This commit deprecates --tls-proto-list option, and adds 2 new
options: --tls-min-proto-version and --tls-max-proto-version to
specify minimum and maximum protocol version respectively. Versions
between the two are enabled. The deprecated --tls-proto-list has
empty default value, and acts like enabling only specific protocol
versions in the range for now.
Previously, after sending SIGUSR2 to the original master process, and
the new master process gets ready, user has to send SIGQUIT to the
original master process to shut it down gracefully. With this commit,
the new master process sends SIGQUIT to the original master process
when it is ready to serve requests, eliminating for user to send
SIGQUIT manually.
This works nicely with systemd, because now you can replace nghttpx
binary with new one by "systemctl kill -s USR2 --kill-who=main
nghttpx".
nghttpx supports multiple certificates using --subcert option.
Previously, SNI hostname is used to select certificate. With this
commit, signature algorithm presented by client is also taken into
consideration. nghttpx now accepts certificates which share the same
hostname (CN, SAN), but have different signature algorithm (e.g.,
ECDSA+SHA256, RSA+SHA256).
Currently, this feature requires OpenSSL >= 1.0.2. BoringSSL, and
LibreSSL do not work since they lack required APIs.
--accesslog-write-early option is analogous to HAProxy's logasap. If
used, nghttpx writes access log when response header fields are
received from backend rather than when request transaction finishes.
Previously, ciphers option sets cipher list for both frontend and
backend TLS connections. With this commit, ciphers option only sets
cipher list for frontend connections. The new client-ciphers option
sets cipher list for backend connection.
This commit adds client-no-http2-cipher-black-list option to disable
enforcement of HTTP/2 cipher black list on backend HTTP/2 connection.
Previously, existing no-http2-cipher-black-list option disables it for
both frontend and backend connections. Now no-http2-cipher-black-list
option only disables it for frontend connection.
Previously, global accept-proxy-protocol option enables PROXY protocol
support for all frontend listeners, but this was inflexible. To fix
this issue, accept-proxy-protocol option is now deprecated, and
instead proxyproto parameter in frontend option enables PROXY protocol
support per frontend.
We have added "dns" parameter to backend option. If specified, name
lookup is done dynamically. If not, name lookup is done at start up,
or configuration reloading. nghttpx caches DNS result including error
case in 30 seconds in this commit. Later commit makes this
configurable.
DNS resolution is done asynchronously using c-ares library.
This option requires OpenSSL >= 1.0.2. With OpenSSL 1.0.2, the
default value is "P-256". With OpenSSL 1.1.0 or later, the default
value is "X25519:P-256".
We added --frontend-http2-window-size,
--frontend-http2-connection-window-size, --backend-http2-window-size,
and --backend-http2-connection-window-size option to replace existing
*-bits options. The old options are not flexible because they only
specify number of bits. Now we can specify integer value, with
possible g, m, and k unit. The old options are still available for
backend compatibility, but are deprecated.
Tatsuhiro Tsujikawa
Tomasz Torcz