> Hi, I'm glad to announce a new release of NGINX Unit. This one is much awaited not only because the last one occurred quite some time ago, but also because it contains some sought-after features that were requested quite often. :: Obtaining The Originating Client IP Address :: When Unit operates behind a reverse proxy, it receives all incoming connections from a proxy machine address. As a result, the originating IP address of a client cannot be determined from the IP protocol. To overcome this, a special HTTP request header field can be used to carry the client IP address information over one to several proxies. Such header fields are usually called "X-Forwarded-For", but variations exist as well ("X-Real-IP", "X-Remote-Addr", etc..). Before, Unit could not use information from such header fields otherwise than just pass them on "as is." With this release, functionality similar to the real-ip nginx module became available. Now, in any listener object, you can specify a "client_ip" option, configuring trusted proxy addresses and the header field name, to obtain the client IP address: { "listeners": { "*:80": { "client_ip": { "header": "X-Forwarded-For", "recursive": true, "source": [ "10.0.0.0/8", "150.172.238.0/24" ] } } } } Unit will use the address obtained from this header to the same effect as if a direct connection was made from the client. For instance, it will be reflected in any logs, used for source address matching in routing, and provided to the application via a relevant request environment (e. g. $_SERVER['REMOTE_ADDR'] in PHP). See more details in the documentation: - https://unit.nginx.org/configuration/#originating-ip-identification :: Control API to Restart Application Processes :: Unit dynamic configuration is pretty smart and granular. If it detects no changes to an application during reconfiguration, it won't touch the application's processes. However, sometimes our users need to restart a specific application, and the only good way to do that was to intentionally introduce a change to the application's configuration. Usually, a dummy "environment" option was used for this: curl -X PUT -d '"$RANDOM"' --unix-socket /var/run/control.unit.sock \ /config/applications//environment/gen While it worked well, the solution can't be called elegant; it was more like a workaround. But now, Unit has a special section in the control API that allows restarting any configured application with a basic GET request: curl --unix-socket /var/run/control.unit.sock \ /control/applications//restart See here for the details of app process management in Unit: - https://unit.nginx.org/configuration/#process-management :: TLS Sessions Cache and Tickets :: A full TLS handshake can be quite expensive; to save server resources and reduce latency in subsequent client connections, two ways are commonly used: TLS sessions cache and TLS session tickets. The main difference between the two is who stores the session information: the server (cache) or the client (tickets). Now, Unit allows you to configure either or both: { "tls": { "certificate": "bundle", "session": { "cache_size": 10000, "timeout": 600, "tickets": true } } } For tickets, it doesn't only allow enabling or disabling them; you can specify shared ticket keys between multiple servers and rotate them. See more sophisticated configurations in the docs: - https://unit.nginx.org/configuration/#ssl-tls-configuration We will proceed to improve the client-side protocol support to be on par with nginx in this regard or even go further. To be specific, HTTP/2 and HTTP/3 are definitely on our shortlist. :: Ruby Process and Thread Start/Stop Hooks :: Earlier this year, one of our users opened a feature request on Unit's GitHub: https://github.com/nginx/unit/issues/535; we were asked to support hooks to be triggered on process or thread start/stop, as does another popular Ruby web server, Puma. These are usually used to instantiate a database connection or to perform some other initialization or cleanup work. A few months later, we've fulfilled the request. Here we go: - https://unit.nginx.org/configuration/#ruby That's why I always ask you not to hesitate and instead open a feature request for any crazy idea you may have on our GitHub issue tracker: - https://github.com/nginx/unit/issues We'd like to hear from you, we'd like to know your cases, your issues, anything you're struggling with or are missing and would want to see in Unit. Sure, not all requests are handled fast. There's plenty of them pending for years already. It's different case by case; sometimes, we're just busy with other important tasks, sometimes the feature depends on other missing parts, which also depend on other ones, and so on. Sometimes, it just takes a while to find a good solution, to design a good architecture, or to find a proper method of configuring something. Anyway, all your requests are collected and carefully examined; perhaps, it's your idea that will be implemented next. Please go and open a ticket if in doubt. The full changelog for the release: Changes with Unit 1.25.0 19 Aug 2021 *) Feature: client IP address replacement from a specified HTTP header field. *) Feature: TLS sessions cache. *) Feature: TLS session tickets. *) Feature: application restart control. *) Feature: process and thread lifecycle hooks in Ruby. *) Bugfix: the router process could crash on TLS connection open when multiple listeners with TLS certificates were configured; the bug had appeared in 1.23.0. *) Bugfix: TLS connections were rejected for configurations with multiple certificate bundles in a listener if the client did not use SNI. *) Bugfix: the router process could crash with frequent multithreaded application reconfiguration. *) Bugfix: compatibility issues with some Python ASGI apps, notably based on the Starlette framework. *) Bugfix: a descriptor and memory leak occurred in the router process when an app process stopped or crashed. *) Bugfix: the controller or router process could crash if the configuration contained a full-form IPv6 in a listener address. *) Bugfix: the router process crashed when a request was passed to an empty "routes" or "upstreams" using a variable "pass" option. *) Bugfix: the router process crashed while matching a request to an empty array of source or destination address patterns. In the meantime, there are several other features currently at different stages of development and implementation: - Variable support in the static file serving options - Custom variables from regexp captures in the "match" object - Simple request rewrites using variables - More variables to access request and connection information - A statistics API - Unit CLI utility tool - App prototype processes to reduce memory usage, share the PHP opcache, and improve the handling of apps isolation - njs integration (https://nginx.org/en/docs/njs/index.html) - .NET Core language module prototype Some of them bound to appear in the next release. Stay tuned! wbr, Valentin V. Bartenev From mdounin at mdounin.ru Tue Aug 31 15:40:09 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 31 Aug 2021 18:40:09 +0300 Subject: [nginx-announce] nginx-1.21.2 Message-ID: Changes with nginx 1.21.2 31 Aug 2021 *) Change: now nginx rejects HTTP/1.0 requests with the "Transfer-Encoding" header line. *) Change: export ciphers are no longer supported. *) Feature: OpenSSL 3.0 compatibility. *) Feature: the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines are now passed to the mail proxy authentication server. Thanks to Rob Mueller. *) Feature: request body filters API now permits buffering of the data being processed. *) Bugfix: backend SSL connections in the stream module might hang after an SSL handshake. *) Bugfix: the security level, which is available in OpenSSL 1.1.0 or newer, did not affect loading of the server certificates when set with "@SECLEVEL=N" in the "ssl_ciphers" directive. *) Bugfix: SSL connections with gRPC backends might hang if select, poll, or /dev/poll methods were used. *) Bugfix: when using HTTP/2 client request body was always written to disk if the "Content-Length" header line was not present in the request. -- Maxim Dounin http://nginx.org/ From xeioex at nginx.com Tue Aug 31 15:55:30 2021 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 31 Aug 2021 18:55:30 +0300 Subject: [nginx-announce] njs-0.6.2 Message-ID: Hello, I'm glad to announce a new release of NGINX JavaScript module (njs). This release proceeds to extend the coverage of ECMAScript specifications. Notable new features: - Advanced Promise constructor methods : Promise.all(urls.map(u => ngx.fetch(u))) : .then(responses => r.return(200, JSON.stringify(responses))) Learn more about njs: - Overview and introduction: https://nginx.org/en/docs/njs/ - NGINX JavaScript in Your Web Server Configuration: https://youtu.be/Jc_L6UffFOs - Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M - Using node modules with njs: https://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files: https://nginx.org/en/docs/njs/typescript.html Feel free to try it and give us feedback on: - Github: https://github.com/nginx/njs/issues - Mailing list: https://mailman.nginx.org/mailman/listinfo/nginx-devel Changes with njs 0.6.2 31 Aug 2021 nginx modules: *) Bugfix: fixed CPU hog when js_filter is registered in both directions. Core: *) Feature: introduced AggregateError implementation. *) Feature: added remaining Promise constructor methods. The following methods were added: Promise.all(), Promise.allSettled(), Promise.any(), Promise.race(). *) Improvement: removed recursion from code generator. *) Bugfix: fixed rest parameter parsing without binding identifier. *) Bugfix: fixed resolve/reject callback for Promise.prototype.finally(). *) Bugfix: fixed %TypedArray%.prototype.join() with detached buffer. *) Bugfix: fixed memory leak in interactive shell. From mdounin at mdounin.ru Tue Sep 7 15:32:07 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 7 Sep 2021 18:32:07 +0300 Subject: [nginx-announce] nginx-1.21.3 Message-ID: Changes with nginx 1.21.3 07 Sep 2021 *) Change: optimization of client request body reading when using HTTP/2. *) Bugfix: in request body filters internal API when using HTTP/2 and buffering of the data being processed. -- Maxim Dounin http://nginx.org/ From xeioex at nginx.com Tue Oct 19 16:44:27 2021 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 19 Oct 2021 19:44:27 +0300 Subject: [nginx-announce] njs-0.7.0 Message-ID: Hello, I'm glad to announce a new release of NGINX JavaScript module (njs). This release adds a bunch of long-awaited features. Notable new features: - async/await support: - HTTPS support in Fetch API: : async function content(r) { : let results = await Promise.all([ngx.fetch('https://nginx.org/'), : ngx.fetch('https://nginx.org/en/')]); : : r.return(200, JSON.stringify(results, undefined, 4)); : } - WebCrypto API support: : async function host_hash(r) { : let hash = await crypto.subtle.digest('SHA-512', r.headersIn.host); : r.setReturnValue(Buffer.from(hash).toString('hex')); : } Learn more about njs: - Overview and introduction: https://nginx.org/en/docs/njs/ - NGINX JavaScript in Your Web Server Configuration: https://youtu.be/Jc_L6UffFOs - Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M - Using node modules with njs: https://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files: https://nginx.org/en/docs/njs/typescript.html We are hiring: If you are a C programmer, passionate about Open Source and you love what we do, consider the following career opportunity: https://ffive.wd5.myworkdayjobs.com/NGINX/job/Ireland-Homebase/Software-Engineer-III---NGNIX-NJS_RP1022237 Feel free to try it and give us feedback on: - Github: https://github.com/nginx/njs/issues - Mailing list: https://mailman.nginx.org/mailman/listinfo/nginx-devel Changes with njs 0.7.0 19 Oct 2021 nginx modules: *) Feature: added HTTPS support for Fetch API. *) Feature: added setReturnValue() method. Core: *) Feature: introduced Async/Await implementation. *) Feature: added WebCrypto API implementation. *) Bugfix: fixed copying of closures for declared functions. The bug was introduced in 0.6.0. *) Bugfix: fixed unhandled promise rejection in handle events. *) Bugfix: fixed Response.headers getter in Fetch API. From mdounin at mdounin.ru Tue Nov 2 15:09:02 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 2 Nov 2021 18:09:02 +0300 Subject: [nginx-announce] nginx-1.21.4 Message-ID: Changes with nginx 1.21.4 02 Nov 2021 *) Change: support for NPN instead of ALPN to establish HTTP/2 connections has been removed. *) Change: now nginx rejects SSL connections if ALPN is used by the client, but no supported protocols can be negotiated. *) Change: the default value of the "sendfile_max_chunk" directive was changed to 2 megabytes. *) Feature: the "proxy_half_close" directive in the stream module. *) Feature: the "ssl_alpn" directive in the stream module. *) Feature: the $ssl_alpn_protocol variable. *) Feature: support for SSL_sendfile() when using OpenSSL 3.0. *) Feature: the "mp4_start_key_frame" directive in the ngx_http_mp4_module. Thanks to Tracey Jaquith. *) Bugfix: in the $content_length variable when using chunked transfer encoding. *) Bugfix: after receiving a response with incorrect length from a proxied backend nginx might nevertheless cache the connection. Thanks to Awdhesh Mathpal. *) Bugfix: invalid headers from backends were logged at the "info" level instead of "error"; the bug had appeared in 1.21.1. *) Bugfix: requests might hang when using HTTP/2 and the "aio_write" directive. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue Nov 16 14:58:41 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 16 Nov 2021 17:58:41 +0300 Subject: [nginx-announce] nginx-1.20.2 Message-ID: Changes with nginx 1.20.2 16 Nov 2021 *) Feature: OpenSSL 3.0 compatibility. *) Bugfix: SSL variables might be empty when used in logs; the bug had appeared in 1.19.5. *) Bugfix: keepalive connections with gRPC backends might not be closed after receiving a GOAWAY frame. *) Bugfix: backend SSL connections in the stream module might hang after an SSL handshake. *) Bugfix: SSL connections with gRPC backends might hang if select, poll, or /dev/poll methods were used. *) Bugfix: in the $content_length variable when using chunked transfer encoding. *) Bugfix: requests might hang when using HTTP/2 and the "aio_write" directive. -- Maxim Dounin http://nginx.org/ From vbart at nginx.com Fri Nov 19 22:27:37 2021 From: vbart at nginx.com (Valentin V. Bartenev) Date: Sat, 20 Nov 2021 01:27:37 +0300 Subject: [nginx-announce] unit-1.26.0 Message-ID: <3138835.aeNJFYEL58@vbart-laptop> Hi, I'm glad to announce a new release of NGINX Unit. Please read this letter to the end, as it explains some significant changes in the latest version. But first, I have great news for the PHP users: now the interpreter's OPcache is shared between the processes of an app. In previous versions, due to an architecture limitation (which imposed strong isolation, much stronger than was sometimes needed), each PHP process had a separate OPcache memory. As a result, with some workloads (especially involving many dynamic processes), performance could degrade because each new process had to warm up the cache after starting. Also, it required more memory because the bytecode of same PHP scripts was duplicated in each process. Now, all these flaws are finally gone. Next, we noticed that more and more users use Unit to serve static files, if only because it's efficient and easy to configure. Modern apps are all dynamic, yes, but at the same time, almost all apps and websites have static resources like images, scripts, styles, fonts, and media files. It's very important to supply these resources as fast as possible without any delays to smoothen the overall user experience. We take this aspect seriously and continue improving Unit capabilities as a generic static media web server. This time, all changes are about configuration flexibility. You may know that nginx has a number of different directives that control static file serving: - root - alias - try_files Some of these are mutually exclusive, some can be combined, some work differently depending on the location type. That gives the configuration a lot of flexibility but may look a bit complicated. Users kept asking us to provide the same functionality in Unit, but instead of just repeating these, we thought about how we can improve this experience to make it easier to understand without losing flexibility. Finally, we came up with a solution. In previous versions, we introduced the "share" directive, very similar to the "root" directive in nginx: { "share": "/path/to/dir/" } Basically, it specified the so-called document root directory. To determine a file to serve, Unit appended the URI from the request to this "share" path. For this request: GET /some/file.html The above configuration served "/path/to/dir/some/file.html". In simple times, that's exactly what you want. Still, there are plenty of cases when a different file needs to be served and the requested URI doesn't match a path. More, you may want to serve a single file for any requests; the so-called one-page apps often utilize such a scheme. Such border cases call for a finer degree of control over the full path to a file. As a result, we kept receiving suggestions like: { "share_file": "/path/to/a/file.html" } The idea was to specify the full path to the file instead of the document root part only. In parallel, we work variable support so we thought about introducing variable paths; for instance, you may want to serve different files depending on the normalized Host header: { "share_file": "/www/data/$host/app.html" } Sneak peek ahead: we have plans for ways to create custom variables that extract various parts of the request using regular expressions. Still, look at the suggested configuration: { "share_file": "/www/data/$uri" } And compare it to what we had: { "share": "/www/data/" } These configurations are essentially equal; why bother with another option at all? Figuring in the maxim that says that explicit is often better than implicit, this value: "/www/data/$uri" Is better and more self-descriptive than: "/www/data/" The latter only shows a part of the path, so you need to remind yourself that the URI is appended to it. Keeping this in mind and striving to have a cleaner configuration with fewer options to read about and to choose from, we finally decided to alter the behaviour of the "share" option. Starting with Unit 1.26.0, the "share" option specifies the *entire* path to a shared file rather than just the document root. And yes, the option supports variables, so you can write: { "share": "/www/data/$uri" } There won't be a separate "share_file" option. I used it only to illustrate the initial idea and the resulting change; the "share" option assumes all relevant functionality instead. If you run previous versions of Unit and use "share" in your configurations, an update to Unit 1.26+ will automatically append "$uri" to all your "share" values to preserve the expected behavior. Configurations like this: { "share": "/www/data/" } Are automatically rewritten as follows: { "share": "/www/data/$uri" } This occurs only once, after the version update. If you manage your configurations using some scripts and store them somewhere else, make sure to adjust the "share" values there accordingly. Note that Unit won't fix your "share" values that you upload in reconfiguration requests over the control socket API. To read more about the new share behavior, check the documentation: - https://unit.nginx.org/configuration/#static-files I hope this transition will be easy and as hassle-free as possible for our existing users. For new users, there is nothing to care about, just mind that blog posts or other sources about previous Unit versions can use configurations that rely on the discontinued "share" behavior, so make the necessary adjustments before copying them. All docs and howtos at the official Unit website were already updated: - https://unit.nginx.org/howto/ Are you with me? That's not the end of news about "share". Here's one more, and it's pretty exciting. Earlier, to implement a "try_files"-like behavior, you had to use something like this: { "share": "path1" "fallback": { "share": "path2" "fallback": { "pass": "application/blog" } } } This snippet tries to serve a file using "path1"; if it doesn't exist or is inaccessible, it falls back to "path2", and then passes the request further, to the blog app. Now it's much easier to configure: { "share": [ "path1", "path2" ] "fallback": { "pass": "application/blog" } } The "share" directive now can accept an array of paths, trying them one by one until a file is found. If there is no file to serve, the "fallback" action occurs; if no fallback is defined, the result of the last try is returned. And yes, all these paths can contain variables: { "share": [ "/www/$host$uri", "/www/static$uri", "/www/app.html" ] } For more examples and detailed explanations: - https://unit.nginx.org/configuration/#static-files In future releases, we'll introduce more variables and the ability to extract various parts of requests and save them into your custom variables, which will provide essentially endless flexibility to manipulate file paths. There are some more notable features in this release as well: 1. Variables support in the "chroot" option to accompany variable-based paths in "share" during static media serving. Learn more about Unit's ability to chroot while serving static assets: - https://unit.nginx.org/configuration/#path-restrictions 2. The "query" matching option to filter and route requests by arbitrary query string values. We already had the "arguments" option that enabled filtering and routing requests by particular key-value pairs of query string arguments, but the query string doesn't always fit this format. So, now you can also use regexps and wildcard matching to work on the full query string value. Learn more about our very flexible and elaborate request filtering and routing: - https://unit.nginx.org/configuration/#routes The complete change log for this release is below: Changes with Unit 1.26.0 18 Nov 2021 *) Change: the "share" option now specifies the entire path to the files it serves, rather than a document root directory to be prepended to the request URI. *) Feature: automatic adjustment of existing configurations to the new "share" behavior when updating from previous versions. *) Feature: variables support in the "share" option. *) Feature: multiple paths in the "share" option. *) Feature: variables support in the "chroot" option. *) Feature: PHP opcache is shared between application processes. *) Feature: request routing by the query string. *) Bugfix: the router and app processes could crash when the requests limit was reached by asynchronous or multithreaded apps. *) Bugfix: established WebSocket connections could stop reading frames from the client after the corresponding listener had been reconfigured. *) Bugfix: fixed building with glibc 2.34, notably Fedora 35. Other major features that we are preparing for the next release include: - basic statistics API for monitoring Unit instances - various variables for different aspects of request and connection data - customization of access log format with variables - custom variables out of regexp captures on various request parameters - simple request rewrite using variables - command-line tool to simplify the use of Unit's control socket API There probably will be even more. To participate, share your ideas, or discuss new features, you're welcome to visit Unit's issue tracker on GitHub: - https://github.com/nginx/unit/issues Stay tuned! wbr, Valentin V. Bartenev From vbart at nginx.com Thu Dec 2 19:23:52 2021 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 02 Dec 2021 22:23:52 +0300 Subject: [nginx-announce] unit-1.26.1 Message-ID: <4697340.31r3eYUQgx@vbart-laptop> Hi, I'm glad to announce a new release of NGINX Unit. This is a minor bugfix release that aims to eliminate some annoying regressions revealed after the release of Unit 1.26.0 two weeks ago. Notably, the shared OPcache implementation in that release required introducing some major architectural changes, but our functional tests didn't catch some regressions caused by these changes. Still, thanks to our active community, the issues were reported shortly after the release, and now we can provide an updated version. We will also improve our functional testing to avoid such regressions in the future. The most painful and visible one was that sometimes Unit daemon couldn't completely exit, leaving some zombie processes. However, the second attempt to stop it always succeeded. Also, some DragonFly BSD kernel interfaces are seemingly broken, preventing the Unit daemon from functioning, so we disabled their use when compiling for DragonFly BSD. Changes with Unit 1.26.1 02 Dec 2021 *) Bugfix: occasionally, the Unit daemon was unable to fully terminate; the bug had appeared in 1.26.0. *) Bugfix: a prototype process could crash on an application process exit; the bug had appeared in 1.26.0. *) Bugfix: the router process crashed on reconfiguration if "access_log" was configured without listeners. *) Bugfix: a segmentation fault occurred in the PHP module if chdir() or fastcgi_finish_request() was called in the OPcache preloading script. *) Bugfix: fatal errors on DragonFly BSD; the bug had appeared in 1.26.0. To know more about the bunch of changes introduced in Unit 1.26 and the roadmap for 1.27, please see the previous announcement: - https://mailman.nginx.org/pipermail/unit/2021-November/000288.html Thank you again for keeping your finger on the pulse, reporting issues and submitting feature requests via our GitHub issue tracker: - https://github.com/nginx/unit/issues Stay tuned! wbr, Valentin V. Bartenev From mdounin at mdounin.ru Tue Dec 28 15:41:56 2021 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 28 Dec 2021 18:41:56 +0300 Subject: [nginx-announce] nginx-1.21.5 Message-ID: Changes with nginx 1.21.5 28 Dec 2021 *) Change: now nginx is built with the PCRE2 library by default. *) Change: now nginx always uses sendfile(SF_NODISKIO) on FreeBSD. *) Feature: support for sendfile(SF_NOCACHE) on FreeBSD. *) Feature: the $ssl_curve variable. *) Bugfix: connections might hang when using HTTP/2 without SSL with the "sendfile" and "aio" directives. -- Maxim Dounin http://nginx.org/ From xeioex at nginx.com Tue Dec 28 16:07:12 2021 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 28 Dec 2021 19:07:12 +0300 Subject: [nginx-announce] njs-0.7.1 Message-ID: Hello, I'm glad to announce a new release of NGINX JavaScript module (njs). This release focuses on stabilization of recently released features including async/await and HTTPS support in ngx.fetch(). The "js_include" directive deprecated since 0.4.0 was removed. Also a series of user invisible refactoring was committed. The most prominent one is PCRE2 support. PCRE2 is the default RegExp engine now. Learn more about njs: - Overview and introduction: https://nginx.org/en/docs/njs/ - NGINX JavaScript in Your Web Server Configuration: https://youtu.be/Jc_L6UffFOs - Extending NGINX with Custom Code: https://youtu.be/0CVhq4AUU7M - Using node modules with njs: https://nginx.org/en/docs/njs/node_modules.html - Writing njs code using TypeScript definition files: https://nginx.org/en/docs/njs/typescript.html We are hiring: If you are a C programmer, passionate about Open Source and you love what we do, consider the following career opportunity: https://ffive.wd5.myworkdayjobs.com/NGINX/job/Ireland-Homebase/Software-Engineer-III---NGNIX-NJS_RP1022237 Feel free to try it and give us feedback on: - Github: https://github.com/nginx/njs/issues - Mailing list: https://mailman.nginx.org/mailman/listinfo/nginx-devel Changes with njs 0.7.1 28 Dec 2021 nginx modules: *) Change: the "js_include" directive deprecated since 0.4.0 was removed. *) Change: PCRE/PCRE2-specific code was moved to the modules. This ensures that njs uses the same RegExp library as nginx. Core: *) Feature: extended "fs" module. Added stat(), fstat() and friends. *) Change: default RegExp engine for CLI is switched to PCRE2. *) Bugfix: fixed decodeURI() and decodeURIComponent() with invalid byte strings. The bug was introduced in 0.4.3. *) Bugfix: fixed heap-use-after-free in await frame. The bug was introduced in 0.7.0. *) Bugfix: fixed WebCrypto sign() and verify() methods with OpenSSL 3.0. *) Bugfix: fixed exception throwing when RegExp match fails. The bug was introduced in 0.1.15. *) Bugfix: fixed catching of exception thrown in try block of async function. The bug was introduced in 0.7.0. *) Bugfix: fixed execution of async function in synchronous context. The bug was introduced in 0.7.0. *) Bugfix: fixed function redeclaration in CLI when interactive mode is on. The bug was introduced in 0.6.2. *) Bugfix: fixed typeof operator with DataView object. *) Bugfix: eliminated information leak in Buffer.from().