nginx.git/src/stream, branch release-1.30.0 nginx Fixed the "include" directive inside the "geo" block. 2026-03-24T18:20:16+00:00 Eugene Grebenschikov e.grebenshchikov@f5.com 2026-03-12T00:57:05+00:00 0de6e878ba43b55dd23b437c5be1819a55f63ec4 The "include" directive should be able to include multiple files if given a filename mask. Completes remaining changes introduced in da4ffd8. Closes: https://github.com/nginx/nginx/issues/1165 
The "include" directive should be able to include multiple files if
given a filename mask.

Completes remaining changes introduced in da4ffd8.

Closes: https://github.com/nginx/nginx/issues/1165
Stream: fixed client certificate validation with OCSP. 2026-03-24T15:28:20+00:00 Sergey Kandaurov pluknet@nginx.com 2026-03-17T15:20:03+00:00 18711f7754401dd4ce26faa721e0f0bce41d4c1e Check for OCSP status was missed in 581cf2267, resulting in a broken validation. Reported by Mufeed VH of Winfunc Research. 
Check for OCSP status was missed in 581cf2267, resulting
in a broken validation.

Reported by Mufeed VH of Winfunc Research.
The "multipath" parameter of the "listen" directive. 2026-03-18T21:13:51+00:00 Sergey Kandaurov pluknet@nginx.com 2025-10-16T15:22:56+00:00 920dc099c130e0ea23eb36becd157a95901aa5a2 When configured, it enables Multipath TCP support on a listen socket. As of now it works on Linux starting with Linux 5.6 and glibc 2.32, where it is enabled with an IPPROTO_MPTCP socket(2) protocol. To avoid EADDRINUSE errors in bind() and listen() when transitioning between sockets with different protocols, SO_REUSEPORT is set on both sockets. See f7f1607bf for potential implications. Based on previous work by Maxime Dourov and Anthony Doeraene. 
When configured, it enables Multipath TCP support on a listen socket.
As of now it works on Linux starting with Linux 5.6 and glibc 2.32,
where it is enabled with an IPPROTO_MPTCP socket(2) protocol.

To avoid EADDRINUSE errors in bind() and listen() when transitioning
between sockets with different protocols, SO_REUSEPORT is set on both
sockets.  See f7f1607bf for potential implications.

Based on previous work by Maxime Dourov and Anthony Doeraene.
Upstream: introduced a new macro for down value. 2026-03-09T17:08:30+00:00 Aleksei Bavshin a.bavshin@nginx.com 2026-03-04T19:35:41+00:00 c5036ad30cfafb233494fa81c0b328aac3eb0e9b 






Add basic ECH shared-mode via OpenSSL.
2025-12-01T12:33:40+00:00

sftcd
stephen.farrell@cs.tcd.ie

2025-11-26T14:12:07+00:00

ab4f5b2d32c1f621ebdf5816a34b568015b98c63












Improved host header validation.
2025-11-26T15:51:40+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-04T12:34:32+00:00

511abb19e1e1b127f6d0943ccac346211a490a35

Validation is rewritten to follow RFC 3986 host syntax, based on
ngx_http_parse_request_line().  The following is now rejected:
- the rest of gen-delims "#", "?", "@", "[", "]"
- other unwise delims <">, "<", ">", "\", "^", "`', "{", "|", "}"
- IP literals with a trailing dot, missing closing bracket, or pct-encoded
- a port subcomponent with invalid values
- characters in upper half





Validation is rewritten to follow RFC 3986 host syntax, based on
ngx_http_parse_request_line().  The following is now rejected:
- the rest of gen-delims "#", "?", "@", "[", "]"
- other unwise delims <">, "<", ">", "\", "^", "`', "{", "|", "}"
- IP literals with a trailing dot, missing closing bracket, or pct-encoded
- a port subcomponent with invalid values
- characters in upper half







SSL: ngx_ssl_set_client_hello_callback() error handling.
2025-11-10T16:01:28+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-06T13:30:41+00:00

38a701d88b14f0747003c4e893d9fb13f51639ca

The function interface is changed to follow a common approach
to other functions used to setup SSL_CTX, with an exception of
"ngx_conf_t *cf" since it is not bound to nginx configuration.

This is required to report and propagate SSL_CTX_set_ex_data()
errors, as reminded by Coverity (CID 1668589).





The function interface is changed to follow a common approach
to other functions used to setup SSL_CTX, with an exception of
"ngx_conf_t *cf" since it is not bound to nginx configuration.

This is required to report and propagate SSL_CTX_set_ex_data()
errors, as reminded by Coverity (CID 1668589).







OCSP: fixed invalid type for the 'ssl_ocsp' directive.
2025-10-27T11:05:36+00:00

Roman Semenov
r.semenov@f5.com

2025-10-22T18:24:27+00:00

ce30a1cb0ddce88027e760dc91145af6c6e8eef1












Geo: the "volatile" parameter.
2025-10-24T22:06:54+00:00

Dmitry Plotnikov
d.plotnikov@f5.com

2025-10-21T19:48:36+00:00

ac72ca60c773a9ab6f3c6344ac1f2c03ca2b3201

Similar to map's volatile parameter, creates a non-cacheable geo variable.





Similar to map's volatile parameter, creates a non-cacheable geo variable.







SSL: $ssl_sigalg, $ssl_client_sigalg.
2025-10-24T14:22:32+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-10-17T16:38:17+00:00

71f8eb52b7746d6d8ddeb6efab5fc115c187be31

Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.





Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.