nghttp3 1.2.0, ngtcp2 1.3.0 released

nghttp3 1.2.0, ngtcp2 1.3.0 rpms released and added to all supported platforms

nghttp3 1.2.0:

Clarify the behavior when a stream is not found by @tatsuhiro-t in #181
Fix typo by @tatsuhiro-t in #183
cmake: restore ENABLE_STATIC_CRT and ENABLE_ASAN options by @vszakats in #184
Migrate to munit form cunit by @tatsuhiro-t in #187
Pull sfparse via git submodule by @tatsuhiro-t in #188
Update .gitignore by @tatsuhiro-t in #190
Update git submodule by @tatsuhiro-t in #189
Add nghttp3_conn_update_ack_offset by @tatsuhiro-t in #191
Add include path to munit directory by @tatsuhiro-t in #192
Bump munit by @tatsuhiro-t in #193
Shrink nghttp3_stream size by @tatsuhiro-t in #194
Fix typo by @tatsuhiro-t in #195
Bump munit by @tatsuhiro-t in #196
Bump submodules by @tatsuhiro-t in #198

ngtcp2 1.3.0:

Do not run docker-build on tag by @tatsuhiro-t in #1085
Speed up git clone by @tatsuhiro-t in #1086
Use cmake -B consistently by @tatsuhiro-t in #1087
Bump actions/cache from 3 to 4 by @dependabot in #1088
Optimize STOP_SENDING by @tatsuhiro-t in #1089
Fix retransmit frames on stream by @tatsuhiro-t in #1090
Set NGTCP2_STRM_FLAG_RESET_STREAM when RESET_STREAM is sent by @tatsuhiro-t in #1091
Add helper functions to encode/decode zero length transport parameter by @tatsuhiro-t in #1092
Verify decoding truncated frames by @tatsuhiro-t in #1093
Use typed frame type rather than ngtcp2_frame by @tatsuhiro-t in #1094
Verify decoding truncated packet headers by @tatsuhiro-t in #1095
Open a remote stream if RESET_STREAM is received by @tatsuhiro-t in #1096
nghttp3 now requires git submodule by @tatsuhiro-t in #1098
Migrate to munit from cunit by @tatsuhiro-t in #1099
Rewrite ngtcp2_cbrt by @tatsuhiro-t in #1100
Add missing munit header file to HFILES by @tatsuhiro-t in #1101
Bump munit by @tatsuhiro-t in #1102
Fix typo by @tatsuhiro-t in #1103
Bump microsoft/setup-msbuild from 1 to 2 by @dependabot in #1104
Remove pthread from BORINGSSL_LIBS by @tatsuhiro-t in #1105
boringssl: Add certificate compression by @tatsuhiro-t in #1106
Rewrite hexdump by @tatsuhiro-t in #1107
hexdump: Add an extra whitespace after address by @tatsuhiro-t in #1108
hexdump: Fix the last address is not shown by @tatsuhiro-t in #1110
examples: Add include in GnuTLS example by @atlesn in #1111
Use assert_stdsv_equal and print title by @tatsuhiro-t in #1112
examples: Minor fixup by @tatsuhiro-t in #1113
Bump aws-lc to v1.21.0 by @tatsuhiro-t in #1115
Add security policy by @tatsuhiro-t in #1116
Bump boringssl by @tatsuhiro-t in #1117
Bump openssl by @tatsuhiro-t in #1119
examples: Fix operator precedence error by @tatsuhiro-t in #1120
Bump munit by @tatsuhiro-t in #1121

mc 4.8.31 released

mc 4.8.31 rpms released and added to all supported platforms

Core

  • Minimal version of GLib is 2.32.0.

VFS

  • fish: drop support of native FISH server and protocol. Rename VFS to shell
  • extfs:
    • uc1541 extfs: update up to 3.6 version
    • s3+: port to Python3
  • Support for LZO/LZOP compression format

Misc

  • Skins: add color for non-printable characters in editor

Fixes

  • FTBFS on FreeBSD with ext2fs attribute support
  • Broken stickchars (-a) mode
  • Wrong timestamp after resuming of file copy operation
  • Editor: wrong deletion of marked column
  • Diff viewer: segfault when display of line numbers is enabled
  • Tar VFS: broken handling of hard links
  • Sftp VFS: failure establishing SSH session due to hashed host names in ~/.ssh/known_hosts
  • Shell VFS: incorrect file names with cyrillic or diacritic symbols
  • mc.ext.ini: incorrect description of how multiple sections and keys with same names are processed
  • mc.ext.ini: unescaped backslash \ is treated as invalid escape sequence in glib-2.77.3 and glib-2.79
  • mc.ext.ini: file “Makefile.zip” is handled as Makefile not as zip archive

ngtcp2 1.2.0, nghttp2 1.59.0 released

ngtcp2 1.2.0, nghttp2 1.59.0 rpms released and added to all supported platforms

ngtcp2 1.2.0:
cmake: Require nghttp3 >= v1.0.0 by @tatsuhiro-t in #1026
examples: Clarify stream limits by @tatsuhiro-t in #1032
Bump actions/stale from 8 to 9 by @dependabot in #1033
Avoid detecting OpenSSL 3.2 as quictls by @tatsuhiro-t in #1035
Clarify the behavior when a stream is not found by @tatsuhiro-t in #1036
Do not recognize boringssl as quictls by @tatsuhiro-t in #1038
Bump github/codeql-action from 2 to 3 by @dependabot in #1037
docker: Switch to bsslclient and bsslserver by @tatsuhiro-t in #1039
interop: Switch to wolfssl by @tatsuhiro-t in #1040
Revert “docker: Switch to bsslclient and bsslserver” by @tatsuhiro-t in #1041
docker: Switch to wolfssl by @tatsuhiro-t in #1042
Use wolfSSL in a README example by @tatsuhiro-t in #1043
Add aws-lc as BoringSSL alternative by @tatsuhiro-t in #1044
wolfSSL: Disable deprecated signature algorithms by @tatsuhiro-t in #1046
Remove use of SSL_set_quic_transport_version by @tatsuhiro-t in #1047
examples: Build with libressl by @tatsuhiro-t in #1048
Fix zero len file by @tatsuhiro-t in #1049
Assert that _BitScanReverse64 never fail by @tatsuhiro-t in #1051
Revert “wolfSSL: Disable deprecated signature algorithms” by @tatsuhiro-t in #1052
wolfssl: Enable --enable-keylog-export by @tatsuhiro-t in #1053
h09client: Fix display ecn bits by @tatsuhiro-t in #1054
Bump wolfSSL to v5.6.6-stable by @tatsuhiro-t in #1055
ngtcp2_pkt_adjust_pkt_num: Take bytes rather than bits by @tatsuhiro-t in #1056
Initial and Handshake packets are immediately acknowledged by @tatsuhiro-t in #1057
Refactor by @tatsuhiro-t in #1058
examples: Print remote HTTP/3 settings by @tatsuhiro-t in #1059
Fix assertion failure on immediate migration by @tatsuhiro-t in #1060
Add ngtcp2_window_filter tests by @tatsuhiro-t in #1061
Fix gcc-13 warning by @tatsuhiro-t in #1062
Fix persistent congestion by @tatsuhiro-t in #1064
Port missing changes to h09server by @tatsuhiro-t in #1065
Fix typo by @tatsuhiro-t in #1066
Update docker by @tatsuhiro-t in #1067
Fix docker build-arg by @tatsuhiro-t in #1069
Revert “Send RESET_STREAM if stream is reset by client” by @tatsuhiro-t in #1071
Return early when STOP_SENDING is received more than once by @tatsuhiro-t in #1072
Do not send STOP_SENDING if RESET_STREAM has been received by @tatsuhiro-t in #1073
Update doc by @tatsuhiro-t in #1074
wolfssl: Just use QUIC v1 transport parameter codepoint by @tatsuhiro-t in #1075
wolfssl: Disable ECH by @tatsuhiro-t in #1076
Bump boringssl by @tatsuhiro-t in #1077
Bump picotls by @tatsuhiro-t in #1078
Remove sample_offset field from ngtcp2_ppe by @tatsuhiro-t in #1079
ci: Build and verify aws-lc flavored builds by @tatsuhiro-t in #1080
Update boringssl build procedure by @tatsuhiro-t in #1081
Bump aws-lc to v1.20.0 by @tatsuhiro-t in #1082
Update doc by @tatsuhiro-t in #1083

nghttp2 1.59.0:
Bump clang to 15 by @tatsuhiro-t in #1986
Bump clang format by @tatsuhiro-t in #1987
Bump quictls to 3.1.4+quic by @tatsuhiro-t in #1988
Update ax_cxx_compile_stdcxx.m4 by @tatsuhiro-t in #1989
nghttpx: Prefer FILE_NAME if defined by @tatsuhiro-t in #1990
Add API to get and parse RFC 9218 priority by @tatsuhiro-t in #1991
nghttpx: Propagate stream priority from backend to frontend by @tatsuhiro-t in #1992
Check whether CLOCK_MONOTONIC is declared by @tatsuhiro-t in #1995
Bump go packages by @tatsuhiro-t in #2001
cmake: Remove itprep target by @tatsuhiro-t in #2002
h2load: Fix IPv6 address in :authority by @tatsuhiro-t in #2000
Bump ngtcp2 and nghttp3 by @tatsuhiro-t in #2006
Bump libbpf to v1.3.0 by @tatsuhiro-t in #2007
Use nghttp3_pri_parse_priority added since nghttp3 v1.1.0 by @tatsuhiro-t in #2008
cmake: Set minimum quic package versions by @tatsuhiro-t in #2009
Use #include <windows.h> instead of #include <sysinfoapi.h> by @hrxi in #1997
build(deps): bump actions/setup-go from 4 to 5 by @dependabot in #2010
cmake: bring back ENABLE_STATIC_CRT by @bwncp in #2011
Avoid detecting OpenSSL 3.2 as quictls by @tatsuhiro-t in #2012
build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 by @dependabot in #2015
build(deps): bump actions/upload-artifact from 3 to 4 by @dependabot in #2014
src: Support building with aws-lc by @tatsuhiro-t in #2013
boringssl has SSL_CTX_set1_groups_list by @tatsuhiro-t in #2016
Drop old OpenSSL support by @tatsuhiro-t in #2017
Drop old OpenSSL support part 2 by @tatsuhiro-t in #2019
Remove NPN by @tatsuhiro-t in #2020
Remove end_to_end.py by @tatsuhiro-t in #2021
cmake: Require OpenSSL >= 1.1.1 by @tatsuhiro-t in #2022
nghttpx: OpenSSL needs SSL_CTX_set_recv_max_early_data by @tatsuhiro-t in #2023
App fix by @tatsuhiro-t in #2024
nghttpx: Remove a trailing whitespace by @tatsuhiro-t in #2025
H2load header ttfb fix by @tatsuhiro-t in #2026
Not finding packages when ENABLE_LIB_ONLY is set by @anthonyalayo in #2027
Have less stuff in config.h by @hrxi in #1996
Update minimum CMake version to 3.5 by @anthonyalayo in #2030
build(deps): bump github.com/quic-go/quic-go from 0.35.1 to 0.37.7 by @dependabot in #2032
Fix typo by @tatsuhiro-t in #2033
Specify DEBIAN_FRONTEND=noninteractive by @tatsuhiro-t in #2034
Revert “nghttpx: Shutdown h3 stream write if reset by a remote endpoint” by @tatsuhiro-t in #2036
ci: Add aws-lc builds by @tatsuhiro-t in #2037
Bump go modules by @tatsuhiro-t in #2038
Bump neverbleed by @tatsuhiro-t in #2039
Bump go-nghttp2 and go mod tidy by @tatsuhiro-t in #2040
Bump ngtcp2 to v1.2.0 by @tatsuhiro-t in #2041
src: Avoid copies by @tatsuhiro-t in #2042

NGINX 1.25.3 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.12, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.3 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.12.

Major changes:

  • Changes and fixes in HTTP/2
  • Changes and fixes in HTTP/3

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --disable CodeIT-quic --save
yum-config-manager --enable CodeIT-mainline --save

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now.  To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline

We have built OpenSSL+QUIC 3.0 separately since v1.21.6, installing it to /lib64 with the .so.81.3 suffix to ensure it won’t interfere with your system libraries.

Experimental HTTP/3 support was added in NGINX 1.25.0 Mainline. We build it with the corresponding module (--with-http_v3_module).

Apache httpd 2.4.58 with brotli support, TLS 1.3, OpenSSL 3.0.11 with http2, mod_http2 2.0.24 and ALPN for Red Hat Enterprise Linux 7/8/9, CentOS 7, Alma Linux 8/9, Rocky Linux 8/9

Apache httpd 2.4.58-1 with brotli compression library from Google, TLS 1.3, http2 (HTTP/2) support for Red Hat Enterprise Linux and CentOS 7/8, Alma Linux 8/9, Rocky Linux 8/9 added to repository. mod_http2 2.0.13 and mod_ssl are built dynamically against OpenSSL 3.0.11.

We have built OpenSSL+QUIC 3.0.11 separately since v2.4.56-2, installing it to /lib64 with the .so.81.3 suffix to ensure it won’t interfere with your system libraries. You can safely delete openssl111* packages. On EL8 and EL9 please enable the httpd module:

dnf module enable httpd:codeit

Since 2.4.33 we have included the brotli compression library. Since the 2.4.35 release we have built Apache httpd against OpenSSL 1.1.1*. Since the 2.4.37 release the final version of TLS 1.3 (not to be confused with any draft versions) is supported and enabled by default. Please note that the final version of TLS 1.3 is supported in Chrome 70+ and Mozilla Firefox 63+. brotli support is already included in the base RPM file. All you need to do is add filters like

AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript

Changes:

Changes with Apache 2.4.58

  *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
     memory not reclaimed right away on RST (cve.mitre.org)
     When a HTTP/2 stream was reset (RST frame) by a client, there
     was a time window where the request's memory resources were not
     reclaimed immediately. Instead, de-allocation was deferred to
     connection close. A client could send new requests and resets,
     keeping the connection busy and open and causing the memory
     footprint to keep on growing. On connection close, all resources
     were reclaimed, but the process might run out of memory before
     that.
     This was found by the reporter during testing of CVE-2023-44487
     (HTTP/2 Rapid Reset Exploit) with their own test client. During
     "normal" HTTP/2 use, the probability to hit this bug is very
     low. The kept memory would not become noticeable before the
     connection closes or times out.
     Users are recommended to upgrade to version 2.4.58, which fixes
     the issue.
     Credits: Will Dormann of Vul Labs

  *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
     initial windows size 0 (cve.mitre.org)
     An attacker, opening a HTTP/2 connection with an initial window
     size of 0, was able to block handling of that connection
     indefinitely in Apache HTTP Server. This could be used to
     exhaust worker resources in the server, similar to the well
     known "slow loris" attack pattern.
     This has been fixed in version 2.4.58, so that such connections
     are terminated properly after the configured connection timeout.
     This issue affects Apache HTTP Server: from 2.4.55 through
     2.4.57.
     Users are recommended to upgrade to version 2.4.58, which fixes
     the issue.
     Credits: Prof. Sven Dietrich (City University of New York)

  *) SECURITY: CVE-2023-31122: mod_macro buffer over-read
     (cve.mitre.org)
     Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
     Server. This issue affects Apache HTTP Server: through 2.4.57.
     Credits: David Shoon (github/davidshoon)

  *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
     SSL routines::unexpected eof while reading" when using
     OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
     available. [Rainer Jung]

  *) mod_http2: improved early cleanup of streams.
     [Stefan Eissing]

  *) mod_proxy_http2: improved error handling on connection errors while
     response is already underway.
     [Stefan Eissing]

  *) mod_http2: fixed a bug that could lead to a crash in main connection
     output handling. This occurred only when the last request on a HTTP/2
     connection had been processed and the session decided to shut down.
     This could lead to an attempt to send a final GOAWAY while the previous
     write was still in progress. See PR 66646.
     [Stefan Eissing]

  *) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
     Fixes PR66752.
     [Stefan Eissing]

  *) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
     described in RFC 8441. A new directive 'H2WebSockets on|off' has been
     added. The feature is by default not enabled.
     As also discussed in the manual, this feature should work for setups
     using "ProxyPass backend-url upgrade=websocket" without further changes.
     Special server modules for WebSockets will have to be adapted,
     most likely, as the handling of IO events is different with HTTP/2.
     HTTP/2 WebSockets are supported on platforms with native pipes. This
     excludes Windows.
     [Stefan Eissing]

  *) mod_rewrite: Fix a regression with both a trailing ? and [QSA].
     in OCSP stapling. PR 66672. [Frank Meier, covener]

  *) mod_http2: fixed a bug in flushing pending data on an already closed
     connection that could lead to a busy loop, preventing the HTTP/2 session
     to close down successfully. Fixed PR 66624.
     [Stefan Eissing]

  *) mod_http2: v2.0.15 with the following fixes and improvements
     - New directive 'H2EarlyHint name value' to add headers to a response,
       picked up already when a "103 Early Hints" response is sent. 'name' and
       'value' must comply to the HTTP field restrictions.
       This directive can be repeated several times and header fields of the
       same names add. Sending a 'Link' header with 'preload' relation will
       also cause a HTTP/2 PUSH if enabled and supported by the client.
     - Fixed an issue where requests were not logged and accounted in a timely
       fashion when the connection returns to "keepalive" handling, e.g. when
       the request served was the last outstanding one.
       This led to late appearance in access logs with wrong duration times
       reported.
     - Accurately report the bytes sent for a request in the '%O' Log format.
       This addresses #203, a long outstanding issue where mod_h2 has reported
       numbers over-eagerly from internal buffering and not what has actually
       been placed on the connection.
       The numbers are now the same with and without H2CopyFiles enabled.
     [Stefan Eissing]

  *) mod_proxy_http2: fix retry handling to not leak temporary errors.
     On detecting that an existing connection was shutdown by the other
     side, a 503 response leaked even though the request was retried on a
     fresh connection.
     [Stefan Eissing]

  *) mod_rewrite: Add server directory to include path as mod_rewrite requires
     test_char.h. PR 66571 [Valeria Petrov]

  *) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
     of HTTP/2 requests in a forward proxy configuration.
     General forward proxying is enabled via `ProxyRequests`. If the
     HTTP/2 protocol is also enabled for such a server/host, this new
     directive is needed in addition.
     [Stefan Eissing]

  *) core: Updated conf/mime.types:
     - .js moved from 'application/javascript' to 'text/javascript'
     - .mjs was added as 'text/javascript'
     - add .opus ('audio/ogg')
     - add 'application/vnd.geogebra.slides'
     - add WebAssembly MIME types and extension
     [Mathias Bynens <@mathiasbynens> via PR 318,
      Richard de Boer, Dave Hodder,
      Zbynek Konecny]

  *) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
     connection when sending data on the frontend one. This caused crashes
     or infinite loops in rare situations.
  *) mod_proxy_http2: fixed a bug in retry/response handling that could lead
     to wrong status codes or HTTP messages sent at the end of response bodies
     exceeding the announced content-length.
  *) mod_proxy_http2: fix retry handling to not leak temporary errors.
     On detecting that an existing connection was shutdown by the other
     side, a 503 response leaked even though the request was retried on a
     fresh connection.
  *) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
     the wrong order when a bucket_beam was destroyed.
     [Stefan Eissing]

  *) mod_http2: avoid double chunked-encoding on internal redirects.
     PR 66597 [Yann Ylavic, Stefan Eissing]

  *) mod_http2: Fix reporting of `Total Accesses` in server-status to not count
     HTTP/2 requests twice. Fixes PR 66801.
     [Stefan Eissing]

  *) mod_ssl: Fix handling of Certificate Revoked messages
     in OCSP stapling. PR 66626. []

  *) mod_http2: fixed a bug in handling of stream timeouts.
     [Stefan Eissing]

  *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
     Checking in configure for proper version installed. Code
     fixes for changed clienthello member name.
     [Stefan Eissing]

  *) mod_md:
     - New directive `MDMatchNames all|servernames` to allow more control over how
       MDomains are matched to VirtualHosts.
     - New directive `MDChallengeDns01Version`. Setting this to `2` will provide
       the command also with the challenge value on `teardown` invocation. In version
       1, the default, only the `setup` invocation gets this parameter.
       Refs #312. Thanks to @domrim for the idea.
     - For Managed Domain in "manual" mode, the checks if all used ServerName and
       ServerAlias are part of the MDomain now reports a warning instead of an error
       (AH10040) when not all names are present.
     - MDChallengeDns01 can now be configured for individual domains.
       Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
     - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
       teardown not being invoked as it should.

  *) mod_ldap: Avoid performance overhead of APR-util rebind cache for
     OpenLDAP 2.2+.  PR 64414.  [Joe Orton]

  *) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
     amount of response body bytes put into a single HTTP/2 DATA frame.
     Setting this to 0 places no limit (but the max size allowed by the
     protocol is observed).
     The module, by default, tries to use the maximum size possible, which is
     somewhat around 16KB. This sets the maximum. When less response data is
     available, smaller frames will be sent.

  *) mod_md: fixed passing of the server environment variables to programs
     started via MDMessageCmd and MDChallengeDns01 on *nix system.
     See .
     [Stefan Eissing]

  *) mod_dav: Add DavBasePath directive to configure the repository root
     path.  PR 35077.  [Joe Orton]

  *) mod_alias: Add AliasPreservePath directive to map the full
     path after the alias in a location. [Graham Leggett]

  *) mod_alias: Add RedirectRelative to allow relative redirect targets to be
     issued as-is. [Eric Covener, Graham Leggett]

  *) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make
     sure that if the format is configured early enough it applies to every log
     line.  PR 62161.  [Yann Ylavic]

  *) mod_deflate: Add DeflateAlterETag to control how the ETag
     is modified. The 'NoChange' parameter mimics 2.2.x behavior.
     PR 45023, PR 39727. [Eric Covener]

  *) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet]

  *) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers".
     Resolve inconsistency between the previous two occurrences by
     counting workers in state SERVER_GRACEFUL no longer as busy,
     but instead in a new counter "GracefulWorkers" (or on HTML
     view as "workers gracefully restarting"). Also add the graceful
     counter as a new column to the existing HTML per process table
     for async MPMs. PR 63300. [Rainer Jung]

NGINX 1.25.2 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.10, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.2 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.10.

Major changes:

  • Feature: the “http2” directive, which enables HTTP/2 on a per-server basis; the “http2” parameter of the “listen” directive is now deprecated.
  • Change: HTTP/2 server push support has been removed.
  • Change: the deprecated “ssl” directive is not supported anymore.
  • Bugfix: in HTTP/3 when using OpenSSL.

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --disable CodeIT-quic --save
yum-config-manager --enable CodeIT-mainline --save

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now.  To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline

We have built OpenSSL+QUIC 3.0 separately since v1.21.6, installing it to /lib64 with the .so.81.3 suffix to ensure it won’t interfere with your system libraries.

Experimental HTTP/3 support was added in NGINX 1.25.0 Mainline. We build it with the corresponding module (--with-http_v3_module).

NGINX 1.25.1 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.9, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.1 mainline with HTTP/3 support added to EL7, EL8, EL9 repositories. brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules added or built-in. OpenSSL built dynamically using OpenSSL+QUIC 3.0.9.

Major changes:

  • Feature: the “http2” directive, which enables HTTP/2 on a per-server basis; the “http2” parameter of the “listen” directive is now deprecated.
  • Change: HTTP/2 server push support has been removed.
  • Change: the deprecated “ssl” directive is not supported anymore.
  • Bugfix: in HTTP/3 when using OpenSSL.

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --disable CodeIT-quic --save
yum-config-manager --enable CodeIT-mainline --save

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9 repos are modular now.  To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline

We have built OpenSSL+QUIC 3.0 separately since v1.21.6, installing it to /lib64 with the .so.81.3 suffix to ensure it won’t interfere with your system libraries.

Experimental HTTP/3 support was added in NGINX 1.25.0 Mainline. We build it with the corresponding module (--with-http_v3_module).