nginx.git/src, branch release-1.29.3 nginx Modules compatibility: increased compat section size. 2025-10-28T12:00:54+00:00 Roman Arutyunyan arut@nginx.com 2025-10-27T12:12:46+00:00 65c0b2e7709aa6949747dc2925dc3bcbddc1659f 






Fixed compilation warnings on Windows after c93a0c48af87.
2025-10-28T08:11:21+00:00

Roman Arutyunyan
arut@nginx.com

2025-10-27T17:16:49+00:00

f04e2b7f6e96a0587f091229272a5f060dbf32c0












OCSP: fixed invalid type for the 'ssl_ocsp' directive.
2025-10-27T11:05:36+00:00

Roman Semenov
r.semenov@f5.com

2025-10-22T18:24:27+00:00

ce30a1cb0ddce88027e760dc91145af6c6e8eef1












Headers filter: inheritance control for add_header and add_trailer.
2025-10-25T15:46:20+00:00

Roman Arutyunyan
arut@nginx.com

2025-07-14T17:44:05+00:00

c93a0c48af87bbae1568eaf110e207e435bbe0bd

The new directives add_header_inherit and add_trailer_inherit allow
to alter inheritance rules for the values specified in the add_header
and add_trailer directives in a convenient way.

The "merge" parameter enables appending the values from the previous level
to the current level values.

The "off" parameter cancels inheritance of the values from the previous
configuration level, similar to add_header "" (2194e75bb).

The "on" parameter (default) enables the standard inheritance behaviour,
which is to inherit values from the previous level only if there are no
directives on the current level.

The inheritance rules themselves are inherited in a standard way.  Thus,
for example, "add_header_inherit merge;" specified at the top level will
be inherited in all nested levels recursively unless redefined below.





The new directives add_header_inherit and add_trailer_inherit allow
to alter inheritance rules for the values specified in the add_header
and add_trailer directives in a convenient way.

The "merge" parameter enables appending the values from the previous level
to the current level values.

The "off" parameter cancels inheritance of the values from the previous
configuration level, similar to add_header "" (2194e75bb).

The "on" parameter (default) enables the standard inheritance behaviour,
which is to inherit values from the previous level only if there are no
directives on the current level.

The inheritance rules themselves are inherited in a standard way.  Thus,
for example, "add_header_inherit merge;" specified at the top level will
be inherited in all nested levels recursively unless redefined below.







Geo: the "volatile" parameter.
2025-10-24T22:06:54+00:00

Dmitry Plotnikov
d.plotnikov@f5.com

2025-10-21T19:48:36+00:00

ac72ca60c773a9ab6f3c6344ac1f2c03ca2b3201

Similar to map's volatile parameter, creates a non-cacheable geo variable.





Similar to map's volatile parameter, creates a non-cacheable geo variable.







SSL: $ssl_sigalg, $ssl_client_sigalg.
2025-10-24T14:22:32+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-10-17T16:38:17+00:00

71f8eb52b7746d6d8ddeb6efab5fc115c187be31

Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.





Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.







Upstream: reset local address in case of error.
2025-10-24T13:49:04+00:00

Roman Arutyunyan
arut@nginx.com

2025-10-23T14:21:57+00:00

364a94ecec13037126f28f91cf8f290979ffc229

After f10bc5a763bb the address was set to NULL only when local address was
not specified at all.  In case complex value evaluated to an empty or
invalid string, local address remained unchanged.  Currenrly this is not
a problem since the value is only set once.  This change is a preparation
for being able to change the local address after initial setting.





After f10bc5a763bb the address was set to NULL only when local address was
not specified at all.  In case complex value evaluated to an empty or
invalid string, local address remained unchanged.  Currenrly this is not
a problem since the value is only set once.  This change is a preparation
for being able to change the local address after initial setting.







CONNECT method support for HTTP/1.1.
2025-10-23T14:40:05+00:00

Roman Arutyunyan
arut@nginx.com

2025-09-23T11:03:52+00:00

42ca3a4576a32d0a912b0bba4088b8169f55ab2d

The change allows modules to use the CONNECT method with HTTP/1.1 requests.
To do so, they need to set the "allow_connect" flag in the core server
configuration.





The change allows modules to use the CONNECT method with HTTP/1.1 requests.
To do so, they need to set the "allow_connect" flag in the core server
configuration.







Added $request_port and $is_request_port variables.
2025-10-23T14:40:05+00:00

Roman Arutyunyan
arut@nginx.com

2025-09-29T16:47:27+00:00

c8c7beb96f61e2251abbc345357116131cf91c22

The $request_port variable contains the port passed by the client in the
request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and
HTTP/3).  If the request line contains no host, or ":authority" is missing,
then $request_port is taken from the "Host" header, similar to the $host
variable.

The $is_request_port variable contains ":" if $request_port is non-empty,
and is empty otherwise.





The $request_port variable contains the port passed by the client in the
request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and
HTTP/3).  If the request line contains no host, or ":authority" is missing,
then $request_port is taken from the "Host" header, similar to the $host
variable.

The $is_request_port variable contains ":" if $request_port is non-empty,
and is empty otherwise.







SSL: support for compressed server certificates with BoringSSL.
2025-10-08T15:56:41+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-15T18:22:53+00:00

78d1ab5a2c00839a36ff6bac661d9785fce3c1a4

BoringSSL/AWS-LC provide two callbacks for each compression algorithm,
which may be used to compress and decompress certificates in runtime.
This change implements compression support with zlib, as enabled with
the ssl_certificate_compression directive.  Compressed certificates
are stored in certificate exdata and reused in subsequent connections.

Notably, AWS-LC saves an X509 pointer in SSL connection, which allows
to use it from SSL_get_certificate() for caching purpose.  In contrast,
BoringSSL reconstructs X509 on-the-fly, though given that it doesn't
support multiple certificates, always replacing previously configured
certificates, we use the last configured one from ssl->certs, instead.





BoringSSL/AWS-LC provide two callbacks for each compression algorithm,
which may be used to compress and decompress certificates in runtime.
This change implements compression support with zlib, as enabled with
the ssl_certificate_compression directive.  Compressed certificates
are stored in certificate exdata and reused in subsequent connections.

Notably, AWS-LC saves an X509 pointer in SSL connection, which allows
to use it from SSL_get_certificate() for caching purpose.  In contrast,
BoringSSL reconstructs X509 on-the-fly, though given that it doesn't
support multiple certificates, always replacing previously configured
certificates, we use the last configured one from ssl->certs, instead.