HTTP/2 C library and tools

Nghttp2 v1.51.0

We have released nghttp2 v1.51.0.


This release adds casts to silence implicit conversion warnings for windows build.


Updated packages described in README based on Ubuntu 22.04.

Android documentation has been updated.


The following dependencies have been updated:

  • Android NDK
  • libbpf
  • OpenSSL
  • ngtcp2

Python bindings are now disabled by default because it has been deprecated.


llhttp has been updated.


This release fixes affinity-cookie-stickiness parameter handling.


This release adds http3 integration test.

Nghttp2 v1.50.0

We have released nghttp2 v1.50.0.


This release adds nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation which disables checking leading and trailing white spaces against HTTP field value.


nghttpx now respects backend-address-family option when dynamically resolving backend host with dns parameter in backend option.

Nghttp2 v1.49.0

We have released nghttp2 v1.49.0.


This release adds nghttp2_check_header_value_rfc9113 which complains leading and trailing white spaces. The library now uses this function instead of nghttp2_check_header_value when checking HTTP header fields.


libnghttp2_asio has been moved to its own repository and got new maintainer. libnghttp2_asio related code in nghttp2 repository will not get any updates and be removed at the end of 2022.


Python bindings have been deprecated, and will not get any updates and be removed at the end of 2022 due to the maintenance issues.


Randomizing backend server selection has been added again.

The broken PROXY-protocol when TLS is used has been fixed.

nghttpx now removes trailing white spaces from HTTP header fields to align with RFC 9113.

Nghttp2 v1.48.0

We have released nghttp2 v1.48.0.


This release adds RFC9218 Extensible Prioritization Scheme for HTTP. It is enabled by submitting NGHTTP2_SETTINGS_NO_RFC7540_PRIORITIES via nghttp2_submit_settings(). See Stream priorities section of Programmers’ Guide.

It fixes the stream stall bug when the initial window size is decreased.


Now applications can be built with Libressl 3.5.

If --enable-lib-only configure option is used, no application libraries are checked.


The default TLS cipher suites are updated.

ktls support has been added to nghttp, nghttpd, nghttpx, and h2load if they are built with OpenSSL >= 3.0.0.


This release fixes the bug that stalls TLS read operation.


nghttpx by default disables RFC 7540 tree based HTTP/2 priorities and uses RFC 9218 priorities instead. It has a fallback mechanism to RFC 7540 if client does not send SETTINGS_NO_RFC7540_PRIORITIES.

affinity-cookie-stickiness backend parameter has been added.

The session affinity feature which had been broken for quite some time has been fixed.


llhttp has been updated to the latest version.

mruby has been updated to 3.1.0.

neverbleed has been updated the latest version with some amends.

Nghttp2 v1.47.0

We have released nghttp2 v1.47.0.


This release fixes the incorrect HPACK decoder table size update, which lead to incorrectly require Dynamic Table Size Update from an encoder when it is not needed.


cmake build now disables libbpf by default.


Now maximum allowed maximum frame size is configurable with --max-frame-size.


--require-http-scheme option is added. It requires http or https scheme in HTTP request. It also requires that https scheme must be used for an encrypted connection. Otherwise, http scheme must be used. This option is recommended for a server deployment which directly faces clients and the services it provides only require http or https scheme.

BBR2 congestion control algorithm is added to QUIC connection.

libbpf is now bumped to v0.7.0 and turn on all strict features.

The qlog file extension is changed to .sqlog.

The bug that causes h3 stream ends prematurely has been fixed.

The issue that a forwarded h3 GET request to HTTP/1.1 hop always has chunked transfer-encoding: chunked has been fixed.

QUIC connection now sends and receives ECN bits.

HTTP/3 trailer fields support has been added.

Nghttp2 v1.46.0

We have released nghttp2 v1.46.0.


A workaround is added to avoid the broken version check in AX_PYTHON_DEVEL macro.

It adds the missing cmake files to EXTRA_DIST.


HTTP/3 feature is now available with BoringSSL.

SCT data is now available with BoringSSL.

New QUIC and HTTP/3 related options were added: --frontend-quic-initial-rtt, --quic-server-id, and --rlimit-memlock.

--frontend-quic-connection-id-encryption-key has been removed, and the new option --frontend-quic-secret-file has been added which specifies initial keying materials to generate QUIC secrets and keys for connection ID and tokens. It also supports the rotation of keying materials.

HTTP/3 ALPN h3-29 is now supported.

--worker-process-grace-shutdown-period option was added to set the maximum grace period to wait for a worker process to terminate gracefully.

--max-worker-processes option was added to limit the number of the lingering worker processes.


HTTP/3 feature is now available with BoringSSL.

Nghttp2 v1.45.1

We have released nghttp2 v1.45.1.


This release fixes packaging issues which lack some configuration files in tar archives.

Nghttp2 v1.45.0

We have released nghttp2 v1.45.0.


Stricter checks for :method: and :path pseudo header fields are introduced.


nghttp2 applications can be compiled with OpenSSL v3.0.0.

Fix warning about systemd when cmake is used.

Added build options to enable HTTP/3 and eBPF.


The experimental HTTP/3 support has been added.

“dnf” (= “do not forward”) parameter is added to backend option.


The experimental HTTP/3 support has been added.

SSLKEYLOGFILE environment variable support has been added.

Nghttp2 v1.44.0

We have released nghttp2 v1.44.0.


More --with-* configure options have been added:

  • --with-jannson
  • --with-zlib
  • --with-libevent-openssl
  • --with-libcares
  • --with-openssl
  • --with-libev
  • --with-cunit

The following precious variables have been added:



Bump llhttp to v6.0.2.


The bug which prevents a backend which is excluded from a load balancing group temporarily from being restored.

The word master is replaced main. The nghttpx master process is now called main process.

--no-http2-cipher-black-list and --client-no-http2-cipher-black-list are deprecated and replaced with --no-http2-cipher-block-list and --client-no-http2-cipher-block-list respectively.

Remove trailing white space after $method log variable.


--rps option has been added.

The time unit (e.g., ms) is now allowed in -D option.

Nghttp2 v1.43.0

We have released nghttp2 v1.43.0.

This release has no changes in libnghttp2.


Documentations are now built with Sphinx 3.3.0 or later.


The python binding now requires Python 3.

All python scripts for nghttp2 development are translated to Python 3 compatible.


This release fixes a potential memory issue that a memory pool gets cleared while it is still in use.

ECDSA certificate is now chosen when compatible signature algorithm is available.

This release adds a workaround to include ‘:’ in backend pattern.