F5 NGINX Plus R34 Release Now Available

We’re excited to announce the availability of F5 NGINX Plus Release 34 (R34). Based on NGINX Open Source, NGINX Plus is the only all-in-one software web server, load balancer, reverse proxy, content cache, and API gateway.

New and enhanced features in NGINX Plus R34 include:

Forward proxy support for NGINX usage reporting: With R34, NGINX Plus allows NGINX customers to send their license usage telemetry to F5 via an existing enterprise forward proxy in their environment.

Native support for OpenID Connect configuration: With this release, we would like to announce the availability of native OpenID Connect (OIDC) module in NGINX Plus.  The native module brings simplified configuration and better performance while addressing many of the complexities with the existing njs-based solution. 

SSL Dynamic Certificate Caching: NGINX Plus R34 builds upon the certificate caching improvements in R32 and introduces support for caching of dynamic certificates and preserving this cache across configuration reloads.

 

Important Changes In Behavior

Removal of OpenTracing Module: In NGINX Plus R32, we announced deprecation of the OpenTracing module in favor of OpenTelemetry module introduced in NGINX Plus R29. , and was marked to be removed with NGINX Plus R34. The OpenTracing is now being removed from NGINX Plus effective this release.

 

Changes to Platform Support

Added Platforms:

• Alpine Linux 3.21

Removed Platforms:

• Alpine Linux 3.17
• SLES12

Deprecated Platforms:

• Alpine Linux 3.18
• Ubuntu 20.04

 

New Features in Detail

 

Forward proxy support for NGINX usage reporting

 

In the previous NGINX Plus release (NGINX Plus R33), we introduced major changes to NGINX Plus licensing requiring all NGINX customers to report their commercial NGINX usage to F5. One of the prime feedback we received for this feature was the need to enable NGINX instances to send telemetry via existing outbound proxies, primarily for environments where NGINX instances cannot connect to the F5 licensing endpoint directly.  

We are pleased to note that NGINX Plus R34 introduces support for using existing forward proxy solutions in customers environment for sending licensing telemetry to F5. With this update, NGINX Plus can now be configured to use the HTTP CONNECT proxy to establish a tunnel to the F5 licensing endpoint to send the usage telemetry.

Configuration

The following snippet shows the basic NGINX configuration needed in the ngx_mgmt_module module for sending NGINX usage telemetry via a forward proxy solution.  

mgmt {
    proxy HOST:PORT;
    proxy_username USER;    #optional
    proxy_password PASS;    #optional
}

 

For complete details, refer the docs here.

 

Native support for OpenID Connect configuration

Currently, NGINX Plus relies on a njs-based solution for OpenID Connect (OIDC) implementation that involves intricate JavaScript files and advanced setup steps, which are error-prone. With NGINX Plus R34, we're thrilled to introduce native OIDC support in NGINX Plus. This native implementation eliminates many of the complexities of the njs-based approach, making it faster, highly efficient, and incredibly easy to configure, with no burdensome overheads of maintaining and upgrading the njs module. 

To this effect, a new module ngx_http_oidc_module is introduced in NGINX Plus R34 that implements authentication as a relying party in OIDC using the Authorization Code Flow. The native implementation allows the flexibility to enable OIDC authentication globally, or at a more granular, per-server or a per-location level. It also allows effortless auto-discovery and retrieval of the OpenID providers' configuration metadata without needing complex external scripts for each Identity Provider (IdP), greatly simplifying the configuration process. For a complete overview and examples of the features in the native implementation of OIDC in NGINX Plus and how it improves upon the njs based implementation, refer the blog.  

 

Configuration

The configuration to setup OIDC natively in NGINX Plus is relatively straightforward requiring minimal directives when compared to the njs based implementation.

http { 
    resolver 10.0.0.1; 
 
    oidc_provider my_idp { 
        issuer        "https://provider.domain"; 
        client_id     "unique_id"; 
        client_secret "unique_secret"; 
    } 
 
    server { 
        location / { 
            auth_oidc my_idp; 
 
            proxy_set_header username $oidc_claim_sub; 
            proxy_pass       http://backend; 
        } 
    } 
} 

 

The example assumes that the “https://<nginx-host>/oidc_callback” redirection URI is configured on the OpenID Provider's side. 

For instructions on how to configure the native OIDC module for various identity providers, refer the NGINX deployment guide.  

 

SSL Certificate Caching improvements 

In NGINX Plus R32, we introduced changes to cache various SSL objects and reuse the cached objects elsewhere in the configuration. This provided noticeable improvements in the initial configuration load time primarily where a small number of unique objects were being referenced multiple times. 

With R34, we are adding further enhancements to this functionality where cached SSL objects are reused across configuration reloads, making the reloads even faster. Also, SSL certificates with variables are now cached as well. Refer the blog for a detailed overview of this feature implementation. 

 

Other Enhancements and Bug Fixes

 

Keepalive timeout improvements

Prior to this release, idle keepalive connections could be closed any time the connection needed to be reused for another client or when the worker was gracefully shutting down.  

With NGINX Plus R34, a new directive keepalive_min_timeout is being introduced. This directive sets a timeout during which a keepalive connection will not be closed by NGINX for connection reuse or graceful worker shutdown. The change allows clients that send multiple requests over the same connection without delay or with a small delay between them, to avoid receiving a TCP RST in response to one of them, if not for network reasons or non-graceful worker shutdown.  

As a side-effect, it also addresses the TCP reset problem described in RFC 9112, Section 9.6, when the last sent HTTP response could be damaged by a followup TCP RST. It is important for non-idempotent requests, which cannot be retried by client.  

It is however recommended to not set keepalive_min_timeout to large values as this can introduce an additional delay during worker process shutdown and may restrict NGINX from effective connection reuse. 

 

Improved health check logging

NGINX Plus R34 adds logging enhancements in the error log for better visibility while troubleshooting upstream health check failures. The server status code is now logged on health check failures.

 

Increased session key size

Prior to R34, NGINX accepted an SSL session with maximum 4k(4096) bytes. With NGINX Plus R34, the maximum session size has been increased to 8k(8192) bytes to accommodate use cases where the sessions could be larger than 4k bytes. For ex. in cases where a client certificate is saved in the session, with tickets (in TLS v1.2 or older versions), or with stateless tickets (in TLS v1.3) the sessions maybe of noticeably large size. Certain stateless session resumption implementations may store additional data as well. One such case is with JDK, which is known to include server certificates in the session ticket data which roughly doubles the decoded session size.

The changes also include improved logging to capture cases when sessions are not saved in shared memory due to size.

 

Changes in the Open Telemetry Module

TLS support in OTEL traces: 

NGINX now allows enabling TLS for sending OTEL traces. It can be enabled by specifying "https" scheme in the endpoint as shown.

otel_exporter { endpoint "https://otel.labt.fp.f5net.com:4433"; trusted_certificate “path/to/custom/ca/bundle“; # optional }

 

By default, system CA bundle is used to verify endpoint's certificate which can be overridden with "trusted_certificate" directive if required.

For a complete list of changes to the OTEL module, refer the NGINX OTEL change log. 

  

Changes Inherited from NGINX Open Source

NGINX Plus R34 is based on  NGINX mainline release and inherits all functional changes, features, and bug fixes made since NGINX Plus R33 was released (in NGINX Open source 1.27.3 and 1.27.4 mainline versions)

Features:

• SSL Certificate Caching
• "keepalive_min_timeout" directive
• The "server" directive in the "upstream" block supports the "resolve" parameter.
• The "resolver" and "resolver_timeout" directives in the "upstream" block.
• SmarterMail specific mode support for IMAP LOGIN with untagged CAPABILITY response in the mail proxy module.

Changes:

• Now TLSv1 and TLSv1.1 protocols are disabled by default.
• An IPv6 address in square brackets and no port can be specified in the "proxy_bind", "fastcgi_bind", "grpc_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as client address in ngx_http_realip_module.

Bug Fixes:

• gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng.
• nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used.
• QUIC connection might not be established when using 0-RTT; the bug had appeared in 1.27.1.
• NGINX now ignores QUIC version negotiation packets from clients.
• NGINX could not be built on Solaris 10 and earlier with the ngx_http_v3_module.
• Bugfixes in HTTP/3.
• Bugfixes in the ngx_http_mp4_module.
• The "so_keepalive" parameter of the "listen" directive might be handled incorrectly on DragonFly BSD.
• Bugfix in the proxy_store directive.

Security:

• Insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419).

 

For the full list of new changes, features, bug fixes, and workarounds inherited from recent releases, see the NGINX changes .

 

Changes to the NGINX Javascript Module

NGINX Plus R34 incorporates changes from the NGINX JavaScript (njs) module version 0.8.9. The following is a list of notable changes in njs since 0.8.7 (which was the version shipped with NGINX Plus R33).

Features:

• Added fs module for QuickJS engine.
• Implemented process object for the QuickJS engine.
• Implemented the process.kill() method.

Bug Fixes:

• Removed extra VM creation per server. Previously, when js_import was declared in http or stream blocks, an extra copy of the VM instance was created for each server block. This was not needed and consumed a lot of memory for configurations with many server blocks. This issue was introduced in 9b674412 (0.8.6) and was partially fixed for location blocks only in 685b64f0 (0.8.7).
• Fixed XML tests with libxml2 2.13 and later.
• Fixed promise resolving when Promise is inherited.
• Fixed absolute scope in cloned VMs.
• Fixed limit rated output.
• Optimized use of SSL contexts for the js_fetch_trusted_certificate directive.

 

For a comprehensive list of all the features, changes, and bug fixes, see the njs Changelog.