Emva kweenyanga ezili-13 zophuhliso isebe elitsha elizinzileyo likhululiwe Umncedisi we-HTTP osebenza kakhulu kunye nomncedisi wommeli weprotocol ezininzi nginx 1.22.0, olubandakanya utshintsho oluqokelelwe kwi-1.21.x yesebe eliphambili.
Kwixesha elizayo, lonke utshintsho kwi-1.22 yesebe elizinzileyo liya kunxulumana nokulungiswa kweempazamo kunye nobuthathaka obunzulu. Isebe eliphambili le-nginx 1.23 liza kwenziwa kungekudala, apho ukuphuhliswa kweempawu ezintsha kuya kuqhubeka.
Kubasebenzisi abaqhelekileyo abangenawo umsebenzi wokuqinisekisa ukuhambelana neemodyuli zeqela lesithathu, kucetyiswa ukuba kusetyenziswe isebe eliphambili, ngokusekelwe kwiinguqulelo zemveliso yorhwebo i-Nginx Plus zenziwe rhoqo emva kweenyanga ezintathu.
Iindaba eziphambili kwi-nginx 1.22.0
Kolu guqulelo lutsha lwe nginx 1.22.0 oluvezwayo, i Ukhuseleko olomeleziweyo kuhlaselo lweklasi yeSicelo se-HTTP kwiinkqubo ze-front-end-backend ezikuvumela ukuba ufikelele kumxholo wezicelo zabanye abasebenzisi eziqhutywe kumsonto ofanayo phakathi kwesiphelo sangaphambili kunye nesiphelo sangasemva. I-Nginx ngoku ihlala ibuyisela imposiso xa usebenzisa indlela ye-CONNECT; ngokuchaza ngaxeshanye "Ubude boMxholo" kunye "noKugqithiselwa-Ukufakwa kweekhowudi" okubhalwe phezulu; xa kukho izithuba okanye iimpawu zolawulo kuluhlu lombuzo, igama lesihloko seHTTP, okanye "Inginginya" ixabiso leheader.
Enye into entsha ebalaseleyo kule nguqulo intsha kukuba ukongeza inkxaso yeenguqu kwizikhokelo "proxy_ssl_certificate", "proxy_ssl_certificate_key", "grpc_ssl_certificate", "grpc_ssl_certificate_key", "uwsgi_ssl_certificate" kunye ne "uwsgi_ssl_certificate_key".
Ukongeza, kukwaphawulwa ukuba yongezwa inkxaso ye "pipelining" mode Ukuthumela izicelo ezininzi ze-POP3 okanye ze-IMAP kuqhagamshelwano olufanayo kwimodyuli yommeli weposi, ngokunjalo nomyalelo omtsha "weempazamo_zinkulu" ochaza ubuninzi benani leempazamo zeprotocol emva kokuba uqhagamshelwano luya kuvalwa.
Izihloko "I-Auth-SSL-Protocol" kunye ne "Auth-SSL-Cipher" zigqithiselwa kwi-imeyile yokuqinisekisa umncedisi womncedisi, kunye nenkxaso yolwandiso lwe-ALPN TLS yongezwa kwimodyuli yothumelo. Ukumisela uluhlu lwemigaqo ye-ALPN exhaswayo (h2, http/1.1), kucetywayo ssl_alpn umyalelo, kunye nokufumana ulwazi malunga neprotocol ye-ALPN ekuvunyelwene ngayo nomxhasi, i-variable $ssl_alpn_protocol.
Olunye utshintsho ezibalaseleyo:
- Ukuthintela izicelo ze-HTTP/1.0 ezibandakanya i-header ye-HTTP ethi "Transfer-Encoding" (efakwe kwi-HTTP/1.1 protocol version).
- Iqonga le-FreeBSD liye laphucula inkxaso ye-sendfile system call, eyenzelwe ukucwangcisa ukuhanjiswa ngokuthe ngqo kwedatha phakathi kwenkcazo yefayile kunye nesokhethi. Imo ye-sendfile(SF_NODISKIO) yenziwe yasebenza ngokusisigxina kwaye nenkxaso ye-sendfile(SF_NOCACHE) mode yongeziwe.
- Iparamitha "yokukhawuleza" yongezwe kwimodyuli yokudlulisa, eyenza "i-TCP Fast Open" imowudi yokuphulaphula iziseko.
- Ubaleko oluzinzileyo lwabalinganiswa """, "<", ">", "\", "^", "`", "{", "|" kunye "}" xa usebenzisa ummeli ngotshintsho lwe-URI.
- Umyalelo we-proxy_half_close wongezwe kwimodyuli yomlambo, apho ukuziphatha xa uxhulumaniso lwe-proxy ye-TCP luvaliwe kwelinye icala ("i-TCP i-half-close") ingaqwalaselwa.
- Kongezwe i-mp4_start_key_frame yomyalelo kwimodyuli ye-ngx_http_mp4_ ukusasaza ividiyo kwisakhelo esingundoqo.
- Kongezwe okuguquguqukayo kwe-$ssl_curve ukubuyisela uhlobo lwegophe oluyi-elliptic olukhethiweyo kuthethwano oluphambili kwiseshoni yeTLS.
- Umyalelo we sendfile_max_chunk utshintshe ixabiso elingagqibekanga libe ziimegabytes ezi-2;
- Inkxaso enikezelweyo ngethala leencwadi le-OpenSSL 3.0. Inkxaso eyongeziweyo yokufowunela i-SSL_sendfile() xa usebenzisa i-OpenSSL 3.0.
- Indibano kunye nethala leencwadi le-PCRE2 yenziwe ngokungagqibekanga kwaye ibonelela ngemisebenzi yokusetyenzwa rhoqo kweentetho.
- Xa kulayishwa izatifikethi zeseva, ukusetyenziswa kwamanqanaba okhuseleko axhaswayo ukususela kwi-OpenSSL 1.1.0 kunye nokusetwa nge-"@SECLEVEL=N" ipharamitha kumyalelo we-ssl_ciphers iye yahlengahlengiswa.
- Isusiwe i-export cipher suite inkxaso.
- Kwisicelo sokuhluza umzimba we-API, ukugcinwa kwedatha kuvunyelwe.
- Isusiwe inkxaso yokuseka uqhagamshelo lwe-HTTP/2 usebenzisa i-Negotiation ye-Negotiation elandelayo (NPN) endaweni ye-ALPN.
Gqibela ukuba unomdla wokwazi okungakumbi ngayo, ungajonga iinkcukacha Kule khonkco ilandelayo.