xref: /unit/CHANGES (revision 1891:5ae5e6619af9)

Changes with Unit 1.24.0                                         27 May 2021

    *) Change: PHP added to the default MIME type list.

    *) Feature: arbitrary configuration of TLS connections via OpenSSL
       commands.

    *) Feature: the ability to limit static file serving by MIME types.

    *) Feature: support for chrooting, rejecting symlinks, and rejecting
       mount point traversal on a per-request basis when serving static
       files.

    *) Feature: a loader for automatically overriding the "http" and
       "websocket" modules in Node.js.

    *) Feature: multiple "targets" in Python applications.

    *) Feature: compatibility with Ruby 3.0.

    *) Bugfix: the router process could crash while closing a TLS
       connection.

    *) Bugfix: a segmentation fault might have occurred in the PHP module if
       fastcgi_finish_request() was used with the "auto_globals_jit" option
       enabled.


Changes with Unit 1.23.0                                         25 Mar 2021

    *) Feature: support for multiple certificate bundles on a listener via
       the Server Name Indication (SNI) TLS extension.

    *) Feature: "--mandir" ./configure option to specify the directory for
       man page installation.

    *) Bugfix: the router process could crash on premature TLS connection
       close; the bug had appeared in 1.17.0.

    *) Bugfix: a connection leak occurred on premature TLS connection close;
       the bug had appeared in 1.6.

    *) Bugfix: a descriptor and memory leak occurred in the router process
       when processing small WebSocket frames from a client; the bug had
       appeared in 1.19.0.

    *) Bugfix: a descriptor leak occurred in the router process when
       removing or reconfiguring an application; the bug had appeared in
       1.19.0.

    *) Bugfix: persistent storage of certificates might not have worked
       with some filesystems in Linux, and all uploaded certificate bundles
       were forgotten after restart.

    *) Bugfix: the controller process could crash while requesting
       information about a certificate with a non-DNS SAN entry.

    *) Bugfix: the controller process could crash on manipulations with a
       certificate containing a SAN and no standard name attributes in
       subject or issuer.

    *) Bugfix: the Ruby module didn't respect the user locale for defaults
       in the Encoding class.

    *) Bugfix: the PHP 5 module failed to build with thread safety enabled;
       the bug had appeared in 1.22.0.


Changes with Unit 1.22.0                                         04 Feb 2021

    *) Feature: the ServerRequest and ServerResponse objects of Node.js
       module are now compliant with Stream API.

    *) Feature: support for specifying multiple directories in the "path"
       option of Python apps.

    *) Bugfix: a memory leak occurred in the router process when serving
       files larger than 128K; the bug had appeared in 1.13.0.

    *) Bugfix: apps could stop processing new requests under high load; the
       bug had appeared in 1.19.0.

    *) Bugfix: app processes could terminate unexpectedly under high load;
       the bug had appeared in 1.19.0.

    *) Bugfix: invalid HTTP responses were generated for some unusual status
       codes.

    *) Bugfix: the PHP_AUTH_USER, PHP_AUTH_PW, and PHP_AUTH_DIGEST server
       variables were missing in the PHP module.

    *) Bugfix: the router process could crash with multithreaded apps under
       high load.

    *) Bugfix: Ruby apps with multithreading configured could crash on start
       under load.

    *) Bugfix: mount points weren't unmounted when the "mount" namespace
       isolation was used; the bug had appeared in 1.21.0.

    *) Bugfix: the router process could crash while removing or
       reconfiguring an app that used WebSocket.

    *) Bugfix: a memory leak occurred in the router process when removing
       or reconfiguring an application; the bug had appeared in 1.19.0.


Changes with Unit 1.21.0                                         19 Nov 2020

    *) Change: procfs is mounted by default for all languages when "rootfs"
       isolation is used.

    *) Change: any characters valid according to RFC 7230 are now allowed in
       HTTP header field names.

    *) Change: HTTP header fields with underscores ("_") are now discarded
       from requests by default.

    *) Feature: optional multithreaded request processing for Java, Python,
       Perl, and Ruby apps.

    *) Feature: regular expressions in route matching patterns.

    *) Feature: compatibility with Python 3.9.

    *) Feature: the Python module now supports ASGI 2.0 legacy applications.

    *) Feature: the "protocol" option in Python applications aids choice
       between ASGI and WSGI.

    *) Feature: the fastcgi_finish_request() PHP function that finalizes
       request processing and continues code execution without holding onto
       the client connection.

    *) Feature: the "discard_unsafe_fields" HTTP option that enables
       discarding request header fields with irregular (but still valid)
       characters in the field name.

    *) Feature: the "procfs" and "tmpfs" automount isolation options to
       disable automatic mounting of eponymous filesystems.

    *) Bugfix: the router process could crash when running Go applications
       under high load; the bug had appeared in 1.19.0.

    *) Bugfix: some language dependencies could remain mounted after using
       "rootfs" isolation.

    *) Bugfix: various compatibility issues in Java applications.

    *) Bugfix: the Java module built with the musl C library couldn't run
       applications that use "rootfs" isolation.


Changes with Unit 1.20.0                                         08 Oct 2020

    *) Change: the PHP module is now initialized before chrooting; this
       enables loading all extensions from the host system.

    *) Change: AVIF and APNG image formats added to the default MIME type
       list.

    *) Change: functional tests migrated to the pytest framework.

    *) Feature: the Python module now fully supports applications that use
       the ASGI 3.0 server interface.

    *) Feature: the Python module now has a built-in WebSocket server
       implementation for applications, compatible with the HTTP & WebSocket
       ASGI Message Format 2.1 specification.

    *) Feature: automatic mounting of an isolated "/tmp" file system into
       chrooted application environments.

    *) Feature: the $host variable contains a normalized "Host" request
       value.

    *) Feature: the "callable" option sets Python application callable
       names.

    *) Feature: compatibility with PHP 8 RC 1. Thanks to Remi Collet.

    *) Feature: the "automount" option in the "isolation" object allows
       turning off the automatic mounting of language module dependencies.

    *) Bugfix: "pass"-ing requests to upstreams from a route was broken; the
       bug had appeared in 1.19.0. Thanks to 洪志道 (Hong Zhi Dao) for
       discovering and fixing it.

    *) Bugfix: the router process could crash during reconfiguration.

    *) Bugfix: a memory leak occurred in the router process; the bug had
       appeared in 1.18.0.

    *) Bugfix: the "!" (non-empty) pattern was matched incorrectly; the bug
       had appeared in 1.19.0.

    *) Bugfix: fixed building on platforms without sendfile() support,
       notably NetBSD; the bug had appeared in 1.16.0.


Changes with Unit 1.19.0                                         13 Aug 2020

    *) Feature: reworked IPC between the router process and the applications
       to lower latencies, increase performance, and improve scalability.

    *) Feature: support for an arbitrary number of wildcards in route
       matching patterns.

    *) Feature: chunked transfer encoding in proxy responses.

    *) Feature: basic variables support in the "pass" option.

    *) Feature: compatibility with PHP 8 Beta 1. Thanks to Remi Collet.

    *) Bugfix: the router process could crash while passing requests to an
       application under high load.

    *) Bugfix: a number of language modules failed to build on some systems;
       the bug had appeared in 1.18.0.

    *) Bugfix: time in error log messages from PHP applications could lag.

    *) Bugfix: reconfiguration requests could hang if an application had
       failed to start; the bug had appeared in 1.18.0.

    *) Bugfix: memory leak during reconfiguration.

    *) Bugfix: the daemon didn't start without language modules; the bug had
       appeared in 1.18.0.

    *) Bugfix: the router process could crash at exit.

    *) Bugfix: Node.js applications could crash at exit.

    *) Bugfix: the Ruby module could be linked against a wrong library
       version.


Changes with Unit 1.18.0                                         28 May 2020

    *) Feature: the "rootfs" isolation option for changing root filesystem
       for an application.

    *) Feature: multiple "targets" in PHP applications.

    *) Feature: support for percent-encoding in the "uri" and "arguments"
       matching options and in the "pass" option.


Changes with Unit 1.17.0                                         16 Apr 2020

    *) Feature: a "return" action with optional "location" for immediate
       responses and external redirection.

    *) Feature: fractional weights support for upstream servers.

    *) Bugfix: accidental 502 "Bad Gateway" errors might have occurred in
       applications under high load.

    *) Bugfix: memory leak in the router; the bug had appeared in 1.13.0.

    *) Bugfix: segmentation fault might have occurred in the router process
       when reaching open connections limit.

    *) Bugfix: "close() failed (9: Bad file descriptor)" alerts might have
       appeared in the log while processing large request bodies; the bug
       had appeared in 1.16.0.

    *) Bugfix: existing application processes didn't reopen the log file.

    *) Bugfix: incompatibility with some Node.js applications.

    *) Bugfix: broken build on DragonFly BSD; the bug had appeared in
       1.16.0.


Changes with Unit 1.16.0                                         12 Mar 2020

    *) Feature: basic load-balancing support with round-robin.

    *) Feature: a "fallback" option that performs an alternative action if a
       request can't be served from the "share" directory.

    *) Feature: reduced memory consumption by dumping large request bodies
       to disk.

    *) Feature: stripping UTF-8 BOM and JavaScript-style comments from
       uploaded JSON.

    *) Bugfix: negative address matching in router might work improperly in
       combination with non-negative patterns.

    *) Bugfix: Java Spring applications failed to run; the bug had appeared
       in 1.10.0.

    *) Bugfix: PHP 7.4 was broken if it was built with thread safety
       enabled.

    *) Bugfix: compatibility issues with some Python applications.


Changes with Unit 1.15.0                                         06 Feb 2020

    *) Change: extensions of dynamically requested PHP scripts were
       restricted to ".php".

    *) Feature: compatibility with Ruby 2.7.

    *) Bugfix: segmentation fault might have occurred in the router process
       with multiple application processes under load; the bug had appeared
       in 1.14.0.

    *) Bugfix: receiving request body over TLS connection might have
       stalled.


Changes with Unit 1.14.0                                         26 Dec 2019

    *) Change: the Go package import name changed to "unit.nginx.org/go".

    *) Change: Go package now links to libunit instead of including library
       sources.

    *) Feature: ability to change user and group for isolated applications
       when Unit daemon runs as an unprivileged user.

    *) Feature: request routing by source and destination addresses and
       ports.

    *) Bugfix: memory bloat on large responses.


Changes with Unit 1.13.0                                         14 Nov 2019

    *) Feature: basic support for HTTP reverse proxying.

    *) Feature: compatibility with Python 3.8.

    *) Bugfix: memory leak in Python application processes when the close
       handler was used.

    *) Bugfix: threads in Python applications might not work correctly.

    *) Bugfix: Ruby on Rails applications might not work on Ruby 2.6.

    *) Bugfix: backtraces for uncaught exceptions in Python 3 might be
       logged with significant delays.

    *) Bugfix: explicitly setting a namespace isolation option to false
       might have enabled it.


Changes with Unit 1.12.0                                         03 Oct 2019

    *) Feature: compatibility with PHP 7.4.

    *) Bugfix: descriptors leak on process creation; the bug had appeared in
       1.11.0.

    *) Bugfix: TLS connection might be closed prematurely while sending
       response.

    *) Bugfix: segmentation fault might have occurred if an irregular file
       was requested.


Changes with Unit 1.11.0                                         19 Sep 2019

    *) Feature: basic support for serving static files.

    *) Feature: isolation of application processes with Linux namespaces.

    *) Feature: built-in WebSocket server implementation for Java Servlet
       Containers.

    *) Feature: direct addressing of API configuration options containing
       slashes "/" using URI encoding (%2F).

    *) Bugfix: segmentation fault might have occurred in Go applications
       under high load.

    *) Bugfix: WebSocket support was broken if Unit was built with some
       linkers other than GNU ld (e.g. gold or LLD).


Changes with Unit 1.10.0                                         22 Aug 2019

    *) Change: matching of cookies in routes made case sensitive.

    *) Change: decreased log level of common errors when clients close
       connections.

    *) Change: removed the Perl module's "--include=" ./configure option.

    *) Feature: built-in WebSocket server implementation for Node.js module.

    *) Feature: splitting PATH_INFO from request URI in PHP module.

    *) Feature: request routing by scheme (HTTP or HTTPS).

    *) Feature: support for multipart request bodies in Java module.

    *) Feature: improved API compatibility with Node.js 11.10 or later.

    *) Bugfix: reconfiguration failed if "listeners" or "applications"
       objects were missing.

    *) Bugfix: applying a large configuration might have failed.


Changes with Unit 1.9.0                                          30 May 2019

    *) Feature: request routing by arguments, headers, and cookies.

    *) Feature: route matching patterns allow a wildcard in the middle.

    *) Feature: POST operation for appending elements to arrays in
       configuration.

    *) Feature: support for changing credentials using CAP_SETUID and
       CAP_SETGID capabilities on Linux without running main process as
       privileged user.

    *) Bugfix: memory leak in the router process might have happened when a
       client prematurely closed the connection.

    *) Bugfix: applying a large configuration might have failed.

    *) Bugfix: PUT and DELETE operations on array elements in configuration
       did not work.

    *) Bugfix: request schema in applications did not reflect TLS
       connections.

    *) Bugfix: restored compatibility with Node.js applications that use
       ServerResponse._implicitHeader() function; the bug had appeared in
       1.7.

    *) Bugfix: various compatibility issues with Node.js applications.


Changes with Unit 1.8.0                                          01 Mar 2019

    *) Change: now three numbers are always used for versioning: major,
       minor, and patch versions.

    *) Change: now QUERY_STRING is always defined even if the request does
       not include the query component.

    *) Feature: basic internal request routing by Host, URI, and method.

    *) Feature: experimental support for Java Servlet Containers.

    *) Bugfix: segmentation fault might have occurred in the router process.

    *) Bugfix: various potential memory leaks.

    *) Bugfix: TLS connections might have stalled.

    *) Bugfix: some Perl applications might have failed to send the response
       body.

    *) Bugfix: some compilers with specific flags might have produced
       non-functioning builds; the bug had appeared in 1.5.

    *) Bugfix: Node.js package had wrong version number when installed from
       sources.


Changes with Unit 1.7.1                                          07 Feb 2019

    *) Security: a heap memory buffer overflow might have been caused in the
       router process by a specially crafted request, potentially resulting
       in a segmentation fault or other unspecified behavior
       (CVE-2019-7401).

    *) Bugfix: install of Go module failed without prior building of Unit
       daemon; the bug had appeared in 1.7.


Changes with Unit 1.7                                            20 Dec 2018

    *) Change: now rpath is set in Ruby module only if the library was not
       found in default search paths; this allows meeting packaging
       restrictions on some systems.

    *) Bugfix: "disable_functions" and "disable_classes" PHP options set via
       Control API did not work.

    *) Bugfix: Promises on request data in Node.js were not triggered.

    *) Bugfix: various compatibility issues with Node.js applications.

    *) Bugfix: a segmentation fault occurred in Node.js module if
       application tried to read request body after request.end() was
       called.

    *) Bugfix: a segmentation fault occurred in Node.js module if
       application attempted to send header twice.

    *) Bugfix: names of response header fields in Node.js module were
       erroneously treated as case-sensitive.

    *) Bugfix: uncaught exceptions in Node.js were not logged.

    *) Bugfix: global install of Node.js module from sources was broken on
       some systems; the bug had appeared in 1.6.

    *) Bugfix: traceback for exceptions during initialization of Python
       applications might not be logged.

    *) Bugfix: PHP module build failed if PHP interpreter was built with
       thread safety enabled.


Changes with Unit 1.6                                            15 Nov 2018

    *) Change: "make install" now installs Node.js module as well if it was
       configured.

    *) Feature: "--local" ./configure option to install Node.js module
       locally.

    *) Bugfix: Node.js module might have crashed due to broken reference
       counting.

    *) Bugfix: asynchronous operations in Node.js might not have worked.

    *) Bugfix: various compatibility issues with Node.js applications.

    *) Bugfix: "freed pointer is out of pool" alerts might have appeared in
       log.

    *) Bugfix: module discovery did not work on 64-bit big-endian systems
       like IBM/S390x.


Changes with Unit 1.5                                            25 Oct 2018

    *) Change: the "type" of application object for Go was changed to
       "external".

    *) Feature: initial version of Node.js package with basic HTTP
       request-response support.

    *) Feature: compatibility with LibreSSL.

    *) Feature: --libdir and --incdir ./configure options to install libunit
       headers and static library.

    *) Bugfix: connection might be closed prematurely while sending
       response; the bug had appeared in 1.3.

    *) Bugfix: application processes might have stopped handling requests,
       producing "last message send failed: Resource temporarily
       unavailable" alerts in log; the bug had appeared in 1.4.

    *) Bugfix: Go applications did not work when Unit was built with musl C
       library.


Changes with Unit 1.4                                            20 Sep 2018

    *) Change: the control API maps the configuration object only at
       "/config/".

    *) Feature: TLS support for client connections.

    *) Feature: TLS certificates storage control API.

    *) Feature: Unit library (libunit) to streamline language module
       integration.

    *) Feature: "408 Request Timeout" responses while closing HTTP
       keep-alive connections.

    *) Feature: improvements in OpenBSD support. Thanks to David Carlier.

    *) Bugfix: a segmentation fault might have occurred after
       reconfiguration.

    *) Bugfix: building on systems with non-default locale might be broken.

    *) Bugfix: "header_read_timeout" might not work properly.

    *) Bugfix: header field values with non-ASCII bytes might be handled
       incorrectly in Python 3 module.


Changes with Unit 1.3                                            13 Jul 2018

    *) Change: UTF-8 characters are now allowed in request header field
       values.

    *) Feature: configuration of the request body size limit.

    *) Feature: configuration of various HTTP connection timeouts.

    *) Feature: Ruby module now automatically uses Bundler where possible.

    *) Feature: http.Flusher interface in Go module.

    *) Bugfix: various issues in HTTP connection error handling.

    *) Bugfix: requests with body data might be handled incorrectly in PHP
       module.

    *) Bugfix: individual PHP configuration options specified via control
       API were reset to previous values after the first request in
       application process.


Changes with Unit 1.2                                            07 Jun 2018

    *) Feature: configuration of environment variables for application
       processes.

    *) Feature: customization of php.ini path.

    *) Feature: setting of individual PHP configuration options.

    *) Feature: configuration of execution arguments for Go applications.

    *) Bugfix: keep-alive connections might hang after reconfiguration.


Changes with Unit 1.1                                            26 Apr 2018

    *) Bugfix: Python applications that use the write() callable did not
       work.

    *) Bugfix: virtual environments created with Python 3.3 or above might
       not have worked.

    *) Bugfix: the request.Read() function in Go applications did not
       produce EOF when the whole body was read.

    *) Bugfix: a segmentation fault might have occurred while reopening the
       access log.

    *) Bugfix: in parsing of IPv6 control socket addresses.

    *) Bugfix: loading of application modules was broken on OpenBSD.

    *) Bugfix: a segmentation fault might have occurred when there were two
       modules with the same type and version; the bug had appeared in 1.0.

    *) Bugfix: alerts "freed pointer points to non-freeble page" might have
       appeared in log on 32-bit platforms.


Changes with Unit 1.0                                            12 Apr 2018

    *) Change: configuration object moved into "/config/" path.

    *) Feature: basic access logging.

    *) Bugfix: 503 error occurred if Go application did not write response
       header or body.

    *) Bugfix: Ruby applications that use encoding conversions might not
       have worked.

    *) Bugfix: various stability issues.


Changes with Unit 0.7                                            22 Mar 2018

    *) Feature: Ruby application module.

    *) Bugfix: in discovering modules.

    *) Bugfix: various race conditions on reconfiguration and during
       shutting down.

    *) Bugfix: tabs and trailing spaces were not allowed in header field
       values.

    *) Bugfix: a segmentation fault occurred in Python module if
       start_response() was called outside of WSGI callable.

    *) Bugfix: a segmentation fault might have occurred in PHP module if
       there was an error during initialization.


Changes with Unit 0.6                                            09 Feb 2018

    *) Bugfix: the main process died when the "type" application option
       contained version; the bug had appeared in 0.5.


Changes with Unit 0.5                                            08 Feb 2018

    *) Change: the "workers" application option was removed, the "processes"
       application option should be used instead.

    *) Feature: the "processes" application option with prefork and dynamic
       process management support.

    *) Feature: Perl application module.

    *) Bugfix: in reading client request body; the bug had appeared in 0.3.

    *) Bugfix: some Python applications might not have worked due to missing
       "wsgi.errors" environ variable.

    *) Bugfix: HTTP chunked responses might be encoded incorrectly on 32-bit
       platforms.

    *) Bugfix: infinite looping in HTTP parser.

    *) Bugfix: segmentation fault in router.


Changes with Unit 0.4                                            15 Jan 2018

    *) Feature: compatibility with DragonFly BSD.

    *) Feature: "configure php --lib-static" option.

    *) Bugfix: HTTP request body was not passed to application; the bug had
       appeared in 0.3.

    *) Bugfix: HTTP large header buffers allocation and deallocation fixed;
       the bug had appeared in 0.3.

    *) Bugfix: some PHP applications might not have worked with relative
       "root" path.


Changes with Unit 0.3                                            28 Dec 2017

    *) Change: the Go package name changed to "nginx/unit".

    *) Change: in the "limits.timeout" application option: application start
       time and time in queue now are not accounted.

    *) Feature: the "limits.requests" application option.

    *) Feature: application request processing latency optimization.

    *) Feature: HTTP keep-alive connections support.

    *) Feature: the "home" Python virtual environment configuration option.

    *) Feature: Python atexit hook support.

    *) Feature: various Go package improvements.

    *) Bugfix: various crashes fixed.


Changes with Unit 0.2                                            19 Oct 2017

    *) Feature: configuration persistence.

    *) Feature: improved handling of configuration errors.

    *) Feature: application "timeout" property.

    *) Bugfix: POST requests for PHP were handled incorrectly.

    *) Bugfix: the router exited abnormally if all listeners had been
       deleted.

    *) Bugfix: the router crashed under load.

    *) Bugfix: memory leak in the router.


Changes with Unit 0.1                                            06 Sep 2017

    *) First public release.