05/29/2024 | News release | Distributed by Public on 05/29/2024 08:11
We're excited to announce the availability of NGINX Plus Release 32 (R32). Based on NGINX Open Source, NGINX Plus is the only all-in-one software web server, load balancer, reverse proxy, content cache, and API gateway.
New and enhanced features in NGINX Plus R32 include:
Rounding out the release are new features and bug fixes inherited from NGINX Open Source and updates to the NGINX JavaScript module.
Important Changes in Behavior
Note: If you are upgrading from a release other than NGINX Plus R31, be sure to check the Important Changes in Behavior section in previous announcement blogs for all releases between your current version and this one.
Deprecation of the OpenTracing Module
The OpenTracing module, introduced in NGINX Plus R18, is being deprecated and marked for removal in NGINX Plus R34. Associated packages will be made available with all NGINX Plus releases until then. We strongly advise replacing the usage of the OpenTracing module with the OpenTelemetry module, introduced in NGINX Plus R29.
Removal of the ModSecurity Module
The ModSecurity module reached end of support on March 31st, 2024. As a result, the modsec packages have been removed from the NGINX Plus repository and will no longer be available from it.
PGP Key Update
NGINX Open Source and NGINX Plus packages are signed using a PGP key. This key is set to expire on June 16, 2024. We have updated the key's expiration date so existing packages can continue to be verified after June 16th, 2024. We will generate new key pairs to sign packages for upcoming releases.
All NGINX users should download and install the updated PGP key by following these steps:
On Ubuntu/Debian:
On RHEL/CentOS:
You will not be able to verify your software signatures after June 16th, 2024, until you update your key.
Future Packaging and Release Policy
In future NGINX Plus releases, we will be streamlining our packaging and release policy. NGINX Plus will be built and tested on only the latest versions of supported operating system distributions. If you are installing NGINX Plus on older distributions, your package manager may suggest updating the dependent libraries and packages.
Changes to Platform Support
The following changes have been made to supported platforms in this release.
New operating systems supported:
Older operating systems removed:
Older operating systems deprecated and scheduled for removal in NGINX Plus R33:
New Features in Detail
SSL Certificate Caching to Improve NGINX Load Behavior
Previously, NGINX loaded a certificate, key, or certificate revocation list each time it was referenced in the NGINX configuration. This meant that multiple references to the same object resulted in an equal number of reloads of that object. This latency would be compounded when inheriting directives like lists of trusted certificates. Under certain conditions, this behavior would significantly impact NGINX startup time and could require large amounts of memory to store configurations.
Under the new behavior, SSL directives now reference cached certificate files and related objects. As a result, memory footprints and load times for configurations that repeatedly reference the same certificate objects are drastically reduced. The benefit is most evident in cases involving large NGINX configurations where a small set of trusted certificates is referenced across a large number of location blocks.
Here is a visualization of the load time improvement where NGINX is configured with approximately 5400 location blocks (top-level and nested) and 878 certificates.
Notice the significant drop in load times towards the right side of the graph, where the average load time decreases from approximately 40 seconds before the change to ~6 seconds under the new behavior.
Pass Connections from Stream Module to Other Modules
NGINX Plus R32 inherits a feature from NGINX Open Source 1.25.5 that adds a new layer of configurability to NGINX. Specifically, the NGINX stream module can now function as a router, serving as a proxy with the ability to pass connections from the stream context to other contexts like http, mail, or to a separate virtual server within the stream context itself.
This functionality is available as part of the ngx_stream_pass_module module, introduced in this release. The module has a single directive "pass" which can be used to specify the address to pass client connections to. The address can be specified by an IP address and port combination, a socket path, or referenced by NGINX variables.
With this functionality, customers who wish to run all their traffic through a single L4 endpoint can now terminate SSL connections at the L4 stream context and pass them to other modules (http, mail) or other virtual servers within the stream context. Additionally, SSL connections can be conditionally terminated based on server names or protocols, while proxying remaining traffic elsewhere. This unlocks a new set of possible configuration behaviors for managing traffic from a single endpoint.
The following configuration snippet terminates SSL connections in the stream module and conditionally passes them to the http context or another virtual server in the stream context, based on the requested server name.
In this example, all SSL connections are terminated at the stream server block. Depending on the server name in the incoming request, connections are either passed to the http server listening on port 8000 or to the stream virtual server listening on port 9001.
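A configuration matching this description, as an added example rather than the snippet from the original announcement. The listener port 9000, the hostname foo.example.com, the certificate file names, the response bodies and the loopback bindings are assumptions; ports 8000 and 9001 come from the text.

```nginx
# Added example; not the configuration from the original announcement.
# Assumed: listener port 9000, hostname foo.example.com, certificate
# file names, response bodies. Ports 8000 and 9001 come from the text.
# Both blocks sit at the top level of nginx.conf.

http {
    server {
        # Receives connections after TLS has been removed in the stream
        # context. Bound to loopback (an added hardening choice) so the
        # plaintext listener is not reachable from the network directly.
        listen 127.0.0.1:8000;

        location / {
            return 200 "handled by http\n";
        }
    }
}

stream {
    # Choose the target port from the server name (SNI) that the client
    # sent in the TLS handshake.
    map $ssl_server_name $pass_port {
        foo.example.com 8000;   # handed to the http server above
        default         9001;   # everything else stays in stream
    }

    server {
        # Single L4 endpoint: all TLS is terminated here.
        listen 9000 ssl;
        ssl_certificate     domain.crt;
        ssl_certificate_key domain.key;

        # Hand the decrypted connection to the matching listening socket.
        pass 127.0.0.1:$pass_port;
    }

    server {
        # Plain stream virtual server for all other server names.
        listen 127.0.0.1:9001;
        return "handled by stream\n";
    }
}
```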
Another application of the module addresses use cases where a third-party module does not support SSL termination. In such scenarios, the stream_pass module can terminate TLS-encrypted connections before passing them to the third-party module.
This example demonstrates how the RTMP module, which natively does not support SSL, can use the stream_pass module to accept TLS-encrypted traffic.
In this configuration snippet, the SSL connection is terminated in the stream server block and passed to the rtmp context. The connection appears unencrypted to the RTMP module, which removes the need for additional customization or processing overhead to support SSL connections.
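A sketch of that arrangement, added here and not taken from the original announcement. It assumes the third-party RTMP module is loaded; the ports, the application name, the certificate file names and the loopback binding are assumptions.

```nginx
# Added example; assumes the third-party RTMP module is loaded.
# Ports, application name and certificate file names are assumptions.

rtmp {
    server {
        # Plaintext RTMP listener, bound to loopback (an added hardening
        # choice) so clients reach it only through the TLS listener in
        # the stream block below.
        listen 127.0.0.1:1935;

        application live {
            live on;
        }
    }
}

stream {
    server {
        # TLS-facing endpoint for RTMP clients.
        listen 1936 ssl;
        ssl_certificate     domain.crt;
        ssl_certificate_key domain.key;

        # Pass the decrypted connection to the RTMP listener.
        pass 127.0.0.1:1935;
    }
}
```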
NGINX Plus Container Images
NGINX Plus R32 includes official availability of NGINX Plus container images for both privileged and unprivileged execution of NGINX Plus. Both container types are also made available with optional installations of NGINX Agent for easy connectivity to NGINX supported management planes. The images can be downloaded from the NGINX registry, available at: private-registry.nginx.com. Follow these instructions to access the image with your NGINX Plus certificate and key or JSON Web Token (JWT).
Other Enhancements and Bug Fixes in NGINX Plus R32
Bug Fix in the MQTT Module
Bug Fix in the zone_sync Module
Security Fixes
The following potential security issues were identified and fixed in the experimental HTTP3/QUIC implementation.
Changes Inherited from NGINX Open Source
NGINX Plus R32 is based on NGINX Open Source 1.25.5 and inherits functional changes, features, and bug fixes made since NGINX Plus R31 was released (in NGINX 1.25.4 and 1.25.5).
Features:
Bug Fixes:
Security:
For the full list of new changes, features, bug fixes, and workarounds inherited from recent releases, see the NGINX changes file.
Changes to the NGINX JavaScript Module
NGINX Plus R32 incorporates changes from the NGINX JavaScript (njs) module version 0.8.4. The following is a list of notable changes in njs since 0.8.2 (which was the version shipped with NGINX Plus R31).
Features
Changes
Bug Fixes
For a comprehensive list of all the features, changes, and bug fixes, see the njs Changelog.
Upgrade or Try NGINX Plus
If you're running NGINX Plus, we strongly encourage you to upgrade to NGINX Plus R32 as soon as possible. In addition to all the great new features, you'll also pick up several additional fixes and improvements, making it easier for NGINX to help you if you need to raise a support ticket.
If you aren't an NGINX Plus user, we encourage you to give it a try. You can use it for security, load balancing, and API gateway use cases, or as a fully supported web server with enhanced monitoring and management APIs. Get started today with a free 30-day trial.