Releases
Support for Current and Previous Releases
NGINX provides technical support for F5 NGINX Plus releases for 24 months from the initial date of each release. With each new NGINX Plus release, the previously released version enters End of Software Development (EoSD). We do not issue updates for releases that have reached EoSD. For this reason, we advise customers to run the most recent release. The initial release dates for NGINX Plus are noted in this document. New releases are announced on the NGINX Product Support Announcements mailing list.
NGINX Plus Release 32 (R32)
29 May 2024
Based on NGINX Open Source 1.25.5
NGINX Plus R32 is a feature release:
-
SSL certificate caching that improves the NGINX startup time and memory usage in cases of configurations with large number of locations with relatively small number of unique certificate/key pairs
-
The
stream_pass
module that allows passing the accepted connection directly to any configured listening socket inhttp
,stream
,mail
, and other similar modules -
NGINX Plus official container images
-
Virtual servers in the
stream
module -
The
deferred
,accept_filter
, andsetfib
parameters of the listen directive in thestream
module -
Cache line size detection for some architectures
-
Security fixes:
-
Heap Overflow w/ write (CVE-2024-32760): Undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause other possible impacts
-
Stack Overflow / Use after free (CVE-2024-31079): Undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other possible impacts. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over
-
Null Pointer Dereference w/ Empty Header (CVE-2024-35200): Undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other possible impacts
-
Memory Disclosure during QUIC handshake (CVE-2024-34161): When the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC messages can cause NGINX worker processes to terminate or cause leakage of previously freed memory
-
-
Bugfixes:
-
in the MQTT Filter module: malformed packets when using default properties
-
in the zone_sync module: memory leak on configuration reload
-
Unexpected connection closure while using 0-RTT in QUIC
-
Connections with pending AIO operations might be closed prematurely during graceful shutdown of old worker processes
-
Socket leak alerts no longer logged when fast shutdown was requested after graceful shutdown of old worker processes
-
A socket descriptor error, a socket leak, or a segmentation fault in a worker process (for SSL proxying) might occur if AIO was used in a subrequest
-
A segmentation fault might occur in a worker process if SSL proxying was used along with the image_filter directive and errors with code 415 were redirected with the error_page directive
-
Bugfixes and improvements in HTTP/3
-
-
New features and bugfixes in njs:
-
setting the
Server
header for outgoing header -
QuickJS engine support in CLI
-
NGINX Plus R32 is supported on:
- AlmaLinux 8, 9
- Alpine Linux 3.16, 3.17, 3.18, 3.19
- Amazon Linux 2 LTS, 2023
- CentOS 7.4+
- Debian 11, 12
- FreeBSD 13, 14
- Oracle Linux 7.4+, 8.1+, 9
- RHEL 7.4+, 8.1+, 9.0+
- Rocky Linux 8, 9
- SUSE Linux Enterprise Server 12 SP5, 15 SP2
- Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS
Notes:
- Ubuntu 24.04 LTS is new in this release
- CentOS 7 is deprecated
- RHEL 7 is deprecated
- Oracle Linux 7 is deprecated
- FreeBSD 12 is removed
- OpenTracing dynamic module (package name is
nginx-plus-module-opentracing-module
) is deprecated - ModSecurity WAF dynamic module (package name is
nginx-plus-module-modsecurity
) reached end of support and is no longer available
More information: Announcing NGINX Plus R32
NGINX Plus R32 Update
This is a security release for NGINX Plus R32.
NGINX Plus R32 P1
14 August 2024
-
Security:
-
In the MQTT Filter module, undisclosed requests can cause an increase in memory resource utilization (CVE-2024-39792)
-
In the MP4 module, a specially crafted
mp4
file can cause NGINX worker memory over-read resulting in its termination by using a specially craftedmp4
file (CVE-2024-7347)
-
-
Various fixes in SSL certificate caching
NGINX Plus Release 31 (R31)
19 December 2023
Based on NGINX Open Source 1.25.3
NGINX Plus R31 is a feature release:
-
Native usage reporting of NGINX Plus installations to NGINX Instance Manager
-
The $upstream_last_server_name variable that keeps the name of the last selected upstream server and allows passing it to the proxied server through SNI
-
Notable startup speedup when using a large number of locations
-
HTTP/3 and QUIC features and bugfixes:
-
Path MTU Discovery (PMTUD) feature
-
support for
TLS_AES_128_CCM_SHA256
cipher suite -
support for
server_tokens
with variables -
bugfixes and improvements
-
-
New features in njs:
-
MQTT bugfixes and improvements:
-
the
CONNECT
message was rejected when a password was not provided -
the
CONNECT
message parsing is stopped when the message length is less than the number of bytes received -
added the
Will
topic andWill
payload for MQTT Version 3.1.1 if theCONNECT
message is rewritten
-
-
Various bugfixes and improvements:
-
the
Status
response header line with an empty reason phrase from the backend was handled incorrectly -
memory leak during reconfiguration when using the PCRE2 library
-
improved detection of misbehaving clients when using HTTP/2
-
-
The OpenTracing module introduced in NGINX Plus R18 is deprecated, it recommended to use the OpenTelemetry Distributed Tracing module that incorporates all the features of the OpenTracing module.
NGINX Plus R31 is supported on:
- AlmaLinux 8, 9
- Alpine Linux 3.16, 3.17, 3.18, 3.19
- Amazon Linux 2 LTS, 2023
- CentOS 7.4+
- Debian 11, 12
- FreeBSD 12.1+, 13, 14
- Oracle Linux 7.4+, 8.1+, 9
- RHEL 7.4+, 8.1+, 9.0+
- Rocky Linux 8, 9
- SUSE Linux Enterprise Server 12 SP5, 15 SP2
- Ubuntu 20.04 LTS, 22.04 LTS
Notes:
- Alpine Linux 3.19 is new in this release
- FreeBSD 14 is new in this release
- Alpine Linux 3.15 is removed
- FreeBSD 12 is deprecated
- OpenTracing dynamic module (package name is
nginx-plus-module-opentracing-module
) is deprecated
More information: Announcing NGINX Plus R31
NGINX Plus R31 Update
This is an improvement release for NGINX Plus R31.
NGINX Plus R31 P1
14 February 2024
-
Security: a segmentation fault might occur in a worker process if HTTP/3 was used (CVE-2024-24989, CVE-2024-24990)
-
Management module: fixed a potential crash that might happen while using a system resolver
More information: Updating NGINX for the Vulnerabilities in the HTTP/3 Module
NGINX Plus R31 P2
29 May 2024
-
Security:
-
Heap Overflow w/ write (CVE-2024-32760): Undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause other possible impacts
-
Stack Overflow / Use after free (CVE-2024-31079): Undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other possible impacts. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over
-
Null Pointer Dereference w/ Empty Header (CVE-2024-35200): Undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other possible impacts
-
Memory Disclosure during QUIC handshake (CVE-2024-34161): When the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC messages can cause NGINX worker processes to terminate or cause leakage of previously freed memory
-
NGINX Plus R31 P3
14 August 2024
-
Security:
-
In the MQTT Filter module, undisclosed requests can cause an increase in memory resource utilization (CVE-2024-39792)
-
In the MP4 module, a specially crafted
mp4
file can cause NGINX worker memory over-read resulting in its termination by using a specially craftedmp4
file (CVE-2024-7347)
-
NGINX Plus Release 30 (R30)
15 August 2023
Based on NGINX Open Source 1.25.1
NGINX Plus R30 is a feature release:
-
Native support for HTTP/3 and QUIC
-
- Per-worker connection statistics including accepted, dropped, active and idle connections, total and current requests
-
The Prometheus-njs module now supports version
9
of the API -
DNS reload optimization: now DNS name expiry time for dynamically-resolved upstream hosts is preserved across reloads
-
The new
mqtt_buffers
directive in the MQTT Filter module that specifies the number of buffers allocated per connection, the directive also supersedes themqtt_rewrite_buffer_size
directive -
The
ssl
directive deprecated in NGINX Plus Release 16 was removed, thessl
parameter of thelisten
directive should be used instead -
The new
http2
directive obsoletes thehttp2
parameter of thelisten
directive which is now deprecated -
HTTP/2 server push removed, the
http2_push
,http2_push_preload
,http2_max_concurrent_pushes
directives are made obsolete -
Optional NGINX diagnostic scripts that collect the data required for troubleshooting are available as a separate download package
-
New features in njs:
-
global NGINX properties:
ngx.build
,ngx.conf_file_path
,ngx.error_log_path
,ngx.prefix
,ngx.version
,ngx.version_number
,ngx.worker_id
-
the
js_shared_dict_zone
directive for http and stream that allows declaring a dictionary shared between worker processes -
ES13-compliant
Array
methods:from()
,toSorted()
,toSpliced()
,toReversed()
-
CryptoKey
properties inWebCrypto
API:algorithm
,extractable
,type
,usages
-
-
The GeoIP2 module is no longer available for Amazon Linux 2 as the EPEL repository doesn’t provide the
libmaxminddb
library required to build the module
NGINX Plus R30 is supported on:
- AlmaLinux 8, 9
- Alpine Linux 3.16, 3.17, 3.18
- Amazon Linux 2 LTS, 2023
- CentOS 7.4+
- Debian 11, 12
- FreeBSD 12.1+, 13
- Oracle Linux 7.4+, 8.1+, 9
- RHEL 7.4+, 8.1+, 9.0+
- Rocky Linux 8, 9
- SUSE Linux Enterprise Server 12 SP5, 15 SP2
- Ubuntu 20.04 LTS, 22.04 LTS
Notes:
- Alpine Linux 3.18 is new in this release
- Debian 12 is new in this release
- Alpine Linux 3.15 is deprecated
- Alpine Linux 3.14 is removed
- Ubuntu 18.04 is removed
- The GeoIP2 dynamic module (package name is
nginx-plus-module-geoip2
) for Amazon Linux 2 is no longer provided
More information: Announcing NGINX Plus R30
NGINX Plus R30 Update
This is an improvement release for NGINX Plus R30.
NGINX Plus R30 P1
11 October 2023
- Additional protection against HTTP/2 Rapid Reset Attack vulnerability (CVE-2023-44487) that may affect NGINX only when it is configured with the keepalive requests value substantially higher than the default value. Limitations in HTTP/2 protocol allow clients to produce a higher RPS rate than expected from a configured HTTP/2 max concurrent streams setting which can be exploited to trigger a Denial-of-Service attack.
More information: HTTP/2 Rapid Reset Attack Impacting NGINX Products
NGINX Plus R30 P2
14 February 2024
- Security: a segmentation fault might occur in a worker process if HTTP/3 was used (CVE-2024-24990)
More information: Updating NGINX for the Vulnerabilities in the HTTP/3 Module
NGINX Plus Release 29 (R29)
02 May 2023
Based on NGINX Open Source 1.23.4
NGINX Plus R29 is a feature release:
-
MQTT messaging protocol support with the MQTT Preread and MQTT Filter modules
-
SAML Authentication reference implementation based on native njs XML support
-
OpenTelemetry Distributed Tracing module, distributed in NGINX Plus packages (package name is
nginx-plus-module-otel
) and is available as a dynamic module -
Experimental support for HTTP/3 and QUIC, distributed in NGINX Plus packages (package name is
nginx-plus-quic
) -
TLS 1.3 is enabled by default (the
TLSv1.3
parameter of the ssl_protocols directive) -
The internal_redirect directive and module that allows internal redirects after checking request and connection processing limits, and access limits
-
New feature in OpenID Connect reference implementation: support for access token
-
The Prometheus-njs module now supports version
8
of the API, including SSL extended statistics for each HTTP upstream and stream upstream, SSL extended statistics for each HTTP server zone and stream server zone, and extended statistics for SSL -
The NGINX JavaScript (njs) module for NGINX Plus was updated to version 0.7.12, featuring extended Fetch API and WebCrypto API, XML module to parse and modify XML documents, Zlib module to support compression
NGINX Plus R29 is supported on:
- AlmaLinux 8, 9
- Alpine Linux 3.15, 3.16, 3.17
- Amazon Linux 2 LTS, 2023
- CentOS 7.4+
- Debian 11
- FreeBSD 12.1+, 13
- Oracle Linux 7.4+, 8.1+, 9
- RHEL 7.4+, 8.1+, 9.0+
- Rocky Linux 8, 9
- SUSE Linux Enterprise Server 12 SP5, 15 SP2
- Ubuntu 20.04 LTS, 22.04 LTS
Notes:
- Amazon Linux 2023 is new in this release
- Alpine Linux 3.14 is deprecated
- Ubuntu 18.04 is deprecated
- Alpine Linux 3.13 is removed
- The ModSecurity dynamic module (package name is
nginx-plus-module-modsecurity
) is no longer supported
More information: Announcing NGINX Plus R29
NGINX Plus R29 Update
This is an improvement release for NGINX Plus R29.
NGINX Plus R29 P1
11 October 2023
- Additional protection against HTTP/2 Rapid Reset Attack vulnerability (CVE-2023-44487) that may affect NGINX only when it is configured with the keepalive requests value substantially higher than the default value. Limitations in HTTP/2 protocol allow clients to produce a higher RPS rate than expected from a configured HTTP/2 max concurrent streams setting which can be exploited to trigger a Denial-of-Service attack.
More information: HTTP/2 Rapid Reset Attack Impacting NGINX Products
NGINX Plus Release 28 (R28)
29 November 2022
Based on NGINX Open Source 1.23.2
NGINX Plus R28 is a feature release:
-
API version 8 update:
-
SSL extended statistics for each HTTP upstream and stream upstream
-
SSL extended statistics for each HTTP server zone and stream server zone
-
Extended statistics for SSL endpoint
-
-
PROXY protocol v2 TLV variables for Amazon Web Services, Google Cloud Platform, and Microsoft Azure in HTTP and stream
-
The
proxy_protocol_tlv_
variable for HTTP and stream that can keep different TLV types from the PROXY protocol header including SSL TLV types -
Sticky cookie load-balancing method now can accept variables in the SameSite attribute in addition to
Strict
,Lax
,orNone
values -
NGINX Plus live activity monitoring dashboard now supports HTTP status code statistics and extended SSL statistics for upstreams and server zones
-
TLS session tickets encryption keys are now automatically rotated when using shared memory in the
ssl_session_cache
directive -
Looking up of IPv4 addresses while resolving now can be disabled with the
ipv4=off
parameter of theresolver
directive. -
Changes in handling multiple headers with identical names.
-
Most of the known duplicate upstream response headers are now ignored with a warning.
-
Duplicate
Content-Length
andTransfer-Encoding
headers are now rejected as well as the responses with invalidContent-Length
orTransfer-Encoding
headers, or if bothContent-Length
andTransfer-Encoding
are present in the response.
-
NGINX Plus R28 is supported on:
- AlmaLinux 8, 9
- Alpine Linux 3.13, 3.14, 3.15, 3.16, 3.17
- Amazon Linux 2 LTS
- CentOS 7.4+
- Debian 11
- FreeBSD 12.1+, 13
- Oracle Linux 7.4+, 8.1+, 9
- RHEL 7.4+, 8.1+, 9.0+
- Rocky Linux 8, 9
- SUSE Linux Enterprise Server 12 SP5, 15 SP2
- Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS
Notes:
- AlmaLinux 8 and 9 are new in this release
- Alpine Linux 3.17 is new in this release
- Oracle Linux 9 is new in this release
- Rocky Linux 8 and 9 are new in this release
- Debian 10 is removed
- Alpine Linux 3.13 is deprecated
More information: Announcing NGINX Plus R28
NGINX Plus Release 27 (R27)
28 June 2022
Based on NGINX Open Source 1.21.6
NGINX Plus R27 is a feature release:
-
API version 8:
-
SSL statistics for each HTTP server zone and stream server zone
-
JWT Authentication: error code can be customized with the
error
parameter of theauth_jwt_require
directive if any additional condition of JWT validation fails -
HTTP health checks: the
keepalive_time
parameter of thehealth_check
directive that enables keepalive connections for health checks and specifies the time during which requests can be processed through one keepalive connection -
The Prometheus-njs module now supports version
7
of the API, including/stream/limit_conns/
,/http/limit_conns/
,/http/limit_req/
data, and HTTP status code statistics for upstreams, server zones and location zones -
kTLS is now also available on RHEL 9.0 and Ubuntu 22.04
NGINX Plus R27 is supported on:
- Alpine Linux 3.13, 3.14, 3.15, 3.16
- Amazon Linux 2 LTS
- CentOS 7.4+
- Debian 10, 11
- FreeBSD 12.1+, 13
- Oracle Linux 7.4+, 8.1+
- RHEL 7.4+, 8.1+, 9.0+
- SUSE Linux Enterprise Server 12 SP5, 15 SP2
- Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS
Notes:
- Alpine Linux 3.16 is new in this release
- RHEL 9.0+ is new in this release
- Ubuntu 22.04 LTS is new in this release
- Debian 10 is deprecated
- Alpine 3.12 is no longer supported
- CentOS 8 is no longer supported
- Power 8 architecture is no longer supported
More information: Announcing NGINX Plus R27
NGINX Plus R27 Update
This is a bug‑fix release for NGINX Plus R27.
NGINX Plus R27 P1
19 October 2022
- In HLS (CVE-2022-41743) and MP4 (CVE-2022-41741) modules when processing specially crafted video files a memory corruption, or a memory disclosure in MP4 module (CVE-2022-41742) could happen.
NGINX Plus Release 26 (R26)
15 February 2022
Based on NGINX Open Source 1.21.5
NGINX Plus R26 is a feature release:
-
JWT key caching with the
auth_jwt_key_cache
directive -
Enhanced ALPN support with the
ssl_alpn
directive for stream, and the$ssl_alpn_protocol
variable for HTTP and stream -
The
$ssl_curve
variable that returns the negotiated curve used for SSL handshake key exchange process -
The
proxy_half_close
directive for stream that allows closing one side of a connection while the data is still transmitted -
The
mp4_start_key_frame
directive in the MP4 module that forces a video to always start with a key frame
NGINX Plus R26 is supported on:
- Alpine Linux 3.12, 3.13, 3.14, 3.15
- Amazon Linux 2 LTS
- CentOS 7.4+, 8.1+
- Debian 10, 11
- FreeBSD 12.1+, 13
- Oracle Linux 7.4+, 8.1+
- RHEL 7.4+, 8.1+, 9.0+
- SUSE Linux Enterprise Server 12 SP5, 15 SP2
- Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS
Notes:
- Alpine Linux 3.15 is new in this release
- Added support for IBM Z (s390x) for CentOS 8+, RHEL 8+, and Ubuntu 20.04 LTS
- RHEL 8.0+ was updated to RHEL 8.1+
- CentOS 8.0+ was updated to CentOS 8.1+
- CentOS 8 is deprecated
- Power 8 is deprecated
- Alpine 3.12 is deprecated
- Alpine 3.11 is no longer supported
- The
js_include
directive was removed, thejs_import
directive should be used instead - The
aio sendfile
directive was removed, thesendfile
directive should be used instead - The third-party
Cookie‑Flag
was removed from the dynamic modules repository, theproxy_cookie_flags
directive should be used instead - Swagger UI with REST API YAML specification is not included into NGINX Plus packages by default any more and now is a part of docs.nginx.com
More information: Announcing NGINX Plus R26
NGINX Plus R26 Update
This is a bug‑fix release for NGINX Plus R26.
NGINX Plus R26 P1
19 October 2022
- In HLS (CVE-2022-41743) and MP4 (CVE-2022-41741) modules when processing specially crafted video files a memory corruption, or a memory disclosure in MP4 module (CVE-2022-41742) could happen.
NGINX Plus Release 25 (R25)
28 September 2021
Based on NGINX Open Source 1.21.3
NGINX Plus R25 is a feature release:
-
JWT authentication:
-
support for signed and then encrypted Nested JWT with the
nested
parameter of the auth_jwt_type directive -
additional conditions for JWT validation can be specified with the auth_jwt_require directive
-
the $jwt_payload variable that returns either enclosed JWS token for Nested JWT, or JSON with claims for JWE
-
now it is possible to have multiple auth_jwt_key_file and auth_jwt_key_request directives within the same context
-
asymmetric RSA-OAEP cryptographic algorithms for JWE
-
-
API version 7: HTTP status code statistics are now collected per-code, in addition to aggregation per-class, for upstreams, server zones, and location zones
-
Stream health checks: introduced the persistent parameter in the health_check directive that enables persistence of mandatory health check status during configuration reload
-
TCP Fast Open support with the
fastopen
parameter of the listen directive in the stream module -
Mail proxy:
-
the number of errors before closing the connection can be specified with the max_errors directive to mitigate against ALPACA attack
-
support for POP3 and IMAP pipelining
-
the
Auth-SSL-Protocol
andAuth-SSL-Cipher
header lines are now passed to the mail proxy authentication server
-
-
Security hardening of HTTP request parsing. NGINX Plus will return an error if:
-
spaces or control characters are found in the request line, header names, or the
Host
request header line -
the
CONNECT
method is used -
both
Content-Length
andTransfer-Encoding
header lines are present in the request
-
-
Request body filters API now permits buffering of the data being processed.
-
Support for dynamic SSL certificate loading for http, grpc, and uwsgi backends
NGINX Plus R25 is supported on:
- Alpine Linux 3.11, 3.12, 3.13, 3.14
- Amazon Linux 2 LTS
- CentOS 7.4+, 8.0+
- Debian 10, 11
- FreeBSD 12.1+, 13
- Oracle Linux 7.4+
- RHEL 7.4+, 8.0+
- SUSE Linux Enterprise Server 12 SP5, 15 SP2
- Ubuntu 18.04 LTS, 20.04 LTS
Notes:
- Alpine 3.14 is new in this release
- Alpine 3.10 is no longer supported
- Amazon Linux (2018.03+) is no longer supported
- Debian 11 is new in this release
- FreeBSD 11.4+ is no longer supported
- Ubuntu 16.04 is no longer supported
More information: Announcing NGINX Plus R25
NGINX Plus R25 Update
This is a bug‑fix release for NGINX Plus R25.
NGINX Plus R25 P1
14 December 2021
- Swagger UI updated to version 4.1.2
- Fixed a crash that might happen when an upstream server was updated via the API
NGINX Plus Release 24 (R24)
27 April 2021
Based on NGINX Open Source 1.19.10
NGINX Plus R24 is a feature release:
-
Support for JSON Web Encryption added to the JSON Web Token (JWT) module
-
HTTP health checks: introduced the persistent parameter in the health_check directive that enables persistence to mandatory health checks after reload
-
Flags in the proxy_cookie_flags directive can now contain variables
-
Support for PROXY Protocol in mail (the
proxy_protocol
parameter of the listen directive, proxy_protocol and set_real_ip_from directives) -
If free worker connections are exhausted, NGINX Plus starts closing not only keepalive connections, but also connections in lingering_close
-
The maximum duration of a persistent connection can be limited with the
keepalive_time
directive for http and upstream servers -
New variable, $connection_time, that keeps connection time
NGINX Plus R24 is supported on:
- Alpine Linux 3.10, 3.11, 3.12, 3.13
- Amazon Linux (2018.03+), Amazon Linux 2 LTS
- CentOS 7.4+, 8.0+
- Debian 10
- FreeBSD 11.4+, 12.1+, 13
- Oracle Linux 7.4+
- RHEL 7.4+, 8.0+
- SUSE Linux Enterprise Server 12 SP5, 15 SP2
- Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS
Notes:
- FreeBSD 13 is new in this release
- Alpine 3.13 is new in this release
- SUSE Linux Enterprise Server 15 SP2 is new in this release
- CentOS 7 (aarch64) is new in this release
- Amazon Linux 1 (2018) is deprecated
- Ubuntu 16.04 is deprecated
- Alpine Linux 3.10 is deprecated
- Debian 9 is no longer supported
- Amazon Linux 2 now depends on OpenSSL 1.1 package.
Upgrade Note:
NGINX Plus repositories have been separated into individual repositories based on operating system distribution and license subscription. Before upgrading from previous NGINX Plus versions, you must first reconfigure your repositories to point to the correct location. To reconfigure your repository, follow the installation instructions for your operating system.
More information: Announcing NGINX Plus R24
NGINX Plus R24 Updates
These are bug‑fix releases for NGINX Plus R24.
NGINX Plus R24 P1
18 May 2021
- Resolver: an issue in NGINX resolver may allow an attacker who is able to forge UDP packets from the specified DNS server to cause a 1-byte memory overwrite, resulting in a worker process interruption or other unspecified impact (CVE-2021-23017)
NGINX Plus R24 P2
14 December 2021
- Swagger UI updated to version 4.1.2
NGINX Plus Release 23 (R23)
8 December 2020
Based on NGINX Open Source 1.19.5
NGINX Plus R23 is a feature release:
-
gRPC health checks: introduced the type=grpc parameter in the health_check directive that enables active health checks of gRPC upstream servers
-
Sticky cookie load-balancing method now can accept the SameSite attribute with
Strict
,Lax
,orNone
values -
Support for cookie flags with the proxy_cookie_flags and userid_flags directives
-
Introduced script that performs unprivileged installation of NGINX Plus
-
New command-line switch to redefine an error log file: -e
-
New set directive for stream that allows setting a value for a variable
-
Added support for arbitrary OpenSSL configuration commands with the ssl_conf_command directive
-
The ssl_reject_handshake directive that allows rejecting the SSL handshake in the
server
block -
Support for proxy_smtp_auth user authentication on the SMTP backend in mail proxy
-
Cache manager improved to monitor the minimum amount of free space (the
min_free
parameter of the proxy_cache_path directive)
NGINX Plus R23 is supported on:
- Alpine Linux 3.10, 3.11, 3.12
- Amazon Linux (2018.03+), Amazon Linux 2 LTS
- CentOS 7.4+, 8.0+
- Debian 9, 10
- FreeBSD 11.4+, 12.1+
- Oracle Linux 7.4+
- RHEL 7.4+, 8.0+
- SUSE Linux Enterprise Server 12, 15
- Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS
Notes:
- Alpine 3.12 is new in this release
- Alpine 3.9 is no longer supported
- CentOS/RHEL 6.x is no longer supported
- Debian 10 (aarch64) is new in this release
- Ubuntu 19.10 is no longer supported
More information: Announcing NGINX Plus R23
NGINX Plus R23 Update
This is a bug‑fix release for NGINX Plus R23.
NGINX Plus R23 P1
18 May 2021
- Resolver: an issue in NGINX resolver may allow an attacker who is able to forge UDP packets from the specified DNS server to cause a 1-byte memory overwrite, resulting in a worker process interruption or other unspecified impact (CVE-2021-23017)
NGINX Plus Release 22 (R22)
9 June 2020
Based on NGINX Open Source 1.19.0
NGINX Plus R22 is a feature release:
- Client certificate OCSP validation
- Realtime limit_conn and limit_req dashboard charts
- Delay on authentication failure
NGINX Plus R22 is supported on:
- Alpine Linux 3.9, 3.10, 3.11
- Amazon Linux (2018.03+), Amazon Linux 2 LTS
- CentOS 6.5+, 7.4+, 8.0+
- Debian 9, 10
- FreeBSD 11.3+, 12.1+
- Oracle Linux 6.5+, 7.4+
- RHEL 6.5+, 7.4+, 8.0+
- SUSE Linux Enterprise Server 12, 15
- Ubuntu 16.04 LTS, 18.04 LTS, 19.10, 20.04 LTS
Notes:
- Alpine 3.8 is no longer supported
More information: Announcing NGINX Plus R22
NGINX Plus Release 21 (R21)
7 April 2020
Based on NGINX Open Source 1.17.9
NGINX Plus R21 is a feature release:
- Support for a variable parameter to the grpc_pass directive enables dynamic gRPC routing
NGINX Plus R21 is supported on:
- Alpine Linux 3.8, 3.9, 3.10, 3.11
- Amazon Linux (2018.03+), Amazon Linux 2 LTS
- CentOS 6.5+, 7.4+, 8.0+
- Debian 9, 10
- FreeBSD 11.2+, 12.0+
- Oracle Linux 6.5+, 7.4+
- RHEL 6.5+, 7.4+, 8.0+
- SUSE Linux Enterprise Server 12, 15
- Ubuntu 16.04 LTS, 18.04 LTS, 19.10, 20.04 LTS
Notes:
- Alpine 3.11 is new in this release
- Ubuntu 20.04 is new in this release
- Ubuntu 19.04 is no longer supported
- NGINX Plus is no longer available for 32‑bit (i386) platforms. Applies to:
- CentOS/Oracle Linux/RHEL 6.5+ (x86_64 still supported)
- Debian 9, 10 (x86_64 still supported)
- Ubuntu 16.04 LTS (x86_64, aarch64, ppc64le still supported)
More information: Announcing NGINX Plus R21
NGINX Plus Release 20 (R20)
3 December 2019
Based on NGINX Open Source 1.17.6
NGINX Plus R20 is a feature release:
- Enhancements to rate limiting: endpoint in NGINX Plus API for real‑time metrics, $limit_req_status variable captures request’s rate‑limiting status in access log
- Enhancements to connection limiting: endpoint in NGINX Plus API for real‑time metrics, $limit_conn_status variable captures request’s connection‑limiting status in access log, dry‑run mode with limit_conn_dry_run directive
- Support in key‑value store for matching on start of character strings (new
type=prefix
parameter to keyval_zone directive) - Separate DNS resolution in each upstream group (resolver directive)
- PROXY Protocol variables capture IP address and port of original proxy server ($proxy_protocol_server_{addr,port})
- Security improvements for HTTP/2: better detection of invalid client behavior, improved error responses, improved functioning of proxy_request_buffering and worker_shutdown_timeout directives
NGINX Plus R20 R20 is supported on:
- Alpine Linux 3.8, 3.9, 3.10
- Amazon Linux (2018.03+), Amazon Linux 2 LTS
- CentOS 6.5+, 7.4+, 8.0+
- Debian 9, 10
- FreeBSD 11.2+, 12.0+
- Oracle Linux 6.5+, 7.4+
- RHEL 6.5+, 7.4+, 8.0+
- SUSE Linux Enterprise Server 12, 15
- Ubuntu 16.04 LTS, 18.04 LTS, 19.04, 19.10
Notes:
- CentOS 8.0+ is new in this release
- FreeBSD 12.1 is new in this release
- RHEL 8.1 is new in this release
- Ubuntu 19.10 is new in this release
More information: Announcing NGINX Plus R20
NGINX Plus Release 19 (R19)
13 August 2019
Based on NGINX Open Source 1.17.3
NGINX Plus R19 is a feature release:
- Metrics for individual location blocks (enabled by status_zone directive)
- Metrics about DNS resolver functionality (new
status_zone
parameter to resolver directive) - Two new tabs on NGINX Plus live activity monitoring dashboard for metrics about DNS and clustering; per‑location metrics are also reported
- Dry‑run mode for testing effects of request‑rate limits on production traffic without actually enforcing them (new limit_req_dry_run directive)
- Support in key‑value store for IP address ranges in CIDR notation as well as individual addresses (new
type=ip
parameter to keyval_zone directive) - Expiration time can be set for each key‑value entry to override default expiration time, either at creation time for new entry or as a modification to existing entry
- The parameter to the limit_rate, limit_rate_after, proxy_download_rate, and proxy_upload_rate directives can be a variable
NGINX Plus R19 is supported on:
- Alpine Linux 3.8, 3.9, 3.10
- Amazon Linux (2018.03+), Amazon Linux 2 LTS
- CentOS 6.5+, 7.4+
- Debian 9, 10
- FreeBSD 11.2+, 12.0
- Oracle Linux 6.5+, 7.4+
- RHEL 6.5+, 7.4+, 8
- SUSE Linux Enterprise Server 12, 15
- Ubuntu 16.04 LTS, 18.04 LTS, 19.04
Notes:
- Alpine Linux 3.10 is new in this release
- Debian 8 is no longer supported
- Debian 10 is new in this release
- Ubuntu 14.04 LTS and 18.10 are no longer supported
- Ubuntu 19.04 is new in this release
More information: Announcing NGINX Plus R19
NGINX Plus Release 18 (R18)
9 April 2019
Based on NGINX Open Source 1.15.10
NGINX Plus R18 is a feature release:
- Dynamic SSL certificate loading, either from file or from key-value storage (for the latter case, prefix the variable with
data:
) - New features in OpenID Connect reference implementation: opaque session tokens as a browser cookie, refresh tokens to refresh expired ID tokens without user interaction, and a logout URL
- Additional logic for verifying arbitrary variables in active health checks (new
require
parameter to match directive) - Wildcard support for listen directive means same zone_sync configuration can now be used for all instances in a cluster
- Port ranges supported for listen directive
- For TCP/UDP, existing connections to proxied upstream server can be explicitly closed after server is removed from upstream group due to health check failure, API call, or re-resolve action (new proxy_session_drop directive)
- New variable, $upstream_bytes_sent, contains number of bytes sent to an upstream server
- New or updated dynamic modules:
- Brotli (New): General‑purpose, lossless data compression algorithm
- OpenTracing (New): Ability to instrument NGINX Plus with OpenTracing‑compliant requests for a range of distributed tracing services, such as Datadog, Jaeger, and Zipkin
- Lua (Updated): Scripting language for NGINX Plus, updated to use LuaJIT 2.1
- NGINX JavaScript (Updated): JavaScript module for NGINX Plus, updated to version 0.3.0
NGINX Plus R18 is supported on:
- Alpine Linux 3.8, 3.9
- Amazon Linux (2018.03+), Amazon Linux 2 LTS
- CentOS 6.5+, 7.4+
- Debian 8.0, 9.0
- FreeBSD 11.2+, 12.0
- Oracle Linux 6.5+, 7.4+
- RHEL 6.5+, 7.4+, 8
- SUSE Linux Enterprise Server 12, 15
- Ubuntu 14.04 LTS, 16.04 LTS, 18.04, 18.10
Notes:
- Amazon Linux 2017.09 is no longer supported; minimum supported version is now 2018.03
- CentOS/Oracle/Red Hat Enterprise Linux 7.3 is no longer supported; minimum supported version is now 7.4
- Debian 8.0 will be removed at NGINX Plus R19
- Ubuntu 14.04 will be removed at NGINX Plus R19
More information: Announcing NGINX Plus R18
NGINX Plus R18 Update
This is a bug‑fix release for NGINX Plus R18.
NGINX Plus R18 P1
6 August 2019
- Security patch: When using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516)
NGINX Plus Release 17 (R17)
11 December 2018
Based on NGINX Open Source 1.15.7
NGINX Plus R17 is a feature release:
- Support for TLS 1.3 using
TLSv1.3
parameter to ssl_protocols directive - Two‑stage rate limiting with the new
delay=
parameter; excessive requests are initially delayed and then ultimately rejected - Support for the Ed25519 and Ed448 cryptographic algorithms added to the JSON Web Token (JWT) module
- Ability to fetch JSON Web Keys (JWK) directly from identity provider (IdP) when using OpenID Connect (new auth_jwt_key_request directive)
- TCP keepalives between NGINX Plus and the proxied server (new proxy_socket_keepalive directive)
- Control over how long HTTP keepalive connection between NGINX Plus and proxied server can be idle before being closed (new keepalive_timeout directive)
- For UDP, number of packets sent from NGINX Plus to proxied server before new UDP “session” to that server is started can be set explicitly (new proxy_requests directive)
- Zone Synchronization module can now pass server name using SNI when connecting to cluster nodes for server name verification (new zone_sync_ssl_server_name directive)
- The NGINX JavaScript module has been updated:
- Support for arguments objects
- Support for non‑integer fractions
- Support for additional time methods:
console.time()
andconsole.timeEnd()
- Variables and functions can be redeclared
- Integration with the NGINX Stream module for TCP/UDP applications has been refactored to use various return functions, including a
send()
method for modifying ingress trafficl egress traffic is now available through a callback
NGINX Plus R17 is supported on:
- Alpine Linux 3.8, 3.9
- Amazon Linux (2017.09), Amazon Linux 2 LTS
- CentOS 6.5+, 7.0+
- Debian 8.0, 9.0
- FreeBSD 11.2+, 12.0
- Oracle Linux 6.5+, 7.0+
- RHEL 6.5+, 7.0+
- SUSE Linux Enterprise Server 12, 15
- Ubuntu 14.04 LTS, 16.04 LTS, 18.04, 18.10
Notes:
- Alpine Linux 3.8 and 3.9 are new in this release
- CentOS/Oracle Linux/RHEL 7.3 will be removed at NGINX Plus R18
- FreeBSD 11.2 and 12.0 are new in this release; versions 10.4 and 11.1 are no longer supported
- Ubuntu 14.04 will be removed at NGINX Plus R19
- Ubuntu 18.10 is new in this release
More information: Announcing NGINX Plus R17
NGINX Plus Release 16 (R16)
5 September 2018
Based on NGINX Open Source 1.15.2
NGINX Plus R16 is a feature release:
- Rate limiting in a cluster using Zone Synchronization module
- Key-value store in a cluster using Zone Synchronization module
- Timeouts in Key-Value Store module
- New random load‑balancing algorithm with Random with Two Choices variant, for which least_time or least_conn can be used to decide between the two choices
- UDP load balancing (stream module) enhanced with support for multiple UDP packets from the client, enabling use of more complex UDP protocols such as OpenVPN, VoIP, and VDI
- Support for PROXY Protocol v2 (PPv2) header, and ability to inspect custom TLV values in header
- Support for AWS PrivateLink, Amazon’s technology for creating secure tunnels into a VPC
- opaque session token support in the OpenID Connect reference implementation
- New $ssl_preread_protocol variable to distinguish between SSL/TLS and other protocols when forwarding traffic using a TCP (stream) proxy
- New Encrypted Session dynamic module
- The NGINX JavaScript module has been updated:
- Single object (
r
) is used to access both request and response attributes associated with each HTTP request - New language support:
bytesFrom()
,padStart()
,padEnd()
,getrandom()
,getentropy()
, and binary literals
- Single object (
NGINX Plus R16 is supported on:
- Amazon Linux (2017.09), Amazon Linux 2 LTS
- CentOS 6.5+, 7.0+
- Debian 8.0, 9.0
- FreeBSD 10.4+, 11.1+
- Oracle Linux 6.5+, 7.0+
- RHEL 6.5+, 7.0+
- SUSE Linux Enterprise Server 12
- Ubuntu 14.04 LTS, 16.04 LTS, 18.04
Notes:
- FreeBSD 10.4+ and 11.1+ are new in this release; versions 10.3 and 11.0 are no longer supported
- Amazon Linux 2 (LTS) is updated to the GA version.
- Ubuntu 17.10 is no longer supported
- The Upstream Conf and Extended Status modules are superseded by the NGINX Plus API module and are no longer distributed in NGINX Plus (see our transition guide for details)
- The New Relic plug‑in for NGINX has been updated to use the new NGINX Plus API, but is no longer supported by NGINX, Inc.
More information: Announcing NGINX Plus R16
NGINX Plus R16 Update
This is a bug‑fix release for NGINX Plus R16.
NGINX Plus R16 P1
30 October 2018
- Security patch: When using HTTP/2 a client might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844)
- Security patch: Processing of a specially crafted MP4 file with the ngx_http_mp4_module might result in worker process memory disclosure (CVE-2018-16845)
NGINX Plus Release 15 (R15)
10 April 2018
Based on NGINX Open Source 1.13.10
NGINX Plus R15 is a feature release:
- Proxying, load balancing, and SSL-termination of gRPC traffic
- HTTP/2 server push
- Sticky learn session persistence in a cluster using new Zone Synchronization module, which synchronizes shared memory zones across a cluster of NGINX Plus instances
- OpenID Connect (OIDC) authorization code flow, enabling integration with CA Single Sign-On (formerly SiteMinder), ForgeRock OpenAM, Keycloak, Okta, and other identity providers
- Subrequests from the NGINX JavaScript module
- Crypto libraries in NGINX JavaScript module with support for common hash functions MD5, SHA-1, and SHA-256
- Inheritance of the
CAP_NET_RAW
Linux capability so that transparent proxying does not require worker processes to have root privileges - New auth_jwt_leeway directive to compensate for clock skew between NGINX Plus and identity provider
- Performance enhancements and bug fixes to NGINX WAF module
- Updates to LDAP authentication reference implementation
- New $upstream_queue_time variable to hold the amount of time a request spends in the upstream queue
- New $ssl_preread_alpn_protocols variable to hold the Application Layer Protocol Negotiation (ALPN) protocols presented by client
- New Cookie-Flag dynamic module
NGINX Plus R15 is supported on:
- Amazon Linux (2017.09), Amazon Linux 2 LTS
- CentOS 6.5+, 7.0+
- Debian 8.0, 9.0
- FreeBSD 10.3, 11.0
- Oracle Linux 6.5+, 7.0+
- RHEL 6.5+, 7.0+
- SUSE Linux Enterprise Server 12
- Ubuntu 14.04 LTS, 16.04 LTS, 17.10, 18.04
Notes:
- Ubuntu 17.04 is no longer supported
- nginScript is now known as the NGINX JavaScript module
- The NGINX Plus API version has been incremented to 3; all previous versions of the NGINX Plus API are still supported
- This is the last release to support the deprecated dynamic (on-the-fly) reconfiguration and extended status APIs (see our transition guide for details)
More information: Announcing NGINX Plus R15
NGINX Plus R15 Updates
These are bug‑fix releases for NGINX Plus R15.
NGINX Plus R15 P2
30 October 2018
- Security patch: When using HTTP/2 a client might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844)
- Security patch: Processing of a specially crafted mp4 file with the ngx_http_mp4_module might result in worker process memory disclosure (CVE-2018-16845)
NGINX Plus R15 P1
12 April 2018
- Third‑party modules might not be loaded due to signature incompatibility
NGINX Plus Release 14 (R14)
12 December 2017 NGINX Open Source build 1.13.7
NGINX Plus R14 is a feature release:
- Nested JSON Web Token (JWT) claims, array data, and longer key sizes (256‑, 384‑, and 512‑bit) for JWT signing algorithms, providing more flexibility and security when validating JWTs
- Clustering support for the sticky_learn method of session persistence, as a technology preview of distribution of session state data in a cluster
- Key‑value store and NGINX Plus API in the
stream
context, making the same key‑value store features are available for TCP/UDP applications as for HTTP applications - New NGINX Plus dashboard utilizing the NGINX Plus API which was introduced in NGINX Plus R13
- Improvements to NGINX JavaScript module, including the ability to manage JSON objects, read content from filesystems, and backtrace to errors and exceptions to further improve troubleshooting
- Ability to encode client certificates in a HTTP header and send them to backend applications with the $ssl_client_escaped_cert variable
- Enhanced DNS resolver that preserves the list of upstream IP addresses across a reload of the NGINX Plus configuration
- Ability to drain upstream servers extended to file‑based configurations with the drain parameter to the upstream
server
directive
NGINX Plus R14 is supported on:
- Amazon Linux (2016.09), Amazon Linux 2 (2017.12)
- CentOS 6.5+, 7.0+
- Debian 8.0, 9.0
- FreeBSD 10.3, 11.0
- Oracle Linux 6.5+, 7.0+
- RHEL 6.5+, 7.0+
- SUSE Linux Enterprise Server 12
- Ubuntu 14.04 LTS, 16.04 LTS, 17.04, 17.10
Notes:
- Debian 7.0 is no longer supported
- Ubuntu 17.10 is new in this release
- The Upstream Conf and Extended Status APIs were deprecated in NGINX Plus R13; support will continue only through NGINX Plus R15 (see our transition guide for details)
More information: Announcing NGINX Plus R14
NGINX Plus R14 Updates
This is a bug‑fix release for NGINX Plus R14.
NGINX Plus R14 P1
25 January 2018
- Live activity monitoring: Reinstated some missing tooltips for the dashboard
- NGINX Plus API: HTTP Basic Authentication support for read‑write mode
NGINX Plus Release 13 (R13)
29 August 2017
Based on NGINX Open Source 1.13.4
NGINX Plus R13 is a feature release:
- Ability to send duplicate all incoming traffic to a dedicated server (the mirror directive)
- Improvements to NGINX JavaScript module, including the new interactive shell to facilitate development of NGINX JavaScript code
- New NGINX Plus API that incorporates the functionality of the previous upstream_conf and (extended) status APIs; it includes a Swagger specification and adds support for key‑value stores
- New build tool (download here) that creates installable packages of the many third‑party modules available for NGINX and NGINX Plus
- Ability to gracefully shut down all live client connections when restarting NGINX Plus (the worker_shutdown_timeout directive)
- Support for adding HTTP trailers (the add_trailer directive)
- Improvement to session persistence: quicker establishment of sticky sessions between clients and upstream groups (the
header
parameter to the sticky learn directive) - Support for the third‑party HTTP Substitutions Filter module, distributed in NGINX Plus packages and available on the Dynamic Modules page
NGINX Plus R13 is supported on:
- Amazon Linux 2016.09+
- CentOS 6.5+, 7.0+
- Debian 7.0, 8.0, 9.0
- FreeBSD 10.3, 11.0
- Oracle Linux 6.5+, 7.0+
- RHEL 6.5+, 7.0+
- Ubuntu 14.04 LTS, 16.04 LTS, 17.04
Notes:
- CentOS/Oracle Linux/RHEL 5.10+ is no longer supported
- Ubuntu 12.04 LTS and 16.10 are no longer supported
- Ubuntu 17.04 is new in this release
- The
sticky_cookie_insert
directive (deprecated in NGINX Plus R2) has been removed - The upstream_conf and (extended) status APIs are deprecated by the new NGINX Plus API and will be removed in a future release
More information: Announcing NGINX Plus R13
NGINX Plus Release 12 (R12)
14 March 2017
Based on NGINX Open Source 1.11.10
NGINX Plus R12 is a feature release:
- Synchronization of NGINX Plus configuration across instances in a cluster, from a single primary node (new
nginx_sync
package) - Updates to Extended Status module data set, including NGINX Plus version (
nginx_build
), usage statistics for shared memory zones (under theslabs/
subtree), and additional upstream fields (name
,service
) - New statistics displayed on live activity monitoring dashboard: NGINX Plus version, response time metrics, shared memory zones usage, and server names for upstreams
- Support for the
stale-while-revalidate
andstale-if-error
extensions to theCache-Control
header, as defined by RFC 5861 - Ability to bypass cache for byte range requests after a specified offset (the proxy_cache_max_range_offset directive)
- Length of
Vary
andETag
cache headers increased to 128 bytes; note that the on‑disk cache format has changed, so cached content is invalidated after the upgrade and must be refreshed from the origin server mandatory
parameter to thehealth_check
directive (HTTP and Stream) which requires servers newly added to anupstream
group to pass the associated health check before receiving real traffic- “Zero config” UDP health check which does not require specifying a match block
- Support in the Stream module for verification of client SSL certificates for TCP applications
- SSL variables representing various details about client certificates and capabilities (
$ssl_ciphers
,$ssl_client_v_end
,$ssl_client_v_start
,$ssl_client_v_remain
, and$ssl_curves
) - The
$ssl_client_verify
variable includes the reason for failure - The
$ssl_client_i_dn
andssl_client_s_dn
variables comply with RFC 2253; legacy variants are available as$ssl_client_i_dn_legacy
and$ssl_client_s_dn_legacy
- Support for accessing arbitrary JWT fields as variables
- Support for JSON escaping in access logs (the
escape
parameter to the log_format directive) - WebP support in the Image-Filter module.
- Output from the
nginx
-T
command excludes duplicated sections of configuration - Improvements to memory usage and performance, including upstream queue optimization
NGINX Plus R12 is supported on:
- Amazon Linux 2016.09+
- CentOS 5.10+, 6.5+, 7.0+
- Debian 7.0, 8.0, 9.0
- FreeBSD 10.3, 11.0
- Oracle Linux 5.10+, 6.5+, 7.0+
- RHEL 5.10+, 6.5+, 7.0+
- SLES 12, 12 SP1
- Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, 16.10
Notes:
- CentOS/Oracle Linux/RHEL 5.10+ will be removed at NGINX Plus R13
- Debian 9 is new in this release
- FreeBSD 9 is no longer supported
- Ubuntu 12.04 LTS will be removed at NGINX Plus R13
More information: Announcing NGINX Plus R12
NGINX Plus R12 Updates
These are bug‑fix releases for NGINX Plus R12.
NGINX Plus R12 P3
29 June 2017
- Content caching: Cache response might contain additional internal cache header data
NGINX Plus R12 P2
30 March 2017
- Live activity monitoring: Response time metric was miscalculated under certain conditions
NGINX Plus R12 P1
14 March 2017
- Live activity monitoring: Dashboard might hang with certain configurations
NGINX Plus Release 11 (R11)
25 October 2016
Based on NGINX Open Source 1.11.5
NGINX Plus R11 is a feature release:
- Dynamic modules binary compatibility between NGINX Plus and the corresponding version of open source NGINX
- Enhancements to the Stream module: custom logging with a number of additional variables, PROXY protocol support for incoming connections, support for obtaining real IP address and port from PROXY protocol header, and ability to extract the server name from SNI into a variable for purposes such as custom routing
- Updates to the Extended Status module data set, including additional Stream metrics (
sessions
,discarded
) - Cache manager support for iterative operations mode when deleting old cache files, reducing the disk load (see the
manager_files
,manager_threshold
, andmanager_sleep
parameters of the proxy_cache_path directive) - Support for variables in the
domain
parameter to the sticky directive - New variable
$upstream_bytes_received
for both Stream and HTTP)
NGINX Plus R11 is supported on:
- Amazon Linux 2016.03+
- CentOS 5.10+, 6.5+, 7.0+
- Debian 7.0, 8.0
- FreeBSD 9.3, 10.1+, 11.0
- Oracle Linux 5.10+, 6.5+, 7.0+
- RHEL 5.10+, 6.5+, 7.0+
- SLES 12, 12 SP1
- Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, 16.10
Notes:
- FreeBSD 11.0 is new in this release
- Ubuntu 16.10 is new in this release
- The
nginx-plus-extras
package is no longer provided; migrate to thenginx-plus
package and then install the needed dynamic modules
More information: Announcing NGINX Plus R11
NGINX Plus Release 10 (R10)
23 August 2016
Based on NGINX Open Source 1.11.3
NGINX Plus R10 is a feature release:
-
New dynamic module: ModSecurity (package name is
nginx-plus-module-modsecurity
) built on an early release of ModSecurity 3.0 -
New dynamic module: nginScript (package name is
nginx-plus-module-njs
) -
Support for client authentication using JSON Web Tokens (JWT)
-
Enhancements to the Stream module used for TCP/UDP load balancing (more NGINX variables, resolver support, map module, geo module, geoip module, and split_clients A/B testing support)
-
Support for dual‑stack RSA/ECC certificates by defining multiple ssl_certificate and ssl_certificate_key directives on the same virtual server
-
Support for IP Transparency and Direct Server Return (DSR) using the
transparent
parameter to the proxy_bind directive. DSR only supported for UDP load balancing. -
Support for the
IP_BIND_ADDRESS_NO_PORT
socket option where available, allowing for many more upstream connections (requires Linux kernel 4.2 or later) -
HTTP/2 improvements: support for unbuffered upload,and various bug fixes
-
New NGINX variables: $request_id, $proxy_protocol_port, $realip_remote_port
-
Modules updated (both in
nginx-plus-extras
and as dynamic modules):- Headers-More module updated to version 0.31
- Lua module updated to version 0.10.6
- Phusion Passenger Open Source module updated to version 5.0.30
- Set-Misc module updated to version 0.31
NGINX Plus R10 is supported on:
- Amazon Linux 2016.03+
- CentOS 5.10+, 6.5+, 7.0+
- Debian 7.0, 8.0
- FreeBSD 9.3, 10.1+
- Oracle Linux 5.10+, 6.5+, 7.0+
- RHEL 5.10+, 6.5+, 7.0+
- SLES 12, 12 SP1
- Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS
Notes:
- Ubuntu 15.10 is no longer supported
- NGINX Plus R10 is the last release to include the
nginx-plus-extras
package; if using this package, migrate to thenginx-plus
package and then install the needed dynamic modules
More information: Announcing NGINX Plus R10
NGINX Plus Release 9 (R9)
12 April 2016
Based on NGINX Open Source 1.9.13
NGINX Plus R9 is a feature release:
-
Dynamic loading of modules (both NGINX‑authored and third‑party). The NGINX‑authored modules supported in this release:
- nginx-plus-module-geoip
- nginx-plus-module-image-filter
- nginx-plus-module-perl
- nginx-plus-module-xslt
The third‑party modules supported in this release:
-
UDP load balancing support, configured in the stream configuration context
-
Support for retrieving upstream servers configuration via DNS
SRV
records, configured with the newservice
parameter to the server directive -
Automatic retrying of DNS requests over TCP when UDP responses are truncated
-
Failed nonidempotent HTTP requests (
POST
,LOCK
,PATCH
) are no longer retried with the other servers in theupstream
group, unless thenon_idempotent
parameter is included in the proxy_next_upstream directive -
Improved cache metadata accounting
-
Automatic binding of worker processes to available CPUs using the new
auto
parameter of the worker_cpu_affinity directive -
Optional offloading of some cache write operations to thread pools, configured with the aio_write on directive
-
Support for customizing the
Server
response header, as well as the signature in standard error messages -
Updated live activity monitoring dashboard
-
In the
nginx-plus-extras
package:- Headers-More module updated to version .29
- Lua module updated to version 0.10.2
- Phusion Passenger Open Source module updated to version 5.0.26
NGINX Plus R9 is supported on:
- Amazon Linux 2016.03+
- CentOS 5.10+, 6.5+, 7.0+
- Debian 7.0, 8.0
- FreeBSD 9.3, 10.1+
- Oracle Linux 5.10+, 6.5+, 7.0+
- RHEL 5.10+, 6.5+, 7.0+
- SLES 12, 12 SP1
- Ubuntu 12.04 LTS, 14.04 LTS, 15.10, 16.04 LTS
Note:
- Ubuntu 15.04 is no longer supported.
More information: Announcing NGINX Plus R9
NGINX Plus R9 Updates
This is a bug‑fix release for NGINX Plus R9.
NGINX Plus R9 P1
25 May 2016
- Segmentation fault might occur when writing a client request body to a temporary file
- Specially crafted request might cause NGINX worker process to crash due to a NULL pointer dereference (CVE-2016-4450)
NGINX Plus Release 8 (R8)
19 January 2016
Based on NGINX Open Source 1.9.9
NGINX Plus R8 is a feature release:
- OAuth Technology Preview, which performs OAuth 2.0 processing for proxied applications
- Improved HTTP/2 implementation now included in the
nginx-plus
andnginx-plus-extras
packages; thenginx-plus-http2
package is deprecated - Caching improvements, including support for caching HEAD requests and more effective caching of large files with the Cache Slice module
- Changes to upstream groups made with the on‑the‑fly reconfiguration API can now be configured to persist across restarts and configuration reloads
- Support for sending health check requests to a specified port (the
port
parameter to the health_check directive) - Enhancement to the Real IP module: the new
$realip_remote_addr
variable represents the original client IP address - Enhancement to syslog logging: the
nohostname
parameter disables logging of the hostname field, which is unnecessary when logging to a localsyslog
server - Updated live activity monitoring dashboard
- In the
nginx-plus-extras
package:- Headers-More module updated to version 0.28
- Lua module updated to version 0.9.20
- Phusion Passenger Open Source module updated to version 5.0.22
- Redis module for Lua access updated to version 0.21
NGINX Plus R8 is supported on:
- Amazon Linux
- CentOS 5.10+, 6.5+, 7.0
- Debian 7.0, 8.0
- FreeBSD 9.3, 10.1+
- Oracle Linux 5.10+, 6.5+, 7.0
- RHEL 5.10+, 6.5+, 7.0
- SLES 12, 12 SP1
- Ubuntu 12.04 LTS, 14.04 LTS, 15.04, 15.10
NGINX Plus R8 does not include the nginx-plus-lua
package; if you previously used this package, migrate to the nginx-plus-extras
package
More information: Announcing NGINX Plus R8
NGINX Plus R8 Updates
These are bug‑fix releases for NGINX Plus R8.
NGINX Plus R8 P3
24 February 2016
- HTTP/2:
client_body_timeout
directive was not handled correctly
NGINX Plus R8 P2
11 February 2016
- Logging: Buffer over‑read might occur while logging invalid request headers
- HTTP/2: Various fixes
NGINX Plus R8 P1
26 January 2016
- Resolver: Limit
CNAME
resolutions to prevent remote attackers from causing a denial of service (CVE-2016-0747)
NGINX Plus Release 7 (R7)
15 September 2015
Based on NGINX Open Source 1.9.4
NGINX Plus R7 is a feature release:
-
Support for HTTP/2 in the new
nginx-plus-http2
package (thenginx-plus
andnginx-plus-extras
packages continue to support SPDY)Note: Before installing the
nginx-plus-http2
package, you must remove thespdy
parameter on alllisten
directives in your configuration (replace it with thehttp2
andssl
parameters to enable support for HTTP/2). NGINX Plus fails to start if anylisten
directives have thespdy
parameter. -
Support for proxying NTLM requests
-
Enhancements to TCP load balancing and proxying:
- Access controls
- Connection limiting
- Bandwidth limiting for upload and download
- Client‑side PROXY protocol support
- Ability to set local IP address of origin for outgoing connections
- New
backlog
parameter to listen directive to limit size of queue of pending connections - New tcp_nodelay directive to control use of OS
TCP_NODELAY
option
-
More efficient distribution of connections across NGINX Plus worker processes (new
reuseport
parameter to the listen directive) -
Thread pools for multithreaded reading and sending of files without blocking worker processes
-
Live activity monitoring dashboard redesigned to use tabs
-
Additional live activity monitoring metrics in the Status module (dataset version 6)
-
Additional arguments to playlist and fragment URIs in the HLS module (
start
,end
, andoffset
) -
New
-T
flag onnginx
command to dump the configuration to standard output in a standardized format -
New $upstream_connect_time variable to capture the connection time to upstream servers
-
sub_filter directive now supports variables in both the string being replaced and the replacement string; multiple
sub_filter
directives can appear at a configuration level -
In the
nginx-plus-extras
package:- New Redis module for access to Redis databases through Lua
- Headers-More module updated to version 0.26
- Lua module updated to version 0.9.16
- Phusion Passenger Open Source module updated to version 5.0.15
- Set-Misc module updated to version 0.29
NGINX Plus R7 is supported on:
- CentOS 5.10+, 6.5+, 7.0+
- Debian 7.0, 8.0
- FreeBSD 9.3, 10.1+
- Oracle Linux 5.10+, 6.5+, 7.0+
- RHEL 5.10+, 6.5+, 7.0+
- SLES 12
- Ubuntu 12.04 LTS, 14.04 LTS, 15.04
Notes:
- Debian 6.0 is no longer supported
- SLES 11 SP3 is no longer supported
- Ubuntu 10.04 LTS and 14.10 are no longer supported
- The
nginx-plus-extras
package has additional dependencies - NGINX Plus R7 is the last release that includes the
nginx-plus-lua
package; customers using the package will have to migrate to thenginx-plus-extras
package in NGINX Plus R8
More information and important upgrade information for users of the Phusion Passenger Open Source module: Announcing NGINX Plus Release 7
NGINX Plus Release 6 (R6)
14 April 2015
Based on NGINX Open Source 1.7.11
NGINX Plus R6 is a feature release:
- TCP proxy enhancements (health checks, dynamic reconfiguration, SSL support, logging, status counters)
- New Least-Time load‑balancing algorithm
- Support for unbuffered upload (proxy_request_buffering directive)
- Proxy SSL authentication support for HTTP and uwsgi
- Proxy cache enhancements (variables in value of proxy_cache directive, new
use_temp_path
parameter to proxy_cache_path directive) - Mail proxy supports client SSL certificates
- Enhancement to Autoindex module (new autoindex_format directive)
- New live activity monitoring dashboard
- In the
nginx-plus-extras
package:- Lua module updated to version 0.9.16rc1
- Phusion Passenger Open Source module updated to version 4.0.59
- Set-Misc module updated to version 0.28
NGINX Plus R6 is supported on:
- CentOS 5.10+, 6.5+, 7.0
- Debian 6.0, 7.0, 8.0
- FreeBSD 9.3, 10.1
- Oracle Linux 5.10+, 6.5+, 7.0
- RHEL 5.10+, 6.5+, 7.0
- SLES 11 SP3, 12
- Ubuntu 10.04 LTS, 12.04 LTS, 14.04 LTS, 14.10
The nginx-plus-extras
package has additional dependencies.
More information: Announcing NGINX Plus Release 6 with Enhanced Load Balancing, High Availability, and Monitoring Features
NGINX Plus Release 5 (R5)
2 December 2014
Based on NGINX Open Source 1.7.7
NGINX Plus R5 is a feature release:
- Proxying and load balancing of raw TCP traffic (the Stream module)
- Sticky session timeout now applies from the most recent request in the session
- Upstream “draining” can be used to remove an upstream server without interrupting any user sessions (new
drain
parameter to the upstream_conf directive) - Improved control over request retries in the event of failure, based on number of tries and time; also available for FastCGI, memcached, SCGI, and uwsgi modules
Vary
field in response header is correctly handled for caching (multiple variants of the same resource can be cached); note that the on‑disk cache format has changed, so upgrading to R5 invalidates cached content- Improved caching support for byte‑range requests
- Control of upstream bandwidth (new proxy_limit_rate directive)
- In the
nginx-plus-extras
package:- Lua module updated to version 0.9.13
- Phusion Passenger Open Source module updated to version 4.0.53
- In the nginx-plus-lua package:
- Lua module updated to version 0.9.13
NGINX Plus R5 is supported on:
- CentOS 5.9, 6.5, 7.0
- Debian 6.0, 7.0
- FreeBSD 9.3, 10.0
- Oracle Linux 5.10+, 6.5+, 7.0
- RHEL 5.9, 6.5, 7.0
- SLES 11 SP3, 12
- Ubuntu 10.04 LTS, 12.04 LTS, 14.04 LTS, 14.10
The nginx-plus-extras
and nginx-plus-lua
packages have additional dependencies.
More information: NGINX Plus R5 Released
NGINX Plus Release 4 (R4)
24 July 2014
Based on NGINX Open Source 1.7.3
NGINX Plus R4 is a feature release:
- Ability to verify backend SSL certificates
- Support for SNI while working with SSL backends
- Passphrases for SSL private keys can now be stored in an external file
- New load‑balancing method based on user‑defined keys with optional consistency (hash directive)
- New session affinity mechanism (sticky learn) based on server‑initiated sessions
- Cache revalidation now uses
If-None-Match
header field when possible - Conditional logging for requests (new
if
parameter to the access_log directive) - Ability to retrieve a subset of the live activity monitoring data
- MP4 module now supports the
end
argument in request URIs, which sets the end point of playback - In the
nginx-plus-extras
package:- Lua module updated to version 0.9.10
- Phusion Passenger Open Source module updated to version 4.0.45
- In the nginx-plus-lua package:
- Lua module updated to version 0.9.10
NGINX Plus R4 is supported on:
- CentOS 5.9, 6.5, 7.0
- Debian 6.0, 7.0
- FreeBSD 9.2, 10.0
- Oracle Linux 5.10+, 6.5+, 7.0
- RHEL 5.9, 6.5, 7.0
- SLES 11 SP3
- Ubuntu 10.04 LTS, 12.04 LTS, 14.04 LTS
The nginx-plus-extras
and nginx-plus-lua
packages have additional dependencies.
More information: NGINX Plus R4 Released
NGINX Plus Release 3 (R3)
2 April 2014
Based on NGINX Open Source 1.5.12‑1
NGINX Plus R3 is a feature release:
- Automatic re‑resolution of hostnames in upstream groups allows group members to be updated on‑the‑fly using DNS
- New connection limits and an internal connection queue protect servers from connection overload and improve connection scheduling by NGINX Plus’ load balancing
- Support for PROXY protocol
- SPDY support updated to comply with draft 3.1
- Additional controls over SSL have been added to control the use of session tickets and reduce time to first byte
- Support for IPv6 DNS resolution
NGINX Plus R3 is supported on:
- CentOS 5.9, 6.5
- Debian 6.0, 7.0
- FreeBSD 9.2, 10.0
- Oracle Linux 5.10+, 6.5+, 7.0
- RHEL 5.9, 6.5
- SLES 11 SP3
- Ubuntu 10.04 LTS, 12.04 LTS, 12.10, 13.10, 14.04 LTS
The nginx-plus-extras
and nginx-plus-lua
packages have additional dependencies.
More information: NGINX Plus R3 Released
NGINX Plus Release 2 (R2)
12 December 2013
Based on NGINX Open Source 1.5.7‑1
NGINX Plus R2 is a feature release:
- Enhanced sticky routing support
- Additional status metrics for virtual hosts and cache zones
- Cache purge support (also available for FastCGI)
- Support for cache revalidation
- Support for authorization based on the result of a subrequest (new ngx_http_auth_request_module module)
NGINX Plus R2 Updates
Security Update to NGINX Plus Release R2
21 March 2014
Based on NGINX Open Source 1.5.7‑4
- Fixes vulnerability in experimental SPDY implementation in NGINX Open Source 1.5.7‑3 and earlier.
Functional Update to NGINX Plus R2
5 March 2014
Based on NGINX Open Source 1.5.7‑3
- NGINX Plus now correctly applies the value set with the client_max_body_size directive when processing HTTP requests that contain chunk‑encoded body data.
Functional Update to NGINX Plus R2
13 February 2014
Based on NGINX Open Source 1.5.7‑2
- Updates to MP4 and HLS streaming functionality
- Fix for premature closing of connections when using SPDY with proxy cache
- Updates to implementation of SPDY/2
- Added status.html file for live activity monitoring, missing from some packages
NGINX Plus Initial Release (R1)
22 August 2013
Based on NGINX Open Source 1.5.3‑1
NGINX Plus is the fully supported, commercial version of NGINX. It includes most NGINX open source modules and adds further features:
- Application health checks
- Live activity monitoring (implemented in the Extended Status module)
- Advanced load balancing
- On‑the‑fly reconfiguration of load‑balanced upstream groups
- Extended logging capabilities
- High availability setup
- Adaptive media streaming