After 13 months of development, a new stable branch of the high-performance HTTP server and multi-protocol proxy server nginx 1.22.0 has been released. It incorporates the changes accumulated in the 1.21.x main branch.
From now on, all changes in the 1.22 stable branch will be limited to fixing bugs and serious vulnerabilities. The nginx 1.23 main branch will be created soon, and development of new features will continue there.
For ordinary users who do not need to ensure compatibility with third-party modules, the main branch is recommended; releases of the commercial product Nginx Plus are built from it every three months.
Main news in nginx 1.22.0
This new nginx 1.22.0 release strengthens protection against HTTP Request Smuggling attacks on front-end/back-end systems, which allow an attacker to access the contents of other users' requests processed in the same thread between the front-end and the back-end. Nginx now always returns an error when the CONNECT method is used; when the "Content-Length" and "Transfer-Encoding" headers are specified at the same time; and when there are spaces or control characters in the query string, in an HTTP header name, or in the value of the "Host" header.
Another notable addition in this release is support for variables in the "proxy_ssl_certificate", "proxy_ssl_certificate_key", "grpc_ssl_certificate", "grpc_ssl_certificate_key", "uwsgi_ssl_certificate" and "uwsgi_ssl_certificate_key" directives.
In addition, the mail proxy module gains support for "pipelining" mode, for sending multiple POP3 or IMAP requests over the same connection, as well as a new "max_errors" directive that specifies the maximum number of protocol errors after which the connection is closed.
The "Auth-SSL-Protocol" and "Auth-SSL-Cipher" headers are now passed to the mail proxy authentication server, and support for the ALPN TLS extension has been added to the stream module. The ssl_alpn directive is provided to define the list of supported ALPN protocols (h2, http/1.1), and the $ssl_alpn_protocol variable gives the ALPN protocol negotiated with the client.
Other notable changes:
- HTTP/1.0 requests that include the "Transfer-Encoding" HTTP header (which was introduced in HTTP/1.1) are blocked.
- On the FreeBSD platform, support for the sendfile system call, which is designed for direct transfer of data between a file descriptor and a socket, has been improved. The sendfile(SF_NODISKIO) mode is permanently enabled and support for the sendfile(SF_NOCACHE) mode has been added.
- The "fastopen" parameter has been added to the stream module; it enables "TCP Fast Open" mode for listening sockets.
- Fixed escaping of the characters """, "<", ">", "\", "^", "`", "{", "|" and "}" when proxying with a URI change.
- The proxy_half_close directive has been added to the stream module; it configures the behaviour when a proxied TCP connection is closed on one side ("TCP half-close").
- Added a new mp4_start_key_frame directive to the ngx_http_mp4_module module to start streaming video from a key frame.
- Added the $ssl_curve variable, which returns the type of elliptic curve chosen for key negotiation in the TLS session.
- The default value of the sendfile_max_chunk directive has been changed to 2 megabytes.
- Support for the OpenSSL 3.0 library is provided. Added support for calling SSL_sendfile() when using OpenSSL 3.0.
- Building with the PCRE2 library, which provides the functions for processing regular expressions, is enabled by default.
- When loading server certificates, the use of security levels, which are supported since OpenSSL 1.1.0 and set with the "@SECLEVEL=N" parameter in the ssl_ciphers directive, has been fixed.
- Removed support for export cipher suites.
- In the request body filter API, buffering of the processed data is allowed.
- Removed support for establishing HTTP/2 connections using the Next Protocol Negotiation (NPN) extension instead of ALPN.
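
The request-rejection rules described above (CONNECT, "Content-Length" together with "Transfer-Encoding", spaces or control characters, and "Transfer-Encoding" in HTTP/1.0 requests) can be modelled as a small checker for regression tests or log triage. This is an added example, not nginx code: it is a simplified model of the rules as listed here, and the function name and sample requests are constructed for illustration.

```python
import re

# A space or a control character (0x00-0x1f, 0x7f), per the rules listed above.
BAD = re.compile(rb"[\x00-\x20\x7f]")

def smuggling_findings(raw: bytes) -> list[str]:
    """Return the reasons a request head would be refused under the listed rules."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    findings = []
    # Request line is "method SP target SP version". Split from both ends so
    # that stray spaces inside the target stay visible to the query check.
    method, _, rest = lines[0].partition(b" ")
    target, _, version = rest.rpartition(b" ")
    if method == b"CONNECT":
        findings.append("CONNECT method")
    _, _, query = target.partition(b"?")
    if BAD.search(query):
        findings.append("space or control character in query string")
    names = set()
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if BAD.search(name):
            findings.append("space or control character in header name")
        name = name.strip().lower()
        names.add(name)
        # Optional whitespace around the value is legal; anything inside is not.
        if name == b"host" and BAD.search(value.strip(b" \t")):
            findings.append("space or control character in Host value")
    if {b"content-length", b"transfer-encoding"} <= names:
        findings.append("Content-Length together with Transfer-Encoding")
    if version == b"HTTP/1.0" and b"transfer-encoding" in names:
        findings.append("Transfer-Encoding in an HTTP/1.0 request")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"GET /a?x=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "cl_te": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n",
    "name_space": b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Test : 1\r\n\r\n",
    "query_space": b"GET /a?x=1 y=2 HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "host_ctl": b"GET / HTTP/1.1\r\nHost: example.test\x0bx\r\n\r\n",
    "te_http10": b"GET / HTTP/1.0\r\nTransfer-Encoding: chunked\r\n\r\n",
    "connect": b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, smuggling_findings(raw))
```

An empty list means the request head passes every rule in this model; each string in a non-empty list names one rule that the request violates.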
Finally, if you are interested in knowing more about it, you can check the details at the following link.