Nginx's new versions: More speed, less Heartbleed

Newly released Web servers support version 3.1 of experimental SPDY Web protocol and include post-Heartbleed SSL fixes

Nginx has two new full-point releases of its Web server out, both with changes that are part of the industry's post-Heartbleed cleanup efforts. The new releases are split between a 1.6 "stable" version and a 1.7 "mainline" version, both with Linux and Windows binaries available.

In 1.6, the changes since the last version are minimal; in 1.7, most of the new features revolve around better support for many SSL features and support for draft version 3.1 of the SPDY protocol. Nginx's most recent previous version came out on April 8, concomitant with a memo about the effects of the Heartbleed bug on Nginx and how to deal with copies of OpenSSL that exhibited the buggy behavior.

This kind of mitigation isn't always as straightforward as it might seem. Most of the time, Nginx would simply rely on the presence of OpenSSL as provided by the host operating system. But in cases where Nginx was compiled with a statically linked copy of OpenSSL -- typically only done for a custom deployment of Nginx -- the Web server would have to be recompiled from scratch. (The latest Windows binaries provided through Nginx's site are statically linked to OpenSSL version 1.0.1g, which is nonvulnerable.)

Issues like these haven't cooled the overall growing enthusiasm for Nginx, though. Since its appearance in 2002, it has grown to claim 15 percent of the total market share for Web server. More importantly, Nginx is included with many leading Linux distributions as an out-of-the-box installation choice. It was added to Ubuntu as a standard addition to that OS's repositories, which previously featured only Apache's httpd server, and is now part of Red Hat's Software Collections, enabling its use with Red Hat Enterprise Linux.

As for SPDY 3.1, the experimental Web acceleration protocol drafted by Google, it's supported by both Apache and Nginx, but few websites actually deploy it in production. Microsoft's IIS doesn't support it directly, but instead supports its own SPDY-derived variant called Microsoft S+M. Nginx supporting the most recent version of SPDY works as a precursor to supporting HTTP 2.0 when that particular standard is baked, especially since SPDY and HTTP 2.0 are nearly identical in many respects. (Microsoft has its own experimental HTTP 2, "Katana," available on GitHub.)

Microsoft might actually pose the biggest ongoing obstacle to Nginx's uptake, according to the statistics. Netcraft's most recent Web server market share survey shows Nginx third behind Apache and Microsoft (in that order), but with most of Apache's losses apparently going to Microsoft, rather than to Nginx directly. Still, Nginx has enjoyed adding users to its base each month, and the trend shows no sign of slowing down no matter who's in the way.

This story, "Nginx's new versions: More speed, less Heartbleed," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.

How to choose a low-code development platform