Updated: May 23rd, 2013
This communication is a “heads-up” about upcoming changes with Nginx and Passenger 3.
Nginx is the front-end for your web app, serving static assets, handling some redirects, and often handling SSL. Passenger is a Rails engine that attaches to Nginx to process Rails for customers who don't use Unicorn.
What's happening with Nginx and Passenger?
During the week of May 27th, 2013, we plan to upgrade Nginx from 1.2.3 to 1.2.9, and as part of that, Passenger is being bumped from 3.0.11 to 3.0.19. Both version increments are patch-level and include recent security fixes, so we don't expect incompatibilities. We expect good things.
Important: As always, we recommend testing in a staging environment before applying changes in a production environment.
Your options now
We wanted to give you this heads-up so you can consider your alternatives now.
If you are ready for the new versions and want to start testing immediately, contact Engine Yard Support. Let us know which environments you want to upgrade and test.
If you need to stay on your current Nginx and Passenger versions, you must contact Engine Yard Support before you click the Upgrade button on your environment next week.
Note: By freezing on a specific Nginx version, you will no longer receive updates and security fixes; your goal should be to get onto these Nginx and Passenger versions as soon as possible, so you can get back on the main stack version.
If you are OK with waiting until the upgrade, then you can go with the new versions when we release next week. Remember that you should always test in a staging environment first, before applying the upgrade to production.
See below for more details about the changes to Nginx and Passenger.
What's new with Nginx?
Changes from Nginx 1.2.3 to 1.2.9
Numerous bug fixes
Feature: the $request_time and $msec variables can now be used not only in the "log_format" directive.
Feature: the "auto" parameter of the "worker_processes" directive.
Change: now if the "include" directive with mask is used on Unix systems, included files are sorted in alphabetical order.
Change: the "add_header" directive adds headers to 201 responses.
Note: We recently released this security advisory about Nginx. You might want to check it out, especially if you use proxy_pass to untrusted upstream HTTP servers (such as an external blog site hosted elsewhere).
What's new with Passenger?
Changes from Passenger 3.0.11 to 3.0.19
Summary: Passenger includes some minor changes:
- 3.0.11 was targeted at Nginx 1.0.10; 3.0.19 is targeted at (and better tested with) 1.2.x
- Security fixes
- Phusion advertisements can now be removed from headers without headers_more overrides
- Bug fixes
[Nginx] Preferred Nginx version upgraded to 1.0.15.
[Nginx] Nginx is now installed with http_gzip_static_module by default.
[Nginx] Fixed a memory disclosure security problem.
The issue is documented at http://www.nginx.org/en/security_advisories.html and affects more modules than just Phusion Passenger. Users are advised to upgrade as soon as possible. Patch submitted by Gregory Potamianos.
[Nginx] passenger_show_version_in_header now hides the Phusion Passenger version number from the ‘Server:’ header too.
[Nginx] Preferred Nginx version upgraded to 1.2.2.
The previously preferred version was 1.2.1.
Fixed a Ruby 1.9 encoding-related bug in the memory measurer. (Phusion Passenger Enterprise only)
Upgraded preferred Nginx version to 1.2.3.
Nginx security fix: do not display Nginx version when server_tokens are off.
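A staging check for the two header changes listed above (passenger_show_version_in_header and server_tokens), added here as an example that is not Engine Yard's or Phusion's code: it parses a response head and reports any Nginx or Passenger version still disclosed in the Server or X-Powered-By headers. The sample responses are constructed, and their exact header values are assumptions.

```python
import re

# Response headers in which nginx and Passenger identify themselves.
BANNER_HEADERS = ("server", "x-powered-by")

# Product name, optional "/" or "(...)" note, then a dotted version number.
VERSION_RE = re.compile(
    r"(nginx|passenger)[\s/]*(?:\([^)]*\)\s*)?(\d+(?:\.\d+)+)", re.IGNORECASE
)

# Constructed samples; the exact header values are assumptions for illustration.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.2.3 + Phusion Passenger 3.0.11 (mod_rails/mod_rack)\r\n"
    "X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11\r\n"
    "Content-Type: text/html\r\n\r\n<html>nginx/9.9.9 in the body is ignored</html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Powered-By: Phusion Passenger\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def parse_headers(raw):
    """Parse a raw HTTP response head into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def version_leaks(raw):
    """Return sorted (header, product, version) tuples for each disclosed version."""
    leaks = set()
    for name, value in parse_headers(raw):
        if name in BANNER_HEADERS:
            for m in VERSION_RE.finditer(value):
                leaks.add((name, m.group(1).lower(), m.group(2)))
    return sorted(leaks)


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, version_leaks(sample) or "no version disclosed")
```

Feed it the output of `curl -sI` against the staging environment before and after the upgrade.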