Angie PRO Version History#
2025#
Angie PRO 1.8.2#
Release date: 13.02.2025.
Security#
Insufficient validation while handling virtual servers with TLSv1.3 SNI allowed SSL sessions to be reused in a different virtual server, bypassing client SSL certificate verification (CVE-2025-23419); the fix was ported from nginx 1.27.4.
Bugfixes#
Active probes configured with the upstream_probe (PRO) directive in the stream module could cause a worker process to crash.
API requests to retrieve statistic values from an individual zone, which was set via variables, could cause a worker process to enter an infinite loop.
HTTP/3 requests were not counted in zone statistics; the bug had appeared in 1.8.0.
TLS handshakes using QUIC protocol were not counted in SSL statistics.
Certificate renewal via the ACME protocol could fail for server names prefixed with a dot in the server_name directive.
Packages#
Dynamic modules added:
2024#
Angie PRO 1.8.1#
Release date: 28.12.2024.
Bugfixes#
Using the status_zone directive in the server block of the HTTP module caused excessive logging of empty requests in access_log on TLS handshakes; the bug had appeared in 1.8.0.
Decoding errors in HTTP/3 stream could cause a worker process crash when closing a QUIC connection; the fix was ported from nginx 1.27.4.
Sending QUIC protocol version negotiation packets could cause an infinite packet exchange loop; the fix was ported from nginx 1.27.4.
Using DNS-challenge without hooks in the ACME module could cause a worker process crash in some configurations.
Packages#
Updated:
angie-pro-module-auth-jwt, to version 0.9.0
23.01.2025
Updated:
angie-pro-console-light, to version 1.6.0
27.01.2025
Dynamic modules added:
Updated:
angie-pro-console-light, to version 1.6.1
angie-pro-module-auth-spnego, to version v1.1.2
angie-pro-module-headers-more, to version v0.38
angie-pro-module-lua, to version 0.10.28
angie-pro-module-njs, to version 0.8.9
angie-pro-module-vts, to version v0.2.3
angie-pro-module-wasm, to version v0.2-beta2
Angie PRO 1.8.0#
Release date: 19.12.2024.
Features#
HTTP session binding for a group of proxied servers with a request to external storage, configurable by the sticky directive in the learn mode using the remote_action and remote_result parameters; this allows to configure binding of client sessions to balanced servers in cluster mode, when a group of balancers is unified by shared storage and directs client requests within one session to the same server regardless of which balancer they hit.
Support of DNS-01 challenges by handling DNS queries from the ACME server, which allows to automatically request certificates of any types, including wildcard ones.
Hooks system in the ACME module, configurable using the acme_hook directive, which allows handling of domain name challenges using an external application to provide integration with various services and DNS hosting providers.
The ACME module logs some additional information: why exactly the certificate is being renewed, full domain name list, client's account ID, long periods of inactivity (e.g. pollings), and the domain name being challenged; this information simplifies troubleshooting and allows to specify the CAA DNS record.
The account_key parameter of the acme_client directive, which allows to reuse an existing key for the ACME server account instead of auto-generating a new one.
Support for variables in the status_zone directives in the stream and HTTP modules allows to dynamically account statistics within several zones in a single location or server block; in particular, it's especially useful when a single server block is handling multiple virtual hosts.
GZip HTTP compression module compatibility with the zlib-ng versions 2.2.0 and above, which could previously cause "[alert] gzip filter failed to use preallocated memory" messages in the error log.
The max_headers directive that limits the number of HTTP request header fields to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx) and Maksim Yevmenkin.
The http3_max_table_capacity and proxy_http3_max_table_capacity directives to configure the HTTP/3 dynamic header compression table limits.
Cross-compilation support - the build system can now use a wrapper script to run autotests, which enables to prepare a build without running test programs directly on the target platform.
All functionality of nginx 1.27.3.
Bugfixes#
HTTP/3 clients could time out when using 0-RTT; the bug was inherited from nginx in version 1.7.0.
Proxying with HTTP/3 using variables in the proxy_pass directive and without specifying an upstream block could crash the worker process.
HTTP/3 upstreams using dynamic table could lead to worker process crash if used with cache.
Some SSL handshakes could be not counted in statistics for the stream module.
HTTP/3 proxy settings specified in http or server level might be ignored.
The proxy_ssl_certificate directive didn't work when proxying via HTTP/3 with NTLS support enabled.
Changes#
When gracefully shutting down old worker processes, keep-alive connections are now closed only after the timeout specified by the lingering_timeout directive has expired; this behaviour allows to avoid possible client errors when receiving replies at that moment. Thanks to Maxim Dounin (freenginx).
Disabled caching of the stream module variables $ssl_server_name, $ssl_server_cert_type, $ssl_preread_protocol, and $ssl_preread_server_name, which allows to get actual values when using virtual servers.
Packages#
Dynamic modules added:
Updated:
angie-pro-module-auth-jwt, to version 0.8.0
angie-pro-module-jwt, to version 3.4.2
angie-pro-module-njs, to version 0.8.8
angie-pro-module-opentracing, to version 0.38.0
angie-pro-module-wasm, to version 0.1-beta5
Angie PRO 1.7.0#
Release date: 19.09.2024.
Features#
Forced closing all the connections to a proxied server when it's removed from the group; it can be configured via the proxy_connection_drop, grpc_connection_drop, fastcgi_connection_drop, scgi_connection_drop, and uwsgi_connection_drop directives, which value can be overridden locally with the connection_drop argument of an API request for server removal.
Counters of sent DNS query types in the resolver statistics API, which is collected with the status_zone parameter of the resolver directive.
The feedback (PRO) load balancing now can be used in the stream module; it distributes TCP/UDP sessions based on a specified variable, which can be obtained from proxied upstream servers or periodic requests to external services. This allows dynamic load balancing depending on arbitrary metrics of proxied servers, such as resource consumption, CPU/memory utilization, and queue length.
The last_byte option of the feedback (PRO) directive, which allows processing upstream server feedback after the entire response is received, rather than only the header.
The feedback (PRO) load balancing method now accepts floating-point numbers as the variable value.
The account parameter of the least_time (PRO) directive, which enables using a variable to specify which requests are considered for least_time balancing, including considering only upstream_probe (PRO) requests.
The factor parameter of the least_time (PRO) directive, which allows to specify an adjustable smoothing factor for the least_time balancer and overrides the value of the response_time_factor (PRO) used for statistics collection.
A drain mode that switches the proxied stream server to a new draining state, when only requests bound using the sticky module are sent to the server.
The $ssl_server_cert_type variable that contains the type of selected certificate for a received TLS-connection.
Disabling creation of the PID file with the off parameter of the pid directive, which might be beneficial with immutable images and direct control by a service manager. Thanks to Maxim Dounin (freenginx).
Creation of the PID file made atomic via an intermediate temporary file, which removes a moment when the file is already in the directory but still empty, and allows external programs to handle it more easily and reliably.
Now, during reconfiguration, no attempt is made to recreate the PID file if the name in the pid directive has changed but points to the same file via symlinks; in particular, it allows avoiding issues on systems that migrate from /var/run/angie.pid to /run/angie.pid. Thanks to Maxim Dounin (freenginx).
Syslog logging errors are now reported no more than once per second; this helps avoid flooding the logs with such messages when the syslog server is down or overloaded. Thanks to Maxim Dounin (freenginx).
In the Mail proxy module, the maximum number of commands during authentication, configured with the max_commands directive, is limited to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx).
The --feature-cache option of the ./configure script to cache its results for optimization when building multiple modules or cross-compiling.
All functionality of nginx 1.27.1.
Bugfixes#
The wait timeout of a queued request configured by the queue (PRO) directive could crash the worker process.
"PID file ... not readable (yet?) after start" and "Failed to parse PID from file..." errors might appear when starting with systemd. Thanks to Maxim Dounin (freenginx).
Changes#
Updated descriptions of HTTP status codes in conformance with RFC 9110. Thanks to Maxim Dounin (freenginx) and Michiel W. Beijen.
A maximum of one empty line is now allowed before an HTTP request to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx).
HTTP/1.x header field names without a colon at the end are now prohibited; such invalid header fields from a client or a proxied server will now cause an error response. Thanks to Maxim Dounin (freenginx) and Maksim Yevmenkin.
When reading a request body using HTTP/1.1 chunked transfer encoding, the total size of ignored chunk extensions and trailer header fields is now limited by the client_max_body_size directive to better protect against DoS attacks. Thanks to Maxim Dounin (freenginx) and Bartek Nowotarski.
The MIME type in the mime.types configuration file has been changed to image/bmp for the bmp extension and application/vnd.rar for the rar extension; set to application/vnd.debian.binary-package for the deb and udeb extensions. Thanks to Yuriy Izorkin.
Packages#
Updated:
angie-pro-module-opentracing, to version 0.36.0
angie-pro-module-lua, to version 0.10.27
24.10.2024
Added packages for SberLinux.
Angie PRO 1.6.2#
Release date: 16.08.2024.
Security#
Processing a specially crafted MP4 file with the ngx_http_mp4_module could cause a worker process crash (CVE-2024-7347); the fix was ported from nginx 1.27.1.
Angie PRO 1.6.1#
Release date: 08.08.2024.
Features#
A new passed counter in the API statistics of the stream module's status_zone directive tracks connections passed to other sockets using pass directives.
Bugfixes#
When using virtual servers or the pass directives in the stream module, connections could be accounted incorrectly in the statistics API.
Worker processes could crash on configurations with 5 ACME clients or more; the bug had appeared in 1.6.0.
Handling cached responses with the X-Accel-Redirect header could crash the worker process. Thanks to Maxim Dounin (freenginx) and Jiří Setnička.
Packages#
Updated:
angie-pro-console-light, to version 1.4.0
angie-pro-module-opentracing, to version 0.35.3
angie-pro-module-zstd, to revision f4ba115
Angie PRO 1.6.0#
Release date: 28.06.2024.
Features#
HTTP balancing by the value of a specified variable which can be obtained from proxied upstream servers or periodic requests to external services, using the feedback directive in the upstream block; this allows, in particular, to dynamically balance the load depending on arbitrary metrics of proxied servers: consumption of various resources, CPU/memory utilization, queue length, etc.
The sticky directive and related options in the stream module's upstream block, which allow to configure sticky sessions mode where all connections in the session are routed to the same server.
Extraction of Cookie values from RDP connections using the rdp_preread directive in the stream module into $rdp_cookie and $rdp_cookie_NAME variables, which allows to log and stick RDP client sessions to particular servers while load balancing.
The persistent option of the upstream_probe directive, which allows to avoid waiting on essential probes after configuration reload for previously healthy servers.
Support for multiple acme directives in a server block, which allows to configure obtaining two types of certificates at once for that virtual server.
Command line options -m and -M to list built-in and loaded modules.
The $upstream_probe variable that contains the name of the ongoing probe issued by upstream_probe.
All functionality of nginx 1.27.0, including support for virtual servers in the stream module and the pass directive, which allows to pass accepted connections for handling to another listening sockets, including HTTP and Mail modules.
Bugfixes#
Active upstream_probe probes might've not worked on some configurations while logging error messages like "[alert] getsockname() failed (9: Bad file descriptor)".
Certificate request via the ACME protocol could result in error on some configurations with a log message like "[alert] getsockname() failed (9: Bad file descriptor)".
Certificate request with large number of domain names via the ACME protocol could result in error with a log message like "[error] JSON parser error".
ACME clients in configurations with multiple error_log directives could log messages to irrelevant logs.
Packages#
Updated:
angie-pro-module-auth-jwt, to version 0.7.0
angie-pro-module-auth-ldap, to revision 241200e
angie-pro-module-jwt, to version 3.4.1
angie-pro-module-keyval, to version 0.3.0
angie-pro-module-lua: stream_lua_module, to revision bea8a0c
angie-pro-module-njs, to version 0.8.5
Angie PRO 1.5.2#
Release date: 03.06.2024.
Security#
When using HTTP/3, processing of a specially crafted QUIC session could cause a worker process crash, worker process memory disclosure on systems with MTU larger than 4096 bytes, or have other impact (CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161); the fix has been ported from nginx 1.26.1.
Packages#
Updated:
angie-pro-module-opentracing, to version 0.35.2
Angie PRO 1.5.1#
Release date: 16.05.2024.
Bugfixes#
The proxy_next_upstream mechanism did not work correctly when editing a group of proxied servers via the API, and when using the resolve option of the server directive in the HTTP block if the number of resolved IP addresses differed from the number of specified servers.
While requesting a certificate via the ACME protocol, a segmentation fault could occur in a worker process.
The sticky directive in the learn mode could work incorrectly when different numbers of lookup and create variables were specified.
The slow_start mechanism did not work when proxying TCP connections in the stream module.
HTTP/3 requests could result in an error if received as TLS 1.3 early data; the bug had appeared in 1.4.0.
HTTP/3 connection could be prematurely closed while using 0-RTT in QUIC.
When reading a request body from a fast connection, reading for a long time was possible. Thanks to Maxim Dounin (freenginx).
Changes#
Now ACME clients do not discard previously stored certificates that were expired or issued for a different domain list, but use them while renewing.
Packages#
27.05.2024
Added packages for Alpine 3.20.
Angie PRO 1.5.0#
Release date: 27.03.2024.
Features#
Basic support for automatically obtaining and updating certificates using the ACME protocol, configurable with the acme_client and acme directives, as well as variables of the form $acme_cert_<name> and $acme_cert_key_<name>.
A drain mode that switches the proxied HTTP server to a new draining state, when only requests bound using the sticky module are sent to the server.
Configuration of automatic redirection, which adds trailing slashes to request URIs, with the auto_redirect directive.
Output statistics metrics with dates in Epoch format instead of ISO 8601 for use in Prometheus and optionally in the JSON API with the ?date-epoch request argument.
Now the -V switch also shows the relevant version of nginx, which is useful for compatibility with third-party utilities, certbot in particular. Thanks to AdvTechnoKing.
All functionality of nginx 1.25.4.
Bugfixes#
If the SSL session reuse mechanism proxy_ssl_session_reuse was used and the list of proxied servers was dynamically updated, a leak could occur in the shared memory zone configured for the corresponding upstream block.
Packages#
Added packages for FreeBSD 13 (arm64), RED OS 8 (x86-64).
Dynamic modules added:
Updated:
angie-pro-module-opentracing, to version 0.34.0
28.03.2024
Updated:
angie-pro-console-light, to version 1.3.0
16.04.2024
Dynamic modules added:
Updated:
angie-pro-module-njs, to version 0.8.4
25.04.2024
Dynamic modules added:
angie-pro-module-vts: includes module-vts, module-sts, module-stream-sts
Angie PRO 1.4.1#
Release date: 15.02.2024.
Security#
When using HTTP/3, a segmentation error may have occurred in a worker process while processing a specially crafted QUIC session (CVE-2024-24989); note that Angie PRO as of 1.4.0 is already not vulnerable to CVE-2024-24990.
Packages#
Dynamic modules added:
Updated:
angie-pro-module-njs, to version 0.8.3
angie-pro-module-vod, to version 1.33
2023#
Angie PRO 1.4.0#
Release date: 21.12.2023.
Features#
Support for establishing HTTP/3 connections to upstream servers in the HTTP proxy module while allowing clients to use arbitrary HTTP versions. Configuration is done with the proxy_http_version directive and a set of proxy_quic_ and proxy_http3_ directives.
The upstream_probe (PRO) directive to check the health of servers in the stream module's upstream block by periodically creating test connections or sending datagrams.
Additional learn mode of the sticky directive for binding sessions to proxied servers that allows to discover sessions and save them in the server's shared memory.
Waiting queue for requests that couldn't be load-balanced on the first try, configured using the queue (PRO) directive in the HTTP module's upstream block.
HTTP RESTful JSON interface for reconfiguring, adding, or deleting servers in the stream module's upstream blocks, and the state directive for persisting these changes.
Load balancing by average time to establish a connection, receive the first or last byte of a response of proxied stream upstream servers with an adjustable smoothing factor, using the least_time (PRO) and response_time_factor (PRO) directives in the upstream block.
Statistics of average time to establish a connection, receive the first and last byte of a response of proxied stream upstream servers in the interface provided by the api directive, with the ability to adjust the average smoothing factor via the response_time_factor (PRO) directive of the upstream block.
A mechanism for smoothly bringing the proxied server online after a failure using the slow_start option of the server directive in the upstream block.
The mqtt_preread directive in the stream module, which allows extracting the username and client id from the CONNECT packet of the MQTT protocol into the $mqtt_preread_username and $mqtt_preread_clientid variables.
Limiting the response rate of MP4 files transmission to the client proportionally to the bitrate using the mp4_limit_rate and mp4_limit_rate_after directives, which reduces the bandwidth load.
All functionality of nginx 1.25.3.
Bugfixes#
If a proxied server was the only one in a group, it could be incorrectly reported as unavailable in the statistics API even after recovery.
Changes#
Now the time of proxied server being in the checking state isn't counted as downtime.
The standard prometheus_all.conf template includes all additional Prometheus metrics and possible state values of upstream peers that are only exposed by the PRO version.
Packages#
Packages for Alpine 3.19.
Updated:
angie-pro-console-light, to version 1.2.0
angie-pro-module-auth-jwt, to version 0.4.0
angie-pro-module-headers-more, to version 0.36
angie-pro-module-ndk, to version 0.3.3
angie-pro-module-opentracing, to version 0.33.0
25.12.2023
Updated:
angie-pro-console-light, to version 1.2.1
22.01.2024
Dynamic modules added:
Updated:
angie-pro-module-auth-jwt, to version 0.6.0
angie-pro-module-headers-more, to version 0.37
angie-pro-module-lua: http_lua_module, to version 0.10.26; stream_lua_module, to version 0.0.14
Angie PRO 1.3.2#
Release date: 23.11.2023.
Bugfixes#
Active health probes with the essential flag incorrectly handled the server's transition from checking to unhealthy when the initial check was failed, resulting in user requests being routed to the faulty server.
Possible incorrect values of metrics in Prometheus output that used variables other than $p8s_value for their values; in practice the issue could occur with angie_http_upstreams_peers_state and angie_stream_upstreams_peers_state from the standard prometheus_all.conf template.
Some connection attempts to upstream servers might not have been properly accounted for in the statistics API if they failed immediately; the bug had appeared in 1.3.0.
Packages#
04.12.2023
Dynamic modules added:
07.12.2023
Updated:
angie-pro-console-light, to version 1.1.1
12.12.2023
Dynamic modules added:
Updated:
angie-pro-module-auth-jwt, to version 0.4.0
angie-pro-module-headers-more, to version 0.36
angie-pro-module-ndk, to version 0.3.3
angie-pro-module-opentracing, to version 0.33.0
Angie PRO 1.3.1#
Release date: 18.10.2023.
Security#
Added extra limitations to HTTP/2 stream handling for better protection against the DoS attack known as "HTTP/2 Rapid Reset" (CVE-2023-44487).
Packages#
26.10.2023
Dynamic modules added:
13.11.2023
Dynamic modules added:
Updated:
angie-pro-console-light, to version 1.1.0
angie-pro-module-headers-more, to version 0.35
angie-pro-module-njs, to version 0.8.2
angie-pro-module-vod, to version 1.32
Angie PRO 1.3.0#
Release date: 03.10.2023.
Features#
Ability to specify multiple match patterns in the location directive, which allows to combine several location blocks with similar settings and therefore simplify configuration by reducing duplication.
Load balancing by average time to receive the response header or full response from proxied HTTP servers with an adjustable smoothing factor, using the least_time (PRO) and response_time_factor (PRO) directives in the upstream block.
Export of varied statistics metrics in Prometheus format with flexible template configuration using the new prometheus and prometheus_template directives.
Statistics of average time to receive the response header and full response of proxied HTTP servers in the interface provided by the api directive, with the ability to adjust the average smoothing factor via the response_time_factor (PRO) directive of the upstream block.
Detailed information and metrics for groups of stream upstream servers in the statistics interface provided by the api directive.
The resolve option of the server directive in the stream module's upstream block that allows to monitor changes to the list of IP addresses corresponding to a domain name, and automatically update it without the need of reloading configuration.
The service option of the server directive in the stream module's upstream block that allows to retrieve lists of addresses from DNS SRV records, with basic priority support.
Support for binding a client connection to a backend server connection using the bind_conn (PRO) directive in the http module's upstream blocks, particularly for proxying connections with NT LAN Manager (NTLM) authentication.
Access to the contents of configuration files used by the current generation of worker processes via the interface provided by the api directive with the api_config_files directive enabled.
Display of the configuration generation number in process titles, which allows to monitor the success of configuration reloads and the number of previous worker process generations using the ps utility.
All functionality of nginx 1.25.2.
Changes#
Now appname angie is used when loading the OpenSSL configuration.
Packages#
Updated:
angie-pro-module-njs, to version 0.8.1
Angie PRO 1.2.0#
Release date: 15.08.2023.
Features#
HTTP RESTful JSON interface for reconfiguring, adding, or deleting servers in the HTTP module's upstream blocks, and the state directive for persisting these changes.
The upstream_probe (PRO) directive to check the health of servers in the HTTP module's upstream block by periodically sending probe requests.
Support for cache sharding in the HTTP proxy module, which enables caching responses in different directories (drives) depending on an arbitrary response parameter, configured with variables in the new path- option of the proxy_cache directive.
Support for NTLS in the HTTP modules when using the TongSuo TLS library; the support can be enabled via the --with-ntls build time option and configured with the corresponding ssl_ntls and proxy_ssl_ntls directives.
In the HTTP proxy modules, the ability to specify multiple certificates with different types (RSA and ECDSA) and corresponding keys using the proxy_ssl_certificate and proxy_ssl_certificate_key directives.
Display of version and build name in the master process title, which allows to get this information about a running server instance using the ps utility.
The gzip module's ability to compress "207 Multi-Status" responses. Thanks to DBotThePony.
All functionality of nginx 1.25.0, including HTTP/3 support.
Changes#
The $upstream_sticky_status variable values are now uppercase to be in line with the style of $upstream_cache_status values.
Packages#
Dynamic modules added:
Angie PRO 1.1.0-p1#
Release date: 01.03.2023.
Features#
The sticky directive and related options in the HTTP module's upstream block that allow to configure sticky sessions mode, where all requests of the session are routed to the same server.
The $upstream_sticky_status variable that can be either new, hit or miss depending on the success of requesting the related upstream server with sticky sessions enabled.
Angie PRO 1.1.0#
Release date: 07.02.2023.
Features#
The api directive that provides HTTP RESTful interface for accessing in JSON or Prometheus formats basic information about a web server instance, as well as metrics of client connections, shared memory zones, DNS queries, HTTP requests, HTTP responses cache, TCP/UDP sessions of stream module, zones of limit_conn/limit_req modules, and groups of HTTP upstream servers.
The resolve option of the server directive in the HTTP module's upstream block that allows to monitor changes to the list of IP addresses corresponding to a domain name, and automatically update it without the need of reloading configuration.
The service option of the server directive in the HTTP module's upstream block that allows to retrieve lists of addresses from DNS SRV records, with basic priority support.
The status_zone directive in HTTP module for specifying zone to collect request metrics in server and location contexts.
The status_zone directive in stream module for specifying zone to collect TCP/UDP session metrics.
The status_zone parameter of the resolver directive for specifying zone to collect metrics on DNS queries.
autoindex uses natural sorting order for directory listings.
Arbitrary configuration of the signature on default error pages and the Server response header field via the server_tokens directive.
The $angie_version variable with version of Angie.
All functionality of nginx 1.23.3.
Packages#
07.04.2023
Added packages for ALT Linux.
12.05.2023
Added packages for FreeBSD.
Dynamic modules added:
26.05.2023
Added packages for Astra Linux Special Edition.
13.06.2023
Added packages for Debian 12 "Bookworm" and AlmaLinux.
12.07.2023
Dynamic modules added:
Updated:
angie-pro-module-njs, to version 0.8.0
31.07.2023
Dynamic modules added: