BLOG | NGINX

Announcing NGINX Plus R32

NGINX-Part-of-F5-horiz-black-type-RGB
 Miniature
Published May 29, 2024

We’re excited to announce the availability of NGINX Plus Release 32 (R32). Based on NGINX Open Source, NGINX Plus is the only all-in-one software web server, load balancer, reverse proxy, content cache, and API gateway.

New and enhanced features in NGINX Plus R32 include:

  • SSL Certificate Caching — NGINX Plus R32 introduces significant improvements in NGINX startup time and memory usage in cases of configurations with a large number of locations with repeated SSL certificate/key pairs.
  • Stream_pass module — NGINX Plus R32 now allows the stream module to serve as a router, allowing connections to be conditionally passed from the stream module to other modules like http, mail, or back to stream itself.
  • NGINX Plus official container images — NGINX Plus R32 introduces the availability of official NGINX Plus container images for both privileged and unprivileged container runtimes. Additionally, both deployment methods ship with optional container images that include NGINX Agent, a companion daemon that enables seamless integration with NGINX management plane solutions.

Rounding out the release are new features and bug fixes inherited from NGINX Open source and updates to the NGINX JavaScript module.

Important Changes in Behavior

Note: If you are upgrading from a release other than NGINX Plus R31, be sure to check the Important Changes in Behavior section in previous announcement blogs for all releases between your current version and this one.

Deprecation of the OpenTracing Module

The OpenTracing module, introduced in NGINX Plus R18 is being deprecated and marked for removal in NGINX Plus R34. Associated packages will be made available with all NGINX Plus releases until then. We strongly advise replacing the usage of the OpenTracing module with the OpenTelemetry module, introduced in NGINX Plus R29.

Removal of the ModSecurity Module

The ModSecurity module reached end of support on March 31st 2024. As a result, the modsec packages have been removed from the NGINX Plus repository and will no longer be available from the NGINX Plus repository going forward.

PGP Key Update

NGINX Open Source and NGINX Plus packages are signed using a PGP key. This key is set to expire on June 16, 2024. We have updated the key’s expiration date so existing packages can continue to be verified after June 16th, 2024. We will generate new key pairs to sign packages for upcoming releases.

All NGINX users should download and install the updated PGP key by following these steps:

On Ubuntu/Debian:

wget -qO - https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

On RHEL/CentOS:

sudo rpm -e gpg-pubkey-7bd9bf62-5762b5f8
sudo rpm --import https://nginx.org/keys/nginx_signing.key

You will not be able to verify your software signatures after June 16th, 2024, until you update your key.

Future Packaging and Release Policy

In future NGINX Plus releases, we will be streamlining our packaging and release policy. NGINX Plus will be built and tested on only the latest versions of supported operating system distributions. If you are installing NGINX Plus on older distributions, your package manager may suggest updating the dependent libraries and packages.

Changes to Platform Support

The following changes have been made to supported platforms in this release.

New operating systems supported:

  • Ubuntu 24.04

Older operating systems removed:

  • FreeBSD 12 which reached EOL on Dec 31, 2023

Older operating systems deprecated and scheduled for removal in NGINX Plus R33:

  • CentOS7/RHEL7/Oracle Linux 7
  • Alpine Linux 3.16

New Features in Detail

SSL Certificate Caching to Improve NGINX load behavior

Previously, NGINX loaded a certificate, key, or certificate revocation list each time it was referenced in the NGINX configuration. This meant that multiple references to the same object resulted in an equal number of reloads of that object. This latency would be compounded when inheriting directives like lists of trusted certificates. Under certain conditions, this behavior would significantly impact NGINX startup time and could require large amounts of memory to store configurations.

Under the new behavior, SSL directives now reference cached certificate files and related objects. As a result, memory footprints and load times for configurations that repeatedly reference the same certificate objects is drastically reduced. The benefit is most evident in cases involving large NGINX configurations where a small set of trusted certificates are referenced across a large number of location blocks.

Here is a visualization of the load time improvement where NGINX is configured with approximately 5400 locations blocks (top-level and nested) and 878 certificates.

load time improvement

Notice the significant drop in load times towards the right side of the graph, where the average load time decreases from approximately 40 seconds before the change to ~6 seconds under the new behavior.

Pass Connections from Stream Module to Other Modules

NGINX Plus R32 inherits a feature from NGINX open source 1.25.5 that adds a new layer of configurability to NGINX. Specifically, NGINX stream module can now function as a router, serving as a proxy with the ability to pass connections from the stream context to other contexts like http, mail, or to a separate virtual server within the stream context itself.

This functionality is available as part of the ngx_stream_pass_module module, introduced in this release. The module has a single directive “pass” which can be used to specify the address to pass client connections to. The address can be specified by an IP address and port combination, a socket path, or referenced by NGINX variables.

With this functionality, customers who wish to run all their traffic through a single L4 endpoint can now terminate SSL connections at the L4 stream context and pass them to other modules (http, mail) or other virtual servers within the stream context. Additionally, SSL connections can be conditionally terminated based on server names or protocols, while proxying remaining traffic elsewhere. This unlocks a new set of possible configuration behaviors for managing traffic from a single endpoint.

The following configuration snippet terminates SSL connections in the stream module and conditionally passes them to the http context or another virtual server in the stream context, based on the requested server name.

http {
    server {
        listen 8000;

        location / {
            return 200 foo;
        }
    }
}

stream {
	 map $ssl_server_name $pass_port {
		foo.example.com 8000;
		default 9001;
	
	}

    server {
        listen 9000 ssl;

        ssl_certificate     domain.crt;
        ssl_certificate_key domain.key;

        pass 127.0.0.1:$pass_port;
    }
	server{
		listen 9001;
		return bar\n;
	}

}

In this example, all SSL connections are terminated at the stream server block. Depending on the server name in the incoming request, connections are either passed to the http server listening on port 8000 or to the stream virtual server listening on port 9001.

Another application of the module addresses use-cases where a third-party module does not support SSL termination. In such scenarios, the stream_pass module can terminate TLS encrypted connections before passing them to the third-party module.

This example demonstrates how the RTMP module, which natively does not support SSL, can use the stream_pass module to accept TLS encrypted traffic.

rtmp {
    server {
        listen 1935;#rtmp
	
	application foo{
		
		live on;
        }
    }
}

stream {
    server {
        listen 1936 ssl; #rtmps

        ssl_certificate     domain.crt;
        ssl_certificate_key domain.key;

        pass 127.0.0.1:1935;
    }
}

In this configuration snippet, the SSL connection is terminated in the stream server block and passed to the rtmp. The connection appears unencrypted to the RTMP module, which removes the need for additional customization or processing overhead to support SSL connections.

NGINX Plus Container Images

NGINX Plus R32 includes official availability of NGINX Plus container images for both privileged and unprivileged execution of NGINX Plus. Both container types are also made available with optional installations of NGINX Agent for easy connectivity to NGINX supported management planes. The images can be downloaded from the NGINX registry, available at: private-registry.nginx.com. Follow these instructions to access the image with your NGINX Plus certificate and key or JSON Web Token (JWT).

Other Enhancements and Bug Fixes in NGINX Plus R32

Bug Fix in the MQTT Module

  • Malformed packets when using default properties: This release contains a fix for an issue leading to malformed packets in the Message Queuing Telemetry Transport (MQTT) module, introduced in NGINX Plus R29. Previously, when the properties field was present and contained default values for all properties in the MQTT Connect message, the length of the outgoing packet did not account for the property length field (1 byte). This caused the packet length to be 1 byte less than expected and led to a malformed packet. This fix in R32 addresses that issue.

Bug Fix in the zone_sync Module

  • Memory leak on configuration reload: Previously, pending queue synchronization operations used chain links allocated from a distinct pool that was never freed. This led to memory leaks in the master, as well as all worker processes. The fix in this release reverts to an earlier zone sync implementation that uses a cycle pool for the pending queue.

Security Fixes

The following potential security issues were identified and fixed in the experimental HTTP3/QUIC implementation.

  • Heap overflow with write (CVE-2024-32760): Undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause other possible impacts.
  • Stack overflow/use after free (CVE-2024-31079): Undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other possible impacts. This attack requires that a request be specifically timed during the connection draining process, to which the attacker has no visibility and limited influence over.
  • Null pointer dereference with empty header (CVE-2024-35200): Undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other possible impacts.
  • Memory disclosure during QUIC handshake (CVE-2024-34161): When the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC messages can cause NGINX worker processes to terminate or cause leakage of previously freed memory.

Changes Inherited from NGINX Open Source

NGINX Plus R32 is based on NGINX Open Source 1.25.5 and inherits functional changes, features, and bug fixes made since NGINX Plus R31 was released (in NGINX 1.25.4 and 1.25.5).

Features:

  • Virtual servers in the stream module.
  • The ngx_stream_pass_module.
  • The "deferred", "accept_filter", and "setfib" parameters of the "listen" directive in the stream module.
  • Cache line size detection for some architectures.
  • Support for Homebrew on Apple Silicon.

Bug Fixes:

  • Windows cross-compilation bugfixes and improvements.
  • Unexpected connection closure while using 0-RTT in QUIC.
  • Connections with pending AIO operations might be closed prematurely during graceful shutdown of old worker processes.
  • Socket leak alerts no longer logged when fast shutdown was requested after graceful shutdown of old worker processes.
  • A socket descriptor error, a socket leak, or a segmentation fault in a worker process (for SSL proxying) might occur if AIO was used in a subrequest.
  • A segmentation fault might occur in a worker process if SSL proxying was used along with the "image_filter" directive and errors with code 415 were redirected with the "error_page" directive.
  • Bug fixes and improvements in HTTP/3.

Security:

  • When using HTTP/3 a segmentation fault might occur in a worker process while processing a specially crafted QUIC session (CVE-2024-24989, CVE-2024-24990).

For the full list of new changes, features, bug fixes, and workarounds inherited from recent releases, see the NGINX changes file.

Changes to the NGINX JavaScript Module

NGINX Plus R32 incorporates changes from the NGINX JavaScript (njs) module version 0.8.4. The following is a list of notable changes in njs since 0.8.2 (which was the version shipped with NGINX Plus R31).

Features

  • Feature: the Server header for outgoing header can be set.
  • Feature: QuickJS engine support in CLI.

Changes

  • Improvement: validation of URI and args arguments in r.subrequest().
  • Improvement: checks for duplicate js_set variables.

Bug Fixes

  • Bugfix: fixed Headers.set().
  • Bugfix: fixed js_set with Buffer values.
  • Bugfix: fixed clear() method of a shared dictionary when a timeout is not specified.
  • Bugfix: fixed stub_status statistics when js_periodic is enabled.
  • Bugfix: fixed building with libxml2 2.12 and later.
  • Bugfix: fixed Date constructor for overflows and with NaN values.
  • Bugfix: fixed underflow in querystring.parse().
  • Bugfix: fixed potential buffer overread in String.prototype.match().
  • Bugfix: fixed parsing of for-in loops.
  • Bugfix: fixed parsing of hexadecimal, octal, and binary literals with no digits.
  • Bugfix: fixed clear() method of a shared dictionary without a timeout introduced in 0.8.3.
  • Bugfix: fixed r.send() method of a shared dictionary without a timeout with Buffer argument.
  • Bugfix: fixed atob() with non-padded base64 strings.

For a comprehensive list of all the features, changes, and bug fixes, see the njs Changelog.

Upgrade or Try NGINX Plus

If you’re running NGINX Plus, we strongly encourage you to upgrade to NGINX Plus R32 as soon as possible. In addition to all the great new features, you’ll also pick up several additional fixes and improvements, making it easier for NGINX to help you if you need to raise a support ticket.

If you aren’t an NGINX Plus user, we encourage you to give it a try. You can use it for security, load balancing, and API gateway use cases, or as a fully supported web server with enhanced monitoring and management APIs. Get started today with a  free 30-day trial.


"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous NGINX.com links will redirect to similar NGINX content on F5.com."