Custom Query (2297 matches)

Hi,

[Neverbleed](​https://github.com/h2o/neverbleed) is a privilege separation engine for OpenSSL / LibreSSL that runs RSA private key operations in an isolated process, thereby minimizing the risk of private key leak in case of vulnerability such as Heartbleed.

Please support it to increase the security of Nginx.

Thanks in advance,

see ​https://github.com/openssl/openssl/issues/9690

Starting with OpenSSL 1.1.1 with TLS 1.3 support there was a new ciphersuites option introduced - see ​https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html . Now there are two options - cipher list for TLS 1.2 and below and cipher suites for TLS 1.3.

This new cipher suites option needs to be supported by nginx, i.e. new option has to be introduced.

gRPC has multiple options for keepalive, which are especially relevant for streaming messages:

​https://github.com/grpc/grpc/blob/master/doc/keepalive.md

With these you are able to track disappearing clients and narrow connection latency. gRPC uses HTTP/2 ping messages for keepalives. When proxying through nginx, nginx does not passthrough ping messages to the client.

When using nginx with gRPC you currently have to implement a form of keepalive yourself. Send and receive timeouts from nginx are not helpful, as we use gRPC with long-lived streaming connections.

Possible solutions:

• Add an option to passthrough HTTP/2 ping messages to the gRPC backend: grpc_ping_passthrough yes/no.
• Add ability to send keepalive pings from nginx. In this case nginx would need additional options and nginx would have to terminate the connection if there is no response to the ping messages, similar to what gRPC does.