What Is New in NGINX 1.21
The NGINX 1.21 mainline series (1.21.0 through 1.21.6) brings enhancements around HTTP/2, TLS controls, and PROXY protocol handling in the stream module, together with bug and security fixes aimed at stability in production.
| Category | Key Changes |
|---|---|
| New Features | HTTP/2 server push from preload links (http2_push_preload), ssl_reject_handshake directive |
| Improvements | ssl_conf_command support, PROXY protocol to stream upstreams |
| Bug Fixes | HTTP/2, memory management, and SSL-related issues |
How does HTTP/2 server push preload work?
The http2_push_preload directive (it is a directive, not a variable: syntax http2_push_preload on | off, default off, valid in the http, server and location contexts) makes NGINX convert preload links found in a response's Link header fields into HTTP/2 push promises. Because those Link headers come from the upstream response, the application decides, per response, which resources are pushed.
In practice your backend includes a header such as Link: </static/app.css>; rel=preload; as=style and NGINX pushes /static/app.css alongside the response. Only same-origin absolute paths with rel=preload are pushed, and a link carrying the nopush parameter is left for the browser to preload on its own. This is more selective than pushing a fixed list with http2_push, and unconditional pushing often hurts performance because it sends bytes the client already has cached. One caveat for anyone reading this later: HTTP/2 server push support was removed from NGINX in 1.25.1, and Chrome has since dropped client-side support, so this is a feature of the 1.21 era rather than something to build new designs on.
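As an added example (not configuration from the original article or from the nginx project), here is an HTTPS server that proxies to an application backend and lets NGINX turn the backend's Link: ...; rel=preload response headers into pushes. The hostname, certificate paths, upstream address and the /static/ path are placeholders.

```nginx
# Added example: HTTP/2 push driven by the backend's Link preload headers.
# Hostnames, paths and the upstream address are placeholders.
http {
    upstream app_backend {
        server 127.0.0.1:8080;
    }

    server {
        listen 443 ssl http2;
        server_name example.com;

        ssl_certificate     /etc/nginx/certs/example.com.crt;
        ssl_certificate_key /etc/nginx/certs/example.com.key;

        location / {
            proxy_pass http://app_backend;

            # A backend response carrying
            #   Link: </static/app.css>; rel=preload; as=style
            # makes nginx push /static/app.css with the response. The Link
            # header itself is still forwarded to the client unchanged.
            # Links with "nopush" or pointing at other origins are ignored.
            http2_push_preload on;
        }

        # The pushed resources are served from this location, so nginx
        # issues an internal request for /static/app.css here.
        location /static/ {
            root /var/www/example.com;
        }

        # Fixed, unconditional alternative that does not depend on the
        # backend (shown for contrast; avoid pushing large or cacheable
        # assets to every client this way).
        location = /landing.html {
            root /var/www/example.com;
            http2_push /static/app.css;
        }
    }
}
```

To confirm a push is happening, request the proxied page with a client that reports push promises, for example nghttp -ans https://example.com/, and look for the /static/ entries flagged as pushed; a page whose backend sends no Link header will produce none.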
What new SSL/TLS controls were added?
NGINX 1.21 ships the ssl_reject_handshake directive (syntax ssl_reject_handshake on | off; contexts http and server; first introduced in 1.19.4), which refuses TLS handshakes for a server block, and the ssl_conf_command directive (syntax ssl_conf_command name value; same contexts and version; requires OpenSSL 1.0.2 or later) for passing OpenSSL configuration commands through unchanged.
ssl_reject_handshake is normally set in the catch-all default_server: a connection whose SNI name matches no configured server_name is then aborted with a TLS unrecognized_name alert instead of being answered with whatever fallback certificate the default server carries, and the default server no longer needs a certificate at all. ssl_conf_command exposes OpenSSL SSL_CONF options that have no dedicated NGINX directive, such as Ciphersuites for TLS 1.3 or Options PrioritizeChaCha. The commands are handed to OpenSSL after NGINX's own SSL settings have been applied, so they can override a dedicated directive, and it is OpenSSL rather than NGINX that validates them.
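The following is an added example, not configuration taken from the article or from the nginx project: a certificate-less catch-all server that rejects any handshake whose SNI name does not match a configured server, beside a real virtual host that layers ssl_conf_command on top of the usual ssl_* directives. Hostnames and certificate paths are placeholders, and the ssl_conf_command lines assume an OpenSSL build with TLS 1.3 support.

```nginx
# Added example: SNI-based handshake rejection plus ssl_conf_command.
# Hostnames and certificate paths are placeholders.
http {
    # Catch-all for connections by IP address or with an unknown SNI name.
    # No certificate is configured here: the handshake is aborted with an
    # unrecognized_name alert before a certificate would be sent.
    server {
        listen 443 ssl default_server;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl http2;
        server_name app.example.com;

        ssl_certificate     /etc/nginx/certs/app.example.com.crt;
        ssl_certificate_key /etc/nginx/certs/app.example.com.key;

        # Dedicated nginx directives cover the common settings.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;

        # ssl_conf_command reaches OpenSSL SSL_CONF options nginx does not
        # expose: the TLS 1.3 suite list (ssl_ciphers only governs TLS 1.2
        # and below) and PrioritizeChaCha, which prefers ChaCha20 for
        # clients that list it first (typically devices without AES-NI).
        # These run after the directives above and would override them if
        # they touched the same setting, so keep them to what nginx lacks.
        ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256;
        ssl_conf_command Options PrioritizeChaCha;

        location / {
            root /var/www/app.example.com;
        }
    }
}
```

Check the rejection path as well as the happy path: openssl s_client -connect app.example.com:443 -servername app.example.com should complete a handshake and print the certificate, while the same command with -servername bogus.example (or no -servername at all) should fail with an "unrecognized name" alert and no certificate, which is exactly what a scanner connecting by IP address would see.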
What PROXY protocol enhancements were made?
The stream module can speak PROXY protocol on both sides of a TCP proxy: the proxy_protocol parameter of listen accepts a version 1 or version 2 header from an upstream load balancer, and proxy_protocol on in a server block makes NGINX send a version 1 header when it opens the connection to its own upstreams. Together they carry the original client address and port through several proxy layers.
This matters for logging and access control behind layered proxies, where the TCP peer NGINX sees is otherwise just the previous hop. The header is unauthenticated, though: any client that can reach a listener expecting PROXY protocol can send a forged one, so only honour it (via set_real_ip_from) from the addresses of your real load balancers, and keep such listeners unreachable from everything else.
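As an added example that is not part of the article or the nginx project, this stream configuration accepts PROXY protocol from a trusted load-balancer subnet, rewrites the client address only for those peers, applies an allow list to the resulting client address, logs both addresses, and re-emits the header toward the upstream pool. All addresses and ports are placeholders (10.0.0.0/24 as the balancer subnet, 192.0.2.0/24 as the permitted client range, PostgreSQL on 5432 as the proxied service).

```nginx
# Added example: PROXY protocol accepted from trusted balancers only and
# forwarded to upstreams. Addresses and ports are placeholders.
stream {
    # Log the TCP peer (the balancer, kept in $realip_remote_addr once the
    # realip module has rewritten $remote_addr) next to the original client
    # taken from the PROXY protocol header.
    log_format proxied '$realip_remote_addr -> $remote_addr:$remote_port '
                       '$protocol $status $bytes_sent $bytes_received';

    upstream db_pool {
        server 10.0.1.10:5432;
        server 10.0.1.11:5432;
    }

    server {
        # Every connection to this port must begin with a PROXY protocol
        # (v1 or v2) header; connections that do not send one are dropped.
        listen 5432 proxy_protocol;

        # Honour the header only from the balancer subnet. For any other
        # peer $remote_addr stays the peer's real TCP address, so a forged
        # header from an untrusted host changes nothing below.
        set_real_ip_from 10.0.0.0/24;

        # Access control runs after the realip rewrite, so these rules see
        # the original client address for balancer connections and the
        # peer's own address for direct connections. Note that allowing the
        # balancer subnet here would be wrong: after the rewrite a balancer
        # connection no longer carries the balancer's address.
        allow 192.0.2.0/24;
        deny  all;

        access_log /var/log/nginx/stream-access.log proxied;

        # Prepend a version 1 PROXY protocol header on the upstream
        # connection so the database servers also see the original client.
        # The upstream must be configured to expect it.
        proxy_protocol on;
        proxy_pass db_pool;
    }
}
```

A quick check from a host inside the balancer subnet: printf 'PROXY TCP4 192.0.2.10 10.0.0.5 40000 5432\r\n' | nc 10.0.0.5 5432 should be accepted and logged as 10.0.0.x -> 192.0.2.10:40000, while the same header sent from a host outside 10.0.0.0/24 is logged with the sender's own address and denied, and a connection that sends no header at all is closed immediately.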
What critical bugs were fixed?
The 1.21.x changelog lists fixes for HTTP/2 connection handling, memory management and SSL handling, including defects that could crash a worker process. The one entry flagged as a security fix in 1.21.0 (and backported to stable 1.20.1) is CVE-2021-23017, a one-byte memory overwrite in resolver response processing: an attacker able to forge UDP replies from the configured DNS server could crash a worker or potentially achieve worse, and every release from 0.6.18 to 1.20.0 that used the resolver directive is affected.
Among the other entries, one fix addresses HTTP/2 requests that could hang with certain proxy configurations, and another a memory corruption during SSL certificate verification that only occurred under specific conditions. Consult the CHANGES file for the exact point release each fix landed in before assuming a given 1.21.x build carries it.
FAQ
Does the HTTP/2 push preload feature work with existing applications?
Yes, it works with any upstream that sends the appropriate Link headers with preload directives. You'll need to modify your application to send these headers, but NGINX configuration changes are minimal.
Can ssl_reject_handshake help prevent SSL reconnaissance attacks?
It helps against the cheapest form of it. A scanner that connects by IP address or with a made-up SNI name normally receives the default server's certificate, whose subject and SAN entries reveal the hostnames you serve; with ssl_reject_handshake on in the catch-all server, that handshake is aborted with an unrecognized_name alert before any certificate is sent. It does nothing to hide the configuration of the names you do serve, since a client that knows a valid hostname still completes a normal handshake there.
Is the PROXY protocol support backward compatible?
Yes. Both sides are opt-in: the listen directive needs the proxy_protocol parameter to accept a header, and proxy_protocol on in the server block is needed to emit one toward upstreams; without them NGINX behaves exactly as before. Be aware that once a listener expects PROXY protocol, every connection to it must start with a header, so plain clients connecting directly are rejected, and the upstream you enable proxy_protocol on for must itself be configured to expect the header or it will treat it as garbage on the wire.
What was the most significant performance improvement in this release?
The HTTP/2 memory management fixes significantly improve stability under heavy load. While not a feature addition, these fixes prevent memory leaks that could degrade performance over time.
Does ssl_conf_command replace existing SSL directives?
No, it complements them. Keep using dedicated directives such as ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers for common settings, and reserve ssl_conf_command for OpenSSL parameters without one (for example Ciphersuites for TLS 1.3, or Options PrioritizeChaCha). Because the commands are passed to OpenSSL after NGINX's own settings, a command can silently override a dedicated directive, so verify the result with nginx -t and an external TLS scan rather than assuming the directives still win.