HTTP/2 C library and tools

Nghttp2 v1.22.0

We have released nghttp2 v1.22.0.


lstefani fixed the bug which results in memory leak because of missing free call on error in inflight_settings_new().


Matt Way added the functionality to specify a stream priority via session::submit().


Use of is replaced with


nghttp now shows a warning if certificate verification fails.


${tls_sni} access log variable has been added.

All ${ssl_*} access log variables have been renamed as ${tls_*}. The old names still work for backward compatibility.

SNI based backend server selection has been added. To enable this feature, use sni-fwd parameter in frontend option. The requests received in that frontend address are forwarded based on server name sent via TLS SNI extension rather than HTTP Host header field.

signed_certificate_timestamp extension has been enabled with TLSv1.3.

Historically, nghttpx always stripped incoming X-Forwarded-Proto header field, and set its own one. In this release, 2 new options have been added to tweak this behaviour. --no-strip-incoming-x-forwarded-proto option prevents nghttpx from stripping the header field from a client. --no-add-x-forwarded-proto option prevents nghttpx from adding X-Forwarded-Proto value.

--single-process option has been added which make nghttpx run in a single process. Note that if neverlbeed is enabled, nghttpx still spawns the new process for it.

SSL_CTX_set_early_data_enabled is enabled for BoringSSL.

Nghttp2 v1.21.1

We have released nghttp2 v1.21.1.

The bug which causes libnghttp2_asio client to crash has been fixed.

The bug which causes nghttpx to respond to a client with 502 status code if it receives 204 status code from HTTP/1 backend has been fixed.

Nghttp2 v1.21.0

We have released nghttp2 v1.21.0.


The bug that nghttp2_session_want_write may return 0 if there is pending frames after GOAWAY frame is submitted has been fixed.


_U_ macro has been eliminated in favor of old school (void)VAR for better compiler compatibility.


The asio client now sends PING frame when it gets idle for 30 seconds.


Mozilla’s “Modern compatibility” ciphers are used by default.


The bug that -v option does not print out version number has been fixed.

The workaround of getaddrinfo failure with AI_ADDRCONFIG has been applied.

nghttpx now escapes certain characters in access log.

nghttpx now enables backend pattern matching with --http2-proxy option as well.

TLSv1.3 Endpoint Is Now Online

In order to contribute to the development of the TLSv1.3 protocol, we have enabled TLSv1.3 support in nghttpx, and made it publicly available at It is currently draft-19.

nghttpx uses OpenSSL as an underlying TLS backend. OpenSSL community has done a great job, and been developing TLSv1.3 support (they are still WIP), and it is available in OpenSSL master branch. So just building nghttpx with this bleeding edge version of OpenSSL could enable TLSv1.3 support. But we have taken one step further, and implemented 0-RTT early data support using new SSL_read_early_data API.

For those of you to build OpenSSL from their git repository, in order to enable TLSv1.3 support, pass enable-tls1_3 option to Configure script.

In order to enable 0-RTT support in nghttpx, check out nghttpx: Enable TLSv1.3 0-RTT early data support. Please note that this branch may be rebased time to time.

To send 0-RTT early data with openssl s_client, first save a session, like so:

$ openssl s_client -connect -sess_out session.dat

The session is saved in session.dat file. We use this file to resume the session. 0-RTT early data should be stored in file. We have the following file for this example:

$ cat http.txt
GET / HTTP/1.1

$ # Don't forget to the trailing empty line to terminate HTTP request!

Then run the following command to resume session, and send 0-RTT early data:

$ openssl s_client -connect -sess_out session.dat -sess_in session.dat -early_data http.txt

If 0-RTT early data is sent, and accepted by the server, you will see the HTTP response header fields and body sent from the server.

Nghttp2 v1.20.0

We have released nghttp2 v1.20.0.


Alexis La Goutte fixed the issue found by PVS Studio.

New API, nghttp2_option_set_no_closed_streams, has been added. By default, libnghttp2 retains closed streams as suggested by RFC 7540, Section 5.3.4. If this option is used, libnghttp2 discards closed streams from memory in order to save memory usage.


SPDY has been dropped by Chromium and Firefox, and the maintenance of SPDY related code becomes burden for us. To start deprecation process, now the detection for spdylay library, which does SPDY protocol handling, is disabled by default. For those of you who want to enable SPDY support, --with-spdylay option must be given to configure script.

Since systemd support is integrated into nghttpx (see nghttpx section below), --with-systemd option is added to configure script.


nghttp2 project has been accepted by OSS-Fuzz project. The fuzz directory of nghttp2 project contains the fuzz target source code. It also contains test corpus files which were generated by capturing communications during h2spec tests, and accessed by nghttp client.


Amir Pakdel added an ability to shut down server gracefully.

clemahieu fixed a crash in client code.

clemahieu fixed the infinite loop bug in acceptor handler.

clemahieu fixed the iterator invalidation bug in server.


If nghttp2 is built with OpenSSL master branch or BoringSSL, the applications, nghttp, nghttpd, nghttpx, and h2load, enable TLSv1.3 by default. Note that TLSv1.3 is not finalized yet, and TLSv1.3 support in OpenSSL is still WIP.


The server version number is now stripped from Server header field.

Previously, nghttpx will use only one single thread inside the worker process if --workers=1 (this is default). If --workers=N, N > 1, we use additional threads for accepting connections, or API request processing, etc. Now we use the same processing model for N > 1 even if N == 1. To restore the original single thread execution mode, --single-worker option is added.

We fixed the bug that API and mruby request did not participate graceful shutdown.

--frontend-max-requests option has been added to limit the number of requests per connection. For HTTP/1.1, this limits the nubmer of keep alive requests per single connection.

This release added configuration revision, which is considered opaque string, and changes after reloading configuration with SIGHUP. This revision is returned as a response to configrevision API endpoint. This allows external application to know whether nghttpx has finished reloading new configuration or not. Note that this revision does not change on backendconfig API calls.

redirect-if-not-tls parameter has been added to --backend option. nghttpx now responds to the request with 308 status code to redirect the request to https URI if frontend connection is not TLS encrypted, and redirect-if-no-tls parameter is used in --backend option. The port number in Location header field is 443 by default (thus omitted), but it can be configurable using --redirect-https-port option.

--tls-proto-list option has been deprecated, and instead, these 2 new options have been added: --tls-min-proto-version and --tls-max-proto-version to specify minimum and maximum TLS protocol version respectively. Versions between the two are enabled. The deprecated --tls-proto-list has empty default value, and acts like enabling only specific protocol versions in the range for now.

Previously, after sending SIGUSR2 to the original master process, and the new master process gets ready, user has to send SIGQUIT to the original master process to shut it down gracefully. With this release, the new master process automatically sends SIGQUIT to the original master process when it is ready to serve requests, eliminating for user to send SIGQUIT manually.

Tomasz Torcz added systemd support to nghttpx. Type=notify can be used in unit file, and it will send new master process PID to systemd around fork.

This release fixes the bug that nghttpx crashes on SIGHUP with multi thread configuration.

Nghttpx::Response#send_info method has been added to mruby scripting. When used, it sends 1xx non-final (informational) response.

nghttpx has supported multiple certificates using --subcert option. Previously, SNI hostname is used to select certificate. With this commit, signature algorithm presented by client is also taken into consideration. nghttpx now accepts certificates which share the same hostname (CN, SAN), but have different signature algorithm (e.g., ECDSA+SHA256, RSA+SHA256).

Now POST method is recommend for backendconfig API request.

Bernard Spil disabled PSK feature when nghttp2 is built with LibreSSL which has removed PSK.


Christoph Wolters added support for link rel=“preload” for --get-assets.


There was a bug in the code to calculate statistics. This bug was revealed when some connections were closed due to an error. It has been fixed in this release.

Nghttp2 v1.19.0

We have released nghttp2 v1.19.0.


We fixed memory leak bug which only occurs in server side session. Client side sessions are not affected. This bug was detected by LLVM libFuzzer with HTTP/2 corpus that h2o project uses. Due to the bad code path which nullifies next pointers of linked list in a certain condition, nghttp2_stream object is not going to be freed. We highly encourage to upgrade the existing installation to this latest version.

Alexis La Goutte sent series of patches to fix several issues found by PVS studio.


makovich sent a patch to state that building nghttp2 with jemalloc does not work on Alpine Linux due to its inability of replacing malloc.


Benedikt Christoph Wolters sent a patch to take into account authority specified in -H option to find links in HTML page (--get-assets option). Now authority and scheme are considered to find these links.


accesslog-write-early option has been added. If it is used, access log is written when response header block is sent, rather than after request transaction finishes.

client-ciphers option has been added. Previously, ciphers option sets cipher list for both frontend and backend TLS connections. Now ciphers option only sets cipher list for frontend connections. The new client-ciphers option sets cipher list for backend connection.

Similarly, we added client-no-http2-cipher-black-list option to disable HTTP/2 cipher black list enforcement on backend connection. The exiting no-http2-cipher-black-list option disables HTTP/2 cipher black list on frontend connection.

We fix the bug that no-http2-cipher-black-list (which is now client-no-http2-cipher-black-list) does not work on backend HTTP/2 connections.

We added PSK cipher suite support to nghttpx. Read this article to know how to use PSK cipher suites.

Now accept-proxy-protocol option was deprecated. To accept PROXY protocol, use proxyproto keyword in frontend option.

Nghttp2 v1.18.1

We have released nghttp2 v1.18.1.

This release fixes several bugs in nghttpx proxy server. Since v1.18.0 release, dynamic DNS feature has been added to nghttpx. This release fixes these DNS related bugs. User reported that nghttpx exited with assertion error in libev code when DNS was enabled. After investigating it, it turned out that this bug had existed well before DNS was added, but enabling DNS helped to trigger the bug.

Nghttp2 v1.18.0

We have released nghttp2 v1.18.0. The changes are summarized below.


Since the previous release, “Content-Length: 0” in 204 status response has been treated as error, as per RFC 7230. But it turned out that some widely used services send them. To workaround this issue, it is now allowed, but ignored. That is application never get “Content-Length” header field in 204 status response.


Because of dynamic DNS support for nghttpx, c-ares library is now required to build bundled applications.


tiny-nghttpd has been removed. Nowadays nghttpd does the better job in this area.


nghttpx gets backend dynamic DNS support. Previously, backend host name is resolved at start up or configuration reloading, and nghttpx keeps using those addresses through out its entire session. Now with “dns” parameter in backend option, nghttpx resolves host name dynamically. For performance reasons, nghttpx caches the resolved addresses for configured period of time (see dns-cache-timeout option). By default, this feature is not used. To use this feature, add “dns” parameter to backend option:


Previously, backend API request can only contain numeric addresses, but with “dns” parameter, it can contain non-numeric host name as well.

We reworked error log format. Now they are documented in nghttpx(1) manual page.

frontend-keep-alive-timeout option has been added to specify the period during which HTTP/1 keep alive connection stays open.

The bug that fetch-ocsp-response script cannot run with OpenSSL 1.1.0 has been fixed.

Nghttp2 v1.17.0

We have released nghttp2 v1.17.0. The changes are summarized below.


In this release, libnghttp2 by default disallows content-length header field in 1xx, 204, or 200 to a CONNECT request as described in RFC 7230.


Previously, server-side on_close callback was not called when connection was closed while streams were still alive. Now on_close callback is called for active streams on connection close.


Remo E provided a patch to include MSVC version resource in cmake Windows build.


We fixed the bug that sometimes made nghttpx crash if --backend-http-proxy-uri was used.

We fixed the bug that one HTTP header fields from HTTP/1.1 backend were split into multiple fields in some situations.

We fixed the bug that zero-length POST was not forwarded to HTTP/1.1 backend, causing dead lock.

We removed optional reason phrase from SPDY response header fields. This is OK since reason phrase is optional.

To align the changes made in libnghttp2 that disallows content-length in 1xx, 204, or 200 to a CONNECT request, we did the same thing to HTTP/1.1 backend. We also disallow transfer-encoding in those status codes as well.

dalf provided a patch to fix compile failure with BoringSSL.

nghttpd, nghttpx, and libnghttp2_asio

We fixed the bug that mandatory SP after status code wass missing in HTTP/1.1 status line.

Nghttp2 v1.16.1

We released nghttp2 v1.16.1.

We fixed the bug that nghttp2 HPACK decoder may decode wrong integer because of undefined behaviour.

We fixed the bug in nghttpx that may make nghttpx crash if final response after non-final response from origin server is forwarded to HTTP/1.1 client.