What changed in nginx 1.30.0 and what it means for your upstream config

nginx 1.30.0 brings together features accumulated across the 1.29.x mainline series. The release covers a broad range of changes, from protocol support additions to security-relevant fixes and new configuration options.


Keepalive to upstreams is now on by default

One of the more operationally significant changes is that keepalive connections to upstream servers are now enabled by default, with the proxy HTTP version set to 1.1. Previously, operators had to configure this explicitly. The change affects any deployment using the proxy module and means persistent connections to backends are established without additional directives.

HTTP/2 to backend upstreams

nginx can now communicate with upstream servers over HTTP/2. Earlier versions were limited to HTTP/1.x on the upstream side regardless of the protocol used on the client-facing side. This lands alongside fixes for HTTP/2 upstream behavior with caching and for pending control frame handling on reinit.

Encrypted ClientHello

Support for Encrypted ClientHello (ECH) is included in 1.30.0. ECH encrypts the TLS ClientHello message, which prevents network observers from seeing the server name indication (SNI) in plaintext during connection setup. The implementation integrates with OpenSSL’s ECH API.

103 Early Hints

The 103 Early Hints status code is now supported. It allows nginx to send response headers to clients before the upstream has finished generating the full response, giving browsers an opportunity to preload resources earlier. The release also includes fixes for flushing early hints over HTTP/2 and for handling multiple 103 responses from upstreams.

Sticky sessions for upstreams

Load balancing gains sticky session support, allowing nginx to route repeat requests from a client to the same upstream server. This is a commonly requested feature for stateful applications that cannot be easily adapted to work across multiple backends.

Multipath TCP

nginx 1.30.0 adds Multipath TCP (MPTCP) support. MPTCP allows a single TCP connection to use multiple network paths simultaneously, which can improve throughput and resilience in environments where multiple interfaces are available.

TLS and certificate changes

TLS certificate compression is now supported for both OpenSSL and BoringSSL builds. The release also adds two new SSL variables, $ssl_sigalg and $ssl_client_sigalg, and adds SSL key loading via OSSL_STORE. Compatibility with OpenSSL 4.0 and AWS-LC is included. The OpenSSL 3.5 QUIC API is available but disabled by default.

New max_headers directive

A max_headers directive lets operators set a limit on the number of request headers nginx will accept. This adds a control point for mitigating certain classes of abusive or malformed requests.
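The keepalive default described above and the new max_headers directive both land in the http, upstream and location blocks of a typical proxy configuration. The following is an added example, not configuration from the article or from the nginx project, of how those blocks might look on 1.30.0; it assumes the `max_headers number;` syntax from the nginx docs, and the addresses, hostnames and paths are constructed placeholders.

```nginx
# Added example, not from the article or the nginx project: an upstream/proxy
# configuration written against the 1.30.0 defaults described above.
# Addresses, hostnames, paths and the header cap are constructed placeholders.
http {
    # max_headers is the new directive named above; the form
    # "max_headers number;" (http/server context) is assumed from the nginx
    # docs. Size it above what your application legitimately sends so that
    # only abusive or malformed requests are rejected by it.
    max_headers 100;

    # Surface the new signature-algorithm variables in access logs so TLS
    # negotiation with weak or unexpected algorithms is visible to detection.
    log_format tls_audit '$remote_addr "$request" $status '
                         'proto=$ssl_protocol sigalg=$ssl_sigalg '
                         'client_sigalg=$ssl_client_sigalg';

    upstream app_backend {
        server 10.0.0.11:8080;
        server 10.0.0.12:8080;

        # 1.30.0 keeps upstream connections alive by default. Stating the
        # idle-pool size, per-connection request cap and idle timeout keeps
        # the behaviour explicit and identical on older builds in the fleet.
        # Because many clients' requests now share one backend connection,
        # the backend must not tie per-client state to the TCP connection.
        keepalive 32;
        keepalive_requests 1000;
        keepalive_timeout 60s;
    }

    server {
        listen 443 ssl;
        server_name app.example.com;
        ssl_certificate     /etc/nginx/certs/app.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/certs/app.key;   # placeholder path
        access_log /var/log/nginx/tls_audit.log tls_audit;

        location / {
            proxy_pass http://app_backend;
            # Already the default in 1.30.0; set explicitly so pre-1.30 nginx
            # instances reuse upstream connections the same way. Clearing the
            # Connection header stops nginx from sending "Connection: close".
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Run `nginx -t` against the merged configuration before reloading; a build older than 1.29.x will reject the max_headers line as an unknown directive.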
