Nginx Freenginx

buik · Feb 15, 2024

After Angie, another Nginx fork: Freenginx is released, by former lead developer: Maxim Dounin.

As you probably know, F5 closed Moscow office in 2022, and I no
longer work for F5 since then. Still, we’ve reached an agreement
that I will maintain my role in nginx development as a volunteer.
And for almost two years I was working on improving nginx and
making it better for everyone, for free.
Click to expand...

Also the same reason why Nginx has been almost unreleased for years in terms of features and options. Since most of the original Nginx developers are out (Nginx is originally a Russian company).

One point of surprise, though. Maxim is now using the name ....Nginx, which is a brand name, for his own company. He could get a problem with that to Nginx brand holder: F5.

eva2000 · Feb 16, 2024

And for almost two years I was working on improving nginx and
making it better for everyone, for free
Click to expand...

Wow sad unfortunate situation [nginx-announce] announcing freenginx.org. But grateful for his dedication to Nginx!

Hello!

As you probably know, F5 closed Moscow office in 2022, and I no
longer work for F5 since then. Still, we’ve reached an agreement
that I will maintain my role in nginx development as a volunteer.
And for almost two years I was working on improving nginx and
making it better for everyone, for free.

Unfortunately, some new non-technical management at F5 recently
decided that they know better how to run open source projects. In
particular, they decided to interfere with security policy nginx
uses for years, ignoring both the policy and developers’ position.

That’s quite understandable: they own the project, and can do
anything with it, including doing marketing-motivated actions,
ignoring developers position and community. Still, this
contradicts our agreement. And, more importantly, I no longer able
to control which changes are made in nginx within F5, and no longer
see nginx as a free and open source project developed and
maintained for the public good.

As such, starting from today, I will no longer participate in nginx
development as run by F5. Instead, I’m starting an alternative
project, which is going to be run by developers, and not corporate
entities:

nginx news

The goal is to keep nginx development free from arbitrary corporate
actions. Help and contributions are welcome. Hope it will be
beneficial for everyone.
--
Maxim Dounin
nginx news
Click to expand...

buik said: ↑

One point of surprise, though. Maxim is now using the name ....Nginx, which is a brand name, for his own company. He could get a problem with that to Nginx brand holder: F5.
Click to expand...

Yeah tricky situation.

buik said: ↑

After Angie, another Nginx fork: Freenginx is released, by former lead developer: Maxim Dounin.
Click to expand...

Thanks for the heads up. Busy with client work so will have to look at Freenginx a bit later. Looks like Freenginx code right now is same just different download urls and Mercurial source control repo. So can add optional Freenginx support to Centmin Mod just like I did for Angie Nginx fork https://community.centminmod.com/th...-that-was-forked-from-nginx.24378/#post-98352

eva2000 · Feb 16, 2024

Maxim dev mailing list discussions The nginx-devel February 2024 Archive by thread

eva2000 · Feb 17, 2024

Looks like made the news on Phoronix too https://www.phoronix.com/news/Nginx-Forked-To-Freenginx and their comments https://www.phoronix.com/forums/node/1443374

Posts on HackerNews from someone who says they work for F5, suggests this is down to F5 allocating CVEs to security bugs, and Maxim not wanting that to happen, with some nuance around the features with the security bugs being experimental in nature.
Click to expand...

https://www.phoronix.com/forums/for...b-server-into-freenginx?p=1443452#post1443452

We (F5) published two CVEs today against NGINX+ & NGINX OSS. Maxim was against us assigning CVEs to these issues.

F5 is a CNA and follows CVE program rules and guidelines, and we will err on the side of security and caution. We felt there was a risk to customers/users and it warranted a CVE, he did not.
This seems like a much larger story than the fork, given the install base of nginx.

For clarity are you referring to CVE-2024-24989 and -24990 (HTTP/3)?
Yes, those are the two CVEs I was referring to. All I know is he objected to our decision to assign CVEs, was not happy that we did, and the timing does not appear coincidental.
I think you'd have to ask Maxim. My take is he felt experimental features should not get CVEs, which isn't how the program works. But that's just my take - I'm the primary representative for F5 to the CVE program and on the F5 SIRT, we handle our vuln disclosures.
Click to expand...

Knowing this info and why Official Nginx 1.25.4 was released today, I'm siding with F5 on this as I would want to know of security bugs even if Nginx HTTP/3 is experimental code still. Would also make me cautious using Maxim's Freenginx fork if his philosophy is not to assign CVE security labels to Nginx code that he thinks is experimental

eva2000 · Feb 17, 2024

Added to 130.00beta01 optional freenginx forked Nginx support via variable FREENGINX_INSTALL='y' that you can optionally set in the persistent config file /etc/centminmod/custom_config.inc (disabled by default), which will have Nginx version build tagged with -freengx

nginx -V
nginx version: nginx/1.25.3 (160224-171757-almalinux8-kvm-cc925a1-br-a71f931-freengx)
built by gcc 13.1.1 20230614 (Red Hat 13.1.1-4) (GCC)
built with OpenSSL 1.1.1w 11 Sep 2023
Click to expand...

eva2000 · Feb 17, 2024

More info at Nginx core developer quits project in security dispute, starts “freenginx” fork

MZMegaZone confirmed the relationship between security disclosures and Dounin's departure. "All I know is he objected to our decision to assign CVEs, was not happy that we did, and the timing does not appear coincidental," MZMegaZone wrote on Hacker News. He later added, "I don't think having the CVEs should reflect poorly on NGINX or Maxim. I'm sorry he feels the way he does, but I hold no ill will toward him and wish him success, seriously."

Dounin, reached by email, pointed to his mailing list responses for clarification. He added, "Essentially, F5 ignored both the project policy and joint developers' position, without any discussion."

MegaZone wrote to Ars (noting that he only spoke for himself and not F5), stating, "It's an unfortunate situation, but I think we did the right thing for the users in assigning CVEs and following public disclosure practices. Rational people can disagree and I respect Maxim has his own view on the matter, and hold no ill will toward him or the fork. I wish it hadn't come to this, but I respect the choice was his to make."
Click to expand...

Also comment on ARS article from a person familar with CNA

Background: started and ran a CNA at a prior employer.

It seems that the developer in question does not understand how the CVE program operates or what a CNA's responsibilities are. CVEs are not demerits. They are identifiers used to refer to specific vulnerabilities for the purpose of identification and communication. It does not matter if the vulnerability exists in the default configuration or not. There is also no obligation to fix CVEs in any particular way. A vendor is perfectly within its rights to say that the vulnerability exists in experimental code and that its security lifecycle policy does not cover this, while still assigning a CVE to refer to the vulnerability.

The important part is that as long as the vendor CNA (F5 in this case) assigns the CVE, they control the details of the CVE record and can specify in the description that the vulnerability exists in experimental code. If the vendor refuses to assign a CVE, another CNA can do so, and the vendor loses control over the CVE record. This is likely a big part of why F5 insisted on assigning the CVEs in question.

Open source projects may or may not work with a CNA to assign CVEs. A lot of times CVEs are assigned by independent researchers, and sometimes there's heated discussion (read: flaming) between the developers and the researchers. This might "work" in some sense, but most people in the security community would prefer not to have that sort of dispute happen.
Click to expand...

eva2000 · Feb 17, 2024

Freenginx: Core Nginx developer announces fork | Hacker News

Worth noting that there are only two active "core" devs, Maxim Dounin (the OP) and Roman Arutyunyan. Maxim is the biggest contributor that is still active. Maxim and Roman account for basically 99% of current development.
So this is a pretty impactful fork. It's not like one of 8 core devs or something. This is 50% of the team.

Edit: Just noticed Sergey Kandaurov isn't listed on GitHub "contributors" because he doesn't have a GitHub account (my bad). So it's more like 33% of the team. Previous releases have been tagged by Maxim, but the latest (today's 1.25.4) was tagged by Sergey
Click to expand...

buik · Feb 17, 2024

eva2000 said: ↑

Wow sad unfortunate situation [nginx-announce] announcing freenginx.org. But grateful for his dedication to Nginx!
Click to expand...

Very neat what he did those 2 years. If I were him I would never ever have done the same: Being fired and then continuing the same work voluntarily.

And as for the brand name. The website and domain are hosted in Europe. F5 (American), can do little in Russia. But Europe is a different story. Curious to see how that will play out.

eva2000 · Feb 18, 2024

Copyright holders have at their discretion the right to or not to pursue their rights. Not sure it would be wise to pursue Maxim legally for use of Nginx name and risk pissing off the Nginx developer/contributor/own staff/ community and users.

buik said: ↑

Very neat what he did those 2 years. If I were him I would never ever have done the same: Being fired and then continuing the same work voluntarily.
Click to expand...

I 100% understand his feelings as almost exact similar situation happened to me recently when a 12+ years old working client relationship ended with my client passing away and having eventually been taken advantage of by his relative who didn't pay me for my work in saving the server and site from overdue web hosting bill termination when no known relatives had been found yet and even wanted to take false unsubstantiated legal action against me. I did it anyway knowing there was a possibility of such outcome as 12yrs is a long time working on my deceased client's server and I considered it almost apart of set of babies and had a attachment to seeing them survive and continue in the way I designed and configured it for.

atomi · Feb 22, 2024

Freenginx 1.25.4 was released yesterday and the latest beta seems to work just fine with it
Code:
nginx version: nginx/1.25.4 (210224-203505-almalinux8-lxc-03cbe97-br-a71f931-freengx)
built with OpenSSL 1.1.1w+quic  11 Sep 2023
TLS SNI support enabled

eva2000 · Feb 22, 2024

Thanks for heads up. Notice the differences in Change logs! Clearly Maxmim doesn't like HTTP/3 security bugs being labelled with CVEs :LOL:

Personally I prefer CVE labelled security classed bugs for Nginx HTTP/3

http://freenginx.org/en/CHANGES

Code (Text):

Changes with freenginx 1.25.4                                    20 Feb 2024

   *) Change: now the "freenginx" name is used in responses.

   *) Bugfix: "open socket left" alerts might appear in logs during worker
      processes shutdown when using AIO.

   *) Bugfix: a segmentation fault might occur in a worker process if AIO
      was used in subrequests.

   *) Bugfix: a segmentation fault might occur in a worker process if the
      "image_filter" directive was used, and errors with code 415 were
      redirected with the "error_page" directive.

   *) Bugfix: a segmentation fault might occur in a worker process when
      handling cached responses with the "X-Accel-Redirect" header.
      Thanks to Jiří Setnička.

   *) Bugfix: a segmentation fault might occur in a worker process when
      using HTTP/3.

   *) Bugfixes and improvements in HTTP/3.

Nginx http://nginx.org/en/CHANGES

Code (Text):

Changes with nginx 1.25.4                                        14 Feb 2024

   *) Security: when using HTTP/3 a segmentation fault might occur in a
      worker process while processing a specially crafted QUIC session
      (CVE-2024-24989, CVE-2024-24990).

   *) Bugfix: connections with pending AIO operations might be closed
      prematurely during graceful shutdown of old worker processes.

   *) Bugfix: socket leak alerts no longer logged when fast shutdown was
      requested after graceful shutdown of old worker processes.

   *) Bugfix: a socket descriptor error, a socket leak, or a segmentation
      fault in a worker process (for SSL proxying) might occur if AIO was
      used in a subrequest.

   *) Bugfix: a segmentation fault might occur in a worker process if SSL
      proxying was used along with the "image_filter" directive and errors
      with code 415 were redirected with the "error_page" directive.

   *) Bugfixes and improvements in HTTP/3.

atomi · Jun 9, 2024

Freenginx released 1.27.1 and wanted to give it a try but it wasnt so easy with the latest 130.00beta01.b632.
I guess they have changed download name from "nginx-" to "freenginx-" and that resulted 404 error.
Well I thought I will just update package name in 'downloadlinks.inc' but it didnt help since 'nginx_upgrade.inc' has download link in line 811. Then I updated it and the extract command just to find its extracted to different directory which will cause issues while patching etc so in the end I just manually downloaded file from freenginx.org then extracted the file and renamed "freenginx-1.27.1" directory to "nginx-1.27.1". After this I was able to compile the latest freenginx with http3.
Code:
# nginx -V
nginx version: freenginx/1.27.1 (080624-145344-centos7-lxc-70631b1-br-a71f931-freengx)
built by gcc 11.2.1 20220127 (Red Hat 11.2.1-9) (GCC)
built with OpenSSL 1.1.1w+quic  11 Sep 2023
TLS SNI support enabled

eva2000 · Jun 9, 2024

atomi said: ↑

Freenginx released 1.27.1 and wanted to give it a try but it wasnt so easy with the latest 130.00beta01.b632.
Click to expand...

Just set in persistent config file /etc/centminmod/custom_config.inc
Code (Text):
FREENGINX_INSTALL='y'
Then run centmin.sh menu option 4 and input desired freenginx version

atomi · Jun 9, 2024

eva2000 said: ↑
Just set in persistent config file /etc/centminmod/custom_config.inc
Code (Text):
FREENGINX_INSTALL='y'
Then run centmin.sh menu option 4 and input desired freenginx version
Click to expand...
Yes, I had that added but it didnt work. I think its broken in all freenginx versions

eva2000 · Jun 9, 2024

atomi said: ↑

I guess they have changed download name from "nginx-" to "freenginx-" and that resulted 404 error.
Click to expand...

Ah i see what you mean they changed the name of the file downloaded too Index of /download/ from nginx- to freenginx- will need to update 130.00beta01 then

eva2000 · Jun 9, 2024

updated 130.00beta01 with fix you can pull down via cmupdate command

persistent config file using /etc/centminmod/custom_config.inc the variables to switch from official Nginx to forked freenginx and to use system OpenSSL on AlmaLinux 9 instead of compiling OpenSSL
Code (Text):
FREENGINX_INSTALL=y
OPENSSL_SYSTEM_USE=y
nginx -V
nginx version: freenginx/1.27.1 (080624-200305-almalinux9-kvm-70631b1-freengx)
built by gcc 13.2.1 20231205 (Red Hat 13.2.1-6) (GCC)
built with OpenSSL 3.0.7 1 Nov 2022
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/nginx-dep/lib -ljemalloc -Wl,-z,relro,-z,now -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/nginx-dep/lib -pie -flto=2 -flto-compression-level=3 -fuse-ld=gold' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/nginx-dep/include -m64 -march=native -fPIC -g -O3 -fstack-protector-strong -flto=2 -flto-compression-level=3 -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Wno-pointer-sign -Wimplicit-fallthrough=0 -Wno-implicit-function-declaration -Wno-cast-align -Wno-builtin-declaration-mismatch -Wno-deprecated-declarations -Wno-int-conversion -Wno-unused-result -Wno-vla-parameter -Wno-maybe-uninitialized -Wno-return-local-addr -Wno-array-parameter -Wno-alloc-size-larger-than -Wno-address -Wno-array-bounds -Wno-discarded-qualifiers -Wno-stringop-overread -Wno-stringop-truncation -Wno-missing-field-initializers -Wno-unused-variable -Wno-format -Wno-error=unused-result -Wno-missing-profile -Wno-stringop-overflow -Wno-free-nonheap-object -Wno-discarded-qualifiers -Wno-bad-function-cast -Wno-dangling-pointer -Wno-array-parameter -fcode-hoisting -Wno-cast-function-type -Wno-format-extra-args -Wp,-D_FORTIFY_SOURCE=2' --prefix=/usr/local/nginx --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=080624-200305-almalinux9-kvm-70631b1-freengx --without-pcre2 --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5.1 --add-module=../ngx_devel_kit-0.3.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../echo-nginx-module-0.63 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.4.0-cmm --add-module=../memc-nginx-module-0.19 --add-module=../srcache-nginx-module-0.33 --add-module=../headers-more-nginx-module-0.34 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.3 --with-zlib-opt=-fPIC --with-http_ssl_module --with-http_v2_module
Click to expand...

atomi · Jun 9, 2024

I tested with the same box that had issues yesterday.
After cmupdate I got version 130.00beta01.b635 but nginx update from menu 4 didnt work but went back to main menu. Luckily got small hint whats wrong when I first time ran ./centmin.sh and fixed it by changing line 632 from /usr/local/src/centminmod/inc/nginx_upgrade.inc

Old
Code:
if [[ "$ngver" = 'quic' || "$NGINX_QUIC_SUPPORT" = [yY] ]]
New
Code:
if [[ "$ngver" = 'quic' || "$NGINX_QUIC_SUPPORT" = [yY] ]]; then
After this change I was able to compile the latest freenginx without any issues. Thanks again for these changes and new PHP security updates!

eva2000 · Jun 10, 2024

Yeah the nginx_upgrade.inc bug was fixed in latest 130.00beta01 update

atomi · Jul 3, 2024

Not sure if this should work but tried install the latest freenginx with fresh 140.00beta01 installation by adding following parameters to custom_config.inc
Code:
FREENGINX_INSTALL='y'
NGINX_VERSION='1.27.1'
installer failed without any working nginx because if I understand correctly by looking code from this file its not possible install freenginx from start? probably failed since there is no 1.27.1 nginx version
/usr/local/src/centminmod/inc/nginx_install.inc

eva2000 · Jul 3, 2024

atomi said: ↑
Not sure if this should work but tried install the latest freenginx with fresh 140.00beta01 installation by adding following parameters to custom_config.inc
Code:
FREENGINX_INSTALL='y'
NGINX_VERSION='1.27.1'
installer failed without any working nginx because if I understand correctly by looking code from this file its not possible install freenginx from start? probably failed since there is no 1.27.1 nginx version
/usr/local/src/centminmod/inc/nginx_install.inc
Click to expand...
FREENGINX_INSTALL='y' works with FREENGINX_VERSION='1.27.1' not NGINX_VERSION='1.27.1' as official Nginx versions may not align with Freenginx versions. That would be one reason. The other is as you say FREENGINX_INSTALL='y' only works on centmin.sh menu option 4 upgrade runs and not initial install runs right now and work on such will be in future Centmin Mod 140.00beta01

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

Nginx Freenginx

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

atomi Member

eva2000 Administrator Staff Member

atomi Member

eva2000 Administrator Staff Member

atomi Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

atomi Member

eva2000 Administrator Staff Member

atomi Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

Nginx Freenginx

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

atomi Member

eva2000 Administrator Staff Member

atomi Member

eva2000 Administrator Staff Member

atomi Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

atomi Member

eva2000 Administrator Staff Member

atomi Member

eva2000 Administrator Staff Member

.