okman
Newbie

Regarding Nginx 1.28 and 1.29, I need to explain something.

1.28 is a stable release, and initially, wnmp.org only integrated 1.28. However, stable releases are not the mainline version; 1.29 is the mainline version. This means the official version primarily receiving updates is 1.29, while stable releases only fix bugs.

SSL upstream injection
Severity: medium
Advisory: CVE-2026-1642
Not vulnerable: 1.29.5+, 1.28.2+
Vulnerable: 1.3.0-1.29.4

This is the latest official advisory regarding a medium-severity SSL vulnerability. Only versions 1.29.5 and 1.28.2 are unaffected. Since the script previously integrated version 1.28.1, an update is required. Note: Critical vulnerabilities require immediate updates. Moderate-level vulnerabilities should be updated as a matter of principle, while low-level vulnerabilities are optional updates. To ensure server security, please update promptly.
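A small inventory check, added here and not part of the original post or of nginx itself, that applies the quoted advisory's version data to the output of `nginx -v`. It handles the branch logic the post relies on: a stable release such as 1.28.2 is clean even though it is numerically below 1.29.4, because the fix was backported to its own branch. The version strings in the block are constructed samples.

```python
import re

# Version data taken from the advisory quoted above (CVE-2026-1642).
VULNERABLE_RANGE = ("1.3.0", "1.29.4")      # "Vulnerable: 1.3.0-1.29.4"
FIXED_FLOORS = ("1.29.5", "1.28.2")         # "Not vulnerable: 1.29.5+, 1.28.2+"


def parse_version(text):
    """Extract an nginx version tuple from text such as
    'nginx version: nginx/1.28.1' (the format printed by `nginx -v`)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no nginx version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text, vulnerable_range=VULNERABLE_RANGE,
                fixed_floors=FIXED_FLOORS):
    """Return True when the installed version falls inside the advisory's
    vulnerable range and is below the fixed release of its own branch.

    A fixed floor applies only to versions sharing its major.minor branch,
    so 1.28.2 is not affected while 1.28.1 is, and a branch with no fixed
    release listed (for example 1.27.x) stays affected.
    """
    v = parse_version(version_text)
    lo, hi = (parse_version(x) for x in vulnerable_range)
    if not (lo <= v <= hi):
        return False
    for floor_text in fixed_floors:
        floor = parse_version(floor_text)
        if v[:2] == floor[:2] and v >= floor:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample outputs, as `nginx -v` prints them on stderr.
    samples = [
        "nginx version: nginx/1.28.1",   # the version the script shipped before
        "nginx version: nginx/1.28.2",   # backported fix on the stable branch
        "nginx version: nginx/1.29.4",
        "nginx version: nginx/1.29.5",
    ]
    for s in samples:
        state = "AFFECTED, update" if is_affected(s) else "not affected"
        print(f"{s}: {state}")
```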


Version 1.29 supports the HTTP/3 protocol, exclusive to the mainline version. HTTP/3 uses UDP instead of TCP, optimizing the initial client-server connection. Of course, HTTP/2 in 1.28 is already quite fast, but its TCP-based nature necessitates the three-way handshake, which is unavoidable. HTTP/3 in 1.29, however, uses the UDP protocol, which inherently eliminates handshake requirements. Yet, since it provides TCP-like functionality—including certificate encryption—it has undoubtedly been optimized and enhanced. You simply need to update immediately to benefit from HTTP/3 being faster than HTTP/2.


A critical point to note: When Nginx acts as an internal proxy for forwarding traffic within a network—typically as a reverse proxy or load balancer—version 1.28 only supports the http:// protocol. This is plaintext communication. Even for internal proxies, to ensure security, version 1.29 now supports https://. This is designed for users with heightened security requirements.


But that's not the main point. The key feature is this: https://blog.nginx.org/blog/nginx-open-source-1-29-3-and-1-29-4

Translated: Encrypted Client Hello (ECH) Support


NGINX 1.29.4 adds support for Encrypted Client Hello (ECH). ECH is a TLS 1.3 extension that encrypts the Server Name Indication (SNI) field during the TLS handshake. Without ECH, the SNI is sent in plaintext, potentially revealing the website a user is connecting to even if the rest of the connection is encrypted. ECH addresses this privacy vulnerability by encrypting the entire ClientHello message, including the SNI.


Example:

server {
    ssl_ech_file /path/to/ech-keys.pem;
    # ... other SSL configuration
}

The ssl_ech_file directive specifies a PEM file containing ECH configuration and private keys. Multiple files can be specified to support key rotation, a common operational practice. For example, Cloudflare rotates its ECH keys hourly.


Importance: ECH represents a significant advancement in internet privacy protection. It prevents passive observers from determining which websites users visit based on TLS handshake metadata. This is particularly crucial for privacy-focused deployments and environments at risk of metadata leaks.


Who it benefits:
- Privacy-conscious organizations and services
- Regions where operators are required to monitor connection metadata
- Any entity or individual deploying services where user privacy is a top priority

Platform Requirements: To support ECH, NGINX must be built against OpenSSL's ECH feature branch. ECH is expected to be included in OpenSSL 4.0 (scheduled for release in April 2026). This feature applies to both the HTTP and Stream modules. NGINX exposes the `$ssl_ech_status` and `$ssl_ech_outer_server_name` variables for logging and conditional logic.


(Expected release: April 2026)

The primary reason wnmp.org defaults to NGINX version 1.29 is to support SNI encryption after April 2026.


This means that while HTTPS encrypts content, third parties can still see your IP address and the IP address of the website you're connecting to—this is SNI.


However, after April 2026, full data encryption will be possible, including metadata during connections.


Of course, merely upgrading to nginx 1.29 alone is insufficient. For true prevention of third-party SNI detection, all websites across the network must upgrade. Nevertheless, our scripts' immediate support for SNI encryption contributes to internet security by providing qualified deployment software!

