Hi,
As previously agreed on epel-devel and by the EPEL Steering Committee, I have pushed Nginx 1.10.x packages to epel-testing on EL7, EL6, and EL5. This resolves numerous security flaws that were too difficult to backport to ancient, unmaintained versions of Nginx.
These updates will sit in epel-testing for a significant period of time (probably ~8 weeks) to allow adequate notice and time for testing. I will send another announcement a week before pushing to stable.
Please see upstream release notes for a complete list of new features, bug fixes, and changes: http://nginx.org/en/CHANGES-1.10 One notable feature is HTTP/2 (except EL5, where OpenSSL is too old).
Nginx gained support for dynamic modules. As part of this update, dynamic modules have been split into subpackages. For the time being these are hard dependencies to aid the upgrade path. When you install nginx, all of these modules are installed and enabled by default: - nginx-mod-http-geoip - nginx-mod-http-image-filter - nginx-mod-http-perl - nginx-mod-http-xslt-filter - nginx-mod-mail - nginx-mod-stream
Please do test thoroughly, give positive/negative karma, and open bug reports. I will refrain from pushing anything to stable until there has been sufficient testing from several people.
You should review your configuration files in /etc/nginx to determine if there are any incompatibilities. Below is a summary of the main incompatible changes. Some nginx directives have been changed or removed, so you may need to modify your configuration.
Sections relevant to EL7/EL6/EL5: - Changes with nginx 1.10.x - Changes with nginx 1.8.x
Sections also relevant to EL6/EL5: - Changes with nginx 1.4.x - Changes with nginx 1.2.x
Sections also relevant to EL5: - Changes with nginx 1.0.x
Changes with nginx 1.10.x
*) Change: non-idempotent requests (POST, LOCK, PATCH) are no longer passed to the next server by default if a request has been sent to a backend; the "non_idempotent" parameter of the "proxy_next_upstream" directive explicitly allows retrying such requests.
*) Change: now the "output_buffers" directive uses two buffers by default.
*) Change: now nginx limits subrequests recursion, not simultaneous subrequests.
*) Change: now nginx checks the whole cache key when returning a response from cache. Thanks to Gena Makhomed and Sergey Brester.
*) Change: the "proxy_downstream_buffer" and "proxy_upstream_buffer" directives of the stream module are replaced with the "proxy_buffer_size" directive.
*) Change: duplicate "http", "mail", and "stream" blocks are now disallowed.
*) Change: now SSLv3 protocol is disabled by default.
*) Change: some long deprecated directives are not supported anymore.
*) Change: obsolete aio and rtsig event methods have been removed.
Changes with nginx 1.8.x
*) Change: the "sendfile" parameter of the "aio" directive is deprecated; now nginx automatically uses AIO to pre-load data for sendfile if both "aio" and "sendfile" directives are used.
*) Change: now the "If-Modified-Since", "If-Range", etc. client request header lines are passed to a backend while caching if nginx knows in advance that the response will not be cached (e.g., when using proxy_cache_min_uses).
*) Change: now after proxy_cache_lock_timeout nginx sends a request to a backend with caching disabled; the new directives "proxy_cache_lock_age", "fastcgi_cache_lock_age", "scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time after which the lock will be released and another attempt to cache a response will be made.
*) Change: the "log_format" directive can now be used only at http level.
*) Change: now nginx takes into account the "Vary" header line in a backend response while caching.
*) Change: the deprecated "limit_zone" directive is not supported anymore.
*) Change: now the "stub_status" directive does not require a parameter.
*) Change: URI escaping now uses uppercase hexadecimal digits. Thanks to Piotr Sikora.
Changes with nginx 1.6.x
*) Change: improved hash table handling; the default values of the "variables_hash_max_size" and "types_hash_bucket_size" were changed to 1024 and 64 respectively.
*) Change: now nginx expects escaped URIs in "X-Accel-Redirect" headers.
*) Change: a logging level of auth_basic errors about no user/password provided has been lowered from "error" to "info".
*) Change: now nginx assumes HTTP/1.0 by default if it is not able to detect protocol reliably.
*) Change: the "js" extension MIME type has been changed to "application/javascript"; default value of the "charset_types" directive was changed accordingly.
*) Change: now the "image_filter" directive with the "size" parameter returns responses with the "application/json" MIME type.
*) Change in internal API: now u->length defaults to -1 if working with backends in unbuffered mode.
*) Change: now after receiving an incomplete response from a backend server nginx tries to send an available part of the response to a client, and then closes client connection.
Changes with nginx 1.4.x
*) Change: opening and closing a connection without sending any data in it is no longer logged to access_log with error code 400.
*) Change: a compiler with name "cc" is now used by default.
*) Change: domain names specified in configuration file are now resolved to IPv6 addresses as well as IPv4 ones.
*) Change: now if the "include" directive with mask is used on Unix systems, included files are sorted in alphabetical order.
*) Change: the "add_header" directive adds headers to 201 responses.
*) Change: the ngx_http_mp4_module module no longer skips tracks in formats other than H.264 and AAC.
*) Change: the "ipv6only" parameter is now turned on by default for listening IPv6 sockets.
*) Change: the "single" parameter of the "keepalive" directive is now ignored.
*) Change: SSL compression is now disabled when using all versions of OpenSSL, including ones prior to 1.0.0.
Changes with nginx 1.2.x
*) Change: now if the "include" directive with mask is used on Unix systems, included files are sorted in alphabetical order.
*) Change: the "add_header" directive adds headers to 201 responses.
*) Change: the "single" parameter of the "keepalive" directive is now ignored.
*) Change: SSL compression is now disabled when using all versions of OpenSSL, including ones prior to 1.0.0.
*) Change: keepalive connections are no longer disabled for Safari by default.
*) Change: the simultaneous subrequest limit has been raised to 200.
*) Change: a "proxy_pass" directive without URI part now uses changed URI after redirection with the "error_page" directive. Thanks to Lanshun Zhou.
*) Change: now double quotes are encoded in an "echo" SSI-command output. Thanks to Zaur Abasmirzoev.
*) Change: the ngx_http_limit_zone_module was renamed to the ngx_http_limit_conn_module.
*) Change: the "limit_zone" directive was superseded by the "limit_conn_zone" directive with a new syntax.
*) Change in internal API: now module context data are cleared while internal redirect to named location. Requested by Yichun Zhang.
*) Change: if a server in an upstream failed, only one request will be sent to it after fail_timeout; the server will be considered alive if it will successfully respond to the request.
*) Change: now the 0x7F-0x1F characters are escaped as \xXX in an access_log.
*) Change: now if total size of all ranges is greater than source response size, then nginx disables ranges and returns just the source response.
*) Change: now cache loader processes either as many files as specified by "loader_files" parameter or works no longer than time specified by the "loader_threshold" parameter during each iteration.
*) Change: now SIGWINCH signal works only in daemon mode.
Changes with nginx 1.0.x
*) Change: now double quotes are encoded in an "echo" SSI-command output. Thanks to Zaur Abasmirzoev.
*) Change: now the 0x7F-0x1F characters are escaped as \xXX in an access_log.
*) Change: now SIGWINCH signal works only in daemon mode.
*) Change: now if total size of all ranges is greater than source response size, then nginx disables ranges and returns just the source response.
*) Change: now default SSL ciphers are "HIGH:!aNULL:!MD5". Thanks to Rob Stradling.
*) Change: now regular expressions case sensitivity in the "map" directive is given by prefixes "~" or "~*".
*) Change: now the "split_clients" directive uses MurmurHash2 algorithm because of better distribution. Thanks to Oleg Mamontov.
*) Change: now long strings starting with zero are not considered as false values. Thanks to Maxim Dounin.
*) Change: now nginx uses a default listen backlog value 511 on Linux.
*) Change: now nginx uses a default listen backlog value -1 on Linux. Thanks to Andrei Nigmatulin.
*) Change: the "secure_link_expires" directive has been canceled.
*) Change: a logging level of resolver errors has been lowered from "alert" to "error".
Kind regards,
Hello Jamie,
On Sat, 02 Jul 2016, Jamie Nguyen wrote:
One notable feature is HTTP/2 (except EL5, where OpenSSL is too old).
I'm not sure if it helps in this specific case, but in general there is (additionally) the same version of OpenSSL for EL-5 available like EL-6 is shipping:
https://apps.fedoraproject.org/packages/openssl101e
Anyway, thank you very much for the time and work to drive this major Nginx update!
Greetings, Robert
Hi,
On Tuesday 6th September, these updates will be pushed from epel-testing to stable. Please do review and test the update before it gets rolled out, just in case your websites break. (ie, yum --enablerepo=epel-testing update nginx)
See the previous email for the full details.
Kind regards,
epel-devel@lists.fedoraproject.org