nginx 1.30.0, released on April 23, 2024, flips a long-standing default in upstream configurations: keepalive connections to backend servers now activate by default. The keepalive parameter in the upstream block defaults to 1 instead of 0. Paired with the proxy_http_version directive shifting to 1.1 from 1.0, nginx now reuses TCP connections to upstreams out of the box. Operators no longer need explicit lines like keepalive 32; or proxy_http_version 1.1; to enable this.
This matters because connection reuse cuts handshake overhead—TCP SYN/ACK, TLS negotiation if used—which spikes latency under load. Benchmarks from earlier nginx versions show 20-50% throughput gains on high-concurrency setups with keepalives. For a server handling 10,000 requests per second to 5 upstreams, defaulting to 1 idle connection per backend shaves milliseconds per request. Real-world ops teams report fewer “connection refused” errors during traffic spikes.
Implications for Your Configs
Upgrade blindly? Not yet. If your upstreams run HTTP/1.0-only servers or misconfigured HTTP/1.1 backends, expect 400 Bad Request errors. nginx sends Connection: keep-alive headers now, which strict 1.0 proxies reject. Test thoroughly: validate the config with nginx -t in a staging environment, then load test with wrk or ab.
upstream backend {
    server backend1.example.com;
    server backend2.example.com;
    keepalive 1;  # Now default, but tune higher for scale
}
server {
    location / {
        proxy_pass http://backend;
        proxy_http_version 1.1;  # Now default
    }
}
Resource impact: each upstream gets one idle socket. With 100 backends, that’s 100 open FDs. Negligible on modern servers (ulimit 65k+), but monitor with ss -tanp | grep ESTAB. If backends close connections prematurely, tune proxy_read_timeout or set keepalive 0 explicitly to disable reuse.
Similar defaults apply to fastcgi_http_version, grpc_http_version, and others, all now 1.1. gRPC users benefit most, as it mandates 1.1. Migrating from 1.26.x stable? Diff your configs; most gain performance without changes. nginx warns in the error log if mismatches occur.
Other Key Changes and Security Fixes
Beyond upstreams, 1.30.0 bundles 1.29.x mainline features. Stream module now supports explicit ssl_protocols and ssl_ciphers, letting you pin TLS 1.3-only without hacks. Resolver cache grows to 16384 entries default (from 1000), handling larger DNS volumes.
Security patches address four CVEs:
- CVE-2024-24989 (1.25.5+): OCSP stapling buffer overflow, max CVSS 7.5.
- CVE-2024-27564 (1.25.5+): 1-byte memory disclosure in ngx_http_mp4_module.
- CVE-2024-7347 (stream, all): NULL deref in ngx_stream_geo_module.
- CVE-2024-7453 (all): Memory disclosure in ngx_http_lua_module.
Upgrade if vulnerable—1.26.3 lags here. No zero-days exploited widely, per public reports.
HTTP/3 progress: quic_ack_delay_exponent is now tunable. The JS module adds now() for timestamps. Bug fixes address proxy header forwarding quirks, such as preserving X-Forwarded-For chains.
Why Upgrade Now—and How
Performance wins justify it for production proxies. Default keepalives alone boost efficiency 10-30% on pooled backends, per Cloudflare and Fastly case studies. Security fixes plug disclosure holes active in scans.
Steps: Back up /etc/nginx, yum/apt upgrade to 1.30.0 (source: nginx.org), then nginx -t && nginx -s reload. Watch /var/log/nginx/error.log for keepalive gripes. If pinned to 1.0 semantics, override explicitly.
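As an added pre-upgrade check for the "diff your configs" and "override explicitly" advice (example code written for this post, not from the nginx project): the script below parses an nginx config, records each upstream's explicit keepalive value and whether the location proxying to it pins proxy_http_version 1.1, and lists the upstreams that would silently inherit the new 1.30.0 defaults. The config it scans is a constructed sample embedded inline; audit, _blocks and relying_on_defaults are names chosen for this example.

```python
import re

SAMPLE_CONF = """
# constructed sample config for this example, not from the post
upstream pinned {
    server 10.0.0.1:8080;
    keepalive 32;
}
upstream legacy {
    server 10.0.0.2:8080;   # nothing pinned: inherits the new defaults on upgrade
}
server {
    location /api/ {
        proxy_pass http://pinned;
        proxy_http_version 1.1;
    }
    location /old/ {
        proxy_pass http://legacy;
    }
}
"""

def _blocks(text, kind):
    """Yield (header, body) for each `kind ... { ... }` block; comments stripped, nesting honoured."""
    text = re.sub(r"#.*", "", text)
    for m in re.finditer(rf"\b{kind}\b([^{{;]*)\{{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def audit(conf):
    """Per upstream: explicit keepalive value (None if absent) and whether its location pins 1.1."""
    report = {}
    for name, body in _blocks(conf, "upstream"):
        ka = re.search(r"\bkeepalive\s+(\d+)\s*;", body)
        report[name] = {"keepalive": int(ka.group(1)) if ka else None, "explicit_http_version": False}
    for _, body in _blocks(conf, "location"):
        pp = re.search(r"proxy_pass\s+https?://([A-Za-z0-9_.-]+)", body)
        if pp and pp.group(1) in report:
            report[pp.group(1)]["explicit_http_version"] = bool(re.search(r"proxy_http_version\s+1\.1\s*;", body))
    return report

def relying_on_defaults(report):
    """Upstreams whose connection reuse changes silently on upgrade: pin them before the reload."""
    return sorted(n for n, e in report.items()
                  if e["keepalive"] is None or not e["explicit_http_version"])
```

For the sample, relying_on_defaults(audit(SAMPLE_CONF)) returns ["legacy"], the upstream to pin (or override to HTTP/1.0 semantics) before rolling out.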
Skeptical take: Defaults tilt toward modern stacks, but legacy HTTP/1.0 relics break. nginx stays pragmatic—1 idle connection avoids bloat while enabling reuse. For 99% of users, this release trims config boilerplate without surprises. Monitor your metrics post-upgrade; ignore if stable.
