
Nginx 1.13 released with TLS 1.3 support - runesoerensen
http://mailman.nginx.org/pipermail/nginx-announce/2017/000195.html
======
nerdbaggy
I don't understand why all these free open source projects are using nginx
when it hides so many great features behind the premium option. HAProxy also
has a lua module and you even have monitoring abilities for free, unlike nginx.

edit: a project like Kong could easily be done with haproxy as far as I know
and you can actually monitor your server.
[https://getkong.org](https://getkong.org)

~~~
JTenerife
Information about HAProxy on multi-core hardware (TLS de- and encryption are
CPU bound) is a bit discouraging. You can assign workers to cores, but
there's no shared memory and therefore the official docs warn about some
inconsistencies that might occur. There doesn't seem to be a consensus whether
to use the multi-core feature or not. Also nginx supports http/2.

Regarding the status of the backendservers - I use monitoring with health
checks for every backend server anyway.

Those are the reasons I chose nginx as reverse proxy recently.

~~~
codinghorror
Lack of http/2 on haproxy by now is terribly limiting and very disappointing.

~~~
sofaofthedamned
Agreed, and I can find no roadmap for it. It's a real shame.

I'm looking at moving to something a bit more application aware now, such as
Traefik, which works better in my workflow anyway.

Will say though - HAProxy has been rock solid for me, and was a million times
easier to configure and manage than F5 LTM for our use case.

------
slivanes
Right now, nginx 1.13.x requires compiling against OpenSSL 1.1.1 or newer to
get TLSv1.3 supported in browsers.

You need to compile the "draft-18" branch of OpenSSL as current browsers are
on draft-18 (master is on draft-19).

~~~
therealmarv
that's the biggest weakness of nginx.... the whole compile stuff in a right
way to get things/features really running there. And don't tell me it's easy
to recompile nginx... you have to know a lot of nginx and switches to get the
compiler setup well done.

~~~
Neil44
Apache is also a giant pain in the ass to get http2 support, you have to
basically chuck out the distro packages and do everything from scratch
(including OpenSSL) unless you're on a bleeding edge distro.

~~~
virtualwhys
Not to mention that http2 is buggy in 2.4.25 (fixes in 2.4.26 will be out in
May). And yes, without a bleeding edge distro good luck.

Building apache from source is not only very straightforward but a great way
to maximize httpd performance (all modules static, only include the modules
you need). OpenSSL on the other hand, that's distro specific, and definitely
more involved.

------
jaas
Good news. Now they should add ACME support directly to nginx so it can get
and manage TLS certificates seamlessly for you.

~~~
infinisil
You may be interested in NixOS' way. This is all you need in your
configuration.nix to get a webserver running with an SSL certificate from
Let's Encrypt, including automatic refreshes before expiry and everything:

    services.nginx = {
      enable = true;
      virtualHosts."example.com" = {
        root = "/webroot";
        enableACME = true;
      };
    };


[http://nixos.org/nixos/options.html#services.nginx](http://nixos.org/nixos/options.html#services.nginx)

------
tomschlick
Anyone know how quickly it will get pushed to the PPA here?:
[http://ppa.launchpad.net/nginx/development/ubuntu](http://ppa.launchpad.net/nginx/development/ubuntu)

~~~
alfredxing
If you want to use a precompiled version from a repository, nginx has its own,
which always stays up to date:
[http://nginx.org/en/linux_packages.html](http://nginx.org/en/linux_packages.html)

~~~
smackdab
Won't help, since you need to link it to OpenSSL 1.1.1-dev.
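
Added example, not part of any comment in this thread: a shell check for the point slivanes and smackdab make, that the OpenSSL the nginx binary is linked to decides whether TLSv1.3 is possible. It parses the `built with OpenSSL` / `running with OpenSSL` text that `nginx -V` prints; the sample outputs are constructed and the function names are hypothetical. A version of 1.1.1 or newer is necessary but does not show which TLS 1.3 draft the build speaks.

```shell
#!/bin/sh
# Constructed `nginx -V` outputs (on a real host: out=$(nginx -V 2>&1)).
SAMPLE_OLD='nginx version: nginx/1.13.0
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled'
SAMPLE_NEW='nginx version: nginx/1.13.0
built with OpenSSL 1.1.1-dev  xx XXX xxxx
TLS SNI support enabled'
# Built against a new library but loading an older one at run time.
SAMPLE_MISMATCH='nginx version: nginx/1.13.0
built with OpenSSL 1.1.1-dev  xx XXX xxxx (running with OpenSSL 1.1.0e  16 Feb 2017)'

# Print the OpenSSL version nginx reports, preferring the "running with"
# version (the library actually loaded) over the "built with" version.
nginx_openssl_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*running with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' \
        -e 't' \
        -e 's/^built with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# Return 0 if the reported OpenSSL is >= 1.1.1, 1 if older,
# 2 if no OpenSSL line was found (other TLS library or unknown output).
tls13_capable() {
    ver=$(nginx_openssl_version "$1")
    [ -n "$ver" ] || return 2
    num=$(printf '%s' "$ver" | sed 's/[a-z]*$//')   # 1.0.2g -> 1.0.2
    old_ifs=$IFS; IFS=.
    set -- $num
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_MISMATCH"; do
    if tls13_capable "$s"; then
        echo "OpenSSL $ver: new enough for TLSv1.3"
    else
        echo "OpenSSL ${ver:-unknown}: too old for TLSv1.3"
    fi
done
```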

------
skyisblue
Are there any browsers that support TLS 1.3 yet?

~~~
hannob
Mozilla and Chrome do, but disabled by default. Chrome recently tried to
enable it and they had to notice that a bunch of crap-devices by bluecoat
prevented it from working:
[https://bugs.chromium.org/p/chromium/issues/detail?id=694593](https://bugs.chromium.org/p/chromium/issues/detail?id=694593)

------
floatboth
Still no server push though? :(

