NGINX 1.30 Released as New Stable Branch: HTTP Early Hints, ECH, and Multipath TCP Arrive
Version 1.30 consolidates features from the 1.29.x mainline into the stable track, delivering protocol upgrades, tightened TLS privacy, and improved default connection behavior for the world’s most deployed web server.
NGINX has officially released version 1.30.0, establishing a new stable branch for the widely deployed open-source web server. The release consolidates all changes accumulated through the 1.29.x mainline series — including support for HTTP Early Hints, Encrypted ClientHello (ECH), upstream HTTP/2 connectivity, sticky sessions, and Multipath TCP — into a production-ready stable track that sysadmins and platform engineers can confidently deploy.
According to W3Techs data current as of April 2025, NGINX leads all web servers with a market share of 33.8%, ahead of Apache at 26.4% and Cloudflare Server at 23.4%. This update continues the project's philosophy of steady, reliable progression, with each stable branch representing the crystallisation of months of mainline experimentation.
Protocol and Core Upgrades
The headline additions in 1.30 touch the core of how NGINX handles modern web traffic. Support for HTTP 103 Early Hints is now stable, enabling the server to prompt browsers to begin preloading critical resources — CSS, JavaScript, fonts — before the full response has been generated. Major browsers including Chrome have supported the Early Hints standard for some time; NGINX 1.30 brings full server-side implementation to the stable tier.
Equally significant is the arrival of HTTP/2 connections to upstream backends. Previously, NGINX communicated with upstream application servers using HTTP/1.x even when serving clients over HTTP/2; 1.30 closes that gap, allowing end-to-end HTTP/2 for scenarios that benefit from multiplexing and header compression on the proxy leg. Alongside this, upstream sticky sessions ensure that requests from a given client are consistently routed to the same backend instance — important for stateful applications.
Multipath TCP (MPTCP) support, introduced in mainline 1.29.7, is now part of the stable branch. MPTCP allows a single connection to leverage multiple network paths simultaneously, improving throughput and providing seamless failover when a path degrades. A subtler but operationally important change is that the default upstream HTTP protocol is now HTTP/1.1 with keep-alive enabled, replacing the previous HTTP/1.0 default — significantly improving connection reuse efficiency without requiring administrator configuration.
nginx version: nginx/1.30.0
# New defaults applied automatically:
#   proxy_http_version 1.1;
#   upstream keepalive enabled (upstream keepalive module default)
Enhanced TLS and Security Capabilities
The most privacy-significant addition in this release is the integration of OpenSSL’s Encrypted ClientHello (ECH). ECH encrypts the initial TLS handshake metadata — including the server name indication — that was previously visible to network observers even on encrypted connections. Its inclusion moves NGINX meaningfully closer to full transport-layer privacy. Administrators should note that some older OpenSSL builds may require configuration adjustments to enable ECH without compatibility warnings.
Additional TLS improvements include:
- New: Certificate compression support, reducing TLS handshake data volume.
- New: Loading of private keys via OSSL_STORE, enabling integration with hardware security modules and external key stores.
- New: Compressed server certificate support for BoringSSL builds.
- New: Variables $ssl_sigalg and $ssl_client_sigalg for logging and conditional logic based on negotiated signature algorithms.
- Improved: SNI processing via the ClientHello callback mechanism, improving virtual-host resolution accuracy.
- Compat: Compatibility enhancements for OpenSSL 4.0.
“ECH’s inclusion moves NGINX meaningfully closer to full transport-layer privacy — hiding more handshake metadata without requiring application changes or breaking existing setups.”
HTTP/2 and HTTP/3 Refinements
Both modern HTTP versions receive targeted improvements. On the HTTP/2 side, the handling of repeated 103 Early Hints responses has been corrected, and flushing behaviour for Early Hints over HTTP/2 has been addressed. The release also resolves longstanding issues with :authority and Host header handling — a subtle but consequential correctness fix for reverse-proxy deployments.
HTTP/3 receives a cluster of stability fixes accumulated from the mainline series. These include: corrections to variable-length integer handling in QUIC frames, improved acknowledgment behaviour under congestion-window constraints, a segmentation fault fix during handshake failures, and more robust stateless reset handling. BPF compilation with newer Linux kernels is also fixed, and integration with the OpenSSL 3.5 QUIC API has been updated.
- HTTP/2: Optimised Early Hints sending logic and flushing over HTTP/2.
- HTTP/3: Indexed field line encoding added for 103 Early Hints responses.
- Both: Fixed :authority and Host header handling discrepancies.
- New: HTTP CONNECT infrastructure and max_headers directive introduced.
- HTTP/3: Congestion control, stateless reset, and handshake-failure crash fixes.
Stability and Bug Fixes
Beyond new features, 1.30 resolves a set of practical issues that affected production deployments. Key among them is a fix for segmentation faults caused by URI changes during proxying, a crash that could affect any deployment using URI rewriting with proxy_pass. Similarly, gRPC buffer chain reset on upstream reinit and request reinitialization issues in Early Hints scenarios have been corrected.
HTTP/2 upstream caching behaviour has also been corrected, addressing a scenario where cached responses could be incorrectly served under certain upstream reinit conditions. Control frame handling and the security of cache header parsing have been hardened, and pending HTTP/2 control frames are now properly reset on upstream reinitialization — preventing a subtle class of state corruption bug.
Performance and Connection Defaults
The most impactful silent performance change in 1.30 is that the upstream keepalive module is now enabled by default. In previous versions, connection reuse to upstream servers required explicit keepalive configuration; 1.30 makes this the baseline behaviour. The practical effect is reduced latency from connection establishment overhead and improved throughput under sustained load — without any configuration change needed from operators upgrading from 1.28.
Combined with the new Multipath TCP support and the HTTP/1.1 default on the proxy leg, 1.30 delivers a meaningfully more efficient connection model out of the box. Administrators running high-concurrency deployments should observe lower p99 latency on proxy connections after upgrading.
NGINX 1.30 is not a revolutionary release — it is a deliberate and balanced one. By graduating features like ECH, Early Hints, Multipath TCP, and HTTP/2 upstream support from the mainline into the stable branch, the NGINX team delivers a version that operators can confidently put into production.
The default-on keepalive and HTTP/1.1 proxy protocol changes are the most immediately impactful for most deployments. Administrators upgrading from 1.28 should review these behavioural defaults before rolling out to ensure compatibility with any upstream services that may not support persistent connections.
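One way to do the pre-upgrade review described above, as an added example (not code from the article or from NGINX): the function lists every proxy_pass that has no proxy_http_version in its own or an enclosing block, and every upstream block without an explicit keepalive directive, since those are the places where the new defaults take effect. The sample configuration and the function name are made up for illustration, and include files are not followed.

```python
import re

SAMPLE_CONF = """# constructed sample: hostnames and addresses are made up
http {
    upstream legacy_app { server 10.0.0.5:8080; }
    upstream tuned_app  { server 10.0.0.6:8080; keepalive 16; }
    server {
        location /api/    { proxy_http_version 1.1; proxy_pass http://tuned_app; }
        location /legacy/ { proxy_pass http://legacy_app; }  # nothing pins the version
    }
    server {
        location / { proxy_pass http://pinned_app; }
        proxy_http_version 1.0;  # set after the location, still inherited by it
    }
}
"""

# Comments match uncaptured (findall yields ""); group 1 is a real token.
TOKEN = re.compile(
    r"""#[^\n]*|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|(?:\$\{\w+\}|[^\s{};])+)""")

def audit_upstream_defaults(conf):
    """Find proxy_pass directives with no proxy_http_version in any enclosing
    block, and upstream blocks with no explicit keepalive directive."""
    root = {"name": "main", "seen": set(), "pending": []}
    stack, words, upstreams = [root], [], []
    for tok in filter(None, TOKEN.findall(conf)):
        if tok == "{":
            stack.append({"name": " ".join(words), "seen": set(), "pending": []})
        elif tok == "}":
            block = stack.pop()
            if block["name"].startswith("upstream ") and "keepalive" not in block["seen"]:
                upstreams.append(block["name"].split()[1])
            if "proxy_http_version" not in block["seen"]:
                stack[-1]["pending"] += block["pending"]  # the parent block decides
        elif tok == ";":
            stack[-1]["seen"].update(words[:1])
            if words[:1] == ["proxy_pass"] and len(words) > 1:
                path = " > ".join(b["name"] for b in stack[1:])
                stack[-1]["pending"].append((path, words[1]))
        else:
            words.append(tok)
            continue
        words = []  # "{", "}" and ";" each end the current directive
    unpinned = [] if "proxy_http_version" in root["seen"] else root["pending"]
    return {"proxy_pass": unpinned, "upstream": upstreams}

if __name__ == "__main__":
    print(audit_upstream_defaults(SAMPLE_CONF))
```

Directives are collected per block before inheritance is resolved, so a proxy_http_version written after a nested location still counts for it.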
NGINX 1.30.0 is available now from nginx.org. Source packages and binary distributions for major Linux distributions are available through the official NGINX package repositories.
