diff --git a/source/CHANGES.txt b/source/CHANGES.txt index 6549597a..1b9f04bc 100644 --- a/source/CHANGES.txt +++ b/source/CHANGES.txt @@ -1,3 +1,38 @@ +Changes with Unit 1.35.0 03 Sep 2025 + + *) Security: fix missing websocket payload length validation in the Java + language module which could lead to Java language module processes + consuming excess CPU. (CVE-2025-1695). + + *) Change: if building with njs, version 0.9.0 or later is now required. + + *) Feature: HTTP compression. + + *) Feature: PHP 8.5 compatibility. + + *) Feature: Ruby 3.4 compatibility. + + *) Feature: Django 5.x compatibility. + + *) Feature: Python Litestar WebSockets compatibility. + + *) Feature: GCC 15 compatibility. + + *) Bugfix: set SERVER_PORT to the actual value. + + *) Bugfix: fix issue in node.js with duplicate headers in response. + + *) Bugfix: fix WebSockets with Firefox. + + *) Bugfix: fix incorrect websocket payload length calculation in the + Java language module. + + *) Bugfix: fix instability issues due to OpenTelemetry (OTEL) support. + + *) Bugfix: fix issues with building OpenTelemetry (OTEL) support on + various platforms, including macOS. + + Changes with Unit 1.34.2 26 Feb 2025 *) Security: fix missing websocket payload length validation in the Java diff --git a/source/conf.py b/source/conf.py index fd98aafd..e0f18114 100644 --- a/source/conf.py +++ b/source/conf.py @@ -5,8 +5,8 @@ project = 'NGINX Unit' author = 'NGINX, Inc.' copyright = '2017-2025' -version = '1.34.2' -release_date = 'Feb 26, 2025' +version = '1.35.0' +release_date = 'Aug 26, 2025' release = version needs_sphinx = '6.2' diff --git a/source/configuration/index.rst b/source/configuration/index.rst index 5630b3b1..7bb9acc3 100644 --- a/source/configuration/index.rst +++ b/source/configuration/index.rst @@ -5476,6 +5476,12 @@ In turn, the **http** option exposes the following settings: The default is 30. + * - **compression** + - Object: + HTTP compression configuration + + *(since 1.35.0)* + * - **discard_unsafe_fields** - Boolean; controls header field name parsing. @@ -5594,6 +5600,75 @@ In turn, the **http** option exposes the following settings: **.webp**, **.woff2**, **.woff**, **.xml**, and **.zip**. +The **compression** option exposes the following settings: + +.. list-table:: + :header-rows: 1 + + * - Option + - Description + + * - **types** + - Array: + list of MIME types that are considered for compression. + + * - **compressors** + - Array: + list of compressors to enable. + +The **compressors** option exposes the following settings: + +.. list-table:: + :header-rows: 1 + + * - Option + - Description + + * - **encoding** (required) + - The compression method to enable. + + Depending on how Unit was built, the supported encodings are any or all + of; gzip, deflate, zstd & br. + + * - **level** + - The compression level to use. + + If not specified the default of the specified encoder is used. + + * - **min_length** + - The minimumn length of data to be considreed for compression. + + If set to 0 or not specified then there is no minimum amount of data + that will be considreed before compressing. + +Example: + +.. code-block:: json + + "compression": { + "types": [ + "text/*" + ], + "compressors": [ + { + "encoding": "gzip", + "level": 3, + "min_length": 4096 + }, + { + "encoding": "deflate", + "min_length": 0 + }, + { + "encoding": "zstd", + }, + { + "encoding": "br", + "min_length": 1024 + } + ] + } + The **telemetry** option exposes the following settings: .. list-table:: diff --git a/source/news/2025/index.rst b/source/news/2025/index.rst index 7c49c49c..e0a7a262 100644 --- a/source/news/2025/index.rst +++ b/source/news/2025/index.rst @@ -5,6 +5,14 @@ News of 2025 News archive for the year 2025. +.. nxt_news_entry:: + :author: Unit Team + :description: Version 1.35.0 includes initial HTTP compression support. + :email: unit-owner@nginx.org + :title: Unit 1.35.0 Released + :url: news/2025/unit-1.35.0-released + :date: 2025-08-26 + .. nxt_news_entry:: :author: Unit Team :description: Version 1.34.2 is a maintenance release that fixes a couple diff --git a/source/news/2025/unit-1.35.0-released.rst b/source/news/2025/unit-1.35.0-released.rst new file mode 100644 index 00000000..6442e8db --- /dev/null +++ b/source/news/2025/unit-1.35.0-released.rst @@ -0,0 +1,200 @@ +:orphan: + +#################### +Unit 1.35.0 Released +#################### + +We are pleased to announce the release of NGINX Unit 1.35.0. This release +includes a number of new features and changes: + +************************ +HTTP compression support +************************ + +We are pleased to release the initial implementation of HTTP compression +support, an oft-asked for feature. + +It supports any or all of zlib (deflate, gzip), zstd and brotli. + +It will compress both static and application (with some restrictions) +responses. + +If building from source, support can be enabled by specifying any or all +of + +.. code-block:: + + --zlib --zstd --brotli + +to ``./configure`` + +zlib can use either the traditional zlib library or the new +zlib-ng-compat library. + +This can then be configured via the standard Unit configuration. + +There is a new '/settings/http/compression' object that is used to +describe the compression configuration. E.g. + +.. code-block:: json + + "compression": { + "types": [ + "text/*" + ], + "compressors": [ + { + "encoding": "gzip", + "level": 3, + "min_length": 4096 + }, + { + "encoding": "deflate", + "min_length": 0 + }, + { + "encoding": "zstd", + }, + { + "encoding": "br", + "min_length": 1024 + } + ] + } + +The first item ``types`` is an array of MIME types that are considered for +compression. + +These are MIME types as recognised by Unit, you may need to add your own +via the ``/settings/http/static/mime_types`` object. + +Then we have ``compressors`` this is an array of objects describing the +compression methods to enable, if you specify a compression method here +that hasn't been built into Unit, you will get a configuration error. + +Each compression object has a *required* ``encoding`` member that defines +the compression method to enable. + +An optional ``level`` member with defines the compression level to use, +this value is specific to each compressor, if it's not specified then +the default for that compression method will be used. + +An optional ``min_length`` member that specifies the minimum amount of +data to be considered for compression. If set to 0 or not specified then +there is no minimum amount before compression may happen. + +Compression will happen for both static and application responses. + +For application responses, compressed responses will be sent chunked. +Also with application responses we will only consider compressing output +where we know the content length. + +********************** +Improved compatibility +********************** + +Unit 1.35.0 introduces support for PHP 8.5, Ruby 3.4 and Django 5.x + +Websockets with the Python Litestar framework has been fixed. Also a +long standing issue related to Firefox and websockets has also been +fixed. + +*** +njs +*** + +This version of Unit requires njs >= 0.9.0 + +******* +Changes +******* + +We now flow the correct server listen socket port number through to +applications via SERVER_PORT rather than hard coding it to 80. + +Thus the SERVER_PORT variable will now contain the port number that the +connection was accept(2)ed on. + +********** +Developers +********** + +GCC 15 introduced a new warning, *Wunterminated-string-initialization* to +catch things like + +.. code-block:: c + + static const char str[11] = "Hello World"; + +which will now produce a warning with +``-Wunterminated-string-initialization`` or ``-Wextra`` + +However there are often times when you want non-NUL terminated string +literals. E.g. + +.. code-block:: c + + static const char hex[16] = "0123456789ABCDEF"; + +which is used as a lookup table and will only ever be accessed via +individual indices 0-15. + +To accommodate such things we introduce a new macro + +.. code-block:: c + + NXT_NONSTRING + +which is an alias for + +.. code-block:: c + + __attribute__((__nonstring__)) + +which will quell the warning, e.g. + +.. code-block:: c + + static const char hex[16] NXT_NONSTRING = "0123456789ABCDEF"; + +************** +Full Changelog +************** + +.. code-block:: none + + Changes with Unit 1.35.0 03 Sep 2025 + + *) Security: fix missing websocket payload length validation in the + Java language module which could lead to Java language + module processes consuming excess CPU. (CVE-2025-1695). + + *) Change: if building with njs, version 0.9.0 or later is now + required. + + *) Feature: HTTP compression. + + *) Feature: PHP 8.5 compatibility. + + *) Feature: Ruby 3.4 compatibility. + + *) Feature: Django 5.x compatibility. + + *) Feature: Python Litestar WebSockets compatibility. + + *) Feature: GCC 15 compatibility. + + *) Bugfix: set SERVER_PORT to the actual value. + + *) Bugfix: fix issue in node.js with duplicate headers in response. + + *) Bugfix: fix WebSockets with Firefox. + + *) Bugfix: fix incorrect websocket payload length calculation in the + Java language module. + + *) Bugfix: fix instability issues due to OpenTelemetry (OTEL) + support. + + *) Bugfix: fix issues with building OpenTelemetry (OTEL) support on + various platforms, including macOS.