NGINX 1.29.6 Adds Native Sticky Sessions and Fixes QUIC Reset Packet Overflow
NGINX 1.29.6 mainline release introduces a sticky-session directive for upstream blocks, enabling cookie-based session affinity without external load balancers and solving session-loss issues during worker restarts. The release also fixes oversized QUIC reset packets and improves SCGI backend proxying.
NGINX 1.29.6 mainline has arrived with a feature that administrators have been requesting for years: a native sticky-session directive for upstream blocks. The addition eliminates the need for external load balancers or third-party modules to maintain session affinity, while a QUIC protocol fix addresses packet handling issues that affected HTTP/3 deployments.
Native Sticky Sessions
The new sticky directive in upstream blocks enables cookie-based session affinity directly in NGINX's configuration. When a client first connects to an upstream group, NGINX selects a backend server using the configured load balancing algorithm and sets a cookie identifying that server. Subsequent requests from the same client are routed to the same backend as long as the cookie is present and the server is healthy.
Previous versions of NGINX required either the commercial NGINX Plus product or third-party modules like nginx-sticky-module to achieve session affinity. The built-in implementation solves a persistent pain point: session loss during worker process restarts. When NGINX reloads its configuration or a worker process is replaced, the new worker can read the session cookie and route the request correctly without disrupting the user's session.
QUIC and HTTP/3 Fixes
The release fixes an issue where NGINX could send oversized QUIC reset packets that exceeded the path MTU, causing network compatibility problems. The fix caps reset packet size and implements rate limiting for reset generation, preventing a scenario where a flood of invalid QUIC connections could cause NGINX to generate excessive reset traffic. SCGI backend proxying has also been improved with proper chunked transfer encoding support.
Security Context
This release follows the 1.29.5 and 1.28.2 patches that addressed CVE-2026-1642, a time-of-check-time-of-use (TOCTOU) race condition in upstream TLS connections. The race allowed a man-in-the-middle attacker to inject traffic into an upstream connection by exploiting a brief window between certificate verification and data transmission. Sites using NGINX as a reverse proxy with TLS-encrypted upstream connections should ensure they are running at least version 1.28.2 (stable) or 1.29.5 (mainline).
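The version floor stated above can be checked from the `nginx -v` banner. The script below is an added example, not code from the NGINX project; the function names are hypothetical, the sample banners are constructed, and it assumes branches newer than 1.29 already carry the fix.

```shell
#!/bin/sh
# Added example (not from the article): compare an nginx version against the
# minimum releases the article names: 1.28.2 (stable) and 1.29.5 (mainline).

# Pull "X.Y.Z" out of a banner such as "nginx version: nginx/1.29.6".
nginx_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's|.*nginx/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# Exit status: 0 = meets the minimum for its branch, 1 = older, 2 = unparsable.
# Assumption: branches newer than 1.29 already include the fix.
nginx_meets_minimum() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$_old_ifs
    [ "$#" -eq 3 ] || return 2
    [ "$1" -gt 1 ] && return 0
    [ "$1" -lt 1 ] && return 1
    if   [ "$2" -lt 28 ]; then return 1
    elif [ "$2" -eq 28 ]; then [ "$3" -ge 2 ]
    elif [ "$2" -eq 29 ]; then [ "$3" -ge 5 ]
    else return 0
    fi
}

# Classify one banner line and print the verdict.
check_banner() {
    _v=$(nginx_version_from_banner "$1")
    if nginx_meets_minimum "$_v"; then
        echo "OK      $_v"
    else
        case $? in
            1) echo "UPGRADE $_v (below 1.28.2 / 1.29.5)" ;;
            *) echo "UNKNOWN could not parse: $1" ;;
        esac
    fi
}

# Constructed sample banners; on a real host use: check_banner "$(nginx -v 2>&1)"
for b in "nginx version: nginx/1.29.6" "nginx version: nginx/1.29.4" \
         "nginx version: nginx/1.28.2" "nginx version: nginx/1.26.3"; do
    check_banner "$b"
done
```

Distribution packages may backport a fix without changing the upstream version string, so an UPGRADE result on a vendor build should be confirmed against that vendor's advisory.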
NGINX 1.29.6 is available from the official NGINX repositories and from source at nginx.org.