What Is New in NGINX 1.25
The 1.25.x mainline branch introduces one genuinely new feature, experimental HTTP/3 support over QUIC, together with its usual run of bug fixes. The other directives this page covers (ssl_conf_command, limit_rate_after, proxy_timeout for UDP, certificate reload) predate 1.25 but are the knobs most operators revisit when they turn HTTP/3 on, so they are summarized here with their actual origins.
| Category | Key Changes |
|---|---|
| New Features | Experimental HTTP/3 over QUIC (quic parameter of listen; build with --with-http_v3_module) |
| Protocol Support | HTTP/3 requires TLS 1.3 and a QUIC-capable TLS library (BoringSSL, LibreSSL, QuicTLS; plain OpenSSL works through a compatibility layer without early data); PROXY protocol v2 remains TCP-only in the stream module |
| Related Directives (not new in 1.25) | ssl_conf_command (since 1.19.4), limit_rate_after, proxy_timeout for stream/UDP sessions, certificate reload on SIGHUP / nginx -s reload |
| Bug Fixes | Resolver, HTTP/2, stream, and mail module fixes |
How does HTTP/3 support change the game?
The headline feature, and the one change that is new in 1.25.0, is experimental HTTP/3 support over the QUIC transport. You enable it with the quic parameter of the listen directive, alongside the usual ssl listener on the same port so that clients can be steered to QUIC with an Alt-Svc header. The gain is lower latency on lossy or roaming links: QUIC avoids TCP head-of-line blocking and folds the TLS 1.3 handshake into connection setup.
In practice you need a build with --with-http_v3_module and a TLS library with QUIC support (BoringSSL, LibreSSL or QuicTLS); with stock OpenSSL, nginx falls back to a compatibility layer that does not support 0-RTT early data. The module is marked experimental, so keep it off mission-critical traffic until it has stabilized, and plan for the UDP/443 path to need its own firewall and load-balancer rules.
listen 443 quic reuseport;
listen [::]:443 quic reuseport;
listen 443 ssl;
listen [::]:443 ssl;
# ngx_http_v3_module directive (default on); there is no ssl_http3 directive
http3 on;
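The fragment above is only the listen part. Below is an added, complete configuration (not from the original page or the nginx documentation) that serves one site over HTTP/1.1, HTTP/2 and HTTP/3, advertises QUIC via Alt-Svc, logs which protocol each request arrived on, and turns on QUIC address validation. It assumes nginx 1.25.1 or later built with --with-http_v3_module; the server name, certificate paths and document root are placeholders.

```nginx
# Added example: one site on TCP (HTTP/1.1, HTTP/2) and UDP (HTTP/3), port 443.
# Assumes nginx >= 1.25.1 with --with-http_v3_module. Paths and names are placeholders.
events {}

http {
    # $http3 is "h3" for QUIC connections and empty otherwise. Log it so you can
    # confirm that clients really upgrade after seeing the Alt-Svc hint.
    log_format h3 '$remote_addr [$time_local] "$request" $status '
                  'proto=$server_protocol h3=$http3';
    access_log /var/log/nginx/access.log h3;

    server {
        # Same port for quic and ssl keeps the Alt-Svc advertisement simple.
        # reuseport goes on exactly one listen per address:port.
        listen 443 quic reuseport;
        listen [::]:443 quic reuseport;
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;                  # 1.25.1+: replaces the deprecated "listen ... http2"
        http3 on;                  # default on; shown for clarity

        server_name example.com;   # placeholder

        ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder
        # QUIC only carries TLS 1.3; TLSv1.2 stays available for the TCP listeners.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Address validation costs a round trip on first contact but stops the
        # server being used as an amplifier toward spoofed source addresses.
        quic_retry on;

        location / {
            root /var/www/html;    # placeholder
            # Browsers only attempt QUIC after seeing this on an HTTP/1.1 or HTTP/2
            # response; ma= caches the hint for a day.
            add_header Alt-Svc 'h3=":443"; ma=86400';
        }
    }
}
```

Validate with nginx -t, then confirm the build with nginx -V | grep http_v3_module. Remember that HTTP/3 needs UDP/443 open end to end; a TCP-only load balancer in front of nginx will silently leave every client on HTTP/2 even though the configuration is correct.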
What are the new proxy and security enhancements?
On the protocol side, the PROXY protocol (v1 and v2, the latter since 1.13.11) is accepted by TCP listeners in the stream module via the proxy_protocol parameter of listen, and is how a layer-4 balancer hands the real client address through. It is not available on UDP listeners: open-source nginx rejects proxy_protocol on a listen ... udp socket, so UDP-based load balancing does not get client addresses this way.
For TLS fine-tuning, ssl_conf_command (available since 1.19.4, not new in 1.25) passes arbitrary OpenSSL SSL_CONF commands to the SSL context. That exposes settings nginx has no native directive for, notably the TLS 1.3 cipher suite list, PrioritizeChaCha and kernel TLS. The commands are applied after nginx's own ssl_* directives and can override them, so keep each setting in one place and retest the handshake after any change.
OCSP stapling (ssl_stapling) applies to the certificate nginx itself presents; nginx does not staple OCSP responses for upstream servers. For the proxied leg, end-to-end assurance comes from proxy_ssl_verify together with proxy_ssl_trusted_certificate and proxy_ssl_name, which validate the backend's certificate chain and hostname.
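An added example of ssl_conf_command in use (this is not from the original page or the nginx documentation): it pins the TLS 1.3 suites, which ssl_ciphers cannot reach, lets ChaCha20-preferring clients win the suite negotiation, and enables kernel TLS. It assumes OpenSSL 1.1.1 or newer for Ciphersuites and PrioritizeChaCha, and OpenSSL 3.0 with the kernel tls module loaded and sendfile on for KTLS; certificate paths are placeholders.

```nginx
# Added example: OpenSSL settings that have no native nginx directive.
# Assumes OpenSSL >= 1.1.1 (Ciphersuites, PrioritizeChaCha) and >= 3.0 + kernel
# tls module for KTLS. Certificate paths are placeholders.
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder

    # Native directives first. They cover TLS 1.2 and below only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:prime256v1;

    # TLS 1.3 suites are governed by SSL_CTX_set_ciphersuites, which ssl_ciphers
    # does not touch; ssl_conf_command is the only way to restrict them.
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;

    # With ssl_prefer_server_ciphers on, the server would always pick AES-GCM.
    # PrioritizeChaCha lets a client that lists ChaCha20 first (no AES hardware)
    # get it, without otherwise giving up server-side ordering.
    ssl_conf_command Options PrioritizeChaCha;

    # Kernel TLS: record encryption in the kernel so sendfile() works on TLS
    # connections. Silently a no-op if the kernel/OpenSSL lack support, so check
    # the error log at debug level or the tls_* counters in /proc/net/tls_stat.
    ssl_conf_command Options KTLS;
    sendfile on;

    location / {
        root /var/www/html;   # placeholder
    }
}
```

Because these commands bypass nginx's own validation, run nginx -t and then probe the listener with openssl s_client -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 to confirm the excluded suite is actually refused before trusting the change.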
What core functionality got upgraded?
Certificate rotation without downtime is a long-standing nginx property rather than a 1.25 addition: a reload (SIGHUP, or nginx -s reload) starts new worker processes with the new certificates while old workers finish their existing connections. Since 1.15.9, ssl_certificate and ssl_certificate_key also accept variables, in which case the files are read at handshake time, at the cost of losing the startup-time cache and error checking.
For limiting response bandwidth, including gRPC responses proxied with grpc_pass, limit_rate_after (available since 0.8.0) delays the point at which limit_rate starts to apply, so the first N bytes are sent at full speed. This is useful for letting an initial burst through before throttling a long stream.
In the stream module, proxy_timeout bounds the idle time between two successive read or write operations on a session; for UDP it is what decides how long a session's state lives, and it has applied to UDP since stream gained UDP support in 1.9.13. The default of 10 minutes is far too long for request/response protocols such as DNS, so set it explicitly together with proxy_responses.
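An added example (not from the original page) that pulls the stream-module points above together: a TCP listener that accepts PROXY protocol from a trusted balancer and rewrites the client address, and a UDP listener where proxy_timeout and proxy_responses bound session lifetime. Backend addresses are placeholders, and 192.0.2.0/24 is an assumed load-balancer range.

```nginx
# Added example: PROXY protocol on TCP, session bounds on UDP.
# Backends and the 192.0.2.0/24 balancer range are placeholders.
events {}

stream {
    # TCP: accept PROXY protocol v1/v2 from the balancer in front of us.
    # set_real_ip_from (ngx_stream_realip_module) restricts whose header is
    # trusted and rewrites $remote_addr from it. Without that restriction any
    # client that can reach this port could claim an arbitrary source address.
    server {
        listen 5432 proxy_protocol;
        set_real_ip_from 192.0.2.0/24;
        proxy_pass 10.0.0.10:5432;     # placeholder backend
        proxy_protocol on;             # re-emit a PROXY protocol header (v1) to the backend
        proxy_timeout 30m;             # long-lived database sessions
    }

    # UDP: the proxy_protocol parameter is rejected on a udp listener in
    # open-source nginx, so the backend only ever sees nginx's address (unless
    # you use proxy_bind ... transparent with matching routing rules).
    server {
        listen 53 udp reuseport;
        proxy_pass 10.0.0.53:53;       # placeholder DNS backend
        proxy_responses 1;             # one answer per query: free the session as soon as it arrives
        proxy_timeout 5s;              # not the 10m default; bounds state held for lost answers
    }
}
```

The UDP settings matter for resilience: each in-flight UDP "session" holds a socket and buffer in the worker, so the product of query rate and proxy_timeout is the state an unanswered flood forces you to keep.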
Which bugs were squashed in this release?
The fixes cover a range of modules. The resolver had issues with handling oversized DNS responses that are now resolved. HTTP/2 saw fixes for potential problems with handling request bodies.
In the stream module, a bug that could cause a segmentation fault under specific conditions with the preread_buffer_size directive was patched. The mail module also received fixes for better stability.
FAQ
Is HTTP/3 production-ready in NGINX 1.25?
No. The module is explicitly marked experimental, must be built in with --with-http_v3_module, and its code path is still maturing: 1.25.4 fixed two worker-process segmentation faults reachable over HTTP/3 (CVE-2024-24989, CVE-2024-24990). If you run it anyway, stay on the newest 1.25.x (or the 1.26 stable branch that succeeded it), keep the ssl listener in place as the fallback, and watch for worker restarts in the error log.
How do I enable dynamic certificate loading?
Nothing new needs enabling. Replace the certificate and key files on disk, run nginx -t, then nginx -s reload (which sends SIGHUP to the master); new workers pick up the new files and the old workers exit once their connections finish. If you want certificates read per handshake instead, use variables in ssl_certificate and ssl_certificate_key (1.15.9+), accepting that file errors then surface at connection time rather than at reload.
Can I use PROXY protocol with UDP load balancing now?
Not in open-source nginx: the proxy_protocol parameter of listen is only accepted for TCP sockets, and a listen ... udp proxy_protocol line fails configuration. For UDP services such as DNS and RADIUS, the backend sees nginx's own address; the usual workarounds are proxy_bind $remote_addr transparent (which needs matching routing on the backend) or carrying client identity inside the application protocol.
What is the ssl_conf_command directive used for?
It lets you set OpenSSL SSL_CONF options that nginx has no directive for, using the command names from the SSL_CONF_cmd manual. Typical uses are pinning TLS 1.3 suites (ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;), raising the OpenSSL security level (ssl_conf_command CipherString DEFAULT:@SECLEVEL=2;) and enabling kernel TLS (ssl_conf_command Options KTLS;). It has been available since 1.19.4 and is applied after nginx's own ssl_* directives.
Were there any breaking changes in 1.25?
Nothing that breaks a working 1.24 configuration outright, but two changes in 1.25.1 deserve attention: the http2 parameter of listen is deprecated in favour of a separate http2 on; directive, and HTTP/2 server push (http2_push, http2_push_preload) has been removed. Configurations that still use listen ... http2 continue to work with a warning; configurations that relied on server push lose that behaviour. Beyond that, the branch is additive (HTTP/3) plus bug fixes, so upgrades from 1.24 are straightforward for most deployments.