Changes with nginx 1.8.1 26 Jan 2016 *) Security: invalid pointer dereference might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause segmentation fault in a worker process (CVE-2016-0742). *) Security: use-after-free condition might occur during CNAME response processing if the "resolver" directive was used, allowing an attacker who is able to trigger name resolution to cause segmentation fault in a worker process, or might have potential other impact (CVE-2016-0746). *) Security: CNAME resolution was insufficiently limited if the "resolver" directive was used, allowing an attacker who is able to trigger arbitrary name resolution to cause excessive resource consumption in worker processes (CVE-2016-0747). *) Bugfix: the "proxy_protocol" parameter of the "listen" directive did not work if not specified in the first "listen" directive for a listen socket. *) Bugfix: nginx might fail to start on some old Linux variants; the bug had appeared in 1.7.11. *) Bugfix: a segmentation fault might occur in a worker process if the "try_files" and "alias" directives were used inside a location given by a regular expression; the bug had appeared in 1.7.1. *) Bugfix: the "try_files" directive inside a nested location given by a regular expression worked incorrectly if the "alias" directive was used in the outer location. *) Bugfix: "header already sent" alerts might appear in logs when using cache; the bug had appeared in 1.7.5. *) Bugfix: a segmentation fault might occur in a worker process if different ssl_session_cache settings were used in different virtual servers. *) Bugfix: the "expires" directive might not work when using variables. *) Bugfix: if nginx was built with the ngx_http_spdy_module it was possible to use the SPDY protocol even if the "spdy" parameter of the "listen" directive was not specified. Changes with nginx 1.8.0 21 Apr 2015 *) 1.8.x stable branch. Changes with nginx 1.7.12 07 Apr 2015 *) Feature: now the "tcp_nodelay" directive works with backend SSL connections. *) Feature: now thread pools can be used to read cache file headers. *) Bugfix: in the "proxy_request_buffering" directive. *) Bugfix: a segmentation fault might occur in a worker process when using thread pools on Linux. *) Bugfix: in error handling when using the "ssl_stapling" directive. Thanks to Filipe da Silva. *) Bugfix: in the ngx_http_spdy_module. Changes with nginx 1.7.11 24 Mar 2015 *) Change: the "sendfile" parameter of the "aio" directive is deprecated; now nginx automatically uses AIO to pre-load data for sendfile if both "aio" and "sendfile" directives are used. *) Feature: experimental thread pools support. *) Feature: the "proxy_request_buffering", "fastcgi_request_buffering", "scgi_request_buffering", and "uwsgi_request_buffering" directives. *) Feature: request body filters experimental API. *) Feature: client SSL certificates support in mail proxy. Thanks to Sven Peter, Franck Levionnois, and Filipe Da Silva. *) Feature: startup speedup when using the "hash ... consistent" directive in the upstream block. Thanks to Wai Keen Woon. *) Feature: debug logging into a cyclic memory buffer. *) Bugfix: in hash table handling. Thanks to Chris West. *) Bugfix: in the "proxy_cache_revalidate" directive. *) Bugfix: SSL connections might hang if deferred accept or the "proxy_protocol" parameter of the "listen" directive were used. Thanks to James Hamlin. *) Bugfix: the $upstream_response_time variable might contain a wrong value if the "image_filter" directive was used. *) Bugfix: in integer overflow handling. Thanks to Régis Leroy. *) Bugfix: it was not possible to enable SSLv3 with LibreSSL. *) Bugfix: the "ignoring stale global SSL error ... called a function you should not call" alerts appeared in logs when using LibreSSL. *) Bugfix: certificates specified by the "ssl_client_certificate" and "ssl_trusted_certificate" directives were inadvertently used to automatically construct certificate chains. Changes with nginx 1.7.10 10 Feb 2015 *) Feature: the "use_temp_path" parameter of the "proxy_cache_path", "fastcgi_cache_path", "scgi_cache_path", and "uwsgi_cache_path" directives. *) Feature: the $upstream_header_time variable. *) Workaround: now on disk overflow nginx tries to write error logs once a second only. *) Bugfix: the "try_files" directive did not ignore normal files while testing directories. Thanks to Damien Tournoud. *) Bugfix: alerts "sendfile() failed" if the "sendfile" directive was used on OS X; the bug had appeared in 1.7.8. *) Bugfix: alerts "sem_post() failed" might appear in logs. *) Bugfix: nginx could not be built with musl libc. Thanks to James Taylor. *) Bugfix: nginx could not be built on Tru64 UNIX. Thanks to Goetz T. Fischer. Changes with nginx 1.7.9 23 Dec 2014 *) Feature: variables support in the "proxy_cache", "fastcgi_cache", "scgi_cache", and "uwsgi_cache" directives. *) Feature: variables support in the "expires" directive. *) Feature: loading of secret keys from hardware tokens with OpenSSL engines. Thanks to Dmitrii Pichulin. *) Feature: the "autoindex_format" directive. *) Bugfix: cache revalidation is now only used for responses with 200 and 206 status codes. Thanks to Piotr Sikora. *) Bugfix: the "TE" client request header line was passed to backends while proxying. *) Bugfix: the "proxy_pass", "fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives might not work correctly inside the "if" and "limit_except" blocks. *) Bugfix: the "proxy_store" directive with the "on" parameter was ignored if the "proxy_store" directive with an explicitly specified file path was used on a previous level. *) Bugfix: nginx could not be built with BoringSSL. Thanks to Lukas Tribus. Changes with nginx 1.7.8 02 Dec 2014 *) Change: now the "If-Modified-Since", "If-Range", etc. client request header lines are passed to a backend while caching if nginx knows in advance that the response will not be cached (e.g., when using proxy_cache_min_uses). *) Change: now after proxy_cache_lock_timeout nginx sends a request to a backend with caching disabled; the new directives "proxy_cache_lock_age", "fastcgi_cache_lock_age", "scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time after which the lock will be released and another attempt to cache a response will be made. *) Change: the "log_format" directive can now be used only at http level. *) Feature: the "proxy_ssl_certificate", "proxy_ssl_certificate_key", "proxy_ssl_password_file", "uwsgi_ssl_certificate", "uwsgi_ssl_certificate_key", and "uwsgi_ssl_password_file" directives. Thanks to Piotr Sikora. *) Feature: it is now possible to switch to a named location using "X-Accel-Redirect". Thanks to Toshikuni Fukaya. *) Feature: now the "tcp_nodelay" directive works with SPDY connections. *) Feature: new directives in vim syntax highliting scripts. Thanks to Peter Wu. *) Bugfix: nginx ignored the "s-maxage" value in the "Cache-Control" backend response header line. Thanks to Piotr Sikora. *) Bugfix: in the ngx_http_spdy_module. Thanks to Piotr Sikora. *) Bugfix: in the "ssl_password_file" directive when using OpenSSL 0.9.8zc, 1.0.0o, 1.0.1j. *) Bugfix: alerts "header already sent" appeared in logs if the "post_action" directive was used; the bug had appeared in 1.5.4. *) Bugfix: alerts "the http output chain is empty" might appear in logs if the "postpone_output 0" directive was used with SSI includes. *) Bugfix: in the "proxy_cache_lock" directive with SSI subrequests. Thanks to Yichun Zhang. Changes with nginx 1.7.7 28 Oct 2014 *) Change: now nginx takes into account the "Vary" header line in a backend response while caching. *) Feature: the "proxy_force_ranges", "fastcgi_force_ranges", "scgi_force_ranges", and "uwsgi_force_ranges" directives. *) Feature: the "proxy_limit_rate", "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate" directives. *) Feature: the "Vary" parameter of the "proxy_ignore_headers", "fastcgi_ignore_headers", "scgi_ignore_headers", and "uwsgi_ignore_headers" directives. *) Bugfix: the last part of a response received from a backend with unbufferred proxy might not be sent to a client if "gzip" or "gunzip" directives were used. *) Bugfix: in the "proxy_cache_revalidate" directive. Thanks to Piotr Sikora. *) Bugfix: in error handling. Thanks to Yichun Zhang and Daniil Bondarev. *) Bugfix: in the "proxy_next_upstream_tries" and "proxy_next_upstream_timeout" directives. Thanks to Feng Gu. *) Bugfix: nginx/Windows could not be built with MinGW-w64 gcc. Thanks to Kouhei Sutou. Changes with nginx 1.7.6 30 Sep 2014 *) Change: the deprecated "limit_zone" directive is not supported anymore. *) Feature: the "limit_conn_zone" and "limit_req_zone" directives now can be used with combinations of multiple variables. *) Bugfix: request body might be transmitted incorrectly when retrying a FastCGI request to the next upstream server. *) Bugfix: in logging to syslog. Changes with nginx 1.7.5 16 Sep 2014 *) Security: it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple "server" blocks (CVE-2014-3616). Thanks to Antoine Delignat-Lavaud. *) Change: now the "stub_status" directive does not require a parameter. *) Feature: the "always" parameter of the "add_header" directive. *) Feature: the "proxy_next_upstream_tries", "proxy_next_upstream_timeout", "fastcgi_next_upstream_tries", "fastcgi_next_upstream_timeout", "memcached_next_upstream_tries", "memcached_next_upstream_timeout", "scgi_next_upstream_tries", "scgi_next_upstream_timeout", "uwsgi_next_upstream_tries", and "uwsgi_next_upstream_timeout" directives. *) Bugfix: in the "if" parameter of the "access_log" directive. *) Bugfix: in the ngx_http_perl_module. Thanks to Piotr Sikora. *) Bugfix: the "listen" directive of the mail proxy module did not allow to specify more than two parameters. *) Bugfix: the "sub_filter" directive did not work with a string to replace consisting of a single character. *) Bugfix: requests might hang if resolver was used and a timeout occurred during a DNS request. *) Bugfix: in the ngx_http_spdy_module when using with AIO. *) Bugfix: a segmentation fault might occur in a worker process if the "set" directive was used to change the "$http_...", "$sent_http_...", or "$upstream_http_..." variables. *) Bugfix: in memory allocation error handling. Thanks to Markus Linnala and Feng Gu. Changes with nginx 1.7.4 05 Aug 2014 *) Security: pipelined commands were not discarded after STARTTLS command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6. Thanks to Chris Boulton. *) Change: URI escaping now uses uppercase hexadecimal digits. Thanks to Piotr Sikora. *) Feature: now nginx can be build with BoringSSL and LibreSSL. Thanks to Piotr Sikora. *) Bugfix: requests might hang if resolver was used and a DNS server returned a malformed response; the bug had appeared in 1.5.8. *) Bugfix: in the ngx_http_spdy_module. Thanks to Piotr Sikora. *) Bugfix: the $uri variable might contain garbage when returning errors with code 400. Thanks to Sergey Bobrov. *) Bugfix: in error handling in the "proxy_store" directive and the ngx_http_dav_module. Thanks to Feng Gu. *) Bugfix: a segmentation fault might occur if logging of errors to syslog was used; the bug had appeared in 1.7.1. *) Bugfix: the $geoip_latitude, $geoip_longitude, $geoip_dma_code, and $geoip_area_code variables might not work. Thanks to Yichun Zhang. *) Bugfix: in memory allocation error handling. Thanks to Tatsuhiko Kubo and Piotr Sikora. Changes with nginx 1.7.3 08 Jul 2014 *) Feature: weak entity tags are now preserved on response modifications, and strong ones are changed to weak. *) Feature: cache revalidation now uses If-None-Match header if possible. *) Feature: the "ssl_password_file" directive. *) Bugfix: the If-None-Match request header line was ignored if there was no Last-Modified header in a response returned from cache. *) Bugfix: "peer closed connection in SSL handshake" messages were logged at "info" level instead of "error" while connecting to backends. *) Bugfix: in the ngx_http_dav_module module in nginx/Windows. *) Bugfix: SPDY connections might be closed prematurely if caching was used. Changes with nginx 1.7.2 17 Jun 2014 *) Feature: the "hash" directive inside the "upstream" block. *) Feature: defragmentation of free shared memory blocks. Thanks to Wandenberg Peixoto and Yichun Zhang. *) Bugfix: a segmentation fault might occur in a worker process if the default value of the "access_log" directive was used; the bug had appeared in 1.7.0. Thanks to Piotr Sikora. *) Bugfix: trailing slash was mistakenly removed from the last parameter of the "try_files" directive. *) Bugfix: nginx could not be built on OS X in some cases. *) Bugfix: in the ngx_http_spdy_module. Changes with nginx 1.7.1 27 May 2014 *) Feature: the "$upstream_cookie_..." variables. *) Feature: the $ssl_client_fingerprint variable. *) Feature: the "error_log" and "access_log" directives now support logging to syslog. *) Feature: the mail proxy now logs client port on connect. *) Bugfix: memory leak if the "ssl_stapling" directive was used. Thanks to Filipe da Silva. *) Bugfix: the "alias" directive used inside a location given by a regular expression worked incorrectly if the "if" or "limit_except" directives were used. *) Bugfix: the "charset" directive did not set a charset to encoded backend responses. *) Bugfix: a "proxy_pass" directive without URI part might use original request after the $args variable was set. Thanks to Yichun Zhang. *) Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug had appeared in 1.5.6. Thanks to Svyatoslav Nikolsky. *) Bugfix: if sub_filter and SSI were used together, then responses might be transferred incorrectly. *) Bugfix: nginx could not be built with the --with-file-aio option on Linux/aarch64. Changes with nginx 1.7.0 24 Apr 2014 *) Feature: backend SSL certificate verification. *) Feature: support for SNI while working with SSL backends. *) Feature: the $ssl_server_name variable. *) Feature: the "if" parameter of the "access_log" directive. Changes with nginx 1.5.13 08 Apr 2014 *) Change: improved hash table handling; the default values of the "variables_hash_max_size" and "types_hash_bucket_size" were changed to 1024 and 64 respectively. *) Feature: the ngx_http_mp4_module now supports the "end" argument. *) Feature: byte ranges support in the ngx_http_mp4_module and while saving responses to cache. *) Bugfix: alerts "ngx_slab_alloc() failed: no memory" no longer logged when using shared memory in the "ssl_session_cache" directive and in the ngx_http_limit_req_module. *) Bugfix: the "underscores_in_headers" directive did not allow underscore as a first character of a header. Thanks to Piotr Sikora. *) Bugfix: cache manager might hog CPU on exit in nginx/Windows. *) Bugfix: nginx/Windows terminated abnormally if the "ssl_session_cache" directive was used with the "shared" parameter. *) Bugfix: in the ngx_http_spdy_module. Changes with nginx 1.5.12 18 Mar 2014 *) Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_spdy_module, potentially resulting in arbitrary code execution (CVE-2014-0133). Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. Manuel Sadosky, Buenos Aires, Argentina. *) Feature: the "proxy_protocol" parameters of the "listen" and "real_ip_header" directives, the $proxy_protocol_addr variable. *) Bugfix: in the "fastcgi_next_upstream" directive. Thanks to Lucas Molas. Changes with nginx 1.5.11 04 Mar 2014 *) Security: memory corruption might occur in a worker process on 32-bit platforms while handling a specially crafted request by ngx_http_spdy_module, potentially resulting in arbitrary code execution (CVE-2014-0088); the bug had appeared in 1.5.10. Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. Manuel Sadosky, Buenos Aires, Argentina. *) Feature: the $ssl_session_reused variable. *) Bugfix: the "client_max_body_size" directive might not work when reading a request body using chunked transfer encoding; the bug had appeared in 1.3.9. Thanks to Lucas Molas. *) Bugfix: a segmentation fault might occur in a worker process when proxying WebSocket connections. *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used on 32-bit platforms; the bug had appeared in 1.5.10. *) Bugfix: the $upstream_status variable might contain wrong data if the "proxy_cache_use_stale" or "proxy_cache_revalidate" directives were used. Thanks to Piotr Sikora. *) Bugfix: a segmentation fault might occur in a worker process if errors with code 400 were redirected to a named location using the "error_page" directive. *) Bugfix: nginx/Windows could not be built with Visual Studio 2013. Changes with nginx 1.5.10 04 Feb 2014 *) Feature: the ngx_http_spdy_module now uses SPDY 3.1 protocol. Thanks to Automattic and MaxCDN for sponsoring this work. *) Feature: the ngx_http_mp4_module now skips tracks too short for a seek requested. *) Bugfix: a segmentation fault might occur in a worker process if the $ssl_session_id variable was used in logs; the bug had appeared in 1.5.9. *) Bugfix: the $date_local and $date_gmt variables used wrong format outside of the ngx_http_ssi_filter_module. *) Bugfix: client connections might be immediately closed if deferred accept was used; the bug had appeared in 1.3.15. *) Bugfix: alerts "getsockopt(TCP_FASTOPEN) ... failed" appeared in logs during binary upgrade on Linux; the bug had appeared in 1.5.8. Thanks to Piotr Sikora. Changes with nginx 1.5.9 22 Jan 2014 *) Change: now nginx expects escaped URIs in "X-Accel-Redirect" headers. *) Feature: the "ssl_buffer_size" directive. *) Feature: the "limit_rate" directive can now be used to rate limit responses sent in SPDY connections. *) Feature: the "spdy_chunk_size" directive. *) Feature: the "ssl_session_tickets" directive. Thanks to Dirkjan Bussink. *) Bugfix: the $ssl_session_id variable contained full session serialized instead of just a session id. Thanks to Ivan Ristić. *) Bugfix: nginx incorrectly handled escaped "?" character in the "include" SSI command. *) Bugfix: the ngx_http_dav_module did not unescape destination URI of the COPY and MOVE methods. *) Bugfix: resolver did not understand domain names with a trailing dot. Thanks to Yichun Zhang. *) Bugfix: alerts "zero size buf in output" might appear in logs while proxying; the bug had appeared in 1.3.9. *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used. *) Bugfix: proxied WebSocket connections might hang right after handshake if the select, poll, or /dev/poll methods were used. *) Bugfix: the "xclient" directive of the mail proxy module incorrectly handled IPv6 client addresses. Changes with nginx 1.5.8 17 Dec 2013 *) Feature: IPv6 support in resolver. *) Feature: the "listen" directive supports the "fastopen" parameter. Thanks to Mathew Rodley. *) Feature: SSL support in the ngx_http_uwsgi_module. Thanks to Roberto De Ioris. *) Feature: vim syntax highlighting scripts were added to contrib. Thanks to Evan Miller. *) Bugfix: a timeout might occur while reading client request body in an SSL connection using chunked transfer encoding. *) Bugfix: the "master_process" directive did not work correctly in nginx/Windows. *) Bugfix: the "setfib" parameter of the "listen" directive might not work. *) Bugfix: in the ngx_http_spdy_module. Changes with nginx 1.5.7 19 Nov 2013 *) Security: a character following an unescaped space in a request line was handled incorrectly (CVE-2013-4547); the bug had appeared in 0.8.41. Thanks to Ivan Fratric of the Google Security Team. *) Change: a logging level of auth_basic errors about no user/password provided has been lowered from "error" to "info". *) Feature: the "proxy_cache_revalidate", "fastcgi_cache_revalidate", "scgi_cache_revalidate", and "uwsgi_cache_revalidate" directives. *) Feature: the "ssl_session_ticket_key" directive. Thanks to Piotr Sikora. *) Bugfix: the directive "add_header Cache-Control ''" added a "Cache-Control" response header line with an empty value. *) Bugfix: the "satisfy any" directive might return 403 error instead of 401 if auth_request and auth_basic directives were used. Thanks to Jan Marc Hoffmann. *) Bugfix: the "accept_filter" and "deferred" parameters of the "listen" directive were ignored for listen sockets created during binary upgrade. Thanks to Piotr Sikora. *) Bugfix: some data received from a backend with unbufferred proxy might not be sent to a client immediately if "gzip" or "gunzip" directives were used. Thanks to Yichun Zhang. *) Bugfix: in error handling in ngx_http_gunzip_filter_module. *) Bugfix: responses might hang if the ngx_http_spdy_module was used with the "auth_request" directive. *) Bugfix: memory leak in nginx/Windows. Changes with nginx 1.5.6 01 Oct 2013 *) Feature: the "fastcgi_buffering" directive. *) Feature: the "proxy_ssl_protocols" and "proxy_ssl_ciphers" directives. Thanks to Piotr Sikora. *) Feature: optimization of SSL handshakes when using long certificate chains. *) Feature: the mail proxy supports SMTP pipelining. *) Bugfix: in the ngx_http_auth_basic_module when using "$apr1$" password encryption method. Thanks to Markus Linnala. *) Bugfix: in MacOSX, Cygwin, and nginx/Windows incorrect location might be used to process a request if locations were given using characters in different cases. *) Bugfix: automatic redirect with appended trailing slash for proxied locations might not work. *) Bugfix: in the mail proxy server. *) Bugfix: in the ngx_http_spdy_module. Changes with nginx 1.5.5 17 Sep 2013 *) Change: now nginx assumes HTTP/1.0 by default if it is not able to detect protocol reliably. *) Feature: the "disable_symlinks" directive now uses O_PATH on Linux. *) Feature: now nginx uses EPOLLRDHUP events to detect premature connection close by clients if the "epoll" method is used. *) Bugfix: in the "valid_referers" directive if the "server_names" parameter was used. *) Bugfix: the $request_time variable did not work in nginx/Windows. *) Bugfix: in the "image_filter" directive. Thanks to Lanshun Zhou. *) Bugfix: OpenSSL 1.0.1f compatibility. Thanks to Piotr Sikora. Changes with nginx 1.5.4 27 Aug 2013 *) Change: the "js" extension MIME type has been changed to "application/javascript"; default value of the "charset_types" directive was changed accordingly. *) Change: now the "image_filter" directive with the "size" parameter returns responses with the "application/json" MIME type. *) Feature: the ngx_http_auth_request_module. *) Bugfix: a segmentation fault might occur on start or during reconfiguration if the "try_files" directive was used with an empty parameter. *) Bugfix: memory leak if relative paths were specified using variables in the "root" or "auth_basic_user_file" directives. *) Bugfix: the "valid_referers" directive incorrectly executed regular expressions if a "Referer" header started with "https://". Thanks to Liangbin Li. *) Bugfix: responses might hang if subrequests were used and an SSL handshake error happened during subrequest processing. Thanks to Aviram Cohen. *) Bugfix: in the ngx_http_autoindex_module. *) Bugfix: in the ngx_http_spdy_module. Changes with nginx 1.5.3 30 Jul 2013 *) Change in internal API: now u->length defaults to -1 if working with backends in unbuffered mode. *) Change: now after receiving an incomplete response from a backend server nginx tries to send an available part of the response to a client, and then closes client connection. *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_spdy_module was used with the "client_body_in_file_only" directive. *) Bugfix: the "so_keepalive" parameter of the "listen" directive might be handled incorrectly on DragonFlyBSD. Thanks to Sepherosa Ziehau. *) Bugfix: in the ngx_http_xslt_filter_module. *) Bugfix: in the ngx_http_sub_filter_module. Changes with nginx 1.5.2 02 Jul 2013 *) Feature: now several "error_log" directives can be used. *) Bugfix: the $r->header_in() embedded perl method did not return value of the "Cookie" and "X-Forwarded-For" request header lines; the bug had appeared in 1.3.14. *) Bugfix: in the ngx_http_spdy_module. Thanks to Jim Radford. *) Bugfix: nginx could not be built on Linux with x32 ABI. Thanks to Serguei Ivantsov. Changes with nginx 1.5.1 04 Jun 2013 *) Feature: the "ssi_last_modified", "sub_filter_last_modified", and "xslt_last_modified" directives. Thanks to Alexey Kolpakov. *) Feature: the "http_403" parameter of the "proxy_next_upstream", "fastcgi_next_upstream", "scgi_next_upstream", and "uwsgi_next_upstream" directives. *) Feature: the "allow" and "deny" directives now support unix domain sockets. *) Bugfix: nginx could not be built with the ngx_mail_ssl_module, but without ngx_http_ssl_module; the bug had appeared in 1.3.14. *) Bugfix: in the "proxy_set_body" directive. Thanks to Lanshun Zhou. *) Bugfix: in the "lingering_time" directive. Thanks to Lanshun Zhou. *) Bugfix: the "fail_timeout" parameter of the "server" directive in the "upstream" context might not work if "max_fails" parameter was used; the bug had appeared in 1.3.0. *) Bugfix: a segmentation fault might occur in a worker process if the "ssl_stapling" directive was used. Thanks to Piotr Sikora. *) Bugfix: in the mail proxy server. Thanks to Filipe Da Silva. *) Bugfix: nginx/Windows might stop accepting connections if several worker processes were used. Changes with nginx 1.5.0 07 May 2013 *) Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9. Thanks to Greg MacManus, iSIGHT Partners Labs. Changes with nginx 1.4.0 24 Apr 2013 *) Bugfix: nginx could not be built with the ngx_http_perl_module if the --with-openssl option was used; the bug had appeared in 1.3.16. *) Bugfix: in a request body handling in the ngx_http_perl_module; the bug had appeared in 1.3.9. Changes with nginx 1.3.16 16 Apr 2013 *) Bugfix: a segmentation fault might occur in a worker process if subrequests were used; the bug had appeared in 1.3.9. *) Bugfix: the "tcp_nodelay" directive caused an error if a WebSocket connection was proxied into a unix domain socket. *) Bugfix: the $upstream_response_length variable has an incorrect value "0" if buffering was not used. Thanks to Piotr Sikora. *) Bugfix: in the eventport and /dev/poll methods. Changes with nginx 1.3.15 26 Mar 2013 *) Change: opening and closing a connection without sending any data in it is no longer logged to access_log with error code 400. *) Feature: the ngx_http_spdy_module. Thanks to Automattic for sponsoring this work. *) Feature: the "limit_req_status" and "limit_conn_status" directives. Thanks to Nick Marden. *) Feature: the "image_filter_interlace" directive. Thanks to Ian Babrou. *) Feature: $connections_waiting variable in the ngx_http_stub_status_module. *) Feature: the mail proxy module now supports IPv6 backends. *) Bugfix: request body might be transmitted incorrectly when retrying a request to the next upstream server; the bug had appeared in 1.3.9. Thanks to Piotr Sikora. *) Bugfix: in the "client_body_in_file_only" directive; the bug had appeared in 1.3.9. *) Bugfix: responses might hang if subrequests were used and a DNS error happened during subrequest processing. Thanks to Lanshun Zhou. *) Bugfix: in backend usage accounting. Changes with nginx 1.3.14 05 Mar 2013 *) Feature: $connections_active, $connections_reading, and $connections_writing variables in the ngx_http_stub_status_module. *) Feature: support of WebSocket connections in the ngx_http_uwsgi_module and ngx_http_scgi_module. *) Bugfix: in virtual servers handling with SNI. *) Bugfix: new sessions were not always stored if the "ssl_session_cache shared" directive was used and there was no free space in shared memory. Thanks to Piotr Sikora. *) Bugfix: multiple X-Forwarded-For headers were handled incorrectly. Thanks to Neal Poole for sponsoring this work. *) Bugfix: in the ngx_http_mp4_module. Thanks to Gernot Vormayr. Changes with nginx 1.3.13 19 Feb 2013 *) Change: a compiler with name "cc" is now used by default. *) Feature: support for proxying of WebSocket connections. Thanks to Apcera and CloudBees for sponsoring this work. *) Feature: the "auth_basic_user_file" directive supports "{SHA}" password encryption method. Thanks to Louis Opter. Changes with nginx 1.3.12 05 Feb 2013 *) Feature: variables support in the "proxy_bind", "fastcgi_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives. *) Feature: the $pipe, $request_length, $time_iso8601, and $time_local variables can now be used not only in the "log_format" directive. Thanks to Kiril Kalchev. *) Feature: IPv6 support in the ngx_http_geoip_module. Thanks to Gregor Kališnik. *) Bugfix: in the "proxy_method" directive. *) Bugfix: a segmentation fault might occur in a worker process if resolver was used with the poll method. *) Bugfix: nginx might hog CPU during SSL handshake with a backend if the select, poll, or /dev/poll methods were used. *) Bugfix: the "[crit] SSL_write() failed (SSL:)" error. *) Bugfix: in the "client_body_in_file_only" directive; the bug had appeared in 1.3.9. *) Bugfix: in the "fastcgi_keep_conn" directive. Changes with nginx 1.3.11 10 Jan 2013 *) Bugfix: a segmentation fault might occur if logging was used; the bug had appeared in 1.3.10. *) Bugfix: the "proxy_pass" directive did not work with IP addresses without port specified; the bug had appeared in 1.3.10. *) Bugfix: a segmentation fault occurred on start or during reconfiguration if the "keepalive" directive was specified more than once in a single upstream block. *) Bugfix: parameter "default" of the "geo" directive did not set default value for IPv6 addresses. Changes with nginx 1.3.10 25 Dec 2012 *) Change: domain names specified in configuration file are now resolved to IPv6 addresses as well as IPv4 ones. *) Change: now if the "include" directive with mask is used on Unix systems, included files are sorted in alphabetical order. *) Change: the "add_header" directive adds headers to 201 responses. *) Feature: the "geo" directive now supports IPv6 addresses in CIDR notation. *) Feature: the "flush" and "gzip" parameters of the "access_log" directive. *) Feature: variables support in the "auth_basic" directive. *) Bugfix: nginx could not be built with the ngx_http_perl_module in some cases. *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_xslt_module was used. *) Bugfix: nginx could not be built on MacOSX in some cases. Thanks to Piotr Sikora. *) Bugfix: the "limit_rate" directive with high rates might result in truncated responses on 32-bit platforms. Thanks to Alexey Antropov. *) Bugfix: a segmentation fault might occur in a worker process if the "if" directive was used. Thanks to Piotr Sikora. *) Bugfix: a "100 Continue" response was issued with "413 Request Entity Too Large" responses. *) Bugfix: the "image_filter", "image_filter_jpeg_quality" and "image_filter_sharpen" directives might be inherited incorrectly. Thanks to Ian Babrou. *) Bugfix: "crypt_r() failed" errors might appear if the "auth_basic" directive was used on Linux. *) Bugfix: in backup servers handling. Thanks to Thomas Chen. *) Bugfix: proxied HEAD requests might return incorrect response if the "gzip" directive was used. Changes with nginx 1.3.9 27 Nov 2012 *) Feature: support for chunked transfer encoding while reading client request body. *) Feature: the $request_time and $msec variables can now be used not only in the "log_format" directive. *) Bugfix: cache manager and cache loader processes might not be able to start if more than 512 listen sockets were used. *) Bugfix: in the ngx_http_dav_module. Changes with nginx 1.3.8 30 Oct 2012 *) Feature: the "optional_no_ca" parameter of the "ssl_verify_client" directive. Thanks to Mike Kazantsev and Eric O'Connor. *) Feature: the $bytes_sent, $connection, and $connection_requests variables can now be used not only in the "log_format" directive. Thanks to Benjamin Grössing. *) Feature: the "auto" parameter of the "worker_processes" directive. *) Bugfix: "cache file ... has md5 collision" alert. *) Bugfix: in the ngx_http_gunzip_filter_module. *) Bugfix: in the "ssl_stapling" directive. Changes with nginx 1.3.7 02 Oct 2012 *) Feature: OCSP stapling support. Thanks to Comodo, DigiCert and GlobalSign for sponsoring this work. *) Feature: the "ssl_trusted_certificate" directive. *) Feature: resolver now randomly rotates addresses returned from cache. Thanks to Anton Jouline. *) Bugfix: OpenSSL 0.9.7 compatibility. Changes with nginx 1.3.6 12 Sep 2012 *) Feature: the ngx_http_gunzip_filter_module. *) Feature: the "memcached_gzip_flag" directive. *) Feature: the "always" parameter of the "gzip_static" directive. *) Bugfix: in the "limit_req" directive; the bug had appeared in 1.1.14. Thanks to Charles Chen. *) Bugfix: nginx could not be built by gcc 4.7 with -O2 optimization if the --with-ipv6 option was used. Changes with nginx 1.3.5 21 Aug 2012 *) Change: the ngx_http_mp4_module module no longer skips tracks in formats other than H.264 and AAC. *) Bugfix: a segmentation fault might occur in a worker process if the "map" directive was used with variables as values. *) Bugfix: a segmentation fault might occur in a worker process if the "geo" directive was used with the "ranges" parameter but without the "default" parameter; the bug had appeared in 0.8.43. Thanks to Zhen Chen and Weibin Yao. *) Bugfix: in the -p command-line parameter handling. *) Bugfix: in the mail proxy server. *) Bugfix: of minor potential bugs. Thanks to Coverity. *) Bugfix: nginx/Windows could not be built with Visual Studio 2005 Express. Thanks to HAYASHI Kentaro. Changes with nginx 1.3.4 31 Jul 2012 *) Change: the "ipv6only" parameter is now turned on by default for listening IPv6 sockets. *) Feature: the Clang compiler support. *) Bugfix: extra listening sockets might be created. Thanks to Roman Odaisky. *) Bugfix: nginx/Windows might hog CPU if a worker process failed to start. Thanks to Ricardo Villalobos Guevara. *) Bugfix: the "proxy_pass_header", "fastcgi_pass_header", "scgi_pass_header", "uwsgi_pass_header", "proxy_hide_header", "fastcgi_hide_header", "scgi_hide_header", and "uwsgi_hide_header" directives might be inherited incorrectly. Changes with nginx 1.3.3 10 Jul 2012 *) Feature: entity tags support and the "etag" directive. *) Bugfix: trailing dot in a source value was not ignored if the "map" directive was used with the "hostnames" parameter. *) Bugfix: incorrect location might be used to process a request if a URI was changed via a "rewrite" directive before an internal redirect to a named location. Changes with nginx 1.3.2 26 Jun 2012 *) Change: the "single" parameter of the "keepalive" directive is now ignored. *) Change: SSL compression is now disabled when using all versions of OpenSSL, including ones prior to 1.0.0. *) Feature: it is now possible to use the "ip_hash" directive to balance IPv6 clients. *) Feature: the $status variable can now be used not only in the "log_format" directive. *) Bugfix: a segmentation fault might occur in a worker process on shutdown if the "resolver" directive was used. *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_mp4_module was used. *) Bugfix: in the ngx_http_mp4_module. *) Bugfix: a segmentation fault might occur in a worker process if conflicting wildcard server names were used. *) Bugfix: nginx might be terminated abnormally on a SIGBUS signal on ARM platform. *) Bugfix: an alert "sendmsg() failed (9: Bad file number)" on HP-UX while reconfiguration. Changes with nginx 1.3.1 05 Jun 2012 *) Security: now nginx/Windows ignores trailing dot in URI path component, and does not allow URIs with ":$" in it. Thanks to Vladimir Kochetkov, Positive Research Center. *) Feature: the "proxy_pass", "fastcgi_pass", "scgi_pass", "uwsgi_pass" directives, and the "server" directive inside the "upstream" block, now support IPv6 addresses. *) Feature: the "resolver" directive now supports IPv6 addresses and an optional port specification. *) Feature: the "least_conn" directive inside the "upstream" block. *) Feature: it is now possible to specify a weight for servers while using the "ip_hash" directive. *) Bugfix: a segmentation fault might occur in a worker process if the "image_filter" directive was used; the bug had appeared in 1.3.0. *) Bugfix: nginx could not be built with ngx_cpp_test_module; the bug had appeared in 1.1.12. *) Bugfix: access to variables from SSI and embedded perl module might not work after reconfiguration. Thanks to Yichun Zhang. *) Bugfix: in the ngx_http_xslt_filter_module. Thanks to Kuramoto Eiji. *) Bugfix: memory leak if $geoip_org variable was used. Thanks to Denis F. Latypoff. *) Bugfix: in the "proxy_cookie_domain" and "proxy_cookie_path" directives. Changes with nginx 1.3.0 15 May 2012 *) Feature: the "debug_connection" directive now supports IPv6 addresses and the "unix:" parameter. *) Feature: the "set_real_ip_from" directive and the "proxy" parameter of the "geo" directive now support IPv6 addresses. *) Feature: the "real_ip_recursive", "geoip_proxy", and "geoip_proxy_recursive" directives. *) Feature: the "proxy_recursive" parameter of the "geo" directive. *) Bugfix: a segmentation fault might occur in a worker process if the "resolver" directive was used. *) Bugfix: a segmentation fault might occur in a worker process if the "fastcgi_pass", "scgi_pass", or "uwsgi_pass" directives were used and backend returned incorrect response. *) Bugfix: a segmentation fault might occur in a worker process if the "rewrite" directive was used and new request arguments in a replacement used variables. *) Bugfix: nginx might hog CPU if the open file resource limit was reached. *) Bugfix: nginx might loop infinitely over backends if the "proxy_next_upstream" directive with the "http_404" parameter was used and there were backup servers specified in an upstream block. *) Bugfix: adding the "down" parameter of the "server" directive might cause unneeded client redistribution among backend servers if the "ip_hash" directive was used. *) Bugfix: socket leak. Thanks to Yichun Zhang. *) Bugfix: in the ngx_http_fastcgi_module. Changes with nginx 1.2.0 23 Apr 2012 *) Bugfix: a segmentation fault might occur in a worker process if the "try_files" directive was used; the bug had appeared in 1.1.19. *) Bugfix: response might be truncated if there were more than IOV_MAX buffers used. *) Bugfix: in the "crop" parameter of the "image_filter" directive. Thanks to Maxim Bublis. Changes with nginx 1.1.19 12 Apr 2012 *) Security: specially crafted mp4 file might allow to overwrite memory locations in a worker process if the ngx_http_mp4_module was used, potentially resulting in arbitrary code execution (CVE-2012-2089). Thanks to Matthew Daley. *) Bugfix: nginx/Windows might be terminated abnormally. Thanks to Vincent Lee. *) Bugfix: nginx hogged CPU if all servers in an upstream were marked as "backup". *) Bugfix: the "allow" and "deny" directives might be inherited incorrectly if they were used with IPv6 addresses. *) Bugfix: the "modern_browser" and "ancient_browser" directives might be inherited incorrectly. *) Bugfix: timeouts might be handled incorrectly on Solaris/SPARC. *) Bugfix: in the ngx_http_mp4_module. Changes with nginx 1.1.18 28 Mar 2012 *) Change: keepalive connections are no longer disabled for Safari by default. *) Feature: the $connection_requests variable. *) Feature: $tcpinfo_rtt, $tcpinfo_rttvar, $tcpinfo_snd_cwnd and $tcpinfo_rcv_space variables. *) Feature: the "worker_cpu_affinity" directive now works on FreeBSD. *) Feature: the "xslt_param" and "xslt_string_param" directives. Thanks to Samuel Behan. *) Bugfix: in configure tests. Thanks to Piotr Sikora. *) Bugfix: in the ngx_http_xslt_filter_module. *) Bugfix: nginx could not be built on Debian GNU/Hurd. Changes with nginx 1.1.17 15 Mar 2012 *) Security: content of previously freed memory might be sent to a client if backend returned specially crafted response. Thanks to Matthew Daley. *) Bugfix: in the embedded perl module if used from SSI. Thanks to Matthew Daley. *) Bugfix: in the ngx_http_uwsgi_module. Changes with nginx 1.1.16 29 Feb 2012 *) Change: the simultaneous subrequest limit has been raised to 200. *) Feature: the "from" parameter of the "disable_symlinks" directive. *) Feature: the "return" and "error_page" directives can now be used to return 307 redirections. *) Bugfix: a segmentation fault might occur in a worker process if the "resolver" directive was used and there was no "error_log" directive specified at global level. Thanks to Roman Arutyunyan. *) Bugfix: a segmentation fault might occur in a worker process if the "proxy_http_version 1.1" or "fastcgi_keep_conn on" directives were used. *) Bugfix: memory leaks. Thanks to Lanshun Zhou. *) Bugfix: in the "disable_symlinks" directive. *) Bugfix: on ZFS filesystem disk cache size might be calculated incorrectly; the bug had appeared in 1.0.1. *) Bugfix: nginx could not be built by the icc 12.1 compiler. *) Bugfix: nginx could not be built by gcc on Solaris; the bug had appeared in 1.1.15. Changes with nginx 1.1.15 15 Feb 2012 *) Feature: the "disable_symlinks" directive. *) Feature: the "proxy_cookie_domain" and "proxy_cookie_path" directives. *) Bugfix: nginx might log incorrect error "upstream prematurely closed connection" instead of correct "upstream sent too big header" one. Thanks to Feibo Li. *) Bugfix: nginx could not be built with the ngx_http_perl_module if the --with-openssl option was used. *) Bugfix: the number of internal redirects to named locations was not limited. *) Bugfix: calling $r->flush() multiple times might cause errors in the ngx_http_gzip_filter_module. *) Bugfix: temporary files might be not removed if the "proxy_store" directive was used with SSI includes. *) Bugfix: in some cases non-cacheable variables (such as the $args variable) returned old empty cached value. *) Bugfix: a segmentation fault might occur in a worker process if too many SSI subrequests were issued simultaneously; the bug had appeared in 0.7.25. Changes with nginx 1.1.14 30 Jan 2012 *) Feature: multiple "limit_req" limits may be used simultaneously. *) Bugfix: in error handling while connecting to a backend. Thanks to Piotr Sikora. *) Bugfix: in AIO error handling on FreeBSD. *) Bugfix: in the OpenSSL library initialization. *) Bugfix: the "proxy_redirect" directives might be inherited incorrectly. *) Bugfix: memory leak during reconfiguration if the "pcre_jit" directive was used. Changes with nginx 1.1.13 16 Jan 2012 *) Feature: the "TLSv1.1" and "TLSv1.2" parameters of the "ssl_protocols" directive. *) Bugfix: the "limit_req" directive parameters were not inherited correctly; the bug had appeared in 1.1.12. *) Bugfix: the "proxy_redirect" directive incorrectly processed "Refresh" header if regular expression were used. *) Bugfix: the "proxy_cache_use_stale" directive with "error" parameter did not return answer from cache if there were no live upstreams. *) Bugfix: the "worker_cpu_affinity" directive might not work. *) Bugfix: nginx could not be built on Solaris; the bug had appeared in 1.1.12. *) Bugfix: in the ngx_http_mp4_module. Changes with nginx 1.1.12 26 Dec 2011 *) Change: a "proxy_pass" directive without URI part now uses changed URI after redirection with the "error_page" directive. Thanks to Lanshun Zhou. *) Feature: the "proxy/fastcgi/scgi/uwsgi_cache_lock", "proxy/fastcgi/scgi/uwsgi_cache_lock_timeout" directives. *) Feature: the "pcre_jit" directive. *) Feature: the "if" SSI command supports captures in regular expressions. *) Bugfix: the "if" SSI command did not work inside the "block" command. *) Bugfix: the "limit_conn_log_level" and "limit_req_log_level" directives might not work. *) Bugfix: the "limit_rate" directive did not allow to use full throughput, even if limit value was very high. *) Bugfix: the "sendfile_max_chunk" directive did not work, if the "limit_rate" directive was used. *) Bugfix: a "proxy_pass" directive without URI part always used original request URI if variables were used. *) Bugfix: a "proxy_pass" directive without URI part might use original request after redirection with the "try_files" directive. Thanks to Lanshun Zhou. *) Bugfix: in the ngx_http_scgi_module. *) Bugfix: in the ngx_http_mp4_module. *) Bugfix: nginx could not be built on Solaris; the bug had appeared in 1.1.9. Changes with nginx 1.1.11 12 Dec 2011 *) Feature: the "so_keepalive" parameter of the "listen" directive. Thanks to Vsevolod Stakhov. *) Feature: the "if_not_empty" parameter of the "fastcgi/scgi/uwsgi_param" directives. *) Feature: the $https variable. *) Feature: the "proxy_redirect" directive supports variables in the first parameter. *) Feature: the "proxy_redirect" directive supports regular expressions. *) Bugfix: the $sent_http_cache_control variable might contain a wrong value if the "expires" directive was used. Thanks to Yichun Zhang. *) Bugfix: the "read_ahead" directive might not work combined with "try_files" and "open_file_cache". *) Bugfix: a segmentation fault might occur in a worker process if small time was used in the "inactive" parameter of the "proxy_cache_path" directive. *) Bugfix: responses from cache might hang. Changes with nginx 1.1.10 30 Nov 2011 *) Bugfix: a segmentation fault occured in a worker process if AIO was used on Linux; the bug had appeared in 1.1.9. Changes with nginx 1.1.9 28 Nov 2011 *) Change: now double quotes are encoded in an "echo" SSI-command output. Thanks to Z