Releases: webserver-llc/angie
Angie 1.7.0
- Feature: Forced closing of all connections to a proxied server when it's removed from the group can be configured via the proxy_connection_drop, grpc_connection_drop, fastcgi_connection_drop, scgi_connection_drop, and uwsgi_connection_drop directives.
- Feature: Counters of sent DNS query types in the resolver statistics API, which is collected with the status_zone parameter of the resolver directive.
- Feature: The $ssl_server_cert_type variable, which contains the type of the certificate selected for a received TLS connection.
- Feature: Disabling creation of the PID file with the off parameter of the pid directive, which might be beneficial with immutable images and direct control by a service manager. Thanks to Maxim Dounin (freenginx).
- Feature: Creation of the PID file is now atomic via an intermediate temporary file, which removes the moment when the file is already in the directory but still empty, and allows external programs to handle it more easily and reliably.
- Feature: Now, during reconfiguration, no attempt is made to recreate the PID file if the name in the pid directive has changed but points to the same file via symlinks; in particular, this avoids issues on systems that migrate from /var/run/angie.pid to /run/angie.pid. Thanks to Maxim Dounin (freenginx).
- Feature: Syslog logging errors are now reported no more than once per second; this helps avoid flooding the logs with such messages when the syslog server is down or overloaded. Thanks to Maxim Dounin (freenginx).
- Feature: In the Mail proxy module, the maximum number of commands during authentication, configured with the max_commands directive, is limited to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx).
- Feature: The --feature-cache option of the ./configure script to cache its results for optimization when building multiple modules or cross-compiling.
- Feature: All functionality of nginx 1.27.1.
- Bugfix: "PID file ... not readable (yet?) after start" and "Failed to parse PID from file..." errors might appear when starting with systemd. Thanks to Maxim Dounin (freenginx).
- Change: Updated descriptions of HTTP status codes in conformance with RFC 9110. Thanks to Maxim Dounin (freenginx) and Michiel W. Beijen.
- Change: A maximum of one empty line is now allowed before an HTTP request to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx).
- Change: HTTP/1.x header field names without a colon at the end are now prohibited; such invalid header fields from a client or a proxied server will now cause an error response. Thanks to Maxim Dounin (freenginx) and Maksim Yevmenkin.
- Change: When reading a request body using HTTP/1.1 chunked transfer encoding, the total size of ignored chunk extensions and trailer header fields is now limited by the client_max_body_size directive to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx) and Bartek Nowotarski.
- Change: The MIME types in the mime.types configuration file have been changed to image/bmp for the bmp extension and application/vnd.rar for the rar extension, and set to application/vnd.debian.binary-package for the deb and udeb extensions. Thanks to Yuriy Izorkin.
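The atomic PID-file creation described in the 1.7.0 notes, as an added example in C; this is not Angie's own implementation, and the function names write_pid_atomic and read_pid_file and the "<path>.tmp" naming are assumptions. It pairs the writer with a reader that treats an empty or malformed file as "not ready yet", the condition the systemd bugfix above is about.

```c
/* Added example, not Angie's own code: atomic PID-file creation via a temp
 * file + rename(), and a reader that rejects an empty or malformed file. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Write pid to path so readers see either no file or a complete one.
 * Returns 0 on success, -1 on failure (the temp file is removed). */
int write_pid_atomic(const char *path, pid_t pid)
{
    char tmp[4096], buf[32];
    int  fd, len;
    /* assumed naming: "<path>.tmp" in the same directory, so rename() is atomic */
    if (snprintf(tmp, sizeof(tmp), "%s.tmp", path) >= (int) sizeof(tmp)) {
        return -1;
    }
    /* O_EXCL: refuse to clobber a temp file another writer may still own */
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) {
        return -1;
    }
    len = snprintf(buf, sizeof(buf), "%ld\n", (long) pid);
    if (write(fd, buf, (size_t) len) != len || fsync(fd) < 0) {
        close(fd); unlink(tmp); return -1;
    }
    /* only a fully written, fsync'ed file is moved into place */
    if (close(fd) < 0 || rename(tmp, path) < 0) {
        unlink(tmp); return -1;
    }
    return 0;
}

/* Parse a PID file; returns the PID, or -1 if the file is missing, empty,
 * or does not hold a single positive integer followed by a newline. */
long read_pid_file(const char *path)
{
    char  buf[32], *end;
    long  pid;
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    if (fgets(buf, sizeof(buf), f) == NULL) { fclose(f); return -1; }  /* empty */
    fclose(f);
    errno = 0;
    pid = strtol(buf, &end, 10);
    if (errno || end == buf || pid <= 0 || (*end != '\n' && *end != '\0')) return -1;
    return pid;
}
```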
Angie 1.6.2
- Security: Processing a specially crafted MP4 file with the ngx_http_mp4_module could cause a worker process crash (CVE-2024-7347); the fix was ported from nginx 1.27.1.
Angie 1.6.1
- Feature: A new passed counter in the API statistics of the stream module's status_zone directive tracks connections passed to other sockets using pass directives.
- Bugfix: When using virtual servers or the pass directives in the stream module, connections could be accounted incorrectly in the statistics API.
- Bugfix: Worker processes could crash on configurations with 5 ACME clients or more; the bug had appeared in 1.6.0.
- Bugfix: Handling cached responses with the X-Accel-Redirect header could crash the worker process. Thanks to Maxim Dounin (freenginx) and Jiří Setnička.
Angie 1.6.0
- Feature: The sticky directive and related options in the stream module's upstream block, which allow configuring a sticky sessions mode where all connections in the session are routed to the same server.
- Feature: Extraction of Cookie values from RDP connections using the rdp_preread directive in the stream module into the $rdp_cookie and $rdp_cookie_NAME variables, which allows logging RDP client sessions and sticking them to particular servers while load balancing.
- Feature: Support for multiple acme directives in a server block, which allows configuring two types of certificates to be obtained at once for that virtual server.
- Feature: Command line options -m and -M to list built-in and loaded modules.
- Feature: Support for BoringSSL in the ACME module.
- Feature: All functionality of nginx 1.27.0, including support for virtual servers in the stream module and the pass directive, which allows passing accepted connections to other listening sockets for handling, including those of the HTTP and Mail modules.
- Bugfix: A certificate request via the ACME protocol could result in an error on some configurations, with a log message like "[alert] getsockname() failed (9: Bad file descriptor)".
- Bugfix: A certificate request with a large number of domain names via the ACME protocol could result in an error, with a log message like "[error] JSON parser error".
- Bugfix: ACME clients in configurations with multiple error_log directives could log messages to irrelevant logs.
Angie 1.5.2
- Security: When using HTTP/3, processing of a specially crafted QUIC session could cause a worker process crash, worker process memory disclosure on systems with MTU larger than 4096 bytes, or have other impact (CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161); the fix has been ported from nginx 1.26.1.
Angie 1.5.1
- Bugfix: The proxy_next_upstream mechanism did not work correctly when using the resolve option of the server directive in the HTTP block if the number of resolved IP addresses differed from the number of specified servers.
- Bugfix: While requesting a certificate via the ACME protocol, a segmentation fault could occur in a worker process.
- Bugfix: The slow_start mechanism did not work when proxying TCP connections in the stream module.
- Bugfix: HTTP/3 requests could result in an error if received as TLS 1.3 early data; the bug had appeared in 1.4.0.
- Bugfix: An HTTP/3 connection could be prematurely closed while using 0-RTT in QUIC.
- Bugfix: When reading a request body from a fast connection, reading could go on for a long time. Thanks to Maxim Dounin (freenginx).
- Change: ACME clients now do not discard previously stored certificates that have expired or were issued for a different domain list, but use them while renewing.
Angie 1.5.0
- Feature: Basic support for automatically obtaining and updating certificates using the ACME protocol, configurable with the acme_client and acme directives, as well as variables of the form $acme_cert_* and $acme_cert_key_*.
- Feature: Configuration of automatic redirection, which adds trailing slashes to request URIs, with the auto_redirect directive.
- Feature: Output of statistics metrics with dates in Epoch format instead of ISO 8601 for use in Prometheus and, optionally, in the JSON API with the ?date=epoch request argument.
- Feature: A new recovering state for upstream peers in the statistics API, indicating that a peer is slowly starting up after a failure, as configured by the slow_start option.
- Feature: Now the -V switch also shows the corresponding version of nginx, which is useful for compatibility with third-party utilities, certbot in particular. Thanks to AdvTechnoKing.
- Bugfix: If the SSL session reuse mechanism (proxy_ssl_session_reuse) was used and the list of proxied servers was dynamically updated, a leak could occur in the shared memory zone configured for the corresponding upstream block.
Angie 1.4.1
- Security: When using HTTP/3, a segmentation fault may have occurred in a worker process while processing a specially crafted QUIC session (CVE-2024-24989); note that Angie as of 1.4.0 is already not vulnerable to CVE-2024-24990.
Angie 1.4.0
- Feature: Support for establishing HTTP/3 connections to upstream servers in the HTTP proxy module while allowing clients to use arbitrary HTTP versions. Configuration is done with the proxy_http_version directive and a set of proxy_quic_ and proxy_http3_ directives.
- Feature: A mechanism for smoothly bringing a proxied server back online after a failure using the slow_start option of the server directive in the upstream block.
- Feature: The mqtt_preread directive in the stream module, which allows extracting the username and client ID from the CONNECT packet of the MQTT protocol into the $mqtt_preread_username and $mqtt_preread_clientid variables.
- Feature: Limiting the rate at which MP4 files are transmitted to the client proportionally to their bitrate using the mp4_limit_rate and mp4_limit_rate_after directives, which reduces the bandwidth load.
- Feature: All functionality of nginx 1.25.3.
- Bugfix: If a proxied server was the only one in a group, it could be incorrectly reported as unavailable in the metrics API even after recovery.
Angie 1.3.2
- Bugfix: possible incorrect values of metrics in Prometheus output that used variables other than $p8s_value for their values; in practice the issue could occur with angie_http_upstreams_peers_state and angie_stream_upstreams_peers_state from the standard prometheus_all.conf template.
- Bugfix: some connection attempts to upstream servers might not have been properly accounted for in the statistics API if they failed immediately; the bug had appeared in 1.3.0.