nginx.git, branch release-1.29.4 nginx nginx-1.29.4-RELEASE 2025-12-09T18:28:10+00:00 Sergey Kandaurov pluknet@nginx.com 2025-12-09T15:12:35+00:00 c70457482c4223b6fd9adc3caa6a302163e6030d 






QUIC: fixed possible segfault on handshake failures.
2025-12-09T17:25:10+00:00

Jan Svojanovsky
jan.svojanovsky@cdn77.com

2025-12-09T11:27:02+00:00

66fde99b1d9113128778125c2f942f1d0f016be5

When using OpenSSL 3.5, the crypto_release_rcd QUIC callback can be
called late, after the QUIC connection was already closed on handshake
failure, resulting in a segmentation fault.  For instance, it happened
if a client Finished message didn't align with a record boundary.





When using OpenSSL 3.5, the crypto_release_rcd QUIC callback can be
called late, after the QUIC connection was already closed on handshake
failure, resulting in a segmentation fault.  For instance, it happened
if a client Finished message didn't align with a record boundary.







Proxy: cache support for HTTP/2.
2025-12-08T03:49:16+00:00

Zhidao HONG
z.hong@f5.com

2025-11-30T16:35:31+00:00

61690b5dc04ac31e4b402695cfc71c504be489dd












Proxy: buffering support for HTTP/2.
2025-12-08T03:49:16+00:00

Zhidao HONG
z.hong@f5.com

2025-11-30T16:32:15+00:00

17fd964f99b7c28155dc0aadbadeb3b739951cf3












Proxy: extracted control frame and skip functions for HTTP/2.
2025-12-08T03:49:16+00:00

Zhidao HONG
z.hong@f5.com

2025-11-30T16:27:26+00:00

fdd8e97558b3e4002affd11fedc88cdf4ad4796c












Proxy: extracted ngx_http_proxy_v2_process_frames() function.
2025-12-08T03:49:16+00:00

Zhidao HONG
z.hong@f5.com

2025-11-30T16:24:24+00:00

2a0342a17ddfe32ee984177dc313c8de14cb1de2












Proxy: added HTTP/2 proxy module.
2025-12-08T03:49:16+00:00

Zhidao HONG
z.hong@f5.com

2025-07-15T15:35:39+00:00

9bf758ea4d5db1101296cc111f6d782045148727

The module allows to use HTTP/2 protocol for proxying.
HTTP/2 proxying is enabled by specifying "proxy_http_version 2".

Example:

    server {
        listen 8000;

        location / {
            proxy_http_version 2;
            proxy_pass https://127.0.0.1:8443;
        }
    }

    server {
        listen 8443 ssl;
        http2 on;

        ssl_certificate certs/example.com.crt;
        ssl_certificate_key certs/example.com.key;

        location / {
            return 200 foo;
        }
    }





The module allows to use HTTP/2 protocol for proxying.
HTTP/2 proxying is enabled by specifying "proxy_http_version 2".

Example:

    server {
        listen 8000;

        location / {
            proxy_http_version 2;
            proxy_pass https://127.0.0.1:8443;
        }
    }

    server {
        listen 8443 ssl;
        http2 on;

        ssl_certificate certs/example.com.crt;
        ssl_certificate_key certs/example.com.key;

        location / {
            return 200 foo;
        }
    }







Proxy: refactored for HTTP/2 support.
2025-12-08T03:49:16+00:00

Roman Arutyunyan
arut@nginx.com

2025-07-15T15:03:39+00:00

90a4fc793527b67678fd48b2692be09f30d8ffcf












Upstream: add support for connection level ALPN protocol negotiation.
2025-12-08T03:49:16+00:00

Zhidao HONG
z.hong@f5.com

2025-07-15T14:54:21+00:00

b8492d9c25c34c87419d2ad118fa812fd72da27c

This commit is prepared for HTTP/2 and HTTP/3 support.

The ALPN protocol is now set per-connection in
ngx_http_upstream_ssl_init_connection(), allowing proper protocol negotiation
for each individual upstream connection regardless of SSL context sharing.





This commit is prepared for HTTP/2 and HTTP/3 support.

The ALPN protocol is now set per-connection in
ngx_http_upstream_ssl_init_connection(), allowing proper protocol negotiation
for each individual upstream connection regardless of SSL context sharing.







Disabled bare LF in chunked transfer encoding.
2025-12-06T13:41:32+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-24T22:06:29+00:00

f405ef11fde6ed749318a844c010ce97483a8f98

Chunked transfer encoding, since originally introduced in HTTP/1.1
in RFC 2068, is specified to use CRLF as the only line terminator.

Although tolerant applications may recognize a single LF, formally
this covers the start line and fields, and doesn't apply to chunks.
Strict chunked parsing is reaffirmed as intentional in RFC errata
ID 7633, notably "because it does not have to retain backwards
compatibility with 1.0 parsers".

A general RFC 2616 recommendation to tolerate deviations whenever
interpreted unambiguously doesn't apply here, because chunked body
is used to determine HTTP message framing; a relaxed parsing may
cause various security problems due to a broken delimitation.
For instance, this is possible when receiving chunked body from
intermediates that blindly parse chunk-ext or a trailer section
until CRLF, and pass it further without re-coding.





Chunked transfer encoding, since originally introduced in HTTP/1.1
in RFC 2068, is specified to use CRLF as the only line terminator.

Although tolerant applications may recognize a single LF, formally
this covers the start line and fields, and doesn't apply to chunks.
Strict chunked parsing is reaffirmed as intentional in RFC errata
ID 7633, notably "because it does not have to retain backwards
compatibility with 1.0 parsers".

A general RFC 2616 recommendation to tolerate deviations whenever
interpreted unambiguously doesn't apply here, because chunked body
is used to determine HTTP message framing; a relaxed parsing may
cause various security problems due to a broken delimitation.
For instance, this is possible when receiving chunked body from
intermediates that blindly parse chunk-ext or a trailer section
until CRLF, and pass it further without re-coding.