What is new in NGINX 1.27
NGINX 1.27 marks the start of a new mainline development branch released in May 2024. This version prioritizes security by addressing multiple vulnerabilities in the HTTP/3 implementation and introduces practical performance and configuration improvements.
It is particularly beneficial for users running QUIC and HTTP/3, as well as those who need more flexible rate limiting using variables.
Security Fixes
NGINX 1.27 includes important security updates for HTTP/3:
- Fixed multiple vulnerabilities in QUIC session processing that could lead to worker process crash, memory disclosure (on systems with MTU larger than 4096 bytes), or other potential impacts (CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161).
These fixes were contributed by Nils Bars of CISPA and are highly recommended for any deployment using HTTP/3.
New Features
The following new capabilities were added in NGINX 1.27:
| Feature | Description |
|---|---|
| Variables in rate limiting directives | Support for variables in proxy_limit_rate, fastcgi_limit_rate, scgi_limit_rate, and uwsgi_limit_rate directives. This allows dynamic rate limits based on request context. |
Improvements and Bug Fixes
NGINX 1.27 brings these enhancements and fixes:
- Reduced memory consumption for long-lived requests when using gzip, gunzip, ssi, sub_filter, or grpc_pass directives.
- Fixed build issue with GCC 14 when the --with-libatomic option is enabled.
- Multiple bugfixes and stability improvements in the HTTP/3 implementation.
How can I use variables with rate limiting in NGINX 1.27?
Starting with NGINX 1.27, you can use variables in the proxy_limit_rate, fastcgi_limit_rate, scgi_limit_rate, and uwsgi_limit_rate directives. This makes it possible to set different limits based on client IP, request headers, or other dynamic values.
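```nginx
http {
    # Request-rate limiting zone; separate from the response-rate directive below
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

    server {
        location /api/ {
            # $limit_rate_var must be defined elsewhere (for example with map, geo, or set)
            proxy_limit_rate $limit_rate_var;  # variable support added in 1.27
            ...
        }
    }
}
```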
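A fuller version of this configuration, written as an added example that is not from the original page or the NGINX project: it defines $limit_rate_var with a geo block so the limit follows the client address. The address ranges, rate values, listen port, and the backend upstream are constructed placeholders.

```nginx
# Added example: all addresses, ports, and rates are constructed placeholders.
events {}

http {
    # Choose a bytes-per-second ceiling from the connecting address.
    # geo matches against $remote_addr by default, which the client cannot
    # set the way it can set a request header. If the value is derived
    # from a header instead, validate it first, or a client can pick its own tier.
    geo $limit_rate_var {
        default         256k;   # everyone else
        10.0.0.0/8      0;      # internal clients: 0 disables the limit
        192.0.2.0/24    64k;    # throttled partner range (documentation prefix)
    }

    upstream backend {
        server 127.0.0.1:8080;  # placeholder backend
    }

    server {
        listen 8000;

        location /api/ {
            proxy_pass http://backend;

            # proxy_limit_rate only takes effect when response buffering
            # is enabled (the default).
            proxy_buffering on;

            # Limits how fast nginx reads the response from the proxied
            # server, per request. A variable here requires nginx 1.27.0+.
            proxy_limit_rate $limit_rate_var;
        }
    }
}
```

Test the file with `nginx -t -c /path/to/file` before reloading; releases older than 1.27.0 reject the variable as an invalid value at this step. Because the limit is per request, a client that opens several connections gets the configured rate on each one.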
Why is the HTTP/3 security fix in NGINX 1.27 important?
This release fixes several critical issues in QUIC session processing. Without the update, specially crafted QUIC sessions could crash worker processes or disclose memory contents on systems with an MTU larger than 4096 bytes. Upgrading to 1.27 (or later) is strongly advised for any server enabling HTTP/3.
Who should upgrade to NGINX 1.27?
Users running HTTP/3 or QUIC should upgrade immediately for the security fixes. Teams needing more flexible rate limiting with variables will also benefit. For production environments preferring stability, consider waiting for the next stable branch (1.28).
FAQ
What is the main purpose of NGINX 1.27?
NGINX 1.27 is the first release of the new mainline branch. It focuses on fixing critical HTTP/3 security vulnerabilities and adding support for variables in rate limiting directives.
Does NGINX 1.27 include HTTP/3 improvements?
Yes. Besides the important security fixes, it contains multiple bugfixes that improve the stability of the HTTP/3 and QUIC implementation.
Can I use variables in limit_rate directives now?
Yes. NGINX 1.27 adds variable support to proxy_limit_rate, fastcgi_limit_rate, scgi_limit_rate, and uwsgi_limit_rate, allowing more dynamic traffic control.
Was there a build fix in NGINX 1.27?
Yes. The version resolves a compilation problem with GCC 14 when using the --with-libatomic configuration option.
Should I upgrade from NGINX 1.26 to 1.27?
If you use HTTP/3, upgrading is highly recommended due to the security patches. For other users, the reduced memory usage for long-lived requests and variable support in rate limits are useful additions.