Skip to content

Nginx core developer quits project in security dispute, starts “freenginx” fork

Hosting
  • A core developer of Nginx, currently the world’s most popular web server, has quit the project, stating that he no longer sees it as “a free and open source project… for the public good.” His fork, freenginx, is “going to be run by developers, and not corporate entities,” writes Maxim Dounin, and will be “free from arbitrary corporate actions.”

    Dounin is one of the earliest and still most active coders on the open source Nginx project and one of the first employees of Nginx, Inc., a company created in 2011 to commercially support the steadily growing web server. Nginx is now used on roughly one-third of the world’s web servers, ahead of Apache.

    A tricky history of creation and ownership

    Nginx Inc. was acquired by Seattle-based networking firm F5 in 2019. Later that year, two of Nginx’s leaders, Maxim Konovalov and Igor Sysoev, were detained and interrogated in their homes by armed Russian state agents. Sysoev’s former employer, Internet firm Rambler, claimed that it owned the rights to Nginx’s source code, as it was developed during Sysoev’s tenure at Rambler (where Dounin also worked). While the criminal charges and rights do not appear to have materialized, the implications of a Russian company’s intrusion into a popular open source piece of the web’s infrastructure caused some alarm.

    Sysoev left F5 and the Nginx project in early 2022. Later that year, due to the Russian invasion of Ukraine, F5 discontinued all operations in Russia. Some Nginx developers still in Russia formed Angie, developed in large part to support Nginx users in Russia. Dounin technically stopped working for F5 at that point, too, but maintained his role in Nginx “as a volunteer,” according to Dounin’s mailing list post.

    Dounin writes in his announcement that “new non-technical management” at F5 “recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers’ position.” While it was “quite understandable,” given their ownership, Dounin wrote that it means he was “no longer able to control which changes are made in nginx,” hence his departure and fork.

    The CVEs at the center of the split

    Comments on Hacker News, including one by a purported employee of F5, suggest Dounin opposed the assigning of published CVEs (Common Vulnerabilities and Exposures) to bugs in aspects of QUIC. While QUIC is not enabled in the most default Nginx setup, it is included in the application’s “mainline” version, which, according to the Nginx documentation, contains “the latest features and bug fixes and is always up to date.”

    The commenter from F5, MZMegaZone, seemingly the principal security engineer at F5, notes that “a number of customers/users have the code in production, experimental or not” and adds that F5 is a CVE Numbering Authority (CNA).

    Dounin expanded on F5’s actions in a later mail response.

    The most recent “security advisory” was released despite the fact that the particular bug in the experimental HTTP/3 code is expected to be fixed as a normal bug as per the existing security policy, and all the developers, including me, agree on this.

    And, while the particular action isn’t exactly very bad, the approach in general is quite problematic.

    Asked about the potential for name confusion and trademark issues, Dounin wrote in another response about trademark concerns:

    I believe [they] do not apply here, but IANAL [I am not a lawyer]," and "the name aligns well with project goals.

    MZMegaZone confirmed the relationship between security disclosures and Dounin’s departure.

    All I know is he objected to our decision to assign CVEs, was not happy that we did, and the timing does not appear coincidental,"

    MZMegaZone wrote on Hacker News. He later added,

    I don’t think having the CVEs should reflect poorly on NGINX or Maxim. I’m sorry he feels the way he does, but I hold no ill will toward him and wish him success, seriously.

    Dounin, reached by email, pointed to his mailing list responses for clarification. He added,

    Essentially, F5 ignored both the project policy and joint developers’ position, without any discussion."

    MegaZone wrote to Ars (noting that he only spoke for himself and not F5), stating, “It’s an unfortunate situation, but I think we did the right thing for the users in assigning CVEs and following public disclosure practices. Rational people can disagree and I respect Maxim has his own view on the matter, and hold no ill will toward him or the fork. I wish it hadn’t come to this, but I respect the choice was his to make.”

    A representative for F5 wrote to Ars that:

    F5 is committed to delivering successful open source projects that require a large and diverse community of contributors, as well as applying rigorous industry standards forassigning and scoring identified vulnerabilities. We believe this is the right approach for developing highly secure software for our customers and community, and we encourage the open source community to join us in this effort.

    – Source :

    https://arstechnica.com/information-technology/2024/02/nginx-key-developer-starts-a-freenginx-fork-after-dispute-with-parent-firm/

  • DownPWundefined DownPW marked this topic as a regular topic on
  • @DownPW Interesting. I do wonder however if this project was forked because of the CVE’s identified, or the fact that the core developer of NGINX doesn’t like the idea of his brainchild being consumed by a large corporate. We’ve seen this happen before on numerous occasions such as the below

    • OwnCloud -> Forked to NextCloud
    • MySql -> Forked to MariaDB
    • Open Office -> Forked to Libre Office

    I’d like to think that this is all in the name of keeping Open Source software free, although part of me thinks that forks are created for other reasons aside from the original developer not agreeing or being palatable to the direction acquisition typically brings to the table. You cannot expect a larger entity to purchase your Open Source software and for it to remain in its current format, or to operate autonomously. This is not how larger corporate entities operate.

  • Just had a look through the new Free NGINX website, which looks like an 80’s throwback and that it was created using a ZX Spectrum 🙂

    https://freenginx.org

    Love the sarcastic note…

    image.png

  • Seems that before FreeNGINX, there was “Angie” - a strange name for a fork of Nginx, but here it is nonetheless

    https://angie.software/en/

    Features

    Core advantages over nginx include the following:

    • Supporting HTTP/3 for client connections, as well as for proxied server connections, with the ability to independently use different protocol versions (HTTP/1.x, HTTP/2, HTTP/3) on opposite sides.
    • Automatic HTTPS provisions TLS certificates using built-in ACME support.
    • Simplifying configuration: the location directive can define several matching expressions at once, which enables combining blocks with shared settings.
    • Exposing basic information about the web server, its configuration, as well as metrics of proxied servers, client connections, shared memory zones, and many other things via a RESTful API interface in JSON format.
    • Exporting statistics in Prometheus format with customizable templates.
    • Monitoring the server through the browser with the Console Light visual monitoring tool. See the online demo: https://console.angie.software/
    • Automatically updating lists of proxied servers matching a domain name or retrieving such lists from SRV DNS records.
    • Session binding mode, which directs all requests within one session to the same proxied server.
    • Recommissioning upstream servers after a failure smoothly using the slow_start option of the server directive.
    • Limiting the MP4 file transfer rate proportionally to its bitrate, thus reducing the bandwidth load.
    • Extending authorization and balancing capabilities for the MQTT protocol with the mqtt_preread directive under stream.
    • Pre-built binary packages for many popular third-party modules.
    • Server- and client-side support for NTLS when using the TongSuo TLS library, enabled at build time.

    Judging by these new features, this specific fork seems very active with updates once per quarter.

  • have you test it ?
    Maybe virtualmin implement it in the future…

  • @DownPW said in Nginx core developer quits project in security dispute, starts “freenginx” fork:

    Maybe virtualmin implement it in the future…

    I don’t think they will - my guess is that they will stick with the current branch of NGINX. I’ve not personally tested it, but the GIT page seems to be very active. This is equally impressive

    8ac0d197-68fa-4bd8-bfa3-87237bf8f1f4-image.png

    I think the most impressive on here is the native support of HTTP 3


Related Topics
  • Error certification on virtualmin/Nginx

    Solved Linux
    17
    0 Votes
    17 Posts
    554 Views

    @DownPW anytime

  • Is nginx necessary to use?

    Moved Solved Hosting
    2
    1 Votes
    2 Posts
    254 Views

    @Panda said in Cloudflare bot fight mode and Google search:

    Basic question again, is nginx necessary to use?

    No, but you’d need something at least to handle the inbound requests, so you could use Apache, NGINX, Caddy… (there are plenty of them, but I tend to prefer NGINX)

    @Panda said in Cloudflare bot fight mode and Google search:

    Do these two sites need to be attached to different ports, and the ports put in the DNS record?

    No. They will both use ports 80 (HTTP) and 443 (HTTPS) by default.

    @Panda said in Cloudflare bot fight mode and Google search:

    Its not currently working, but how would the domain name know which of the two sites to resolve to without more info?
    Currently it only says the IP of the whole server.

    Yes, that’s correct. Domain routing is handled (for example) at the NGINX level, so whatever you have in DNS will be presented as the hostname, and NGINX will expect a match which once received, will then be forwarded onto the relevant destination.

    As an example, in your NGINX config, you could have (at a basic level used in reverse proxy mode - obviously, the IP addresses here are redacted and replaced with fakes). We assume you have created an A record in your DNS called “proxy” which resolves to 192.206.28.1, so fully qualified, will be proxy.sudonix.org in this case.

    The web browser requests this site, which is in turn received by NGINX and matches the below config

    server { server_name proxy.sudonix.org; listen 192.206.28.1; root /home/sudonix.org/domains/proxy.sudonix.org/ogproxy; index index.php index.htm index.html; access_log /var/log/virtualmin/proxy.sudonix.org_access_log; error_log /var/log/virtualmin/proxy.sudonix.org_error_log; location / { proxy_set_header Access-Control-Allow-Origin *; proxy_set_header Host $host; proxy_pass http://localhost:2000; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Api-Key $http_x_api_key; } location /images { index index.php index.htm index.html; root /home/sudonix.org/domains/proxy.sudonix.org/ogproxy; } fastcgi_split_path_info "^(.+\.php)(/.+)$"; listen 192.206.28.1:443 ssl http2; ssl_certificate /home/sudonix.org/domains/proxy.sudonix.org/ssl.combined; ssl_certificate_key /home/sudonix.org/ssl.key; }

    The important part here is server_name proxy.sudonix.org; as this is used to “map” the request to the actual domain name, which you can see in the root section as root /home/sudonix.org/domains/proxy.sudonix.org/ogproxy;

    As the DNS record you specified matches this hostname, NGINX then knows what to do with the request when it receives it.

  • Optimum config for NodeBB under NGINX

    Performance
    4
    3 Votes
    4 Posts
    708 Views

    @crazycells hi - no security reason, or anything specific in this case. However, the nginx.conf I posted was from my Dev environment which uses this port as a way of not interfering with production.

    And yes, I use clustering on this site with three instances.

  • NODEBB: Nginx error performance & High CPU

    Solved Performance
    69
    14 Votes
    69 Posts
    5k Views

    @phenomlab

    Seems to be better with some scaling fix for redis on redis.conf. I haven’t seen the message yet since the changes I made

    # I increase it to the value of /proc/sys/net/core/somaxconn tcp-backlog 4096 # I'm uncommenting because it can slow down Redis. Uncommented by default !!!!!!!!!!!!!!!!!!! #save 900 1 #save 300 10 #save 60 10000

    If you have other Redis optimizations. I take all your advice

    https://severalnines.com/blog/performance-tuning-redis/

  • 6 Votes
    36 Posts
    2k Views

    @justoverclock said in Digitalocean step by step guide to nginx configuration:

    i’m learning

    And that’s the whole point of this site 🙂 If you don’t learn anything, you gain nothing.

  • nginx can't start again

    Moved Solved Configure
    20
    2 Votes
    20 Posts
    1k Views

    @elhana-fine Yes that will happen of of course if you still choose to restart the NGINX service after making a change and the test fails. The test on it’s own will state the error and the line number allowing you to fix that first 🙂

  • nginx seo urls

    Solved Configure
    15
    3 Votes
    15 Posts
    978 Views

    @riekmedia that looks fine to me

  • 1 Votes
    12 Posts
    1k Views

    @ash3t Great 🙂 Glad everything has worked out.