nginx.git/src/http/ngx_http_upstream.h, branch release-1.29.7 nginx Sticky: added the "header" parameter in the learn mode. 2026-03-09T17:08:30+00:00 Vladimir Homutov vl@nginx.com 2017-06-08T12:39:06+00:00 8021cb02de840d6168a98e4eefb9bdfbe51ba96e With this parameter set, sessions are learned after receiving upstream headers. 
With this parameter set, sessions are learned after receiving upstream headers.
Upstream: added sticky sessions support for upstreams. 2026-03-09T17:08:30+00:00 Vladimir Homutov vl@nginx.com 2013-04-02T21:44:36+00:00 104734f21888cfec6994e092073f51a0d4b0fb47 Sticky sessions allow to route the same client to the same upstream server. - upstream structures are extended to keep session-related information - existing balancing modules are updated to provide an id of the selected server (SID) in pc->sid, and to select the server, given it's SID. - other balancing modules are allowed to set the pc->hint value to choose the desired peer. The sticky module will not change the hint if it's already set. - the feature is enabled by default and can be disabled with the "--without-http_upstream_sticky" switch of the configure script. The following configuration can be used to enable sticky sessions for supported balancing modules: upstream u1 { server 127.0.0.1:8080; server 127.0.0.1:8081; sticky cookie server_id expires=1h domain=.example.com path=/; } Co-authored-by: Ruslan Ermilov <ru@nginx.com> Co-authored-by: Roman Arutyunyan <arut@nginx.com> Co-authored-by: Maxim Dounin <mdounin@mdounin.ru> 
Sticky sessions allow to route the same client to the same upstream server.

- upstream structures are extended to keep session-related information

- existing balancing modules are updated to provide an id of the selected
  server (SID) in pc->sid, and to select the server, given it's SID.

- other balancing modules are allowed to set the pc->hint value to choose
  the desired peer.  The sticky module will not change the hint if it's
  already set.

- the feature is enabled by default and can be disabled with the
  "--without-http_upstream_sticky" switch of the configure script.

The following configuration can be used to enable sticky sessions for
supported balancing modules:

    upstream u1 {
        server 127.0.0.1:8080;
        server 127.0.0.1:8081;

        sticky cookie server_id expires=1h domain=.example.com path=/;
    }

Co-authored-by: Ruslan Ermilov <ru@nginx.com>
Co-authored-by: Roman Arutyunyan <arut@nginx.com>
Co-authored-by: Maxim Dounin <mdounin@mdounin.ru>
Upstream: reinit upstream after reading bad response. 2026-02-04T15:09:20+00:00 Roman Arutyunyan arut@nginx.com 2026-01-28T16:38:38+00:00 d7a249470b78a155c7548aea5f4eb959dae9fd03 Previously, when connecting to a backend, if the read event handler was called before the write event handler, and the received response triggered a next upstream condition, then ngx_http_upstream_reinit() was not called to clean up the old upstream context. This had multiple implications. For all proxy modules, since the last upstream response was not cleaned up, it was mixed with the next upstream response. This could result in ignoring the second response status code, duplicate response headers or reporting old upstream header errors. With ngx_http_grpc_module and ngx_http_proxy_v2_module, ctx->connection was left dangling since the object it referenced was allocated from the last upstream connection pool, which was deleted when freeing last upstream. This lead to use-after-free when trying to reuse this object for the next upstream. 
Previously, when connecting to a backend, if the read event handler was
called before the write event handler, and the received response triggered
a next upstream condition, then ngx_http_upstream_reinit() was not called
to clean up the old upstream context.  This had multiple implications.

For all proxy modules, since the last upstream response was not cleaned up,
it was mixed with the next upstream response.  This could result in ignoring
the second response status code, duplicate response headers or reporting
old upstream header errors.

With ngx_http_grpc_module and ngx_http_proxy_v2_module, ctx->connection
was left dangling since the object it referenced was allocated from the
last upstream connection pool, which was deleted when freeing last upstream.
This lead to use-after-free when trying to reuse this object for the next
upstream.
Upstream: add support for connection level ALPN protocol negotiation. 2025-12-08T03:49:16+00:00 Zhidao HONG z.hong@f5.com 2025-07-15T14:54:21+00:00 b8492d9c25c34c87419d2ad118fa812fd72da27c This commit is prepared for HTTP/2 and HTTP/3 support. The ALPN protocol is now set per-connection in ngx_http_upstream_ssl_init_connection(), allowing proper protocol negotiation for each individual upstream connection regardless of SSL context sharing. 
This commit is prepared for HTTP/2 and HTTP/3 support.

The ALPN protocol is now set per-connection in
ngx_http_upstream_ssl_init_connection(), allowing proper protocol negotiation
for each individual upstream connection regardless of SSL context sharing.
Modules compatibility: increased compat section size. 2025-10-28T12:00:54+00:00 Roman Arutyunyan arut@nginx.com 2025-10-27T12:12:46+00:00 65c0b2e7709aa6949747dc2925dc3bcbddc1659f 






Upstream: fixed reinit request with gRPC and Early Hints.
2025-06-23T16:12:21+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-06-23T10:55:32+00:00

cdf7a9c6cb7f344efc80d790fbacdc1c94ab16e3

The gRPC module context has connection specific state, which can be lost
after request reinitialization when it comes to processing early hints.

The fix is to do only a portion of u->reinit_request() implementation
required after processing early hints, now inlined in modules.

Now NGX_HTTP_UPSTREAM_EARLY_HINTS is returned from u->process_header()
for early hints.  When reading a cached response, this code is mapped
to NGX_HTTP_UPSTREAM_INVALID_HEADER to indicate invalid header format.





The gRPC module context has connection specific state, which can be lost
after request reinitialization when it comes to processing early hints.

The fix is to do only a portion of u->reinit_request() implementation
required after processing early hints, now inlined in modules.

Now NGX_HTTP_UPSTREAM_EARLY_HINTS is returned from u->process_header()
for early hints.  When reading a cached response, this code is mapped
to NGX_HTTP_UPSTREAM_INVALID_HEADER to indicate invalid header format.







Upstream: early hints support.
2025-06-19T06:19:57+00:00

Roman Arutyunyan
arut@nginx.com

2024-11-15T04:23:53+00:00

662c1dd2a97afd6c7ca09b8f5a74347ee017b86b

The change implements processing upstream early hints response in
ngx_http_proxy_module and ngx_http_grpc_module.  A new directive
"early_hints" enables sending early hints to the client.  By default,
sending early hints is disabled.

Example:

    map $http_sec_fetch_mode $early_hints {
        navigate $http2$http3;
    }

    early_hints $early_hints;

    proxy_pass http://example.com;





The change implements processing upstream early hints response in
ngx_http_proxy_module and ngx_http_grpc_module.  A new directive
"early_hints" enables sending early hints to the client.  By default,
sending early hints is disabled.

Example:

    map $http_sec_fetch_mode $early_hints {
        navigate $http2$http3;
    }

    early_hints $early_hints;

    proxy_pass http://example.com;







Upstream: fixed passwords support for dynamic certificates.
2025-04-10T13:27:45+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-02-05T15:16:05+00:00

6c3a9d561271ec451f479a84fbe54c81a63dad2e

Passwords were not preserved in optimized SSL contexts, the bug had
appeared in d791b4aab (1.23.1), as in the following configuration:

    server {
        proxy_ssl_password_file password;
        proxy_ssl_certificate $ssl_server_name.crt;
        proxy_ssl_certificate_key $ssl_server_name.key;

        location /original/ {
            proxy_pass https://u1/;
        }

        location /optimized/ {
            proxy_pass https://u2/;
        }
    }

The fix is to always preserve passwords, by copying to the configuration
pool, if dynamic certificates are used.  This is done as part of merging
"ssl_passwords" configuration.

To minimize the number of copies, a preserved version is then used for
inheritance.  A notable exception is inheritance of preserved empty
passwords to the context with statically configured certificates:

    server {
        proxy_ssl_certificate $ssl_server_name.crt;
        proxy_ssl_certificate_key $ssl_server_name.key;

        location / {
            proxy_pass ...;

            proxy_ssl_certificate example.com.crt;
            proxy_ssl_certificate_key example.com.key;
        }
    }

In this case, an unmodified version (NULL) of empty passwords is set,
to allow reading them from the password prompt on nginx startup.

As an additional optimization, a preserved instance of inherited
configured passwords is set to the previous level, to inherit it
to other contexts:

    server {
        proxy_ssl_password_file password;

        location /1/ {
            proxy_pass https://u1/;
            proxy_ssl_certificate $ssl_server_name.crt;
            proxy_ssl_certificate_key $ssl_server_name.key;
        }

        location /2/ {
            proxy_pass https://u2/;
            proxy_ssl_certificate $ssl_server_name.crt;
            proxy_ssl_certificate_key $ssl_server_name.key;
        }
    }





Passwords were not preserved in optimized SSL contexts, the bug had
appeared in d791b4aab (1.23.1), as in the following configuration:

    server {
        proxy_ssl_password_file password;
        proxy_ssl_certificate $ssl_server_name.crt;
        proxy_ssl_certificate_key $ssl_server_name.key;

        location /original/ {
            proxy_pass https://u1/;
        }

        location /optimized/ {
            proxy_pass https://u2/;
        }
    }

The fix is to always preserve passwords, by copying to the configuration
pool, if dynamic certificates are used.  This is done as part of merging
"ssl_passwords" configuration.

To minimize the number of copies, a preserved version is then used for
inheritance.  A notable exception is inheritance of preserved empty
passwords to the context with statically configured certificates:

    server {
        proxy_ssl_certificate $ssl_server_name.crt;
        proxy_ssl_certificate_key $ssl_server_name.key;

        location / {
            proxy_pass ...;

            proxy_ssl_certificate example.com.crt;
            proxy_ssl_certificate_key example.com.key;
        }
    }

In this case, an unmodified version (NULL) of empty passwords is set,
to allow reading them from the password prompt on nginx startup.

As an additional optimization, a preserved instance of inherited
configured passwords is set to the previous level, to inherit it
to other contexts:

    server {
        proxy_ssl_password_file password;

        location /1/ {
            proxy_pass https://u1/;
            proxy_ssl_certificate $ssl_server_name.crt;
            proxy_ssl_certificate_key $ssl_server_name.key;
        }

        location /2/ {
            proxy_pass https://u2/;
            proxy_ssl_certificate $ssl_server_name.crt;
            proxy_ssl_certificate_key $ssl_server_name.key;
        }
    }







Upstream: caching certificates and certificate keys with variables.
2025-01-17T00:37:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-10-29T14:20:53+00:00

454ad0ef33a347eba1a62d18c8fc0498f4dcfd64

Caching is enabled with proxy_ssl_certificate_cache and friends.

Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com>





Caching is enabled with proxy_ssl_certificate_cache and friends.

Co-authored-by: Aleksei Bavshin <a.bavshin@nginx.com>







Upstream: construct upstream peers from DNS SRV records.
2024-11-07T15:57:42+00:00

Dmitry Volyntsev
xeioex@nginx.com

2016-03-17T15:42:31+00:00

9fe119b431c957824d7bed75fce47dfbda74ca33