nginx 1.22.0 has been released

After 13 months of development, a new stable branch of the high-performance HTTP server and multi-protocol proxy server nginx, version 1.22.0, has been released. It incorporates the changes accumulated in the 1.21.x main branch.

From now on, all changes in the 1.22 stable branch will be limited to bug fixes and fixes for serious vulnerabilities. The nginx 1.23 main branch will be created soon, and development of new features will continue there.

For ordinary users who do not need to maintain compatibility with third-party modules, the main branch is recommended; it is also the basis for the releases of the commercial product Nginx Plus, which are produced every three months.

Main news in nginx 1.22.0

This new version, nginx 1.22.0, brings enhanced protection against attacks of the HTTP Request Smuggling class in front-end/back-end setups, in which an attacker gains access to the content of other users' requests processed over the same connection between the front-end and the back-end. nginx now always returns an error when the CONNECT method is used; when the "Content-Length" and "Transfer-Encoding" headers are both present; and when there are spaces or control characters in the request line, in an HTTP header name, or in the "Host" header value.

Another notable addition in this version is support for variables in the "proxy_ssl_certificate", "proxy_ssl_certificate_key", "grpc_ssl_certificate", "grpc_ssl_certificate_key", "uwsgi_ssl_certificate" and "uwsgi_ssl_certificate_key" directives.

In addition, the mail proxy module gained support for "pipelining" mode, which allows multiple POP3 or IMAP commands to be sent on the same connection, as well as a new "max_errors" directive that sets the maximum number of protocol errors after which the connection is closed.

The "Auth-SSL-Protocol" and "Auth-SSL-Cipher" headers are now passed to the mail proxy authentication server. Support for the ALPN TLS extension was added to the stream module: the ssl_alpn directive defines the list of supported ALPN protocols (for example h2 and http/1.1), and the $ssl_alpn_protocol variable exposes the ALPN protocol negotiated with the client.
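As an added illustration, not taken from the article or from the nginx project, the following configuration fragment exercises the three features just described in one place: an upstream client certificate selected through a variable, a mail proxy with the new max_errors limit, and a stream server that negotiates ALPN and logs the selected protocol. Host names, file paths, ports and the auth backend address are placeholders.

```nginx
# Added example configuration; host names, file paths and ports are placeholders.

http {
    server {
        listen 443 ssl;
        server_name app.example.com;
        ssl_certificate     /etc/nginx/certs/app.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/app.example.com.key;

        location / {
            proxy_pass https://backend.internal;
            # Since 1.21.0 the client certificate presented to the upstream may be
            # chosen with variables; here the file is picked by the SNI name the
            # client sent. With variables the file is loaded per upstream connection
            # rather than once at startup, so keep the directory small and fast.
            proxy_ssl_certificate         /etc/nginx/upstream-certs/$ssl_server_name.crt;
            proxy_ssl_certificate_key     /etc/nginx/upstream-certs/$ssl_server_name.key;
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /etc/nginx/upstream-certs/ca.crt;
        }
    }
}

mail {
    server_name mail.example.com;
    # Authentication backend; with a TLS listener it now also receives the
    # Auth-SSL-Protocol and Auth-SSL-Cipher headers describing the client session.
    auth_http   127.0.0.1:9000/auth;
    # Close the client connection after three protocol errors (the default is 5).
    max_errors  3;

    server {
        listen   993 ssl;
        protocol imap;
        ssl_certificate     /etc/nginx/certs/mail.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/mail.example.com.key;
        imap_auth plain login;
    }
}

stream {
    # $ssl_alpn_protocol is empty when the client did not use ALPN.
    log_format alpn '$remote_addr [$time_local] alpn="$ssl_alpn_protocol" '
                    'proto=$ssl_protocol status=$status';
    access_log /var/log/nginx/stream-alpn.log alpn;

    upstream tls_backends {
        server 10.0.0.10:443;
    }

    server {
        listen 8443 ssl;
        ssl_certificate     /etc/nginx/certs/app.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/app.example.com.key;
        # A client that uses ALPN must negotiate one of these identifiers;
        # otherwise the TLS handshake fails.
        ssl_alpn h2 http/1.1;
        proxy_pass tls_backends;
    }
}
```

The stream access log is the useful part for operators: after a rollout, an unexpectedly high share of empty alpn="" entries or of handshake failures points at clients whose ALPN list does not overlap the ssl_alpn list.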

Of the other changes that stand out:

  • Blocking of HTTP/1.0 requests that include the "Transfer-Encoding" HTTP header (the header was introduced in HTTP/1.1).
  • Improved support for the sendfile system call on FreeBSD, which copies data directly between a file descriptor and a socket. The sendfile(SF_NODISKIO) mode is now always enabled, and support for the sendfile(SF_NOCACHE) mode has been added.
  • The "fastopen" parameter has been added to the stream module; it enables "TCP Fast Open" mode for listening sockets.
  • Fixed escaping of the characters '"', "<", ">", "\", "^", "`", "{", "|" and "}" when proxying with URI changes.
  • The proxy_half_close directive has been added to the stream module; it configures the behavior when one side of a proxied TCP connection is closed ("TCP half-close").
  • Added the mp4_start_key_frame directive to the ngx_http_mp4_module module to start streaming a video from a key frame.
  • Added the $ssl_curve variable, which returns the elliptic curve selected for key negotiation in a TLS session.
  • The default value of the sendfile_max_chunk directive was changed to 2 megabytes.
  • Support for the OpenSSL 3.0 library. Added support for calling SSL_sendfile() when using OpenSSL 3.0.
  • Building with the PCRE2 library, which provides the regular-expression functions, is now enabled by default.
  • When loading server certificates, the use of security levels (supported since OpenSSL 1.1.0 and set via the "@SECLEVEL=N" parameter in the ssl_ciphers directive) has been adjusted.
  • Removed support for export cipher suites.
  • The request body filtering API now allows buffering of processed data.
  • Removed support for establishing HTTP/2 connections using the NPN (Next Protocol Negotiation) extension instead of ALPN.
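An added configuration example, not from the article or from nginx itself, that puts several of the items above to use: the sendfile_max_chunk default made explicit, $ssl_curve recorded in the access log, an OpenSSL security level set through "@SECLEVEL=N", mp4_start_key_frame for a video location, and a stream listener using the fastopen parameter together with proxy_half_close. Paths, host names, ports and the backend address are placeholders.

```nginx
# Added example configuration; paths, host names and ports are placeholders.

http {
    sendfile on;
    # 1.22.0 raised the default to 2m; stating it explicitly documents the intent.
    sendfile_max_chunk 2m;

    # $ssl_curve records the curve chosen for key exchange (for example X25519 or
    # prime256v1), which is handy for auditing what clients actually negotiate.
    log_format tls '$remote_addr "$request" $status '
                   'proto=$ssl_protocol cipher=$ssl_cipher curve=$ssl_curve';
    access_log /var/log/nginx/tls.log tls;

    server {
        listen 443 ssl;
        server_name media.example.com;
        ssl_certificate     /etc/nginx/certs/media.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/media.example.com.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        # OpenSSL security level 2 (112-bit security): rejects RSA/DSA/DH keys
        # shorter than 2048 bits and ECC keys shorter than 224 bits. Since 1.22.0
        # the level is also taken into account when the server certificate is
        # loaded. Export cipher suites are gone regardless of this setting.
        ssl_ciphers "ECDHE+AESGCM:ECDHE+CHACHA20:@SECLEVEL=2";

        location /video/ {
            root /srv/media;
            mp4;
            # Begin streaming at the nearest key frame when a start offset is
            # requested, so playback does not start on an undecodable frame.
            mp4_start_key_frame on;
        }
    }
}

stream {
    upstream tcp_backends {
        server 10.0.0.20:5000;
    }

    server {
        # TCP Fast Open with a queue of 256 connections that have not finished the
        # three-way handshake; requires kernel support (net.ipv4.tcp_fastopen on Linux).
        listen 5000 fastopen=256;
        # Keep proxying in the remaining direction after one side sends FIN,
        # instead of tearing down both directions at once.
        proxy_half_close on;
        proxy_pass tcp_backends;
    }
}
```

Because a security level that is too strict makes an otherwise valid certificate or client cipher list fail at load or handshake time, test a "@SECLEVEL=N" change with nginx -t and a TLS client before reloading a production instance.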

Finally, if you are interested in learning more, you can check the details at the following link.

