Angie Version History#
2025#
Angie 1.8.2#
Release date: 13.02.2025.
Security#
Insufficient validation while handling virtual servers with TLSv1.3 SNI allowed SSL sessions to be reused in a different virtual server, bypassing client SSL certificate verification (CVE-2025-23419); the fix was ported from nginx 1.27.4.
Bugfixes#
API requests to retrieve statistic values from an individual zone, which was set via variables, could cause a worker process to enter an infinite loop.
HTTP/3 requests were not counted in zone statistics; the bug had appeared in 1.8.0.
TLS handshakes using QUIC protocol were not counted in SSL statistics.
Certificate renewal via the ACME protocol could fail for server names prefixed with a dot in the server_name directive.
Packages#
Dynamic modules added:
2024#
Angie 1.8.1#
Release date: 28.12.2024.
Bugfixes#
Using the status_zone directive in the server block of the HTTP module caused excessive logging of empty requests in access_log on TLS handshakes; the bug had appeared in 1.8.0.
Decoding errors in HTTP/3 stream could cause a worker process crash when closing a QUIC connection; the fix was ported from nginx 1.27.4.
Sending QUIC protocol version negotiation packets could cause an infinite packet exchange loop; the fix was ported from nginx 1.27.4.
Using DNS-challenge without hooks in the ACME module could cause a worker process crash in some configurations.
Packages#
Updated:
angie-module-auth-jwt, to version 0.9.0
23.01.2025
Updated:
angie-console-light, to version 1.6.0
27.01.2025
Dynamic modules added:
Updated:
angie-console-light, to version 1.6.1
angie-module-auth-spnego, to version v1.1.2
angie-module-headers-more, to version v0.38
angie-module-lua, to version 0.10.28
angie-module-njs, to version 0.8.9
angie-module-vts, to version v0.2.3
angie-module-wasm, to version v0.2-beta2
Angie 1.8.0#
Release date: 19.12.2024.
Features#
DNS-01 challenges by handling DNS queries from the ACME server, which allows to automatically request certificates of any types, including wildcard ones.
Support of Hooks system in the ACME module, configurable using the acme_hook directive, which allows handling of domain name challenges using an external application to provide integration with various services and DNS hosting providers.
The ACME module logs some additional information: why exactly the certificate is being renewed, full domain name list, client's account ID, long periods of inactivity (e.g. pollings), and the domain name being challenged; this information simplifies troubleshooting and allows to specify the CAA DNS record.
The account_key parameter of the acme_client directive, which allows to reuse an existing key for the ACME server account instead of auto-generating a new one.
Support for variables in the status_zone directives in the stream and HTTP modules allows to dynamically account statistics within several zones in a single location or server block; in particular, it's especially useful when a single server block is handling multiple virtual hosts.
GZip HTTP compression module compatibility with the zlib-ng versions 2.2.0 and above, which could previously cause "[alert] gzip filter failed to use preallocated memory" messages in the error log.
The max_headers directive that limits the number of HTTP request header fields to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx) and Maksim Yevmenkin.
The http3_max_table_capacity and proxy_http3_max_table_capacity directives to configure the HTTP/3 dynamic header compression table limits.
Cross-compilation support - the build system can now use a wrapper script to run autotests, which enables to prepare a build without running test programs directly on the target platform.
All functionality of nginx 1.27.3.
Bugfixes#
HTTP/3 clients could time out when using 0-RTT; the bug was inherited from nginx in version 1.7.0.
Proxying with HTTP/3 using variables in the proxy_pass directive and without specifying an upstream block could crash the worker process.
HTTP/3 upstreams using dynamic table could lead to worker process crash if used with cache.
Some SSL handshakes could be not counted in statistics for the Stream module.
HTTP/3 proxy settings specified in http or server level might be ignored.
The proxy_ssl_certificate directive didn't work when proxying via HTTP/3 with NTLS support enabled.
Changes#
When gracefully shutting down old worker processes, keep-alive connections are now closed only after the timeout specified by the lingering_timeout directive has expired; this behaviour allows to avoid possible client errors when receiving replies at that moment. Thanks to Maxim Dounin (freenginx).
Disabled caching of the Stream module variables $ssl_server_name, $ssl_server_cert_type, $ssl_preread_protocol, and $ssl_preread_server_name, which allows to get actual values when using virtual servers.
Packages#
Dynamic modules added:
Updated:
angie-module-auth-jwt, to version 0.8.0
angie-module-jwt, to version 3.4.2
angie-module-njs, to version 0.8.8
angie-module-opentracing, to version 0.38.0
angie-module-wasm, to version 0.1-beta5
Angie 1.7.0#
Release date: 19.09.2024.
Features#
Forced closing of all connections to a proxied server when it's removed from the group can be configured via the proxy_connection_drop, grpc_connection_drop, fastcgi_connection_drop, scgi_connection_drop, and uwsgi_connection_drop directives.
Counters of sent DNS query types in the resolver statistics API, which is collected with the status_zone parameter of the resolver directive.
The $ssl_server_cert_type variable that contains the type of selected certificate for a received TLS-connection.
Disabling creation of the PID file with the off parameter of the pid directive, which might be beneficial with immutable images and direct control by a service manager. Thanks to Maxim Dounin (freenginx).
Creation of the PID file made atomic via an intermediate temporary file, which removes a moment when the file is already in the directory but still empty, and allows external programs to handle it more easily and reliably.
Now, during reconfiguration, no attempt is made to recreate the PID file if the name in the pid directive has changed but points to the same file via symlinks; in particular, it allows avoiding issues on systems that migrate from /var/run/angie.pid to /run/angie.pid. Thanks to Maxim Dounin (freenginx).
Syslog logging errors are now reported no more than once per second; this helps avoid flooding the logs with such messages when the syslog server is down or overloaded. Thanks to Maxim Dounin (freenginx).
In the Mail proxy module, the maximum number of commands during authentication, configured with the max_commands directive, is limited to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx).
The --feature-cache option of the ./configure script to cache its results for optimization when building multiple modules or cross-compiling.
All functionality of nginx 1.27.1.
Bugfixes#
"PID file ... not readable (yet?) after start" and "Failed to parse PID from file..." errors might appear when starting with systemd. Thanks to Maxim Dounin (freenginx).
Changes#
Updated descriptions of HTTP status codes in conformance with RFC 9110. Thanks to Maxim Dounin (freenginx) and Michiel W. Beijen.
A maximum of one empty line is now allowed before an HTTP request to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx).
HTTP/1.x header field names without a colon at the end are now prohibited; such invalid header fields from a client or a proxied server will now cause an error response. Thanks to Maxim Dounin (freenginx) and Maksim Yevmenkin.
When reading a request body using HTTP/1.1 chunked transfer encoding, the total size of ignored chunk extensions and trailer header fields is now limited by the client_max_body_size directive to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx) and Bartek Nowotarski.
The MIME type in the mime.types configuration file has been changed to image/bmp for the bmp extension and application/vnd.rar for the rar extension; set to application/vnd.debian.binary-package for the deb and udeb extensions. Thanks to Yuriy Izorkin.
Packages#
Updated:
angie-module-opentracing, to version 0.36.0
angie-module-lua, to version 0.10.27
24.10.2024
Added packages for SberLinux.
29.11.2024
Added WASM support with the following packages:
Angie 1.6.2#
Release date: 16.08.2024.
Security#
Processing a specially crafted MP4 file with the ngx_http_mp4_module could cause a worker process crash (CVE-2024-7347); the fix was ported from nginx 1.27.1.
Angie 1.6.1#
Release date: 08.08.2024.
Features#
A new passed counter in the API statistics of the stream module's status_zone directive tracks connections passed to other sockets using pass directives.
Bugfixes#
When using virtual servers or the pass directives in the stream module, connections could be accounted incorrectly in the statistics API.
Worker processes could crash on configurations with 5 ACME clients or more; the bug had appeared in 1.6.0.
Handling cached responses with the X-Accel-Redirect header could crash the worker process. Thanks to Maxim Dounin (freenginx) and Jiří Setnička.
Packages#
Updated:
angie-console-light, to version 1.4.0
angie-module-opentracing, to version 0.35.3
angie-module-zstd, to revision f4ba115
Angie 1.6.0#
Release date: 28.06.2024.
Features#
The sticky directive and related options in the stream module's upstream block, which allow to configure sticky sessions mode where all connections in the session are routed to the same server.
Extraction of Cookie values from RDP connections using the rdp_preread directive in the stream module into $rdp_cookie and $rdp_cookie_NAME variables, which allows to log and stick RDP client sessions to particular servers while load balancing.
Support for multiple acme directives in a server block, which allows to configure obtaining two types of certificates at once for that virtual server.
Command line options -m and -M to list built-in and loaded modules.
All functionality of nginx 1.27.0, including support for virtual servers in the stream module and the pass directive, which allows to pass accepted connections for handling to another listening sockets, including HTTP and Mail modules.
Bugfixes#
Certificate request via the ACME protocol could result in error on some configurations with a log message like "[alert] getsockname() failed (9: Bad file descriptor)".
Certificate request with large number of domain names via the ACME protocol could result in error with a log message like "[error] JSON parser error".
ACME clients in configurations with multiple error_log directives could log messages to irrelevant logs.
Packages#
Updated:
angie-module-auth-jwt, to version 0.7.0
angie-module-auth-ldap, to revision 241200e
angie-module-jwt, to version 3.4.1
angie-module-keyval, to version 0.3.0
angie-module-lua: stream_lua_module, to revision bea8a0c
angie-module-njs, to version 0.8.5
Angie 1.5.2#
Release date: 03.06.2024.
Security#
When using HTTP/3, processing of a specially crafted QUIC session could cause a worker process crash, worker process memory disclosure on systems with MTU larger than 4096 bytes, or have other impact (CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161); the fix has been ported from nginx 1.26.1.
Packages#
Updated:
angie-module-opentracing, to version 0.35.2
Angie 1.5.1#
Release date: 16.05.2024.
Bugfixes#
The proxy_next_upstream mechanism did not work correctly when using the resolve option of the server directive in the HTTP block if the number of resolved IP addresses differed from the number of specified servers.
While requesting a certificate via the ACME protocol, a segmentation fault could occur in a worker process.
The slow_start mechanism did not work when proxying TCP connections in the stream module.
HTTP/3 requests could result in an error if received as TLS 1.3 early data; the bug had appeared in 1.4.0.
HTTP/3 connection could be prematurely closed while using 0-RTT in QUIC.
When reading a request body from a fast connection, reading for a long time was possible. Thanks to Maxim Dounin (freenginx).
Changes#
Now ACME clients do not discard previously stored certificates that were expired or issued for a different domain list, but use them while renewing.
Packages#
27.05.2024
Added packages for Alpine 3.20.
Angie 1.5.0#
Release date: 27.03.2024.
Features#
Basic support for automatically obtaining and updating certificates using the ACME protocol, configurable with the acme_client and acme directives, as well as variables of the form $acme_cert_= and $acme_cert_key_=.
Configuration of automatic redirection, which adds trailing slashes to request URIs, with the auto_redirect directive.
Output statistics metrics with dates in Epoch format instead of ISO 8601 for use in Prometheus and optionally in the JSON API with the ?date-epoch request argument.
New recovering state for upstream peers in the statistics API, indicating that a peer is slowly starting up after a failure, as suggested by the slow_start option.
Now the -V switch also shows the relevant version of nginx, which is useful for compatibility with third-party utilities, certbot in particular. Thanks to AdvTechnoKing.
All functionality of nginx 1.25.4.
Bugfixes#
If the SSL session reuse mechanism proxy_ssl_session_reuse was used and the list of proxied servers was dynamically updated, a leak could occur in the shared memory zone configured for the corresponding upstream block.
Packages#
Added packages for FreeBSD 13 (arm64), RED OS 8 (x86-64).
Dynamic modules added:
Updated:
angie-module-opentracing, to version 0.34.0
28.03.2024
Updated:
angie-console-light, to version 1.3.0
16.04.2024
Dynamic modules added:
Updated:
angie-module-njs, to version 0.8.4
25.04.2024
Dynamic modules added:
angie-module-vts: includes module-vts, module-sts, module-stream-sts
Angie 1.4.1#
Release date: 15.02.2024.
Security#
When using HTTP/3, a segmentation error may have occurred in a worker process while processing a specially crafted QUIC session (CVE-2024-24989); note that Angie as of 1.4.0 is already not vulnerable to CVE-2024-24990.
Packages#
Dynamic modules added:
Updated:
angie-module-njs, to version 0.8.3
angie-module-vod, to version 1.33
2023#
Angie 1.4.0#
Release date: 12.12.2023.
Features#
Support for establishing HTTP/3 connections to upstream servers in the HTTP proxy module while allowing clients to use arbitrary HTTP versions. Configuration is done with the proxy_http_version directive and a set of proxy_quic_ and proxy_http3_ directives.
A mechanism for smoothly bringing the proxied server online after a failure using the slow_start option of the server directive in the upstream block.
mqtt_preread directive in the stream module, which allows extracting the username and client ID from the CONNECT packet of the MQTT protocol into the $mqtt_preread_username and $mqtt_preread_clientid variables.
Limiting the response rate of MP4 files transmission to the client proportionally to the bitrate using the mp4_limit_rate and mp4_limit_rate_after directives, which reduces the bandwidth load.
All functionality of nginx 1.25.3.
Bugfixes#
If a proxied server was the only one in a group, it could be incorrectly reported as unavailable in the metrics API even after recovery.
Packages#
Added packages for Alpine 3.19.
Dynamic modules added:
Updated:
angie-module-auth-jwt, to version 0.36
angie-module-headers-more, to version 0.36
angie-module-ndk, to version 0.3.3
angie-module-opentracing, to version 0.33.0
18.12.2023
Updated:
angie-console-light, to version 1.2.0
25.12.2023
Updated:
angie-console-light, to version 1.2.1
22.01.2024
Dynamic modules added:
Updated:
angie-module-auth-jwt, to version 0.6.0
angie-module-headers-more, to version 0.37
angie-module-lua: http_lua_module, to version 0.10.26; stream_lua_module, to version 0.0.14
Angie 1.3.2#
Release date: 23.11.2023.
Bugfixes#
Possible incorrect values of metrics in Prometheus output that used variables other than $p8s_value for their values; in practice the issue could occur with angie_http_upstreams_peers_state and angie_stream_upstreams_peers_state from the standard prometheus_all.conf template.
Some connection attempts to upstream servers might not have been properly accounted for in the statistics API if they failed immediately; the bug had appeared in 1.3.0.
Packages#
04.12.2023
Dynamic modules added:
07.12.2023
Updated:
angie-console-light, to version 1.1.1
Angie 1.3.1#
Release date: 18.10.2023.
Security#
Added extra limitations to HTTP/2 stream handling for better protection against the DoS attack known as "HTTP/2 Rapid Reset" (CVE-2023-44487).
Packages#
26.10.2023
Dynamic modules added:
13.11.2023
Dynamic modules added:
Updated:
angie-console-light, to version 1.1.0
angie-module-headers-more, to version 0.35
angie-module-njs, to version 0.8.2
angie-module-vod, to version 1.32
Angie 1.3.0#
Release date: 19.09.2023.
Features#
Ability to specify multiple match patterns in the location directive, which allows to combine several location blocks with similar settings and therefore simplify configuration by reducing duplication.
Export of varied statistics metrics in Prometheus format with flexible template configuration using the new prometheus and prometheus_template directives.
Detailed information and metrics for groups of stream upstream servers in the statistics interface provided by the api directive.
The resolve option of the server directive in the stream module's upstream block that allows to monitor changes to the list of IP addresses corresponding to a domain name, and automatically update it without the need of reloading configuration.
The service option of the server directive in the stream module's upstream block that allows to retrieve lists of addresses from DNS SRV records, with basic priority support.
Access to the contents of configuration files used by the current generation of worker processes via the interface provided by the api directive with the api_config_files directive enabled.
Display of the configuration generation number in process titles, which allows to monitor the success of configuration reloads and the number of previous worker process generations using the ps utility.
All functionality of nginx 1.25.2.
Bugfix#
Compilation failed when ./configure options --without-http_upstream_zone_module or --without-stream_upstream_zone_module were used; the bug had appeared in 1.2.0.
Changes#
Now appname angie is used when loading the OpenSSL configuration.
Packages#
Updated:
angie-module-njs, to version 0.8.1
Angie 1.2.0#
Release date: 30.05.2023.
Features#
The sticky directive and related options in the HTTP module's upstream block that allow to configure sticky sessions mode, where all requests of the session are routed to the same server.
The $upstream_sticky_status variable that takes either NEW, HIT or MISS values depending on success of requesting related upstream server with sticky sessions enabled.
Support for NTLS in the HTTP modules when using the TongSuo TLS library; the support can be enabled via the --with-ntls build time option and configured with the corresponding ssl_ntls and proxy_ssl_ntls directives.
In the HTTP proxy modules, the ability to specify multiple certificates with different types (RSA and ECDSA) and corresponding keys using the proxy_ssl_certificate and proxy_ssl_certificate_key directives.
Display of version and build name in the master process title, which allows to get this information about a running server instance using the ps utility.
The gzip module's ability to compress "207 Multi-Status" responses. Thanks to DBotThePony.
All functionality of nginx 1.25.0, including HTTP/3 support.
Packages#
Added packages for Ubuntu 23.04 "Lunar Lobster".
Dynamic modules added:
13.06.2023
Added packages for Debian 12 "Bookworm" and AlmaLinux.
12.07.2023
Dynamic modules added:
Updated:
angie-module-njs, to version 0.8.0.
28.07.2023
Dynamic modules added:
18.08.2023
Dynamic modules added:
angie-module-lua package includes http_lua_module and stream_lua_module.
Angie 1.1.0#
Release date: 24.01.2023.
Features#
The resolve option of the server directive in the HTTP module's upstream block that allows to monitor changes to the list of IP addresses corresponding to a domain name, and automatically update it without the need of reloading configuration.
The service option of the server directive in the HTTP module's upstream block that allows to retrieve lists of addresses from DNS SRV records, with basic priority support.
Detailed information and metrics for the groups of HTTP upstream servers in the statistics interface provided by the api directive.
autoindex uses natural sorting order for directory listings.
All functionality of nginx 1.23.3.
Bugfix#
Compilation failed due to false warning when using GCC 9 or older with the -O2 or higher optimization.
Packages#
15.03.2023
Dynamic modules added:
07.04.2023
Added packages for ALT Linux.
11.05.2023
Added packages for FreeBSD.
Dynamic modules added:
26.05.2023
Added packages for Astra Linux Special Edition.
2022#
Angie 1.0.0#
Release date: 27.10.2022.
Features#
The api directive that provides HTTP RESTful interface for accessing in JSON format basic information about a web server instance, as well as metrics of client connections, shared memory zones, DNS queries, HTTP requests, HTTP responses cache, TCP/UDP sessions of stream module, and zones of limit_conn/limit_req modules.
The status_zone directive in HTTP module for specifying zone to collect request metrics in server and location contexts.
The status_zone directive in stream module for specifying zone to collect TCP/UDP session metrics.
The status_zone parameter of the resolver directive for specifying zone to collect metrics on DNS queries.
The $angie_version variable with version of Angie.
All functionality of nginx 1.23.2.