Nginx 1.30 changes default proxy behavior

Nginx 1.30 is here: ECH encrypts the TLS handshake, backends speak HTTP/2, and Multipath TCP uses multiple network paths in parallel.


Nginx 1.30.0 has been released as the new stable version, incorporating numerous features from the 1.29.x mainline. The most significant innovations concern modern web protocols and transport mechanisms: HTTP Early Hints (103), HTTP/2 connections to backends, Encrypted ClientHello (ECH), Multipath TCP, and sticky sessions. Additionally, a default behavior changes: the proxy module now uses HTTP/1.1 with Keep-Alive for backend connections.

Nginx is a widely used open-source web server, reverse proxy, and load balancer primarily employed in highly scalable web applications and cloud environments. Stable releases adopt proven features from the mainline and are considered suitable for production use.

With HTTP Early Hints, Nginx can inform clients about required resources even before the actual response. The server sends an HTTP status code 103 with preload headers, allowing browsers to load CSS or JavaScript files early – for instance, while the backend is still rendering content. This reduces the perceived loading time.

Also new is the ability to address backend servers via HTTP/2. Previously, Nginx typically used HTTP/1.1 for these connections. HTTP/2 allows multiplexing, meaning multiple parallel requests over a single connection. This particularly benefits microservice architectures where an API gateway addresses many backend endpoints simultaneously.

A small but practically relevant change: the proxy module now uses HTTP/1.1 with Keep-Alive for backend connections by default. Existing connections can thus be reused, reducing the number of connection establishments and improving performance for many short requests.
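To see which proxy locations this default change touches on upgrade, the following added example (not from the article or the nginx project) walks a configuration and lists every `proxy_pass` that has no `proxy_http_version` set at its own or an enclosing level. The sample configuration is constructed, the function names are hypothetical, and the simplified parser does not follow `include` files.

```python
import re

# Constructed sample config (not from the article or the nginx project).
SAMPLE = """
http {
    server {
        location /api/ {
            proxy_http_version 1.1;             # pinned: unaffected by the default
            proxy_pass http://127.0.0.1:8080;
        }
        location /legacy/ {
            proxy_pass http://127.0.0.1:9000;   # relies on the built-in default
        }
    }
}
"""

TOKEN = re.compile(r'#[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};#"\']+')

def parse(conf):
    """Build a tree of (words, children); children is None for simple directives."""
    root, words = [], []
    stack = [root]
    tokens = [t for t in TOKEN.findall(conf) if not t.startswith("#")]  # drop comments
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "}":
            stack.pop()
        else:
            kids = [] if tok == "{" else None
            stack[-1].append((words, kids))
            if kids is not None:
                stack.append(kids)
        words = []
    return root

def implicit_proxy_blocks(nodes, context="main", inherited=None):
    """List (context, target) for each proxy_pass with no proxy_http_version in scope."""
    own = [w[1] for w, kids in nodes if kids is None and w[:1] == ["proxy_http_version"]]
    version = own[0] if own else inherited  # a block's own setting overrides its parent's
    found = []
    for w, kids in nodes:
        if kids is not None:
            found += implicit_proxy_blocks(kids, " ".join(w), version)
        elif w[:1] == ["proxy_pass"] and version is None:
            found.append((context, w[1]))
    return found
```

Calling `implicit_proxy_blocks(parse(text))` on a configuration returns the contexts to review; an empty list means every proxied location already pins its protocol version explicitly.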

With Encrypted ClientHello (ECH), Nginx encrypts parts of the TLS handshake – specifically the Server Name Indication (SNI). This prevents third parties from identifying which domain a client is requesting during the connection setup. The integration relies on current OpenSSL interfaces and includes adjustments for logging and error handling.

Also new: support for Multipath TCP (MPTCP). This technology uses multiple network paths simultaneously, such as Wi-Fi and mobile data in parallel. This makes connections more stable and can, in ideal cases, achieve higher bandwidths. However, MPTCP support at the operating system and network level is a prerequisite.

For load balancing, Nginx 1.30 introduces sticky sessions. These consistently route a client's requests to the same backend server. This is helpful for stateful applications that do not store session data centrally. The Keepalive module for upstreams is now active by default. Combined with the changed proxy behavior (HTTP/1.1 with Keep-Alive), this noticeably reduces the overhead in connection management to backends.

The release includes numerous improvements related to HTTP/3 and QUIC, including stability fixes, adaptations to new OpenSSL 3.5 APIs, and optimizations in connection management. Additionally, there is support for TLS certificate compression, which streamlines the handshake. This is particularly beneficial for mobile clients and HTTP/3 connections.

Within the TLS stack, new callback mechanisms for ClientHello processing enable more flexible certificate selection. Simultaneously, the project has expanded compatibility with OpenSSL 4.0, BoringSSL, and AWS-LC.

On the configuration side, there is, among other things, a new max_headers directive that limits the number of allowed headers, thus protecting against misuse. On macOS, TCP keepalive parameters can now be configured.

As usual, the release includes many bug fixes, including those for HTTP/2, HTTP/3, proxying, gRPC, and the mail modules. The developers have also addressed faulty header processing, integer overflows, and validation errors.

All information about Nginx 1.30.0 can be found in the Release Notes on the GitHub project page.

(fo)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.