I'm glad to announce a new release of NGINX Unit.
This release includes a few internal routing improvements that simplify some
configurations and a new isolation option for chrooting application processes
Changes with Unit 1.18.0 28 May 2020
*) Feature: the "rootfs" isolation option for changing root filesystem
for an application.
*) Feature: multiple "targets" in PHP applications.
*) Feature: support for percent encoding in the "uri" and "arguments"
matching options and in the "pass" option.
Also, our official packages for the recently released Ubuntu 20.04 (Focal Fossa)
are available now:
At least two of the features in this release deserve special attention.
Changing The Root Filesystem
Security is our top priority, so let's look closer at the "rootfs"
The coolest thing about it is that it's not just a simple chroot() system
call as some may expect. It's not a secret that chroot() is not intended
for security purposes, and there's plenty of ways for an attacker to get out
of the chrooted directory (just check "man 2 chroot"). That's why on modern
systems Unit can use pivot_root() with the "mount" namespace isolation
enabled, which is way more secure and pretty similar to putting your
application in an individual container.
Also, our goal is to make any security option as easy to use as possible.
In this case, Unit automatically tries to mount all the necessary
language-specific dependencies inside a new root, so you won't need
to care about them. Currently, this capability works for selected languages
only, but the support will be extended in the next releases.
For more information and examples of "rootfs" usage, check the documentation:
Now to the second feature...
Multiple PHP application "targets"
The other major update in this release is called "targets", aiming to simplify
configuration for many PHP applications. Perhaps, it is best illustrated by an
example: WordPress. This is one of many applications that use two different
1. Most user requests are handled by index.php regardless of the actual
2. Administration interface and some components rely on direct requests
to specific .php scripts named in the URI.
Earlier, users had to configure two Unit applications to handle this disparity:
The first app directly executes the .php scripts named by the URI, whereas the
second one passes all requests to index.php.
Now, you can use "targets" instead:
The complete example is available in our WordPress howto:
You can configure as many "targets" in one PHP application as you want, routing
requests between them using various sophisticated request matching rules.
Check our website to know more about the new option:
To learn more about request matching rules:
Finally, see here for more howtos:
We have plenty of them, covering many popular web applications and frameworks,
but if your favorite one is still missing, let us know by opening a ticket here:
To keep the finger on the pulse, refer to our further plans in the roadmap here:
wbr, Valentin V. Bartenev
Changes with nginx 1.19.0 26 May 2020
*) Feature: client certificate validation with OCSP.
*) Bugfix: "upstream sent frame for closed stream" errors might occur
when working with gRPC backends.
*) Bugfix: OCSP stapling might not work if the "resolver" directive was
*) Bugfix: connections with incorrect HTTP/2 preface were not logged.
This release extends http module.
Notable new features:
- raw headers API:
With the following request headers:
: Host: localhost
: Foo: bar
: foo: bar2
All 'foo' headers can be collected with the syntax:
: r.rawHeadersIn.filter(v=>v.toLowerCase() == 'foo').map(v=>v);
the output will be:
: ['bar', 'bar2']
- TypeScript API definition:
: /// <reference path="ngx_http_js_module.d.ts" />
: function content_handler(r: NginxHTTPRequest)
: r.headersOut['content-type'] = 'text/plain';
: r.return(200, "Hello from TypeScript");
: tsc foo.ts --outFile foo.js
foo.js can be used directly with njs.
You can learn more about njs:
- Overview and introduction: http://nginx.org/en/docs/njs/
- Using node modules with njs: http://nginx.org/en/docs/njs/node_modules.html
- Writing njs code using TypeScript definition files:
Feel free to try it and give us feedback on:
- Github: https://github.com/nginx/njs/issues
- Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel
Changes with njs 0.4.1 19 May 2020
*) Feature: added support for multi-value headers in r.headersIn.
*) Feature: introduced raw headers API.
*) Feature: added TypeScript API description.
*) Bugfix: fixed Array.prototype.slice() for sparse arrays.