70 changed files with 651 additions and 6872 deletions
--- a/.github/DISCUSSION_TEMPLATE/general.yml
+++ b/.github/DISCUSSION_TEMPLATE/general.yml
@ -1,15 +0,0 @@
---
-body:
-  - type: markdown
-    attributes:
-      value: |
-        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
-  - type: textarea
-    id: general
-    attributes:
-      label: What would you like to discuss?
-      description: Please provide as much context as possible. Remember that only general discussions related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
-      value: |
-        I would like to discuss...
-    validations:
-      required: true
--- a/.github/DISCUSSION_TEMPLATE/ideas.yml
+++ b/.github/DISCUSSION_TEMPLATE/ideas.yml
@ -1,15 +0,0 @@
---
-body:
-  - type: markdown
-    attributes:
-      value: |
-        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
-  - type: textarea
-    id: ideas
-    attributes:
-      label: What idea would you like to discuss?
-      description: Please provide as much context as possible. Remember that only ideas related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
-      value: |
-        I have an idea for...
-    validations:
-      required: true
--- a/.github/DISCUSSION_TEMPLATE/q-a.yml
+++ b/.github/DISCUSSION_TEMPLATE/q-a.yml
@ -1,15 +0,0 @@
---
-body:
-  - type: markdown
-    attributes:
-      value: |
-        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
-  - type: textarea
-    id: q-a
-    attributes:
-      label: What question do you have?
-      description: Please provide as much context as possible. Remember that only questions related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
-      value: |
-        I would like to know...
-    validations:
-      required: true
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ""
+labels: "bug"
+---
+
+### Environment
+
+Include the result of the following commands:
+  - `nginx -V`
+  - `uname -a`
+
+### Description
+
+Describe the bug in full detail including expected and actual behavior.
+Specify conditions that caused it. Provide the relevant part of nginx
+configuration and debug log.
+
+- [ ] The bug is reproducible with the latest version of nginx
+- [ ] The nginx configuration is minimized to the smallest possible
+to reproduce the issue and doesn't contain third-party modules
+
+#### nginx configuration
+
+```
+# Your nginx configuration here
+```
+or share the configuration in [gist](https://gist.github.com/).
+
+#### nginx debug log
+
+It is advised to enable
+[debug logging](http://nginx.org/en/docs/debugging_log.html).
+```
+# Your nginx debug log here
+```
+or share the debug log in [gist](https://gist.github.com/).
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -1,106 +0,0 @@
---
-name: 🐛 Bug report
-description: Create a report to help us improve
-labels: bug
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this bug report!
-
-        Before you continue filling out this report, please take a moment to check that your bug has not been [already reported on GitHub][issue search], is reproducible with the latest version of nginx, and does not involve any third-party modules 🙌
-
-        Remember to redact any sensitive information such as authentication credentials and/or license keys!
-
-        **Note:** If you are seeking community support, please start a new topic in the [NGINX Community forum][forum]. If you wish to discuss the codebase, please start a new thread via [GitHub discussions][discussions].
-
-        [issue search]: https://github.com/nginx/nginx/search?q=is%3Aissue&type=issues
-        [discussions]: https://github.com/nginx/nginx/discussions
-        [forum]: https://community.nginx.org
-
-  - type: textarea
-    id: overview
-    attributes:
-      label: Bug Overview
-      description: A clear and concise overview of the bug.
-      placeholder: When I do "X", "Y" happens instead of "Z".
-    validations:
-      required: true
-
-  - type: textarea
-    id: behavior
-    attributes:
-      label: Expected Behavior
-      description: A clear and concise description of what you expected to happen.
-      placeholder: When I do "X", I expect "Z" to happen.
-    validations:
-      required: true
-
-  - type: textarea
-    id: steps
-    attributes:
-      label: Steps to Reproduce the Bug
-      description: Detail the series of steps required to reproduce the bug.
-      placeholder: When I run "X" using [...], "X" fails with "Y" error message. If I check the terminal outputs and/or logs, I see the following info.
-    validations:
-      required: true
-
-  - type: textarea
-    id: configuration
-    attributes:
-      label: NGINX Configuration
-      description: Please provide your NGINX configuration. Minimize it to the smallest possible configuration that reproduces the issue.
-      value: |
-        ```
-        # Your NGINX configuration
-        ```
-    validations:
-      required: true
-
-  - type: textarea
-    id: version
-    attributes:
-      label: NGINX version and build configuration options
-      description: Please provide details about your NGINX build.
-      value: |
-        The output of `nginx -V`: [...]
-    validations:
-      required: true
-
-  - type: textarea
-    id: environment
-    attributes:
-      label: Environment where NGINX is being built and/or deployed
-      description: Please provide details about your environment.
-      value: |
-        - Target deployment platform: [e.g. AWS/GCP/local cluster/etc...]
-        - Target OS: [e.g. RHEL 9/Ubuntu 24.04/etc...]
-    validations:
-      required: true
-
-  - type: textarea
-    id: architecture
-    attributes:
-      label: Architecture where NGINX is being built and/or deployed
-      description: Please provide details about your deployment environment.
-      value: |
-        The output of `uname -a`: [...]
-    validations:
-      required: true
-
-  - type: textarea
-    id: logs
-    attributes:
-      label: NGINX Debug Log
-      description: Please provide your NGINX debug log. See this [doc](http://nginx.org/en/docs/debugging_log.html) for details on how to enable it.
-      value: |
-        ```
-        # Your NGINX debug log
-        ```
-
-  - type: textarea
-    id: context
-    attributes:
-      label: Additional Context
-      description: Add any other context about the problem here.
-      placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this issue in here.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -1,12 +0,0 @@
---
-blank_issues_enabled: false
-contact_links:
-  - name: 💬 Talk to the NGINX community!
-    url: https://community.nginx.org
-    about: A community forum for NGINX users, developers, and contributors
-  - name: 📝 Code of Conduct
-    url: https://www.contributor-covenant.org/version/2/1/code_of_conduct
-    about: NGINX follows the Contributor Covenant Code of Conduct to ensure a safe and inclusive community
-  - name: 💼 For commercial & enterprise users
-    url: https://www.f5.com/products/nginx
-    about: F5 offers a wide range of NGINX products for commercial & enterprise users
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -0,0 +1,18 @@
+---
+name: Feature request
+about: Suggest a feature for nginx
+title: ""
+labels: "feature"
+---
+
+### Describe the feature you'd like to add to nginx
+
+A clear and concise description of the feature.
+
+### Describe the problem this feature solves
+
+A clear and concise description of the problem.
+
+### Additional context
+
+Add any other context about the feature request here.
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@ -1,40 +0,0 @@
---
-name: ✨ Feature request
-description: Suggest an idea for this project
-labels: enhancement
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this feature request!
-
-        Before you continue filling out this request, please take a moment to check that your feature has not been [already requested on GitHub][issue search] 🙌
-
-        **Note:** If you are seeking community support, please start a new topic in the [NGINX Community forum][forum]. If you wish to discuss the codebase, please start a new thread via [GitHub discussions][discussions].
-
-        [issue search]: https://github.com/nginx/nginx/search?q=is%3Aissue&type=issues
-        [discussions]: https://github.com/nginx/nginx/discussions
-        [forum]: https://community.nginx.org
-
-  - type: textarea
-    id: overview
-    attributes:
-      label: Feature Overview
-      description: A clear and concise description of what the feature request is.
-      placeholder: I would like this project to be able to do "X".
-    validations:
-      required: true
-
-  - type: textarea
-    id: alternatives
-    attributes:
-      label: Alternatives Considered
-      description: Detail any potential alternative solutions/workarounds you've used or considered.
-      placeholder: I have done/might be able to do "X" in this project by doing "Y".
-
-  - type: textarea
-    id: context
-    attributes:
-      label: Additional Context
-      description: Add any other context about the problem here.
-      placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this feature request here.
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,10 +1,10 @@
 ### Proposed changes

-Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue) in this PR's description or commit message.
+Describe the use case and detail of the change.

-### Checklist
+If this pull request addresses an issue on GitHub, make sure to reference that
+issue using one of the
+[supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue).

-Before creating a PR, run through this checklist and mark each as complete:
-
- [ ] I have read the [contributing guidelines](/CONTRIBUTING.md).
- [ ] I have checked that NGINX compiles and runs after adding my changes.
+Before creating a pull request, make sure to comply with the
+[Contributing Guidelines](https://github.com/nginx/nginx/blob/master/CONTRIBUTING.md).
--- a/.github/workflows/f5_cla.yml
+++ b/.github/workflows/f5_cla.yml
@ -1,41 +0,0 @@
---
-name: F5 CLA
-on:
-  issue_comment:
-    types: [created]
-  pull_request_target:
-    types: [opened, closed, synchronize]
-permissions: read-all
-jobs:
-  f5-cla:
-    name: F5 CLA
-    runs-on: ubuntu-24.04
-    permissions:
-      actions: write
-      pull-requests: write
-      statuses: write
-    steps:
-      - name: Run F5 Contributor License Agreement (CLA) assistant
-        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
-        with:
-          # Path to the CLA document.
-          path-to-document: https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md
-          # Custom CLA messages.
-          custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the [F5 Contributor License Agreement (CLA)](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md) and reply on a new comment with the following text to agree:'
-          custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
-          custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
-          # Remote repository storing CLA signatures.
-          remote-organization-name: f5
-          remote-repository-name: f5-cla-data
-          # Branch where CLA signatures are stored.
-          branch: main
-          path-to-signatures: signatures/signatures.json
-          # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
-          # NOTE: You will want to edit the usernames to suit your project needs.
-          allowlist: bot*
-          # Do not lock PRs after a merge.
-          lock-pullrequest-aftermerge: false
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -5,34 +5,34 @@ We really appreciate that you are considering contributing!

 ## Table of Contents

+- [Ask a Question](#ask-a-question)
 - [Report a Bug](#report-a-bug)
 - [Suggest a Feature or Enhancement](#suggest-a-feature-or-enhancement)
 - [Open a Discussion](#open-a-discussion)
 - [Submit a Pull Request](#submit-a-pull-request)
 - [Issue Lifecycle](#issue-lifecycle)

+## Ask a Question
+
+To ask a question, open an issue on GitHub with the label `question`.
+
 ## Report a Bug

 To report a bug, open an issue on GitHub with the label `bug` using the
-available [bug report issue form](/.github/ISSUE_TEMPLATE/bug_report.yml).
-Please ensure the bug has not already been reported. **If the bug is a
-potential security vulnerability, please report it using our
-[security policy](/SECURITY.md).**
+available bug report issue template. Before reporting a bug, make sure the
+issue has not already been reported.

 ## Suggest a Feature or Enhancement

-To suggest a feature or enhancement, please create an issue on GitHub with the
-label `enhancement` using the available
-[feature request issue form](/.github/ISSUE_TEMPLATE/feature_request.yml).
+To suggest a feature or enhancement, open an issue on GitHub with the label
+`feature` or `enhancement` using the available feature request issue template.
 Please ensure the feature or enhancement has not already been suggested.

 ## Open a Discussion

 If you want to engage in a conversation with the community and maintainers,
 we encourage you to use
-[GitHub Discussions](https://github.com/nginx/nginx/discussions) to discuss
-the NGINX codebase or the [NGINX Community forum](https://community.nginx.org)
-to chat anything else NGINX (including troubleshooting).
+[GitHub Discussions](https://github.com/nginx/nginx/discussions).

 ## Submit a Pull Request

@ -89,20 +89,7 @@ git clone https://github.com/nginx/nginx-tests.git
 ```

 - Submitting a change implies granting project a permission to use it under the
-[BSD-2-Clause license](/LICENSE)
-
-### F5 Contributor License Agreement (CLA)
-
-F5 requires all contributors to agree to the terms of the F5 CLA
-(available [here](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md))
-before any of their changes can be incorporated into an F5 Open Source
-repository (even contributions to the F5 CLA itself!).
-
-If you have not yet agreed to the F5 CLA terms and submit a PR to this
-repository, a bot will prompt you to view and agree to the F5 CLA.
-You will have to agree to the F5 CLA terms through a comment in the PR
-before any of your changes can be merged. Your agreement signature
-will be safely stored by F5 and no longer be required in future PRs.
+[BSD-2-Clause license](https://github.com/nginx/nginx/blob/master/LICENSE)

 ## Issue Lifecycle

--- a/README.md
+++ b/README.md
@ -4,11 +4,6 @@
  <img alt="NGINX Banner">
 </picture>

-[![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
-[![Community Forum](https://img.shields.io/badge/community-forum-009639?logo=discourse&link=https%3A%2F%2Fcommunity.nginx.org)](https://community.nginx.org)
-[![License](https://img.shields.io/badge/License-BSD%202--Clause-blue.svg)](/LICENSE)
-[![Code of Conduct](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](/CODE_OF_CONDUCT.md)
-
 NGINX (pronounced "engine x" or "en-jin-eks") is the world's most popular Web Server, high performance Load Balancer, Reverse Proxy, API Gateway and Content Cache.

 NGINX is free and open source software, distributed under the terms of a simplified [2-clause BSD-like license](LICENSE).
@ -65,6 +60,7 @@ nginx -V
 ```
 > See [Configuring the build](#configuring-the-build) for information on how to include specific Static modules into your nginx build.

+
 ## Configurations
 NGINX is highly flexible and configurable. Provisioning the software is achieved via text-based config file(s) accepting parameters called "[Directives](https://nginx.org/en/docs/dirindex.html)". See [Configuration File's Structure](https://nginx.org/en/docs/beginners_guide.html#conf_structure) for a comprehensive description of how NGINX configuration files work.

@ -213,7 +209,9 @@ The output of which should start with:
 ```

 # Asking questions and reporting issues
-See our [Support](SUPPORT.md) guidelines for information on how discuss the codebase, ask troubleshooting questions, and report issues.
+We encourage you to engage with us.
+- [NGINX GitHub Discussions](https://github.com/nginx/nginx/discussions), is the go-to place to start asking questions and sharing your thoughts.
+- Our [GitHub Issues](https://github.com/nginx/nginx/issues) page offers space to submit and discuss specific issues, report bugs, and suggest enhancements.

 # Contributing code
 Please see the [Contributing](CONTRIBUTING.md) guide for information on how to contribute code.
--- a/SUPPORT.md
+++ b/SUPPORT.md
@ -1,48 +0,0 @@
-# Support
-
-## Ask a Question
-
-We use GitHub issues for tracking bugs and feature requests
-related to this project.
-
-If you don't know how something in the codebase works, are curious if NGINX
-is capable of achieving your desired functionality or want to discuss the
-implementation of an existing or in development feature, please start a
-GitHub discussion!
-
-## NGINX Specific Questions and/or Issues
-
-This project isn't the right place to get support for NGINX and/or NGINX
-troubleshooting questions, but the following resources are available below.
-Thanks for your understanding!
-
-### Community Forum
-
-We have a [community forum](https://community.nginx.org/)!
-If you have any NGINX specific questions and/or issues,
-try checking out the [`NGINX category`](https://community.nginx.org/c/projects/nginx/23).
-For general discussions around anything tangentially NGINX related,
-check out the [`General Discussion category`](https://community.nginx.org/c/general-discussion/34).
-Both fellow community members and NGINXers might be able to help you! :)
-
-### Documentation
-
-For a comprehensive list of all NGINX directives, check out <https://nginx.org>.
-
-For a comprehensive list of administration and deployment guides for all
-NGINX products, check out <https://docs.nginx.com>.
-
-## Contributing
-
-Please see the [contributing guide](/CONTRIBUTING.md) for guidelines
-on how to best contribute to this project.
-
-## Commercial Support
-
-Commercial support for this project is available.
-Please get in touch with [F5 sales](https://www.f5.com/products/get-f5/)
-or check your contract details for more information!
-
-## Community Support
-
-Community support is offered on a best effort basis through any of our active communities.
--- a/auto/cc/clang
+++ b/auto/cc/clang
@ -5,6 +5,15 @@
 # clang


+NGX_CLANG_VER=`$CC -v 2>&1 | grep 'version' 2>&1 \
+                           | sed -n -e 's/^.*clang version \(.*\)/\1/p' \
+                                    -e 's/^.*LLVM version \(.*\)/\1/p'`
+
+echo " + clang version: $NGX_CLANG_VER"
+
+have=NGX_COMPILER value="\"clang $NGX_CLANG_VER\"" . auto/define
+
+
 CC_TEST_FLAGS="-pipe"


--- a/auto/cc/gcc
+++ b/auto/cc/gcc
@ -8,6 +8,14 @@
 #     4.0.0, 4.0.1, 4.1.0


+NGX_GCC_VER=`$CC -v 2>&1 | grep 'gcc version' 2>&1 \
+                         | sed -e 's/^.* version \(.*\)/\1/'`
+
+echo " + gcc version: $NGX_GCC_VER"
+
+have=NGX_COMPILER value="\"gcc $NGX_GCC_VER\"" . auto/define
+
+
 # Solaris 7's /usr/ccs/bin/as does not support "-pipe"

 CC_TEST_FLAGS="-pipe"
@ -104,7 +112,7 @@ esac

 CC_AUX_FLAGS="$CC_AUX_FLAGS $CPU_OPT"

-case "$NGX_CC_VER" in
+case "$NGX_GCC_VER" in
    2.7*)
        # batch build
        CPU_OPT=
@ -137,7 +145,7 @@ CFLAGS="$CFLAGS -Wall -Wpointer-arith"
 #CFLAGS="$CFLAGS -Winline"
 #CFLAGS="$CFLAGS -Wmissing-prototypes"

-case "$NGX_CC_VER" in
+case "$NGX_GCC_VER" in
    2.*)
        # we have a lot of the unused function arguments
        CFLAGS="$CFLAGS -Wno-unused"
--- a/auto/cc/icc
+++ b/auto/cc/icc
@ -5,6 +5,14 @@

 # Intel C++ compiler 7.1, 8.0, 8.1, 9.0, 11.1

+NGX_ICC_VER=`$CC -V 2>&1 | grep 'Version' 2>&1 \
+                         | sed -e 's/^.* Version \([^ ]*\) *Build.*$/\1/'`
+
+echo " + icc version: $NGX_ICC_VER"
+
+have=NGX_COMPILER value="\"Intel C Compiler $NGX_ICC_VER\"" . auto/define
+
+
 # optimizations

 CFLAGS="$CFLAGS -O"
@ -75,7 +83,7 @@ CFLAGS="$CFLAGS -wd1418"
 # external declaration in primary source file
 CFLAGS="$CFLAGS -wd1419"

-case "$NGX_CC_VER" in
+case "$NGX_ICC_VER" in
    9.*)
        # "cc" clobber ignored, warnings for Linux's htonl()/htons()
        CFLAGS="$CFLAGS -wd1469"
--- a/auto/cc/msvc
+++ b/auto/cc/msvc
@ -11,12 +11,20 @@
 # MSVC 2015 (14.0)                        cl 19.00


-ngx_msvc_ver=`echo $NGX_CC_VER | sed -e 's/^\([0-9]*\).*/\1/'`
+NGX_MSVC_VER=`$NGX_WINE $CC 2>&1 | grep 'C/C++.* [0-9][0-9]*\.[0-9]' 2>&1 \
+                                 | sed -e 's/^.* \([0-9][0-9]*\.[0-9].*\)/\1/'`
+
+echo " + cl version: $NGX_MSVC_VER"
+
+have=NGX_COMPILER value="\"cl $NGX_MSVC_VER\"" . auto/define
+
+
+ngx_msvc_ver=`echo $NGX_MSVC_VER | sed -e 's/^\([0-9]*\).*/\1/'`


 # detect x64 builds

-case "$NGX_CC_VER" in
+case "$NGX_MSVC_VER" in

    *ARM64)
        NGX_MACHINE=arm64
--- a/auto/cc/name
+++ b/auto/cc/name
@ -28,13 +28,6 @@ if [ "$CC" = cl ]; then
    NGX_CC_NAME=msvc
    echo " + using Microsoft Visual C++ compiler"

-    NGX_CC_VER=`$NGX_WINE $CC 2>&1 \
-                | grep 'C/C++.* [0-9][0-9]*\.[0-9]' 2>&1 \
-                | sed -e 's/^.* \([0-9][0-9]*\.[0-9].*\)/\1/'`
-    echo " + cl version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"cl $NGX_CC_VER\"" . auto/define
-
 elif [ "$CC" = wcl386 ]; then
    NGX_CC_NAME=owc
    echo " + using Open Watcom C compiler"
@ -47,48 +40,22 @@ elif `$CC -V 2>&1 | grep '^Intel(R) C' >/dev/null 2>&1`; then
    NGX_CC_NAME=icc
    echo " + using Intel C++ compiler"

-    NGX_CC_VER=`$CC -V 2>&1 \
-                | sed -n -e 's/^.* Version \([^ ]*\) *Build.*$/\1/p'`
-    echo " + icc version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"Intel C Compiler $NGX_CC_VER\"" . auto/define
-
 elif `$CC -v 2>&1 | grep 'gcc version' >/dev/null 2>&1`; then
    NGX_CC_NAME=gcc
    echo " + using GNU C compiler"

-    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*gcc version \(.*\)/\1/p'`
-    echo " + gcc version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"gcc $NGX_CC_VER\"" . auto/define
-
 elif `$CC -v 2>&1 | grep 'clang version' >/dev/null 2>&1`; then
    NGX_CC_NAME=clang
    echo " + using Clang C compiler"

-    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*clang version \(.*\)/\1/p'`
-    echo " + clang version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"clang $NGX_CC_VER\"" . auto/define
-
 elif `$CC -v 2>&1 | grep 'LLVM version' >/dev/null 2>&1`; then
    NGX_CC_NAME=clang
    echo " + using Clang C compiler"

-    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*LLVM version \(.*\)/\1/p'`
-    echo " + clang version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"clang $NGX_CC_VER\"" . auto/define
-
 elif `$CC -V 2>&1 | grep 'Sun C' >/dev/null 2>&1`; then
    NGX_CC_NAME=sunc
    echo " + using Sun C compiler"

-    NGX_CC_VER=`$CC -V 2>&1 | sed -n -e 's/^.* Sun C \(.*\)/\1/p'`
-    echo " + Sun C version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"Sun C $NGX_CC_VER\"" . auto/define
-
 elif `$CC -V 2>&1 | grep '^Compaq C' >/dev/null 2>&1`; then
    NGX_CC_NAME=ccc
    echo " + using Compaq C compiler"
--- a/auto/cc/sunc
+++ b/auto/cc/sunc
@ -13,6 +13,13 @@
 # Sun C 5.13 SunOS_i386 2014/10/20        Oracle Solaris Studio 12.4
 # Sun C 5.14 SunOS_i386 2016/05/31        Oracle Developer Studio 12.5

+NGX_SUNC_VER=`$CC -V 2>&1 | grep 'Sun C' 2>&1 \
+                          | sed -e 's/^.* Sun C \(.*\)/\1/'`
+
+echo " + Sun C version: $NGX_SUNC_VER"
+
+have=NGX_COMPILER value="\"Sun C $NGX_SUNC_VER\"" . auto/define
+

 cat << END > $NGX_AUTOTEST.c

--- a/auto/lib/pcre/make
+++ b/auto/lib/pcre/make
@ -37,7 +37,6 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then
                       pcre2_xclass.c"

        ngx_pcre_test="pcre2_chkdint.c \
-                       pcre2_compile_cgroup.c \
                       pcre2_compile_class.c \
                       pcre2_convert.c \
                       pcre2_extuni.c \
--- a/auto/modules
+++ b/auto/modules
@ -729,7 +729,7 @@ if [ $HTTP = YES ]; then

        ngx_module_name=ngx_http_proxy_module
        ngx_module_incs=
-        ngx_module_deps=src/http/modules/ngx_http_proxy_module.h
+        ngx_module_deps=
        ngx_module_srcs=src/http/modules/ngx_http_proxy_module.c
        ngx_module_libs=
        ngx_module_link=$HTTP_PROXY
@ -781,17 +781,6 @@ if [ $HTTP = YES ]; then
        . auto/module
    fi

-    if [ $HTTP_PROXY = YES -a $HTTP_V2 = YES ]; then
-        ngx_module_name=ngx_http_proxy_v2_module
-        ngx_module_incs=
-        ngx_module_deps=
-        ngx_module_srcs=src/http/modules/ngx_http_proxy_v2_module.c
-        ngx_module_libs=
-        ngx_module_link=$HTTP_V2
-
-        . auto/module
-    fi
-
    if [ $HTTP_PERL != NO ]; then
        ngx_module_name=ngx_http_perl_module
        ngx_module_incs=src/http/modules/perl
--- a/auto/unix
+++ b/auto/unix
@ -129,6 +129,26 @@ if test -z "$NGX_KQUEUE_CHECKED"; then
 fi


+if [ "$NGX_SYSTEM" = "NetBSD" ]; then
+
+    # NetBSD 2.0 incompatibly defines kevent.udata as "intptr_t"
+
+    cat << END >> $NGX_AUTO_CONFIG_H
+
+#define NGX_KQUEUE_UDATA_T
+
+END
+
+else
+    cat << END >> $NGX_AUTO_CONFIG_H
+
+#define NGX_KQUEUE_UDATA_T  (void *)
+
+END
+
+fi
+
+
 ngx_feature="crypt()"
 ngx_feature_name="NGX_HAVE_CRYPT"
 ngx_feature_run=no
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -36,6 +36,8 @@ http {
        listen       80;
        server_name  localhost;

+        #charset koi8-r;
+
        #access_log  logs/host.access.log  main;

        location / {
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@ -5,336 +5,6 @@
 <change_log title="nginx">


-<changes ver="1.29.4" date="2025-12-09">
-
-<change type="feature">
-<para lang="ru">
-модуль ngx_http_proxy_module поддерживает HTTP/2.
-</para>
-<para lang="en">
-the ngx_http_proxy_module supports HTTP/2.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-поддержка расширения TLS Encrypted ClientHello
-при использовании ветки разработки ECH OpenSSL;
-директива ssl_ech_file.<br/>
-Спасибо Stephen Farrell.
-</para>
-<para lang="en">
-Encrypted ClientHello TLS extension support
-when using OpenSSL ECH feature branch;
-the "ssl_ech_file" directive.<br/>
-Thanks to Stephen Farrell.
-</para>
-</change>
-
-<change type="change">
-<para lang="ru">
-валидация хоста и порта в строке запроса,
-в заголовке "Host" и псевдо-заголовке ":authority"
-изменена на соответствующую RFC 3986.
-</para>
-<para lang="en">
-validation of host and port in the request line,
-"Host" header field, and ":authority" pseudo-header field
-has been changed to follow RFC 3986.
-</para>
-</change>
-
-<change type="change">
-<para lang="ru">
-теперь одиночный символ LF, используемый для перевода строки
-в chunked-теле запроса или ответа, считается ошибкой.
-</para>
-<para lang="en">
-now a single LF used as a line terminator
-in a chunked request or response body is considered an error.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-при использовании HTTP/3 с OpenSSL 3.5.1 и новее
-в рабочем процессе мог произойти segmentation fault;
-ошибка появилась в 1.29.1.<br/>
-Спасибо Jan Svojanovsky.
-</para>
-<para lang="en">
-when using HTTP/3 with OpenSSL 3.5.1 or newer
-a segmentation fault might occur in a worker process;
-the bug had appeared in 1.29.1.<br/>
-Thanks to Jan Svojanovsky.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-при совместном использовании директив try_files и proxy_pass с URI
-в рабочем процессе мог произойти segmentation fault.
-</para>
-<para lang="en">
-a segmentation fault might occur in a worker process
-if the "try_files" directive and "proxy_pass" with a URI were used.
-</para>
-</change>
-
-</changes>
-
-
-<changes ver="1.29.3" date="2025-10-28">
-
-<change type="feature">
-<para lang="ru">
-директивы add_header_inherit и add_trailer_inherit.
-</para>
-<para lang="en">
-the "add_header_inherit" and "add_trailer_inherit" directives.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-переменные $request_port и $is_request_port.
-</para>
-<para lang="en">
-the $request_port and $is_request_port variables.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-переменные $ssl_sigalg и $ssl_client_sigalg.
-</para>
-<para lang="en">
-the $ssl_sigalg and $ssl_client_sigalg variables.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-параметр volatile директивы geo.
-</para>
-<para lang="en">
-the "volatile" parameter of the "geo" directive.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-теперь сжатие сертификатов доступно с BoringSSL.
-</para>
-<para lang="en">
-now certificate compression is available with BoringSSL.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-теперь сжатие сертификатов запрещено при включенном OCSP stapling.
-</para>
-<para lang="en">
-now certificate compression is disabled with OCSP stapling.
-</para>
-</change>
-
-</changes>
-
-
-<changes ver="1.29.2" date="2025-10-07">
-
-<change type="feature">
-<para lang="ru">
-теперь nginx можно собрать с AWS-LC.<br/>
-Спасибо Samuel Chiang.
-</para>
-<para lang="en">
-now nginx can be built with AWS-LC.<br/>
-Thanks Samuel Chiang.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-теперь директива ssl_protocols работает
-в виртуальном сервере, отличном от сервера по умолчанию,
-при использовании OpenSSL 1.1.1 и новее.
-</para>
-<para lang="en">
-now the "ssl_protocols" directive works
-in a virtual server different from the default server
-when using OpenSSL 1.1.1 or newer.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-при использовании TLSv1.3 с OpenSSL и клиентских сертификатов
-SSL handshake всегда завершался ошибкой
-при восстановлении сессии с другим значением SNI;
-ошибка появилась в 1.27.4.
-</para>
-<para lang="en">
-SSL handshake always failed
-when using TLSv1.3 with OpenSSL and client certificates
-and resuming a session with a different SNI value;
-the bug had appeared in 1.27.4.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-при использовании QUIC и директивы ssl_reject_handshake
-в логах могли появляться сообщения
-"ignoring stale global SSL error";
-ошибка появилась в 1.29.0.<br/>
-Спасибо Владимиру Хомутову.
-</para>
-<para lang="en">
-the "ignoring stale global SSL error"
-alerts might appear in logs
-when using QUIC and the "ssl_reject_handshake" directive;
-the bug had appeared in 1.29.0.<br/>
-Thanks to Vladimir Homutov.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-в обработке delta-seconds
-в строке "Cache-Control" в заголовке ответа бэкенда.
-</para>
-<para lang="en">
-in delta-seconds processing
-in the "Cache-Control" backend response header line.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-команда XCLIENT не использовала кодировку xtext.<br/>
-Спасибо Igor Morgenstern из Aisle Research.
-</para>
-<para lang="en">
-an XCLIENT command didn't use the xtext encoding.<br/>
-Thanks to Igor Morgenstern of Aisle Research.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-в кешировании SSL-сертификатов во время переконфигурации.
-</para>
-<para lang="en">
-in SSL certificate caching during reconfiguration.
-</para>
-</change>
-
-</changes>
-
-
-<changes ver="1.29.1" date="2025-08-13">
-
-<change type="security">
-<para lang="ru">
-обработка специально созданного логина/пароля при использовании
-метода аутентификации "none" в модуле ngx_mail_smtp_module
-могла приводить к отправке серверу аутентификации
-части содержимого памяти рабочего процесса (CVE-2025-53859).
-</para>
-<para lang="en">
-processing of a specially crafted login/password when using
-the "none" authentication method in the ngx_mail_smtp_module
-might cause worker process memory disclosure
-to the authentication server (CVE-2025-53859).
-</para>
-</change>
-
-<change type="change">
-<para lang="ru">
-теперь сжатие сертификатов в протоколе TLSv1.3 по умолчанию запрещено.
-</para>
-<para lang="en">
-now TLSv1.3 certificate compression is disabled by default.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-директива ssl_certificate_compression.
-</para>
-<para lang="en">
-the "ssl_certificate_compression" directive.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-поддержка 0-RTT в QUIC при использовании OpenSSL 3.5.1 и новее.
-</para>
-<para lang="en">
-support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-при использовании HTTP/2 и директивы early_hints
-ответ 103 мог буферизироваться.
-</para>
-<para lang="en">
-the 103 response might be buffered
-when using HTTP/2 and the "early_hints" directive.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-в обработке заголовков запроса "Host" и ":authority"
-с одинаковыми значениями при использовании HTTP/2;
-ошибка появилась в 1.17.9.
-</para>
-<para lang="en">
-in handling "Host" and ":authority" header lines
-with equal values when using HTTP/2;
-the bug had appeared in 1.17.9.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-в обработке заголовка запроса "Host" с портом
-при использовании HTTP/3.
-</para>
-<para lang="en">
-in handling "Host" header lines with a port
-when using HTTP/3.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-nginx не собирался под NetBSD 10.0.
-</para>
-<para lang="en">
-nginx could not be built on NetBSD 10.0.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-в работе параметра none директивы smtp_auth.
-</para>
-<para lang="en">
-in the "none" parameter of the "smtp_auth" directive.
-</para>
-</change>
-
-</changes>
-
-
 <changes ver="1.29.0" date="2025-06-24">

 <change type="feature">
@ -8966,7 +8636,7 @@ Thanks to Piotr Sikora.
 Спасибо Piotr Sikora.
 </para>
 <para lang="en">
-now nginx can be built with BoringSSL and LibreSSL.<br/>
+now nginx can be build with BoringSSL and LibreSSL.<br/>
 Thanks to Piotr Sikora.
 </para>
 </change>
@ -26249,7 +25919,7 @@ the ECONNABORTED error log level was changed to "error" from "crit".
 модуль ngx_http_perl_module не собирался без модуля ngx_http_ssi_filter_module.
 </para>
 <para lang="en">
-the ngx_http_perl_module could not be built without
+the ngx_http_perl_module could not be build without
 the ngx_http_ssi_filter_module.
 </para>
 </change>
--- a/misc/GNUmakefile
+++ b/misc/GNUmakefile
@ -6,9 +6,9 @@ TEMP =		tmp

 CC =		cl
 OBJS =		objs.msvc8
-OPENSSL =	openssl-3.5.4
+OPENSSL =	openssl-3.5.0
 ZLIB =		zlib-1.3.1
-PCRE =		pcre2-10.46
+PCRE =		pcre2-10.45


 release: export
@ -110,7 +110,7 @@ zip: export
 	cp -p $(OBJS)/lib/$(OPENSSL)/LICENSE.txt			\
 		$(TEMP)/$(NGINX)/docs/OpenSSL.LICENSE

-	cp -p $(OBJS)/lib/$(PCRE)/LICENCE.md				\
+	cp -p $(OBJS)/lib/$(PCRE)/LICENCE				\
 		$(TEMP)/$(NGINX)/docs/PCRE.LICENCE

 	sed -ne '/^ (C) 1995-20/,/^  jloup@gzip\.org/p'			\
--- a/misc/README
+++ b/misc/README
@ -3,7 +3,7 @@ make -f misc/GNUmakefile release

 the required tools:
 *) xsltproc to build CHANGES,
-*) xslscript.pl ( https://github.com/nginx/xslscript ) to build XSLTs
+*) xslscript.pl ( http://hg.nginx.org/xslscript ) to build XSLTs
   from XSLScript sources.


--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_


-#define nginx_version      1029005
-#define NGINX_VERSION      "1.29.5"
+#define nginx_version      1029000
+#define NGINX_VERSION      "1.29.0"
 #define NGINX_VER          "nginx/" NGINX_VERSION

 #ifdef NGX_BUILD
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@ -1494,9 +1494,8 @@ ngx_utf8_cpystrn(u_char *dst, u_char *src, size_t n, size_t len)
 uintptr_t
 ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
 {
-    u_char          prefix;
-    uint32_t       *escape;
    ngx_uint_t      n;
+    uint32_t       *escape;
    static u_char   hex[] = "0123456789ABCDEF";

    /*
@ -1634,36 +1633,11 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)

                    /* mail_auth is the same as memcached */

-                    /* " ", "+", "=", not allowed */
-
-    static uint32_t   mail_xtext[] = {
-        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
-
-                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
-        0x20000801, /* 0010 0000 0000 0000  0000 1000 0000 0001 */
-
-                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
-        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
-
-                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
-        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
-
-        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
-        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
-        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
-        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
-    };
-
    static uint32_t  *map[] =
-        { uri, args, uri_component, html, refresh, memcached, memcached,
-          mail_xtext };
-
-    static u_char  map_char[] =
-        { '%', '%', '%', '%', '%', '%', '%', '+' };
+        { uri, args, uri_component, html, refresh, memcached, memcached };


    escape = map[type];
-    prefix = map_char[type];

    if (dst == NULL) {

@ -1684,7 +1658,7 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)

    while (size) {
        if (escape[*src >> 5] & (1U << (*src & 0x1f))) {
-            *dst++ = prefix;
+            *dst++ = '%';
            *dst++ = hex[*src >> 4];
            *dst++ = hex[*src & 0xf];
            src++;
--- a/src/core/ngx_string.h
+++ b/src/core/ngx_string.h
@ -203,7 +203,6 @@ u_char *ngx_utf8_cpystrn(u_char *dst, u_char *src, size_t n, size_t len);
 #define NGX_ESCAPE_REFRESH        4
 #define NGX_ESCAPE_MEMCACHED      5
 #define NGX_ESCAPE_MAIL_AUTH      6
-#define NGX_ESCAPE_MAIL_XTEXT     7

 #define NGX_UNESCAPE_URI       1
 #define NGX_UNESCAPE_REDIRECT  2
--- a/src/event/modules/ngx_kqueue_module.c
+++ b/src/event/modules/ngx_kqueue_module.c
@ -10,15 +10,6 @@
 #include <ngx_event.h>


-/* NetBSD up to 10.0 incompatibly defines kevent.udata as "intptr_t" */
-
-#if (__NetBSD__ && __NetBSD_Version__ < 1000000000)
-#define NGX_KQUEUE_UDATA_T
-#else
-#define NGX_KQUEUE_UDATA_T  (void *)
-#endif
-
-
 typedef struct {
    ngx_uint_t  changes;
    ngx_uint_t  events;
@ -200,7 +191,7 @@ ngx_kqueue_init(ngx_cycle_t *cycle, ngx_msec_t timer)
        kev.flags = EV_ADD|EV_ENABLE;
        kev.fflags = 0;
        kev.data = timer;
-        kev.udata = NGX_KQUEUE_UDATA_T (uintptr_t) 0;
+        kev.udata = 0;

        ts.tv_sec = 0;
        ts.tv_nsec = 0;
@ -246,7 +237,7 @@ ngx_kqueue_notify_init(ngx_log_t *log)
    notify_kev.data = 0;
    notify_kev.flags = EV_ADD|EV_CLEAR;
    notify_kev.fflags = 0;
-    notify_kev.udata = NGX_KQUEUE_UDATA_T (uintptr_t) 0;
+    notify_kev.udata = 0;

    if (kevent(ngx_kqueue, &notify_kev, 1, NULL, 0, NULL) == -1) {
        ngx_log_error(NGX_LOG_ALERT, log, ngx_errno,
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@ -9,10 +9,6 @@
 #include <ngx_core.h>
 #include <ngx_event.h>

-#if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
-#include <zlib.h>
-#endif
-

 #define NGX_SSL_PASSWORD_BUFFER_SIZE  4096

@ -23,13 +19,6 @@ typedef struct {


 static ngx_inline ngx_int_t ngx_ssl_cert_already_in_hash(void);
-#if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
-static int ngx_ssl_cert_compression_callback(ngx_ssl_conn_t *ssl_conn,
-    CBB *out, const uint8_t *in, size_t in_len);
-static void *ngx_ssl_cert_compression_alloc(void *opaque, u_int items,
-    u_int size);
-static void ngx_ssl_cert_compression_free(void *opaque, void *address);
-#endif
 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
    int ret);
@ -139,8 +128,6 @@ int  ngx_ssl_ticket_keys_index;
 int  ngx_ssl_ocsp_index;
 int  ngx_ssl_index;
 int  ngx_ssl_certificate_name_index;
-int  ngx_ssl_certificate_comp_index;
-int  ngx_ssl_client_hello_arg_index;


 u_char  ngx_ssl_session_buffer[NGX_SSL_MAX_SESSION_SIZE];
@ -283,21 +270,6 @@ ngx_ssl_init(ngx_log_t *log)
        return NGX_ERROR;
    }

-    ngx_ssl_certificate_comp_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
-                                                           NULL);
-    if (ngx_ssl_certificate_comp_index == -1) {
-        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
-        return NGX_ERROR;
-    }
-
-    ngx_ssl_client_hello_arg_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
-                                                              NULL, NULL);
-    if (ngx_ssl_client_hello_arg_index == -1) {
-        ngx_ssl_error(NGX_LOG_ALERT, log, 0,
-                      "SSL_CTX_get_ex_new_index() failed");
-        return NGX_ERROR;
-    }
-
    return NGX_OK;
 }

@ -415,11 +387,6 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
 #endif

-#ifdef SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
-    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TX_CERTIFICATE_COMPRESSION);
-    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_RX_CERTIFICATE_COMPRESSION);
-#endif
-
 #ifdef SSL_OP_NO_ANTI_REPLAY
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
 #endif
@ -477,18 +444,10 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
 {
    char            *err;
    X509            *x509, **elm;
-    u_long           n;
    EVP_PKEY        *pkey;
-    ngx_uint_t       mask;
    STACK_OF(X509)  *chain;

-    mask = 0;
-    elm = NULL;
-
-retry:
-
-    chain = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_CERT | mask,
-                                &err, cert, NULL);
+    chain = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_CERT, &err, cert, NULL);
    if (chain == NULL) {
        if (err != NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
@ -528,7 +487,6 @@ retry:
        }
    }

-    if (elm == NULL) {
    elm = ngx_array_push(&ssl->certs);
    if (elm == NULL) {
        X509_free(x509);
@ -536,10 +494,6 @@ retry:
        return NGX_ERROR;
    }

-    } else {
-        X509_free(*elm);
-    }
-
    *elm = x509;

    /*
@ -560,21 +514,11 @@ retry:
    }

 #else
+    {
+    int  n;

    /* SSL_CTX_set0_chain() is only available in OpenSSL 1.0.2+ */

-#ifdef SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS
-    /* OpenSSL 1.0.1+ */
-    SSL_CTX_clear_extra_chain_certs(ssl->ctx);
-#else
-
-    if (ssl->ctx->extra_certs) {
-        sk_X509_pop_free(ssl->ctx->extra_certs, X509_free);
-        ssl->ctx->extra_certs = NULL;
-    }
-
-#endif
-
    n = sk_X509_num(chain);

    while (n--) {
@ -590,11 +534,10 @@ retry:
    }

    sk_X509_free(chain);
-
+    }
 #endif

-    pkey = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_PKEY | mask,
-                               &err, key, passwords);
+    pkey = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_PKEY, &err, key, passwords);
    if (pkey == NULL) {
        if (err != NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
@ -606,23 +549,9 @@ retry:
    }

    if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
-        EVP_PKEY_free(pkey);
-
-        /* there can be mismatched pairs on uneven cache update */
-
-        n = ERR_peek_last_error();
-
-        if (ERR_GET_LIB(n) == ERR_LIB_X509
-            && ERR_GET_REASON(n) == X509_R_KEY_VALUES_MISMATCH
-            && mask == 0)
-        {
-            ERR_clear_error();
-            mask = NGX_SSL_CACHE_INVALIDATE;
-            goto retry;
-        }
-
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_use_PrivateKey(\"%s\") failed", key->data);
+        EVP_PKEY_free(pkey);
        return NGX_ERROR;
    }

@ -730,197 +659,6 @@ retry:
 }


-ngx_int_t
-ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_uint_t enable)
-{
-    if (!enable) {
-        return NGX_OK;
-    }
-
-#ifdef SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
-
-    if (SSL_CTX_compress_certs(ssl->ctx, 0) == 0) {
-        ngx_ssl_error(NGX_LOG_WARN, ssl->log, 0,
-                      "SSL_CTX_compress_certs() failed, ignored");
-        return NGX_OK;
-    }
-
-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TX_CERTIFICATE_COMPRESSION);
-
-#elif (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
-
-    if (SSL_CTX_add_cert_compression_alg(ssl->ctx, TLSEXT_cert_compression_zlib,
-                                         ngx_ssl_cert_compression_callback,
-                                         NULL)
-        == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_add_cert_compression_alg() failed");
-        return NGX_ERROR;
-    }
-
-#else
-
-    ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
-                  "\"ssl_certificate_compression\" is not supported "
-                  "on this platform, ignored");
-
-#endif
-
-    return NGX_OK;
-}
-
-
-#if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
-
-static int
-ngx_ssl_cert_compression_callback(ngx_ssl_conn_t *ssl_conn, CBB *out,
-    const uint8_t *in, size_t in_len)
-{
-    int                rc;
-    X509              *cert;
-    u_char            *p;
-    z_stream           zstream;
-    ngx_str_t         *comp, tmp;
-    ngx_pool_t        *pool;
-    ngx_connection_t  *c;
-
-#ifdef OPENSSL_IS_BORINGSSL
-    {
-    SSL_CTX    *ssl_ctx;
-    ngx_ssl_t  *ssl;
-
-    /* BoringSSL doesn't have certificate slots, we take the last set */
-
-    ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
-    ssl = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_index);
-    cert = ((X509 **) ssl->certs.elts)[ssl->certs.nelts - 1];
-    }
-#else
-
-    /*
-     * AWS-LC saves leaf certificate in SSL to associate with SSL_CTX,
-     * see https://github.com/aws/aws-lc/commit/e1ba2b3e5
-     */
-
-    cert = SSL_get_certificate(ssl_conn);
-
-#endif
-
-    comp = X509_get_ex_data(cert, ngx_ssl_certificate_comp_index);
-
-    if (comp != NULL) {
-        return CBB_add_bytes(out, comp->data, comp->len);
-    }
-
-    c = ngx_ssl_get_connection(ssl_conn);
-
-    pool = ngx_create_pool(256, c->log);
-    if (pool == NULL) {
-        return 0;
-    }
-
-    pool->log = c->log;
-
-    ngx_memzero(&zstream, sizeof(z_stream));
-
-    zstream.zalloc = ngx_ssl_cert_compression_alloc;
-    zstream.zfree = ngx_ssl_cert_compression_free;
-    zstream.opaque = pool;
-
-    rc = deflateInit(&zstream, Z_DEFAULT_COMPRESSION);
-
-    if (rc != Z_OK) {
-        ngx_log_error(NGX_LOG_ALERT, c->log, 0, "deflateInit() failed: %d", rc);
-        goto error;
-    }
-
-    tmp.len = deflateBound(&zstream, in_len);
-    tmp.data = ngx_palloc(pool, tmp.len);
-    if (tmp.data == NULL) {
-        goto error;
-    }
-
-    zstream.next_in = (u_char *) in;
-    zstream.avail_in = in_len;
-    zstream.next_out = tmp.data;
-    zstream.avail_out = tmp.len;
-
-    rc = deflate(&zstream, Z_FINISH);
-
-    if (rc != Z_STREAM_END) {
-        ngx_log_error(NGX_LOG_ALERT, c->log, 0,
-                      "deflate(Z_FINISH) failed: %d", rc);
-        goto error;
-    }
-
-    tmp.len -= zstream.avail_out;
-
-    rc = deflateEnd(&zstream);
-
-    if (rc != Z_OK) {
-        ngx_log_error(NGX_LOG_ALERT, c->log, 0, "deflateEnd() failed: %d", rc);
-        goto error;
-    }
-
-    p = ngx_alloc(sizeof(ngx_str_t) + tmp.len, c->log);
-    if (p == NULL) {
-        goto error;
-    }
-
-    comp = (ngx_str_t *) p;
-
-    comp->len = tmp.len;
-    comp->data = p + sizeof(ngx_str_t);
-
-    ngx_memcpy(comp->data, tmp.data, tmp.len);
-
-    if (X509_set_ex_data(cert, ngx_ssl_certificate_comp_index, p) == 0) {
-        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_set_ex_data() failed");
-        ngx_free(p);
-    }
-
-    rc = CBB_add_bytes(out, tmp.data, tmp.len);
-
-    ngx_destroy_pool(pool);
-
-    return rc;
-
-error:
-
-    ngx_destroy_pool(pool);
-
-    return 0;
-}
-
-
-static void *
-ngx_ssl_cert_compression_alloc(void *opaque, u_int items, u_int size)
-{
-    ngx_pool_t *pool = opaque;
-
-    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pool->log, 0,
-                   "cert compression alloc: n:%ud s:%ud", items, size);
-
-    return ngx_palloc(pool, items * size);
-}
-
-
-static void
-ngx_ssl_cert_compression_free(void *opaque, void *address)
-{
-#if 0
-    ngx_pool_t *pool = opaque;
-
-    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pool->log, 0,
-                   "cert compression free: %p", address);
-#endif
-}
-
-#endif
-
-
 ngx_int_t
 ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
    ngx_uint_t prefer_server_ciphers)
@ -1636,7 +1374,7 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
    if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set0_tmp_dh_pkey(\"%s\") failed", file->data);
-#if (OPENSSL_VERSION_NUMBER >= 0x30000010L)
+#if (OPENSSL_VERSION_NUMBER >= 0x3000001fL)
        EVP_PKEY_free(dh);
 #endif
        BIO_free(bio);
@ -1653,105 +1391,6 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
 }


-ngx_int_t
-ngx_ssl_ech_files(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *filenames)
-{
-#ifdef SSL_OP_ECH_GREASE
-    int             numkeys;
-    BIO            *in;
-    ngx_int_t       rc;
-    ngx_str_t      *filename;
-    ngx_uint_t      i;
-    OSSL_ECHSTORE  *es;
-
-    if (filenames == NULL) {
-        return NGX_OK;
-    }
-
-    es = OSSL_ECHSTORE_new(NULL, NULL);
-    if (es == NULL) {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "OSSL_ECHSTORE_new() failed");
-        return NGX_ERROR;
-    }
-
-    rc = NGX_ERROR;
-    filename = filenames->elts;
-
-    for (i = 0; i < filenames->nelts; i++) {
-
-        if (ngx_conf_full_name(cf->cycle, &filename[i], 1) != NGX_OK) {
-            goto cleanup;
-        }
-
-        in = BIO_new_file((char *) filename[i].data, "r");
-        if (in == NULL) {
-            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                          "BIO_new_file(\"%s\") failed", filename[i].data);
-            goto cleanup;
-        }
-
-        /*
-         * We only set the ECHConfigList from the first file read to use
-         * in ECH retry-configs.
-         *
-         * That allows many sensible key rotation schemes so that the
-         * values sent in ECH retry-configs are smaller and current.
-         * For example, if the first file name has the current ECH
-         * private key, and a second one has the previously used key
-         * that some clients may still use due to DNS caching.
-         */
-
-         if (OSSL_ECHSTORE_read_pem(es, in, i ? OSSL_ECH_NO_RETRY
-                                              : OSSL_ECH_FOR_RETRY)
-             != 1)
-         {
-             ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                           "OSSL_ECHSTORE_read_pem(%s) failed",
-                           filename[i].data);
-             BIO_free(in);
-             goto cleanup;
-         }
-
-         BIO_free(in);
-    }
-
-    /*
-     * load the ECH store after checking there's at least one ECH
-     * private key in there (the PEM file spec allows zero or one
-     * private key per file)
-     */
-
-    if (OSSL_ECHSTORE_num_keys(es, &numkeys) != 1) {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "OSSL_ECHSTORE_num_keys(%s) failed");
-        goto cleanup;
-    }
-
-    if (numkeys > 0 && SSL_CTX_set1_echstore(ssl->ctx, es) != 1) {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_set1_echstore() failed");
-        goto cleanup;
-    }
-
-    rc = NGX_OK;
-
-cleanup:
-
-    OSSL_ECHSTORE_free(es);
-    return rc;
-
-#else
-    if (filenames != NULL) {
-        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
-                      "\"ssl_ech_file\" is not supported on this platform, "
-                      "ignored");
-    }
-
-    return NGX_OK;
-#endif
-}
-
-
 ngx_int_t
 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
 {
@ -1971,131 +1610,6 @@ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
 }


-ngx_int_t
-ngx_ssl_set_client_hello_callback(ngx_ssl_t *ssl, ngx_ssl_client_hello_arg *cb)
-{
-#ifdef SSL_CLIENT_HELLO_SUCCESS
-
-    SSL_CTX_set_client_hello_cb(ssl->ctx, ngx_ssl_client_hello_callback, NULL);
-
-    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_client_hello_arg_index, cb) == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_set_ex_data() failed");
-        return NGX_ERROR;
-    }
-
-#elif defined OPENSSL_IS_BORINGSSL
-
-    SSL_CTX_set_select_certificate_cb(ssl->ctx, ngx_ssl_select_certificate);
-
-    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_client_hello_arg_index, cb) == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_set_ex_data() failed");
-        return NGX_ERROR;
-    }
-
-#endif
-
-    return NGX_OK;
-}
-
-
-#ifdef SSL_CLIENT_HELLO_SUCCESS
-
-int
-ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
-{
-    u_char                    *p;
-    size_t                     len;
-    ngx_int_t                  rc;
-    ngx_str_t                  host;
-    ngx_connection_t          *c;
-    ngx_ssl_client_hello_arg  *cb;
-
-    c = ngx_ssl_get_connection(ssl_conn);
-    cb = SSL_CTX_get_ex_data(c->ssl->session_ctx,
-                             ngx_ssl_client_hello_arg_index);
-
-    if (SSL_client_hello_get0_ext(ssl_conn, TLSEXT_TYPE_server_name,
-                                  (const unsigned char **) &p, &len)
-        == 0)
-    {
-        ngx_str_null(&host);
-        goto done;
-    }
-
-    /*
-     * RFC 6066 mandates non-zero HostName length, we follow OpenSSL.
-     * No more than one ServerName is expected.
-     */
-
-    if (len < 5
-        || (size_t) (p[0] << 8) + p[1] + 2 != len
-        || p[2] != TLSEXT_NAMETYPE_host_name
-        || (size_t) (p[3] << 8) + p[4] + 2 + 3 != len)
-    {
-        *ad = SSL_AD_DECODE_ERROR;
-        return SSL_CLIENT_HELLO_ERROR;
-    }
-
-    len -= 5;
-    p += 5;
-
-    if (len > TLSEXT_MAXLEN_host_name || ngx_strlchr(p, p + len, '\0')) {
-        *ad = SSL_AD_UNRECOGNIZED_NAME;
-        return SSL_CLIENT_HELLO_ERROR;
-    }
-
-    host.len = len;
-    host.data = p;
-
-done:
-
-    rc = cb->servername(ssl_conn, ad, &host);
-
-    if (rc == SSL_TLSEXT_ERR_ALERT_FATAL) {
-        return SSL_CLIENT_HELLO_ERROR;
-    }
-
-    return SSL_CLIENT_HELLO_SUCCESS;
-}
-
-#elif defined OPENSSL_IS_BORINGSSL
-
-enum ssl_select_cert_result_t ngx_ssl_select_certificate(
-    const SSL_CLIENT_HELLO *client_hello)
-{
-    int                        ad;
-    ngx_int_t                  rc;
-    ngx_ssl_conn_t            *ssl_conn;
-    ngx_connection_t          *c;
-    ngx_ssl_client_hello_arg  *cb;
-
-    ssl_conn = client_hello->ssl;
-    c = ngx_ssl_get_connection(ssl_conn);
-    cb = SSL_CTX_get_ex_data(c->ssl->session_ctx,
-                             ngx_ssl_client_hello_arg_index);
-
-    /*
-     * BoringSSL sends a hardcoded "handshake_failure" alert on errors,
-     * we use it to map SSL_AD_INTERNAL_ERROR.  To preserve other alert
-     * values, error handling is postponed to the servername callback.
-     */
-
-    rc = cb->servername(ssl_conn, &ad, NULL);
-
-    if (rc == SSL_TLSEXT_ERR_ALERT_FATAL && ad == SSL_AD_INTERNAL_ERROR) {
-        return ssl_select_cert_error;
-    }
-
-    return ssl_select_cert_success;
-}
-
-#endif
-
-
 ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
 {
@ -4012,7 +3526,6 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
            || n == SSL_R_TLSV1_ALERT_USER_CANCELLED                 /* 1090 */
            || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION               /* 1100 */
 #endif
-            || n == 1121 /* SSL_R_TLSV1_ALERT_ECH_REQUIRED */
            )
        {
            switch (c->log_error) {
@ -5244,19 +4757,10 @@ ngx_ssl_cleanup_ctx(void *data)
    ngx_ssl_t  *ssl = data;

    X509        *cert;
-    u_char      *p;
    ngx_uint_t   i;

    for (i = 0; i < ssl->certs.nelts; i++) {
        cert = ((X509 **) ssl->certs.elts)[i];
-
-        p = X509_get_ex_data(cert, ngx_ssl_certificate_comp_index);
-
-        if (p) {
-            ngx_free(p);
-            X509_set_ex_data(cert, ngx_ssl_certificate_comp_index, NULL);
-        }
-
        X509_free(cert);
    }

@ -5551,7 +5055,11 @@ ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
            return NGX_OK;
        }

+#if (OPENSSL_VERSION_NUMBER >= 0x3000000fL)
        name = SSL_group_to_name(c->ssl->connection, nid);
+#else
+        name = NULL;
+#endif

        s->len = name ? ngx_strlen(name) : sizeof("0x0000") - 1;
        s->data = ngx_pnalloc(pool, s->len);
@ -5605,7 +5113,11 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
        nid = curves[i];

        if (nid & TLSEXT_nid_unknown) {
+#if (OPENSSL_VERSION_NUMBER >= 0x3000000fL)
            name = SSL_group_to_name(c->ssl->connection, nid);
+#else
+            name = NULL;
+#endif

            len += name ? ngx_strlen(name) : sizeof("0x0000") - 1;

@ -5627,7 +5139,11 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
        nid = curves[i];

        if (nid & TLSEXT_nid_unknown) {
+#if (OPENSSL_VERSION_NUMBER >= 0x3000000fL)
            name = SSL_group_to_name(c->ssl->connection, nid);
+#else
+            name = NULL;
+#endif

            p = name ? ngx_cpymem(p, name, ngx_strlen(name))
                     : ngx_sprintf(p, "0x%04xd", nid & 0xffff);
@ -5653,32 +5169,6 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 }


-ngx_int_t
-ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
-{
-#ifdef SSL_get0_signature_name
-
-    const char  *name;
-
-    if (SSL_get0_signature_name(c->ssl->connection, &name)) {
-        s->len = ngx_strlen(name);
-        s->data = ngx_pnalloc(pool, s->len);
-        if (s->data == NULL) {
-            return NGX_ERROR;
-        }
-
-        ngx_memcpy(s->data, name, s->len);
-
-        return NGX_OK;
-    }
-
-#endif
-
-    s->len = 0;
-    return NGX_OK;
-}
-
-
 ngx_int_t
 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
@ -5808,81 +5298,6 @@ ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 }


-ngx_int_t
-ngx_ssl_get_ech_status(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
-{
-#ifdef SSL_OP_ECH_GREASE
-    int    echrv;
-    char  *inner_sni, *outer_sni;
-
-    inner_sni = NULL;
-    outer_sni = NULL;
-
-    echrv = SSL_ech_get1_status(c->ssl->connection, &inner_sni, &outer_sni);
-
-    switch (echrv) {
-    case SSL_ECH_STATUS_NOT_TRIED:
-        ngx_str_set(s, "NOT_TRIED");
-        break;
-    case SSL_ECH_STATUS_SUCCESS:
-        ngx_str_set(s, "SUCCESS");
-        break;
-    case SSL_ECH_STATUS_GREASE:
-        ngx_str_set(s, "GREASE");
-        break;
-    case SSL_ECH_STATUS_BACKEND:
-        ngx_str_set(s, "BACKEND");
-        break;
-    default:
-        ngx_str_set(s, "FAILED");
-        break;
-    }
-
-    OPENSSL_free(inner_sni);
-    OPENSSL_free(outer_sni);
-#else
-    s->len = 0;
-#endif
-    return NGX_OK;
-}
-
-
-ngx_int_t
-ngx_ssl_get_ech_outer_server_name(ngx_connection_t *c, ngx_pool_t *pool,
-    ngx_str_t *s)
-{
-#if defined(SSL_OP_ECH_GREASE)
-    int    echrv;
-    char  *inner_sni, *outer_sni;
-
-    inner_sni = NULL;
-    outer_sni = NULL;
-
-    echrv = SSL_ech_get1_status(c->ssl->connection, &inner_sni, &outer_sni);
-
-    if (echrv == SSL_ECH_STATUS_SUCCESS && outer_sni) {
-        s->len = ngx_strlen(outer_sni);
-
-        s->data = ngx_pnalloc(pool, s->len);
-        if (s->data == NULL) {
-            return NGX_ERROR;
-        }
-
-        ngx_memcpy(s->data, outer_sni, s->len);
-
-    } else {
-        s->len = 0;
-    }
-
-    OPENSSL_free(inner_sni);
-    OPENSSL_free(outer_sni);
-#else
-    s->len = 0;
-#endif
-    return NGX_OK;
-}
-
-
 ngx_int_t
 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
@ -6499,32 +5914,6 @@ ngx_ssl_parse_time(
 }


-ngx_int_t
-ngx_ssl_get_client_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
-{
-#ifdef SSL_get0_peer_signature_name
-
-    const char  *name;
-
-    if (SSL_get0_peer_signature_name(c->ssl->connection, &name)) {
-        s->len = ngx_strlen(name);
-        s->data = ngx_pnalloc(pool, s->len);
-        if (s->data == NULL) {
-            return NGX_ERROR;
-        }
-
-        ngx_memcpy(s->data, name, s->len);
-
-        return NGX_OK;
-    }
-
-#endif
-
-    s->len = 0;
-    return NGX_OK;
-}
-
-
 static void *
 ngx_openssl_create_conf(ngx_cycle_t *cycle)
 {
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@ -26,6 +26,14 @@
 #include <openssl/engine.h>
 #endif
 #include <openssl/evp.h>
+#if (NGX_QUIC)
+#ifdef OPENSSL_IS_BORINGSSL
+#include <openssl/hkdf.h>
+#include <openssl/chacha.h>
+#else
+#include <openssl/kdf.h>
+#endif
+#endif
 #include <openssl/hmac.h>
 #ifndef OPENSSL_NO_OCSP
 #include <openssl/ocsp.h>
@ -88,11 +96,6 @@
 #endif


-#if (OPENSSL_VERSION_NUMBER < 0x30000000L)
-#define SSL_group_to_name(s, nid)    NULL
-#endif
-
-
 typedef struct ngx_ssl_ocsp_s   ngx_ssl_ocsp_t;


@ -143,7 +146,6 @@ struct ngx_ssl_connection_s {
    unsigned                    in_ocsp:1;
    unsigned                    early_preread:1;
    unsigned                    write_blocked:1;
-    unsigned                    sni_accepted:1;
 };


@ -190,13 +192,6 @@ typedef struct {
 } ngx_ssl_session_cache_t;


-typedef int (*ngx_ssl_servername_pt)(ngx_ssl_conn_t *, int *, void *);
-
-typedef struct {
-    ngx_ssl_servername_pt       servername;
-} ngx_ssl_client_hello_arg;
-
-
 #define NGX_SSL_SSLv2    0x0002
 #define NGX_SSL_SSLv3    0x0004
 #define NGX_SSL_TLSv1    0x0008
@ -236,8 +231,6 @@ ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
 ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *cert, ngx_str_t *key, ngx_ssl_cache_t *cache,
    ngx_array_t *passwords);
-ngx_int_t ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_uint_t enable);

 ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
    ngx_uint_t prefer_server_ciphers);
@ -271,8 +264,6 @@ ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
    ngx_array_t *passwords);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
-ngx_int_t ngx_ssl_ech_files(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_array_t *filename);
 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_uint_t enable);
@ -288,15 +279,6 @@ ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_array_t *paths);
 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);

-ngx_int_t ngx_ssl_set_client_hello_callback(ngx_ssl_t *ssl,
-    ngx_ssl_client_hello_arg *cb);
-#ifdef SSL_CLIENT_HELLO_SUCCESS
-int ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
-#elif defined OPENSSL_IS_BORINGSSL
-enum ssl_select_cert_result_t ngx_ssl_select_certificate(
-    const SSL_CLIENT_HELLO *client_hello);
-#endif
-
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
    ngx_uint_t flags);

@ -330,8 +312,6 @@ ngx_int_t ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
-ngx_int_t ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool,
-    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
@ -340,10 +320,6 @@ ngx_int_t ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
-ngx_int_t ngx_ssl_get_ech_status(ngx_connection_t *c, ngx_pool_t *pool,
-    ngx_str_t *s);
-ngx_int_t ngx_ssl_get_ech_outer_server_name(ngx_connection_t *c,
-    ngx_pool_t *pool, ngx_str_t *s);
 ngx_int_t ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
@ -372,8 +348,6 @@ ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
-ngx_int_t ngx_ssl_get_client_sigalg(ngx_connection_t *c, ngx_pool_t *pool,
-    ngx_str_t *s);


 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
@ -401,8 +375,6 @@ extern int  ngx_ssl_ticket_keys_index;
 extern int  ngx_ssl_ocsp_index;
 extern int  ngx_ssl_index;
 extern int  ngx_ssl_certificate_name_index;
-extern int  ngx_ssl_certificate_comp_index;
-extern int  ngx_ssl_client_hello_arg_index;


 extern u_char  ngx_ssl_session_buffer[NGX_SSL_MAX_SESSION_SIZE];
--- a/src/event/ngx_event_openssl_cache.c
+++ b/src/event/ngx_event_openssl_cache.c
@ -193,7 +193,6 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
    time_t                 mtime;
    uint32_t               hash;
    ngx_int_t              rc;
-    ngx_uint_t             invalidate;
    ngx_file_uniq_t        uniq;
    ngx_file_info_t        fi;
    ngx_ssl_cache_t       *cache, *old_cache;
@ -203,17 +202,10 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,

    *err = NULL;

-    invalidate = index & NGX_SSL_CACHE_INVALIDATE;
-    index &= ~NGX_SSL_CACHE_INVALIDATE;
-
    if (ngx_ssl_cache_init_key(cf->pool, index, path, &id) != NGX_OK) {
        return NULL;
    }

-    if (id.type == NGX_SSL_CACHE_DATA) {
-        invalidate = 0;
-    }
-
    cache = (ngx_ssl_cache_t *) ngx_get_conf(cf->cycle->conf_ctx,
                                             ngx_openssl_cache_module);

@ -223,14 +215,9 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
    cn = ngx_ssl_cache_lookup(cache, type, &id, hash);

    if (cn != NULL) {
-        if (!invalidate) {
        return type->ref(err, cn->value);
    }

-        type->free(cn->value);
-        ngx_rbtree_delete(&cache->rbtree, &cn->node);
-    }
-
    value = NULL;

    if (id.type == NGX_SSL_CACHE_PATH
@ -249,7 +236,7 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,

    old_cache = ngx_ssl_cache_get_old_conf(cf->cycle);

-    if (old_cache && old_cache->inheritable && !invalidate) {
+    if (old_cache && old_cache->inheritable) {
        cn = ngx_ssl_cache_lookup(old_cache, type, &id, hash);

        if (cn != NULL) {
--- a/src/event/quic/ngx_event_quic.h
+++ b/src/event/quic/ngx_event_quic.h
@ -12,14 +12,16 @@
 #include <ngx_core.h>


-#if (OPENSSL_VERSION_NUMBER >= 0x30500010L)
-#define NGX_QUIC_OPENSSL_API                 1
+#ifdef OSSL_RECORD_PROTECTION_LEVEL_NONE
+#ifndef NGX_QUIC_OPENSSL_API
+#define NGX_QUIC_BORINGSSL_API               1
+#define NGX_QUIC_OPENSSL_COMPAT              1
+#endif

 #elif (defined SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION)
 #define NGX_QUIC_QUICTLS_API                 1

-#elif (defined OPENSSL_IS_BORINGSSL || defined OPENSSL_IS_AWSLC               \
-       || defined LIBRESSL_VERSION_NUMBER)
+#elif (defined OPENSSL_IS_BORINGSSL || defined LIBRESSL_VERSION_NUMBER)
 #define NGX_QUIC_BORINGSSL_API               1

 #else
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@ -8,12 +8,6 @@
 #include <ngx_core.h>
 #include <ngx_event.h>
 #include <ngx_event_quic_connection.h>
-#if (NGX_QUIC_BORINGSSL_EVP_API)
-#include <openssl/hkdf.h>
-#include <openssl/chacha.h>
-#else
-#include <openssl/kdf.h>
-#endif


 /* RFC 9001, 5.4.1.  Header Protection Application: 5-byte mask */
@ -39,7 +33,7 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,

 static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out,
    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
-#if !(NGX_QUIC_BORINGSSL_EVP_API)
+#ifndef OPENSSL_IS_BORINGSSL
 static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
 #endif
@ -64,7 +58,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
    switch (id) {

    case TLS1_3_CK_AES_128_GCM_SHA256:
-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL
        ciphers->c = EVP_aead_aes_128_gcm();
 #else
        ciphers->c = EVP_aes_128_gcm();
@ -75,7 +69,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
        break;

    case TLS1_3_CK_AES_256_GCM_SHA384:
-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL
        ciphers->c = EVP_aead_aes_256_gcm();
 #else
        ciphers->c = EVP_aes_256_gcm();
@ -86,12 +80,12 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
        break;

    case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL
        ciphers->c = EVP_aead_chacha20_poly1305();
 #else
        ciphers->c = EVP_chacha20_poly1305();
 #endif
-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL
        ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305();
 #else
        ciphers->hp = EVP_chacha20();
@ -100,7 +94,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
        len = 32;
        break;

-#if !(NGX_QUIC_BORINGSSL_EVP_API)
+#ifndef OPENSSL_IS_BORINGSSL
    case TLS1_3_CK_AES_128_CCM_SHA256:
        ciphers->c = EVP_aes_128_ccm();
        ciphers->hp = EVP_aes_128_ctr();
@ -269,7 +263,7 @@ static ngx_int_t
 ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
    const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
 {
-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL

    if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
        == 0)
@ -331,7 +325,7 @@ ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
    const u_char *secret, size_t secret_len, const u_char *salt,
    size_t salt_len)
 {
-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL

    if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
                     salt_len)
@ -394,7 +388,7 @@ ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
    ngx_quic_md_t *key, ngx_int_t enc, ngx_log_t *log)
 {

-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL
    EVP_AEAD_CTX  *ctx;

    ctx = EVP_AEAD_CTX_new(cipher, key->data, key->len,
@ -454,7 +448,7 @@ static ngx_int_t
 ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
    ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL
    if (EVP_AEAD_CTX_open(s->ctx, out->data, &out->len, out->len, nonce,
                          s->iv.len, in->data, in->len, ad->data, ad->len)
        != 1)
@ -474,7 +468,7 @@ ngx_int_t
 ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
    ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL
    if (EVP_AEAD_CTX_seal(s->ctx, out->data, &out->len, out->len, nonce,
                          s->iv.len, in->data, in->len, ad->data, ad->len)
        != 1)
@ -490,7 +484,7 @@ ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
 }


-#if !(NGX_QUIC_BORINGSSL_EVP_API)
+#ifndef OPENSSL_IS_BORINGSSL

 static ngx_int_t
 ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
@ -569,7 +563,7 @@ void
 ngx_quic_crypto_cleanup(ngx_quic_secret_t *s)
 {
    if (s->ctx) {
-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL
        EVP_AEAD_CTX_free(s->ctx);
 #else
        EVP_CIPHER_CTX_free(s->ctx);
@ -585,7 +579,7 @@ ngx_quic_crypto_hp_init(const EVP_CIPHER *cipher, ngx_quic_secret_t *s,
 {
    EVP_CIPHER_CTX  *ctx;

-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL
    if (cipher == (EVP_CIPHER *) EVP_aead_chacha20_poly1305()) {
        /* no EVP interface */
        s->hp_ctx = NULL;
@ -621,7 +615,7 @@ ngx_quic_crypto_hp(ngx_quic_secret_t *s, u_char *out, u_char *in,

    ctx = s->hp_ctx;

-#if (NGX_QUIC_BORINGSSL_EVP_API)
+#ifdef OPENSSL_IS_BORINGSSL
    uint32_t         cnt;

    if (ctx == NULL) {
--- a/src/event/quic/ngx_event_quic_protection.h
+++ b/src/event/quic/ngx_event_quic_protection.h
@ -22,12 +22,10 @@
 #define NGX_QUIC_MAX_MD_SIZE          48


-#if (defined OPENSSL_IS_BORINGSSL || defined OPENSSL_IS_AWSLC)
-#define NGX_QUIC_BORINGSSL_EVP_API    1
+#ifdef OPENSSL_IS_BORINGSSL
 #define ngx_quic_cipher_t             EVP_AEAD
 #define ngx_quic_crypto_ctx_t         EVP_AEAD_CTX
 #else
-#define NGX_QUIC_BORINGSSL_EVP_API    0
 #define ngx_quic_cipher_t             EVP_CIPHER
 #define ngx_quic_crypto_ctx_t         EVP_CIPHER_CTX
 #endif
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@ -185,13 +185,7 @@ ngx_quic_cbs_release_rcd(ngx_ssl_conn_t *ssl_conn, size_t bytes_read, void *arg)
    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "quic ngx_quic_cbs_release_rcd len:%uz", bytes_read);

-    /* already closed on handshake failure */
-
    qc = ngx_quic_get_connection(c);
-    if (qc == NULL) {
-        return 1;
-    }
-
    ctx = ngx_quic_get_send_ctx(qc, qc->read_level);

    cl = ngx_quic_read_buffer(c, &ctx->crypto, bytes_read);
@ -701,35 +695,30 @@ ngx_quic_handshake(ngx_connection_t *c)

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);

+    if (qc->error) {
+        return NGX_ERROR;
+    }
+
    if (n <= 0) {
        sslerr = SSL_get_error(ssl_conn, n);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",
                       sslerr);

+        if (sslerr != SSL_ERROR_WANT_READ) {
+
            if (c->ssl->handshake_rejected) {
                ngx_connection_error(c, 0, "handshake rejected");
                ERR_clear_error();
+
                return NGX_ERROR;
            }

-        if (qc->error) {
-            ngx_connection_error(c, 0, "SSL_do_handshake() failed");
-            ERR_clear_error();
-            return NGX_ERROR;
-        }
-
-        if (sslerr != SSL_ERROR_WANT_READ) {
            ngx_ssl_connection_error(c, sslerr, 0, "SSL_do_handshake() failed");
            return NGX_ERROR;
        }
    }

-    if (qc->error) {
-        ngx_connection_error(c, 0, "SSL_do_handshake() failed");
-        return NGX_ERROR;
-    }
-
    if (!SSL_is_init_finished(ssl_conn)) {
        if (ngx_quic_keys_available(qc->keys, NGX_QUIC_ENCRYPTION_EARLY_DATA, 0)
            && qc->client_tp_done)
@ -979,7 +968,7 @@ ngx_quic_init_connection(ngx_connection_t *c)
    }
 #endif

-#if (defined OPENSSL_IS_BORINGSSL || defined OPENSSL_IS_AWSLC)
+#ifdef OPENSSL_IS_BORINGSSL
    if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
                      "quic SSL_set_quic_early_data_context() failed");
--- a/src/http/modules/ngx_http_auth_basic_module.c
+++ b/src/http/modules/ngx_http_auth_basic_module.c
@ -253,8 +253,7 @@ ngx_http_auth_basic_handler(ngx_http_request_t *r)
        pwd.len = i - passwd;
        pwd.data = ngx_pnalloc(r->pool, pwd.len + 1);
        if (pwd.data == NULL) {
-            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
-            goto cleanup;
+            return NGX_HTTP_INTERNAL_SERVER_ERROR;
        }

        ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1);
--- a/src/http/modules/ngx_http_chunked_filter_module.c
+++ b/src/http/modules/ngx_http_chunked_filter_module.c
@ -66,9 +66,7 @@ ngx_http_chunked_header_filter(ngx_http_request_t *r)
        || r->headers_out.status == NGX_HTTP_NO_CONTENT
        || r->headers_out.status < NGX_HTTP_OK
        || r != r->main
-        || r->method == NGX_HTTP_HEAD
-        || (r->method == NGX_HTTP_CONNECT
-            && r->headers_out.status < NGX_HTTP_SPECIAL_RESPONSE))
+        || r->method == NGX_HTTP_HEAD)
    {
        return ngx_http_next_header_filter(r);
    }
--- a/src/http/modules/ngx_http_geo_module.c
+++ b/src/http/modules/ngx_http_geo_module.c
@ -63,7 +63,6 @@ typedef struct {
    unsigned                         allow_binary_include:1;
    unsigned                         binary_include:1;
    unsigned                         proxy_recursive:1;
-    unsigned                         no_cacheable:1;
 } ngx_http_geo_conf_ctx_t;


@ -464,7 +463,6 @@ ngx_http_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
                  + sizeof(ngx_http_variable_value_t)
                  + 0x10000 * sizeof(ngx_http_geo_range_t *);
    ctx.allow_binary_include = 1;
-    ctx.no_cacheable = 0;

    save = *cf;
    cf->pool = pool;
@ -480,10 +478,6 @@ ngx_http_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
        goto failed;
    }

-    if (ctx.no_cacheable) {
-        var->flags |= NGX_HTTP_VAR_NOCACHEABLE;
-    }
-
    geo->proxies = ctx.proxies;
    geo->proxy_recursive = ctx.proxy_recursive;

@ -629,12 +623,6 @@ ngx_http_geo(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
            rv = NGX_CONF_OK;
            goto done;
        }
-
-        else if (ngx_strcmp(value[0].data, "volatile") == 0) {
-            ctx->no_cacheable = 1;
-            rv = NGX_CONF_OK;
-            goto done;
-        }
    }

    if (cf->args->nelts != 2) {
--- a/src/http/modules/ngx_http_headers_filter_module.c
+++ b/src/http/modules/ngx_http_headers_filter_module.c
@ -10,11 +10,6 @@
 #include <ngx_http.h>


-#define NGX_HTTP_HEADERS_INHERIT_OFF    0
-#define NGX_HTTP_HEADERS_INHERIT_ON     1
-#define NGX_HTTP_HEADERS_INHERIT_MERGE  2
-
-
 typedef struct ngx_http_header_val_s  ngx_http_header_val_t;

 typedef ngx_int_t (*ngx_http_set_header_pt)(ngx_http_request_t *r,
@ -54,8 +49,6 @@ typedef struct {
    ngx_http_complex_value_t  *expires_value;
    ngx_array_t               *headers;
    ngx_array_t               *trailers;
-    ngx_uint_t                 headers_inherit;
-    ngx_uint_t                 trailers_inherit;
 } ngx_http_headers_conf_t;


@ -104,14 +97,6 @@ static ngx_http_set_header_t  ngx_http_set_headers[] = {
 };


-static ngx_conf_enum_t  ngx_http_headers_inherit[] = {
-    { ngx_string("off"),   NGX_HTTP_HEADERS_INHERIT_OFF },
-    { ngx_string("on"),    NGX_HTTP_HEADERS_INHERIT_ON },
-    { ngx_string("merge"), NGX_HTTP_HEADERS_INHERIT_MERGE },
-    { ngx_null_string, 0 }
-};
-
-
 static ngx_command_t  ngx_http_headers_filter_commands[] = {

    { ngx_string("expires"),
@ -138,22 +123,6 @@ static ngx_command_t  ngx_http_headers_filter_commands[] = {
      offsetof(ngx_http_headers_conf_t, trailers),
      NULL },

-    { ngx_string("add_header_inherit"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-                        |NGX_CONF_TAKE1,
-      ngx_conf_set_enum_slot,
-      NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_headers_conf_t, headers_inherit),
-      &ngx_http_headers_inherit },
-
-    { ngx_string("add_trailer_inherit"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-                        |NGX_CONF_TAKE1,
-      ngx_conf_set_enum_slot,
-      NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_headers_conf_t, trailers_inherit),
-      &ngx_http_headers_inherit },
-
      ngx_null_command
 };

@ -688,8 +657,6 @@ ngx_http_headers_create_conf(ngx_conf_t *cf)
     */

    conf->expires = NGX_HTTP_EXPIRES_UNSET;
-    conf->headers_inherit = NGX_CONF_UNSET_UINT;
-    conf->trailers_inherit = NGX_CONF_UNSET_UINT;

    return conf;
 }
@ -701,8 +668,6 @@ ngx_http_headers_merge_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_http_headers_conf_t *prev = parent;
    ngx_http_headers_conf_t *conf = child;

-    ngx_http_header_val_t  *hv;
-
    if (conf->expires == NGX_HTTP_EXPIRES_UNSET) {
        conf->expires = prev->expires;
        conf->expires_time = prev->expires_time;
@ -713,43 +678,12 @@ ngx_http_headers_merge_conf(ngx_conf_t *cf, void *parent, void *child)
        }
    }

-    ngx_conf_merge_uint_value(conf->headers_inherit, prev->headers_inherit,
-                              NGX_HTTP_HEADERS_INHERIT_ON);
-    ngx_conf_merge_uint_value(conf->trailers_inherit, prev->trailers_inherit,
-                              NGX_HTTP_HEADERS_INHERIT_ON);
-
-    if (conf->headers_inherit != NGX_HTTP_HEADERS_INHERIT_OFF
-        && prev->headers)
-    {
    if (conf->headers == NULL) {
        conf->headers = prev->headers;
-
-        } else if (conf->headers_inherit == NGX_HTTP_HEADERS_INHERIT_MERGE) {
-            hv = ngx_array_push_n(conf->headers, prev->headers->nelts);
-            if (hv == NULL) {
-                return NGX_CONF_ERROR;
    }

-            ngx_memcpy(hv, prev->headers->elts,
-                       sizeof(ngx_http_header_val_t) * prev->headers->nelts);
-        }
-    }
-
-    if (conf->trailers_inherit != NGX_HTTP_HEADERS_INHERIT_OFF
-        && prev->trailers)
-    {
    if (conf->trailers == NULL) {
        conf->trailers = prev->trailers;
-
-        } else if (conf->trailers_inherit == NGX_HTTP_HEADERS_INHERIT_MERGE) {
-            hv = ngx_array_push_n(conf->trailers, prev->trailers->nelts);
-            if (hv == NULL) {
-                return NGX_CONF_ERROR;
-            }
-
-            ngx_memcpy(hv, prev->trailers->elts,
-                       sizeof(ngx_http_header_val_t) * prev->trailers->nelts);
-        }
    }

    return NGX_CONF_OK;
--- a/src/http/modules/ngx_http_index_module.c
+++ b/src/http/modules/ngx_http_index_module.c
@ -490,7 +490,7 @@ ngx_http_index_set_index(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
        if (value[i].len == 0) {
            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                               "index \"%V\" in \"index\" directive is invalid",
-                               &value[i]);
+                               &value[1]);
            return NGX_CONF_ERROR;
        }

--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@ -8,7 +8,6 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
-#include <ngx_http_proxy_module.h>


 #define  NGX_HTTP_PROXY_COOKIE_SECURE           0x0001
@ -24,6 +23,11 @@
 #define  NGX_HTTP_PROXY_COOKIE_SAMESITE_OFF     0x0400


+typedef struct {
+    ngx_array_t                    caches;  /* ngx_http_file_cache_t * */
+} ngx_http_proxy_main_conf_t;
+
+
 typedef struct ngx_http_proxy_rewrite_s  ngx_http_proxy_rewrite_t;

 typedef ngx_int_t (*ngx_http_proxy_rewrite_pt)(ngx_http_request_t *r,
@ -57,6 +61,96 @@ typedef struct {
 } ngx_http_proxy_cookie_flags_t;


+typedef struct {
+    ngx_str_t                      key_start;
+    ngx_str_t                      schema;
+    ngx_str_t                      host_header;
+    ngx_str_t                      port;
+    ngx_str_t                      uri;
+} ngx_http_proxy_vars_t;
+
+
+typedef struct {
+    ngx_array_t                   *flushes;
+    ngx_array_t                   *lengths;
+    ngx_array_t                   *values;
+    ngx_hash_t                     hash;
+} ngx_http_proxy_headers_t;
+
+
+typedef struct {
+    ngx_http_upstream_conf_t       upstream;
+
+    ngx_array_t                   *body_flushes;
+    ngx_array_t                   *body_lengths;
+    ngx_array_t                   *body_values;
+    ngx_str_t                      body_source;
+
+    ngx_http_proxy_headers_t       headers;
+#if (NGX_HTTP_CACHE)
+    ngx_http_proxy_headers_t       headers_cache;
+#endif
+    ngx_array_t                   *headers_source;
+
+    ngx_array_t                   *proxy_lengths;
+    ngx_array_t                   *proxy_values;
+
+    ngx_array_t                   *redirects;
+    ngx_array_t                   *cookie_domains;
+    ngx_array_t                   *cookie_paths;
+    ngx_array_t                   *cookie_flags;
+
+    ngx_http_complex_value_t      *method;
+    ngx_str_t                      location;
+    ngx_str_t                      url;
+
+#if (NGX_HTTP_CACHE)
+    ngx_http_complex_value_t       cache_key;
+#endif
+
+    ngx_http_proxy_vars_t          vars;
+
+    ngx_flag_t                     redirect;
+
+    ngx_uint_t                     http_version;
+
+    ngx_uint_t                     headers_hash_max_size;
+    ngx_uint_t                     headers_hash_bucket_size;
+
+#if (NGX_HTTP_SSL)
+    ngx_uint_t                     ssl;
+    ngx_uint_t                     ssl_protocols;
+    ngx_str_t                      ssl_ciphers;
+    ngx_uint_t                     ssl_verify_depth;
+    ngx_str_t                      ssl_trusted_certificate;
+    ngx_str_t                      ssl_crl;
+    ngx_array_t                   *ssl_conf_commands;
+#endif
+} ngx_http_proxy_loc_conf_t;
+
+
+typedef struct {
+    ngx_http_status_t              status;
+    ngx_http_chunked_t             chunked;
+    ngx_http_proxy_vars_t          vars;
+    off_t                          internal_body_length;
+
+    ngx_chain_t                   *free;
+    ngx_chain_t                   *busy;
+
+    ngx_buf_t                     *trailers;
+
+    unsigned                       head:1;
+    unsigned                       internal_chunked:1;
+    unsigned                       header_sent:1;
+} ngx_http_proxy_ctx_t;
+
+
+static ngx_int_t ngx_http_proxy_eval(ngx_http_request_t *r,
+    ngx_http_proxy_ctx_t *ctx, ngx_http_proxy_loc_conf_t *plcf);
+#if (NGX_HTTP_CACHE)
+static ngx_int_t ngx_http_proxy_create_key(ngx_http_request_t *r);
+#endif
 static ngx_int_t ngx_http_proxy_create_request(ngx_http_request_t *r);
 static ngx_int_t ngx_http_proxy_reinit_request(ngx_http_request_t *r);
 static ngx_int_t ngx_http_proxy_body_output_filter(void *data, ngx_chain_t *in);
@ -84,14 +178,15 @@ static ngx_int_t ngx_http_proxy_port_variable(ngx_http_request_t *r,
 static ngx_int_t
    ngx_http_proxy_add_x_forwarded_for_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
-static ngx_int_t
-    ngx_http_proxy_internal_connection_variable(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t
    ngx_http_proxy_internal_body_length_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_proxy_internal_chunked_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r,
+    ngx_table_elt_t *h, size_t prefix);
+static ngx_int_t ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r,
+    ngx_table_elt_t *h);
 static ngx_int_t ngx_http_proxy_parse_cookie(ngx_str_t *value,
    ngx_array_t *attrs);
 static ngx_int_t ngx_http_proxy_rewrite_cookie_value(ngx_http_request_t *r,
@ -198,9 +293,6 @@ static ngx_conf_post_t  ngx_http_proxy_ssl_conf_command_post =
 static ngx_conf_enum_t  ngx_http_proxy_http_version[] = {
    { ngx_string("1.0"), NGX_HTTP_VERSION_10 },
    { ngx_string("1.1"), NGX_HTTP_VERSION_11 },
-#if (NGX_HTTP_V2)
-    { ngx_string("2"), NGX_HTTP_VERSION_20 },
-#endif
    { ngx_null_string, 0 }
 };

@ -748,8 +840,8 @@ static char  ngx_http_proxy_version_11[] = " HTTP/1.1" CRLF;


 static ngx_keyval_t  ngx_http_proxy_headers[] = {
-    { ngx_string("Host"), ngx_string("$proxy_internal_host") },
-    { ngx_string("Connection"), ngx_string("$proxy_internal_connection") },
+    { ngx_string("Host"), ngx_string("$proxy_host") },
+    { ngx_string("Connection"), ngx_string("close") },
    { ngx_string("Content-Length"), ngx_string("$proxy_internal_body_length") },
    { ngx_string("Transfer-Encoding"), ngx_string("$proxy_internal_chunked") },
    { ngx_string("TE"), ngx_string("") },
@ -776,8 +868,8 @@ static ngx_str_t  ngx_http_proxy_hide_headers[] = {
 #if (NGX_HTTP_CACHE)

 static ngx_keyval_t  ngx_http_proxy_cache_headers[] = {
-    { ngx_string("Host"), ngx_string("$proxy_internal_host") },
-    { ngx_string("Connection"), ngx_string("$proxy_internal_connection") },
+    { ngx_string("Host"), ngx_string("$proxy_host") },
+    { ngx_string("Connection"), ngx_string("close") },
    { ngx_string("Content-Length"), ngx_string("$proxy_internal_body_length") },
    { ngx_string("Transfer-Encoding"), ngx_string("$proxy_internal_chunked") },
    { ngx_string("TE"), ngx_string("") },
@ -812,14 +904,6 @@ static ngx_http_variable_t  ngx_http_proxy_vars[] = {
    { ngx_string("proxy_add_via"), NULL, NULL, 0, NGX_HTTP_VAR_NOHASH, 0 },
 #endif

-    { ngx_string("proxy_internal_host"), NULL,
-      ngx_http_proxy_host_variable, 1,
-      NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
-
-    { ngx_string("proxy_internal_connection"), NULL,
-      ngx_http_proxy_internal_connection_variable, 0,
-      NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
-
    { ngx_string("proxy_internal_body_length"), NULL,
      ngx_http_proxy_internal_body_length_variable, 0,
      NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
@ -878,14 +962,6 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
    ngx_http_proxy_main_conf_t  *pmcf;
 #endif

-    plcf = ngx_http_get_module_loc_conf(r, ngx_http_proxy_module);
-
-#if (NGX_HTTP_V2)
-    if (plcf->http_version == NGX_HTTP_VERSION_20) {
-        return ngx_http_proxy_v2_handler(r);
-    }
-#endif
-
    if (ngx_http_upstream_create(r) != NGX_OK) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }
@ -895,10 +971,10 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

-    ctx->legacy = 1;
-
    ngx_http_set_ctx(r, ctx, ngx_http_proxy_module);

+    plcf = ngx_http_get_module_loc_conf(r, ngx_http_proxy_module);
+
    u = r->upstream;

    if (plcf->proxy_lengths == NULL) {
@ -974,7 +1050,7 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
 }


-ngx_int_t
+static ngx_int_t
 ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
    ngx_http_proxy_loc_conf_t *plcf)
 {
@ -1078,7 +1154,7 @@ ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,

 #if (NGX_HTTP_CACHE)

-ngx_int_t
+static ngx_int_t
 ngx_http_proxy_create_key(ngx_http_request_t *r)
 {
    size_t                      len, loc_len;
@ -1130,8 +1206,7 @@ ngx_http_proxy_create_key(ngx_http_request_t *r)
        return NGX_OK;
    }

-    loc_len = (r->valid_location && ctx->vars.uri.len)
-              ? ngx_min(plcf->location.len, r->uri.len) : 0;
+    loc_len = (r->valid_location && ctx->vars.uri.len) ? plcf->location.len : 0;

    if (r->quoted_uri || r->internal) {
        escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
@ -1243,8 +1318,8 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
        uri_len = r->unparsed_uri.len;

    } else {
-        loc_len = (r->valid_location && ctx->vars.uri.len)
-                  ? ngx_min(plcf->location.len, r->uri.len) : 0;
+        loc_len = (r->valid_location && ctx->vars.uri.len) ?
+                      plcf->location.len : 0;

        if (r->quoted_uri || r->internal) {
            escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
@ -2043,7 +2118,7 @@ ngx_http_proxy_input_filter_init(void *data)
        /* chunked */

        u->pipe->input_filter = ngx_http_proxy_chunked_filter;
-        u->pipe->length = 5; /* "0" CRLF CRLF */
+        u->pipe->length = 3; /* "0" LF LF */

        u->input_filter = ngx_http_proxy_non_buffered_chunked_filter;
        u->length = 1;
@ -2692,11 +2767,6 @@ ngx_http_proxy_host_variable(ngx_http_request_t *r,
        return NGX_OK;
    }

-    if (data == 1 && !ctx->legacy) {
-        v->not_found = 1;
-        return NGX_OK;
-    }
-
    v->len = ctx->vars.host_header.len;
    v->valid = 1;
    v->no_cacheable = 0;
@ -2777,29 +2847,6 @@ ngx_http_proxy_add_x_forwarded_for_variable(ngx_http_request_t *r,
 }


-static ngx_int_t
-ngx_http_proxy_internal_connection_variable(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data)
-{
-    ngx_http_proxy_ctx_t  *ctx;
-
-    ctx = ngx_http_get_module_ctx(r, ngx_http_proxy_module);
-
-    if (ctx == NULL || !ctx->legacy) {
-        v->not_found = 1;
-        return NGX_OK;
-    }
-
-    v->valid = 1;
-    v->no_cacheable = 0;
-    v->not_found = 0;
-
-    ngx_str_set(v, "close");
-
-    return NGX_OK;
-}
-
-
 static ngx_int_t
 ngx_http_proxy_internal_body_length_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
@ -2853,7 +2900,7 @@ ngx_http_proxy_internal_chunked_variable(ngx_http_request_t *r,
 }


-ngx_int_t
+static ngx_int_t
 ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r, ngx_table_elt_t *h,
    size_t prefix)
 {
@ -2885,7 +2932,7 @@ ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r, ngx_table_elt_t *h,
 }


-ngx_int_t
+static ngx_int_t
 ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r, ngx_table_elt_t *h)
 {
    u_char                     *p;
@ -3530,7 +3577,6 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
     *     conf->headers.values = NULL;
     *     conf->headers.hash = { NULL, 0 };
     *     conf->headers_cache.lengths = NULL;
-     *     conf->host_set = 0;
     *     conf->headers_cache.values = NULL;
     *     conf->headers_cache.hash = { NULL, 0 };
     *     conf->body_lengths = NULL;
@ -4106,7 +4152,6 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 #if (NGX_HTTP_CACHE)
        conf->headers_cache = prev->headers_cache;
 #endif
-        conf->host_set = prev->host_set;
    }

    rc = ngx_http_proxy_init_headers(cf, conf, &conf->headers,
@ -4139,7 +4184,6 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 #if (NGX_HTTP_CACHE)
        prev->headers_cache = conf->headers_cache;
 #endif
-        prev->host_set = conf->host_set;
    }

    return NGX_CONF_OK;
@ -4192,12 +4236,6 @@ ngx_http_proxy_init_headers(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *conf,
        src = conf->headers_source->elts;
        for (i = 0; i < conf->headers_source->nelts; i++) {

-            if (src[i].key.len == 4
-                && ngx_strncasecmp(src[i].key.data, (u_char *) "Host", 4) == 0)
-            {
-                conf->host_set = 1;
-            }
-
            s = ngx_array_push(&headers_merged);
            if (s == NULL) {
                return NGX_ERROR;
--- a/src/http/modules/ngx_http_proxy_module.h
+++ b/src/http/modules/ngx_http_proxy_module.h
@ -1,127 +0,0 @@
-
-/*
- * Copyright (C) Igor Sysoev
- * Copyright (C) Nginx, Inc.
- */
-
-
-#ifndef _NGX_HTTP_PROXY_H_INCLUDED_
-#define _NGX_HTTP_PROXY_H_INCLUDED_
-
-
-#include <ngx_config.h>
-#include <ngx_core.h>
-#include <ngx_http.h>
-
-
-typedef struct {
-    ngx_array_t                    caches;  /* ngx_http_file_cache_t * */
-} ngx_http_proxy_main_conf_t;
-
-
-typedef struct {
-    ngx_str_t                      key_start;
-    ngx_str_t                      schema;
-    ngx_str_t                      host_header;
-    ngx_str_t                      port;
-    ngx_str_t                      uri;
-} ngx_http_proxy_vars_t;
-
-
-typedef struct {
-    ngx_array_t                   *flushes;
-    ngx_array_t                   *lengths;
-    ngx_array_t                   *values;
-    ngx_hash_t                     hash;
-} ngx_http_proxy_headers_t;
-
-
-typedef struct {
-    ngx_http_upstream_conf_t       upstream;
-
-    ngx_array_t                   *body_flushes;
-    ngx_array_t                   *body_lengths;
-    ngx_array_t                   *body_values;
-    ngx_str_t                      body_source;
-
-    ngx_http_proxy_headers_t       headers;
-#if (NGX_HTTP_CACHE)
-    ngx_http_proxy_headers_t       headers_cache;
-#endif
-    ngx_array_t                   *headers_source;
-    ngx_uint_t                     host_set;
-
-    ngx_array_t                   *proxy_lengths;
-    ngx_array_t                   *proxy_values;
-
-    ngx_array_t                   *redirects;
-    ngx_array_t                   *cookie_domains;
-    ngx_array_t                   *cookie_paths;
-    ngx_array_t                   *cookie_flags;
-
-    ngx_http_complex_value_t      *method;
-    ngx_str_t                      location;
-    ngx_str_t                      url;
-
-#if (NGX_HTTP_CACHE)
-    ngx_http_complex_value_t       cache_key;
-#endif
-
-    ngx_http_proxy_vars_t          vars;
-
-    ngx_flag_t                     redirect;
-
-    ngx_uint_t                     http_version;
-
-    ngx_uint_t                     headers_hash_max_size;
-    ngx_uint_t                     headers_hash_bucket_size;
-
-#if (NGX_HTTP_SSL || NGX_COMPAT)
-    ngx_uint_t                     ssl;
-    ngx_uint_t                     ssl_protocols;
-    ngx_str_t                      ssl_ciphers;
-    ngx_uint_t                     ssl_verify_depth;
-    ngx_str_t                      ssl_trusted_certificate;
-    ngx_str_t                      ssl_crl;
-    ngx_array_t                   *ssl_conf_commands;
-#endif
-} ngx_http_proxy_loc_conf_t;
-
-
-typedef struct {
-    ngx_http_status_t              status;
-    ngx_http_chunked_t             chunked;
-    ngx_http_proxy_vars_t          vars;
-    off_t                          internal_body_length;
-
-    ngx_chain_t                   *free;
-    ngx_chain_t                   *busy;
-
-    ngx_buf_t                     *trailers;
-
-    unsigned                       head:1;
-    unsigned                       internal_chunked:1;
-    unsigned                       header_sent:1;
-    unsigned                       legacy:1;
-} ngx_http_proxy_ctx_t;
-
-
-ngx_int_t ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
-    ngx_http_proxy_loc_conf_t *plcf);
-#if (NGX_HTTP_CACHE)
-ngx_int_t ngx_http_proxy_create_key(ngx_http_request_t *r);
-#endif
-ngx_int_t ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r,
-    ngx_table_elt_t *h, size_t prefix);
-ngx_int_t ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r,
-    ngx_table_elt_t *h);
-
-#if (NGX_HTTP_V2)
-ngx_int_t ngx_http_proxy_v2_handler(ngx_http_request_t *r);
-#endif
-
-
-extern ngx_module_t  ngx_http_proxy_module;
-
-
-#endif /* _NGX_HTTP_PROXY_H_INCLUDED_ */
--- a/src/http/modules/ngx_http_proxy_v2_module.c
+++ b/src/http/modules/ngx_http_proxy_v2_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@ -117,13 +117,6 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
      0,
      NULL },

-    { ngx_string("ssl_ech_file"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
-      ngx_conf_set_str_array_slot,
-      NGX_HTTP_SRV_CONF_OFFSET,
-      offsetof(ngx_http_ssl_srv_conf_t, ech_files),
-      NULL },
-
    { ngx_string("ssl_password_file"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_http_ssl_password_file,
@ -131,13 +124,6 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
      0,
      NULL },

-    { ngx_string("ssl_certificate_compression"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
-      ngx_conf_set_flag_slot,
-      NGX_HTTP_SRV_CONF_OFFSET,
-      offsetof(ngx_http_ssl_srv_conf_t, certificate_compression),
-      NULL },
-
    { ngx_string("ssl_dhparam"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
@ -244,7 +230,7 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
      NULL },

    { ngx_string("ssl_ocsp"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_enum_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ocsp),
@ -365,9 +351,6 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
    { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },

-    { ngx_string("ssl_sigalg"), NULL, ngx_http_ssl_variable,
-      (uintptr_t) ngx_ssl_get_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 },
-
    { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

@ -384,13 +367,6 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
    { ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },

-    { ngx_string("ssl_ech_status"), NULL, ngx_http_ssl_variable,
-      (uintptr_t) ngx_ssl_get_ech_status, NGX_HTTP_VAR_CHANGEABLE, 0 },
-
-    { ngx_string("ssl_ech_outer_server_name"), NULL, ngx_http_ssl_variable,
-      (uintptr_t) ngx_ssl_get_ech_outer_server_name,
-      NGX_HTTP_VAR_CHANGEABLE, 0 },
-
    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },

@ -432,9 +408,6 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
    { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },

-    { ngx_string("ssl_client_sigalg"), NULL, ngx_http_ssl_variable,
-      (uintptr_t) ngx_ssl_get_client_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 },
-
      ngx_http_null_variable
 };

@ -648,7 +621,6 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
     */

    sscf->prefer_server_ciphers = NGX_CONF_UNSET;
-    sscf->certificate_compression = NGX_CONF_UNSET;
    sscf->early_data = NGX_CONF_UNSET;
    sscf->reject_handshake = NGX_CONF_UNSET;
    sscf->buffer_size = NGX_CONF_UNSET_SIZE;
@ -657,7 +629,6 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
    sscf->certificates = NGX_CONF_UNSET_PTR;
    sscf->certificate_keys = NGX_CONF_UNSET_PTR;
    sscf->certificate_cache = NGX_CONF_UNSET_PTR;
-    sscf->ech_files = NGX_CONF_UNSET_PTR;
    sscf->passwords = NGX_CONF_UNSET_PTR;
    sscf->conf_commands = NGX_CONF_UNSET_PTR;
    sscf->builtin_session_cache = NGX_CONF_UNSET;
@ -687,9 +658,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

-    ngx_conf_merge_value(conf->certificate_compression,
-                         prev->certificate_compression, 0);
-
    ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
    ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);

@ -709,8 +677,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
                         NULL);

-    ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL);
-
    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@ -772,12 +738,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    cln->data = &conf->ssl;

 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-    {
-    static ngx_ssl_client_hello_arg cb = { ngx_http_ssl_servername };
-
-    if (ngx_ssl_set_client_hello_callback(&conf->ssl, &cb) != NGX_OK) {
-        return NGX_CONF_ERROR;
-    }

    if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                               ngx_http_ssl_servername)
@ -788,7 +748,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
            "dynamically to an OpenSSL library which has no tlsext support, "
            "therefore SNI is not available");
    }
-    }
+
 #endif

 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
@ -832,13 +792,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
        {
            return NGX_CONF_ERROR;
        }
-
-        if (ngx_ssl_certificate_compression(cf, &conf->ssl,
-                                            conf->certificate_compression)
-            != NGX_OK)
-        {
-            return NGX_CONF_ERROR;
-        }
    }

    conf->ssl.buffer_size = conf->buffer_size;
@ -897,10 +850,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
        return NGX_CONF_ERROR;
    }

-    if (ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {
-        return NGX_CONF_ERROR;
-    }
-
    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
@ -939,19 +888,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)

    if (conf->stapling) {

-        if (conf->certificate_compression) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "\"ssl_stapling\" is incompatible with "
-                          "\"ssl_certificate_compression\"");
-            return NGX_CONF_ERROR;
-        }
-
        if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
                             &conf->stapling_responder, conf->stapling_verify)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }
+
    }

    if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@ -18,7 +18,6 @@ typedef struct {
    ngx_ssl_t                       ssl;

    ngx_flag_t                      prefer_server_ciphers;
-    ngx_flag_t                      certificate_compression;
    ngx_flag_t                      early_data;
    ngx_flag_t                      reject_handshake;

@ -49,7 +48,6 @@ typedef struct {

    ngx_str_t                       ciphers;

-    ngx_array_t                    *ech_files;
    ngx_array_t                    *passwords;
    ngx_array_t                    *conf_commands;

--- a/src/http/ngx_http.h
+++ b/src/http/ngx_http.h
@ -122,6 +122,7 @@ ngx_int_t ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,

 ngx_http_request_t *ngx_http_create_request(ngx_connection_t *c);
 ngx_int_t ngx_http_process_request_uri(ngx_http_request_t *r);
+ngx_int_t ngx_http_process_request_header(ngx_http_request_t *r);
 void ngx_http_process_request(ngx_http_request_t *r);
 void ngx_http_update_location_config(ngx_http_request_t *r);
 void ngx_http_handler(ngx_http_request_t *r);
@ -130,8 +131,8 @@ ngx_int_t ngx_http_post_request(ngx_http_request_t *r,
    ngx_http_posted_request_t *pr);
 ngx_int_t ngx_http_set_virtual_server(ngx_http_request_t *r,
    ngx_str_t *host);
-ngx_int_t ngx_http_validate_host(ngx_str_t *host, in_port_t *port,
-    ngx_pool_t *pool, ngx_uint_t alloc);
+ngx_int_t ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool,
+    ngx_uint_t alloc);
 void ngx_http_close_request(ngx_http_request_t *r, ngx_int_t rc);
 void ngx_http_finalize_request(ngx_http_request_t *r, ngx_int_t rc);
 void ngx_http_free_request(ngx_http_request_t *r, ngx_int_t rc);
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@ -206,7 +206,6 @@ typedef struct {
 #if (NGX_PCRE)
    unsigned                    captures:1;
 #endif
-    unsigned                    allow_connect:1;

    ngx_http_core_loc_conf_t  **named_locations;
 } ngx_http_core_srv_conf_t;
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@ -111,7 +111,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
        sw_schema,
        sw_schema_slash,
        sw_schema_slash_slash,
-        sw_spaces_before_host,
        sw_host_start,
        sw_host,
        sw_host_end,
@ -159,7 +158,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
            if (ch == ' ') {
                r->method_end = p - 1;
                m = r->request_start;
-                state = sw_spaces_before_uri;

                switch (p - m) {

@ -249,7 +247,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                    if (ngx_str7_cmp(m, 'C', 'O', 'N', 'N', 'E', 'C', 'T', ' '))
                    {
                        r->method = NGX_HTTP_CONNECT;
-                        state = sw_spaces_before_host;
                    }

                    break;
@ -272,6 +269,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                    break;
                }

+                state = sw_spaces_before_uri;
                break;
            }

@ -347,14 +345,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
            }
            break;

-        case sw_spaces_before_host:
-
-            if (ch == ' ') {
-                break;
-            }
-
-            /* fall through */
-
        case sw_host_start:

            r->host_start = p;
@ -383,18 +373,12 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)

        case sw_host_end:

-            if (ch == ':') {
-                state = sw_port;
-                break;
-            }
-
            r->host_end = p;

-            if (r->method == NGX_HTTP_CONNECT) {
-                return NGX_HTTP_PARSE_INVALID_REQUEST;
-            }
-
            switch (ch) {
+            case ':':
+                state = sw_port;
+                break;
            case '/':
                r->uri_start = p;
                state = sw_after_slash_in_uri;
@ -465,17 +449,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                break;
            }

-            r->host_end = p;
-
-            if (r->method == NGX_HTTP_CONNECT) {
-                if (ch == ' ') {
-                    state = sw_http_09;
-                    break;
-                }
-
-                return NGX_HTTP_PARSE_INVALID_REQUEST;
-            }
-
            switch (ch) {
            case '/':
                r->uri_start = p;
@ -711,16 +684,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
        case sw_http_HTTP:
            switch (ch) {
            case '/':
-
-                /*
-                 * use single "/" from request line to preserve pointers,
-                 * if request line will be copied to large client buffer
-                 */
-                if (r->method == NGX_HTTP_CONNECT) {
-                    r->uri_start = p;
-                    r->uri_end = p + 1;
-                }
-
                state = sw_first_major_digit;
                break;
            default:
@ -2254,6 +2217,12 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                case CR:
                    state = sw_last_chunk_extension_almost_done;
                    break;
+                case LF:
+                    if (keep_trailers) {
+                        goto done;
+                    }
+                    state = sw_trailer;
+                    break;
                case ';':
                case ' ':
                case '\t':
@ -2270,6 +2239,9 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
            case CR:
                state = sw_chunk_extension_almost_done;
                break;
+            case LF:
+                state = sw_chunk_data;
+                break;
            case ';':
            case ' ':
            case '\t':
@ -2287,7 +2259,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_chunk_extension_almost_done;
                break;
            case LF:
-                goto invalid;
+                state = sw_chunk_data;
            }
            break;

@ -2307,6 +2279,9 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
            case CR:
                state = sw_after_data_almost_done;
                break;
+            case LF:
+                state = sw_chunk_start;
+                break;
            default:
                goto invalid;
            }
@ -2325,7 +2300,10 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_last_chunk_extension_almost_done;
                break;
            case LF:
-                goto invalid;
+                if (keep_trailers) {
+                    goto done;
+                }
+                state = sw_trailer;
            }
            break;

@ -2345,7 +2323,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_trailer_almost_done;
                break;
            case LF:
-                goto invalid;
+                goto done;
            default:
                state = sw_trailer_header;
            }
@ -2363,7 +2341,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_trailer_header_almost_done;
                break;
            case LF:
-                goto invalid;
+                state = sw_trailer;
            }
            break;

@ -2389,45 +2367,35 @@ data:
    switch (state) {

    case sw_chunk_start:
-        ctx->length = 5 /* "0" CRLF CRLF */;
+        ctx->length = 3 /* "0" LF LF */;
        break;
    case sw_chunk_size:
-        ctx->length = 2 /* CRLF */
-                      + (ctx->size ? ctx->size + 7 /* CRLF "0" CRLF CRLF */
-                                   : 2 /* CRLF */);
+        ctx->length = 1 /* LF */
+                      + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */
+                                   : 1 /* LF */);
        break;
    case sw_chunk_extension:
-        ctx->length = 2 /* CRLF */ + ctx->size + 7 /* CRLF "0" CRLF CRLF */;
-        break;
    case sw_chunk_extension_almost_done:
-        ctx->length = 1 /* LF */ + ctx->size + 7 /* CRLF "0" CRLF CRLF */;
+        ctx->length = 1 /* LF */ + ctx->size + 4 /* LF "0" LF LF */;
        break;
    case sw_chunk_data:
-        ctx->length = ctx->size + 7 /* CRLF "0" CRLF CRLF */;
+        ctx->length = ctx->size + 4 /* LF "0" LF LF */;
        break;
    case sw_after_data:
-        ctx->length = 7 /* CRLF "0" CRLF CRLF */;
-        break;
    case sw_after_data_almost_done:
-        ctx->length = 6 /* LF "0" CRLF CRLF */;
+        ctx->length = 4 /* LF "0" LF LF */;
        break;
    case sw_last_chunk_extension:
-        ctx->length = 4 /* CRLF CRLF */;
-        break;
    case sw_last_chunk_extension_almost_done:
-        ctx->length = 3 /* LF CRLF */;
+        ctx->length = 2 /* LF LF */;
        break;
    case sw_trailer:
-        ctx->length = 2 /* CRLF */;
-        break;
    case sw_trailer_almost_done:
        ctx->length = 1 /* LF */;
        break;
    case sw_trailer_header:
-        ctx->length = 4 /* CRLF CRLF */;
-        break;
    case sw_trailer_header_almost_done:
-        ctx->length = 3 /* LF CRLF */;
+        ctx->length = 2 /* LF LF */;
        break;

    }
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@ -29,7 +29,6 @@ static ngx_int_t ngx_http_process_connection(ngx_http_request_t *r,
 static ngx_int_t ngx_http_process_user_agent(ngx_http_request_t *r,
    ngx_table_elt_t *h, ngx_uint_t offset);

-static ngx_int_t ngx_http_process_request_header(ngx_http_request_t *r);
 static ngx_int_t ngx_http_find_virtual_server(ngx_connection_t *c,
    ngx_http_virtual_names_t *virtual_names, ngx_str_t *host,
    ngx_http_request_t *r, ngx_http_core_srv_conf_t **cscfp);
@ -891,27 +890,8 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

-    if (c->ssl->sni_accepted) {
-        return SSL_TLSEXT_ERR_OK;
-    }
-
-    if (c->ssl->handshake_rejected) {
-        *ad = SSL_AD_UNRECOGNIZED_NAME;
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
-    }
-
    hc = c->data;

-    if (arg != NULL) {
-        host = *(ngx_str_t *) arg;
-
-        if (host.data == NULL) {
-            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
-                           "SSL server name: null");
-            goto done;
-        }
-
-    } else {
    servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);

    if (servername == NULL) {
@ -920,18 +900,18 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        goto done;
    }

-        host.len = ngx_strlen(servername);
-        host.data = (u_char *) servername;
-    }
-
    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
-                   "SSL server name: \"%V\"", &host);
+                   "SSL server name: \"%s\"", servername);
+
+    host.len = ngx_strlen(servername);

    if (host.len == 0) {
        goto done;
    }

-    rc = ngx_http_validate_host(&host, NULL, c->pool, 1);
+    host.data = (u_char *) servername;
+
+    rc = ngx_http_validate_host(&host, c->pool, 1);

    if (rc == NGX_ERROR) {
        goto error;
@ -952,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        goto done;
    }

+    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+#if (defined TLS1_3_VERSION                                                   \
+     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+
+    /*
+     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+     * but servername being negotiated in every TLSv1.3 handshake
+     * is only returned in OpenSSL 1.1.1+ as well
+     */
+
+    if (sscf->verify) {
+        const char  *hostname;
+
+        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+
+        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+            c->ssl->handshake_rejected = 1;
+            *ad = SSL_AD_ACCESS_DENIED;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+    }
+
+#endif
+
    hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
    if (hc->ssl_servername == NULL) {
        goto error;
@ -965,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)

    ngx_set_connection_log(c, clcf->error_log);

-    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
-
    c->ssl->buffer_size = sscf->buffer_size;

    if (sscf->ssl.ctx) {
@ -1015,7 +1018,6 @@ done:
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

-    c->ssl->sni_accepted = 1;
    return SSL_TLSEXT_ERR_OK;

 error:
@ -1107,7 +1109,6 @@ ngx_http_process_request_line(ngx_event_t *rev)
    ssize_t              n;
    ngx_int_t            rc, rv;
    ngx_str_t            host;
-    in_port_t            port;
    ngx_connection_t    *c;
    ngx_http_request_t  *r;

@ -1170,7 +1171,7 @@ ngx_http_process_request_line(ngx_event_t *rev)
                host.len = r->host_end - r->host_start;
                host.data = r->host_start;

-                rc = ngx_http_validate_host(&host, &port, r->pool, 0);
+                rc = ngx_http_validate_host(&host, r->pool, 0);

                if (rc == NGX_DECLINED) {
                    ngx_log_error(NGX_LOG_INFO, c->log, 0,
@ -1189,7 +1190,6 @@ ngx_http_process_request_line(ngx_event_t *rev)
                }

                r->headers_in.server = host;
-                r->port = port;
            }

            if (r->http_version < NGX_HTTP_VERSION_10) {
@ -1850,7 +1850,6 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
 {
    ngx_int_t  rc;
    ngx_str_t  host;
-    in_port_t  port;

    if (r->headers_in.host) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -1867,7 +1866,7 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,

    host = h->value;

-    rc = ngx_http_validate_host(&host, &port, r->pool, 0);
+    rc = ngx_http_validate_host(&host, r->pool, 0);

    if (rc == NGX_DECLINED) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -1890,7 +1889,6 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
    }

    r->headers_in.server = host;
-    r->port = port;

    return NGX_OK;
 }
@ -1986,11 +1984,9 @@ ngx_http_process_user_agent(ngx_http_request_t *r, ngx_table_elt_t *h,
 }


-static ngx_int_t
+ngx_int_t
 ngx_http_process_request_header(ngx_http_request_t *r)
 {
-    ngx_http_core_srv_conf_t  *cscf;
-
    if (r->headers_in.server.len == 0
        && ngx_http_set_virtual_server(r, &r->headers_in.server)
           == NGX_ERROR)
@ -2059,11 +2055,7 @@ ngx_http_process_request_header(ngx_http_request_t *r)
        }
    }

-    cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
-
-    if (r->method == NGX_HTTP_CONNECT
-        && (r->http_version != NGX_HTTP_VERSION_11 || !cscf->allow_connect))
-    {
+    if (r->method == NGX_HTTP_CONNECT) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "client sent CONNECT method");
        ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
@ -2174,174 +2166,72 @@ ngx_http_process_request(ngx_http_request_t *r)


 ngx_int_t
-ngx_http_validate_host(ngx_str_t *host, in_port_t *portp, ngx_pool_t *pool,
-    ngx_uint_t alloc)
+ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
 {
    u_char  *h, ch;
    size_t   i, dot_pos, host_len;
-    ngx_int_t   port;

    enum {
-        sw_host_start = 0,
-        sw_host,
-        sw_host_ip_literal,
-        sw_host_end,
-        sw_port,
+        sw_usual = 0,
+        sw_literal,
+        sw_rest
    } state;

    dot_pos = host->len;
    host_len = host->len;
-    port = 0;

    h = host->data;

-    state = sw_host_start;
+    state = sw_usual;

    for (i = 0; i < host->len; i++) {
        ch = h[i];

-        switch (state) {
-
-        case sw_host_start:
-
-            if (ch == '[') {
-                state = sw_host_ip_literal;
-                break;
-            }
-
-            state = sw_host;
-
-            /* fall through */
-
-        case sw_host:
-
-            if (ch >= 'A' && ch <= 'Z') {
-                alloc = 1;
-                break;
-            }
-
-            if (ch >= 'a' && ch <= 'z') {
-                break;
-            }
-
-            if (ch >= '0' && ch <= '9') {
-                break;
-            }
-
        switch (ch) {
+
+        case '.':
+            if (dot_pos == i - 1) {
+                return NGX_DECLINED;
+            }
+            dot_pos = i;
+            break;
+
        case ':':
+            if (state == sw_usual) {
                host_len = i;
-                state = sw_port;
-                break;
-            case '-':
-                break;
-            case '.':
-                if (dot_pos == i - 1) {
-                    return NGX_DECLINED;
-                }
-                dot_pos = i;
-                break;
-            case '_':
-            case '~':
-                /* unreserved */
-                break;
-            case '!':
-            case '$':
-            case '&':
-            case '\'':
-            case '(':
-            case ')':
-            case '*':
-            case '+':
-            case ',':
-            case ';':
-            case '=':
-                /* sub-delims */
-                break;
-            case '%':
-                /* pct-encoded */
-                break;
-            default:
-                return NGX_DECLINED;
+                state = sw_rest;
            }
            break;

-        case sw_host_ip_literal:
+        case '[':
+            if (i == 0) {
+                state = sw_literal;
+            }
+            break;
+
+        case ']':
+            if (state == sw_literal) {
+                host_len = i + 1;
+                state = sw_rest;
+            }
+            break;
+
+        default:
+
+            if (ngx_path_separator(ch)) {
+                return NGX_DECLINED;
+            }
+
+            if (ch <= 0x20 || ch == 0x7f) {
+                return NGX_DECLINED;
+            }

            if (ch >= 'A' && ch <= 'Z') {
                alloc = 1;
-                break;
            }

-            if (ch >= 'a' && ch <= 'z') {
            break;
        }
-
-            if (ch >= '0' && ch <= '9') {
-                break;
-            }
-
-            switch (ch) {
-            case ':':
-                break;
-            case ']':
-                host_len = i + 1;
-                state = sw_host_end;
-                break;
-            case '-':
-                break;
-            case '.':
-                if (dot_pos == i - 1) {
-                    return NGX_DECLINED;
-                }
-                dot_pos = i;
-                break;
-            case '_':
-            case '~':
-                /* unreserved */
-                break;
-            case '!':
-            case '$':
-            case '&':
-            case '\'':
-            case '(':
-            case ')':
-            case '*':
-            case '+':
-            case ',':
-            case ';':
-            case '=':
-                /* sub-delims */
-                break;
-            default:
-                return NGX_DECLINED;
-            }
-            break;
-
-        case sw_host_end:
-
-            if (ch == ':') {
-                state = sw_port;
-                break;
-            }
-            return NGX_DECLINED;
-
-        case sw_port:
-
-            if (ch >= '0' && ch <= '9') {
-                if (port >= 6553 && (port > 6553 || (ch - '0') > 5)) {
-                    return NGX_DECLINED;
-                }
-
-                port = port * 10 + (ch - '0');
-                break;
-            }
-            return NGX_DECLINED;
-        }
-    }
-
-    if (state == sw_host_ip_literal) {
-        return NGX_DECLINED;
    }

    if (dot_pos == host_len - 1) {
@ -2363,10 +2253,6 @@ ngx_http_validate_host(ngx_str_t *host, in_port_t *portp, ngx_pool_t *pool,

    host->len = host_len;

-    if (portp) {
-        *portp = port;
-    }
-
    return NGX_OK;
 }

--- a/src/http/ngx_http_request.h
+++ b/src/http/ngx_http_request.h
@ -461,8 +461,6 @@ struct ngx_http_request_s {

    ngx_http_cleanup_t               *cleanup;

-    in_port_t                         port;
-
    unsigned                          count:16;
    unsigned                          subrequests:8;
    unsigned                          blocked:8;
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@ -116,10 +116,6 @@ static ngx_int_t ngx_http_upstream_process_set_cookie(ngx_http_request_t *r,
 static ngx_int_t
    ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
    ngx_table_elt_t *h, ngx_uint_t offset);
-#if (NGX_HTTP_CACHE)
-static ngx_int_t ngx_http_upstream_process_delta_seconds(u_char *p,
-    u_char *last);
-#endif
 static ngx_int_t ngx_http_upstream_ignore_header_line(ngx_http_request_t *r,
    ngx_table_elt_t *h, ngx_uint_t offset);
 static ngx_int_t ngx_http_upstream_process_expires(ngx_http_request_t *r,
@ -1771,23 +1767,6 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
        }
    }

-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
-
-    if (u->ssl_alpn_protocol.len) {
-        if (SSL_set_alpn_protos(c->ssl->connection, u->ssl_alpn_protocol.data,
-                                u->ssl_alpn_protocol.len)
-            != 0)
-        {
-            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
-                          "SSL_set_alpn_protos() failed");
-            ngx_http_upstream_finalize_request(r, u,
-                                               NGX_HTTP_INTERNAL_SERVER_ERROR);
-            return;
-        }
-    }
-
-#endif
-
    if (u->conf->ssl_session_reuse) {
        c->ssl->save_session = ngx_http_upstream_ssl_save_session;

@ -5087,9 +5066,18 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
    }

    if (p) {
-        n = ngx_http_upstream_process_delta_seconds(p + offset, last);
+        n = 0;
+
+        for (p += offset; p < last; p++) {
+            if (*p == ',' || *p == ';' || *p == ' ') {
+                break;
+            }
+
+            if (*p >= '0' && *p <= '9') {
+                n = n * 10 + (*p - '0');
+                continue;
+            }

-        if (n == NGX_ERROR) {
            u->cacheable = 0;
            return NGX_OK;
        }
@ -5099,8 +5087,7 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
            return NGX_OK;
        }

-        r->cache->valid_sec = ngx_min((ngx_uint_t) ngx_time() + n,
-                                      NGX_MAX_INT_T_VALUE);
+        r->cache->valid_sec = ngx_time() + n;
        u->headers_in.expired = 0;
    }

@ -5110,9 +5097,18 @@ extensions:
                         23 - 1);

    if (p) {
-        n = ngx_http_upstream_process_delta_seconds(p + 23, last);
+        n = 0;
+
+        for (p += 23; p < last; p++) {
+            if (*p == ',' || *p == ';' || *p == ' ') {
+                break;
+            }
+
+            if (*p >= '0' && *p <= '9') {
+                n = n * 10 + (*p - '0');
+                continue;
+            }

-        if (n == NGX_ERROR) {
            u->cacheable = 0;
            return NGX_OK;
        }
@ -5124,9 +5120,18 @@ extensions:
    p = ngx_strlcasestrn(start, last, (u_char *) "stale-if-error=", 15 - 1);

    if (p) {
-        n = ngx_http_upstream_process_delta_seconds(p + 15, last);
+        n = 0;
+
+        for (p += 15; p < last; p++) {
+            if (*p == ',' || *p == ';' || *p == ' ') {
+                break;
+            }
+
+            if (*p >= '0' && *p <= '9') {
+                n = n * 10 + (*p - '0');
+                continue;
+            }

-        if (n == NGX_ERROR) {
            u->cacheable = 0;
            return NGX_OK;
        }
@ -5140,41 +5145,6 @@ extensions:
 }


-#if (NGX_HTTP_CACHE)
-
-static ngx_int_t
-ngx_http_upstream_process_delta_seconds(u_char *p, u_char *last)
-{
-    ngx_int_t  n, cutoff, cutlim;
-
-    cutoff = NGX_MAX_INT_T_VALUE / 10;
-    cutlim = NGX_MAX_INT_T_VALUE % 10;
-
-    n = 0;
-
-    for ( /* void */ ; p < last; p++) {
-        if (*p == ',' || *p == ';' || *p == ' ') {
-            break;
-        }
-
-        if (*p < '0' || *p > '9') {
-            return NGX_ERROR;
-        }
-
-        if (n >= cutoff && (n > cutoff || *p - '0' > cutlim)) {
-            n = NGX_MAX_INT_T_VALUE;
-            break;
-        }
-
-        n = n * 10 + (*p - '0');
-    }
-
-    return n;
-}
-
-#endif
-
-
 static ngx_int_t
 ngx_http_upstream_process_expires(ngx_http_request_t *r, ngx_table_elt_t *h,
    ngx_uint_t offset)
@ -6915,7 +6885,6 @@ ngx_http_upstream_set_local(ngx_http_request_t *r, ngx_http_upstream_t *u,
    }

    if (val.len == 0) {
-        u->peer.local = NULL;
        return NGX_OK;
    }

@ -6932,7 +6901,6 @@ ngx_http_upstream_set_local(ngx_http_request_t *r, ngx_http_upstream_t *u,
    if (rc != NGX_OK) {
        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                      "invalid local address \"%V\"", &val);
-        u->peer.local = NULL;
        return NGX_OK;
    }

--- a/src/http/ngx_http_upstream.h
+++ b/src/http/ngx_http_upstream.h
@ -253,7 +253,7 @@ typedef struct {

    ngx_str_t                        module;

-    NGX_COMPAT_BEGIN(6)
+    NGX_COMPAT_BEGIN(2)
    NGX_COMPAT_END
 } ngx_http_upstream_conf_t;

@ -390,7 +390,6 @@ struct ngx_http_upstream_s {

 #if (NGX_HTTP_SSL || NGX_COMPAT)
    ngx_str_t                        ssl_name;
-    ngx_str_t                        ssl_alpn_protocol;
 #endif

    ngx_http_cleanup_pt             *cleanup;
--- a/src/http/ngx_http_variables.c
+++ b/src/http/ngx_http_variables.c
@ -71,10 +71,6 @@ static ngx_int_t ngx_http_variable_scheme(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_variable_https(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
-static ngx_int_t ngx_http_variable_request_port(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data);
-static ngx_int_t ngx_http_variable_is_request_port(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data);
 static void ngx_http_variable_set_args(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_variable_is_args(ngx_http_request_t *r,
@ -235,12 +231,6 @@ static ngx_http_variable_t  ngx_http_core_variables[] = {

    { ngx_string("https"), NULL, ngx_http_variable_https, 0, 0, 0 },

-    { ngx_string("request_port"), NULL,
-      ngx_http_variable_request_port, 0, 0, 0 },
-
-    { ngx_string("is_request_port"), NULL,
-      ngx_http_variable_is_request_port, 0, 0, 0 },
-
    { ngx_string("request_uri"), NULL, ngx_http_variable_request,
      offsetof(ngx_http_request_t, unparsed_uri), 0, 0 },

@ -1550,51 +1540,6 @@ ngx_http_variable_https(ngx_http_request_t *r,
 }


-static ngx_int_t
-ngx_http_variable_request_port(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data)
-{
-    ngx_uint_t  port;
-
-    v->len = 0;
-    v->valid = 1;
-    v->no_cacheable = 0;
-    v->not_found = 0;
-
-    v->data = ngx_pnalloc(r->pool, sizeof("65535") - 1);
-    if (v->data == NULL) {
-        return NGX_ERROR;
-    }
-
-    port = r->port;
-
-    if (port > 0 && port < 65536) {
-        v->len = ngx_sprintf(v->data, "%ui", port) - v->data;
-    }
-
-    return NGX_OK;
-}
-
-
-static ngx_int_t
-ngx_http_variable_is_request_port(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data)
-{
-    if (r->port == 0) {
-        *v = ngx_http_variable_null_value;
-        return NGX_OK;
-    }
-
-    v->len = 1;
-    v->valid = 1;
-    v->no_cacheable = 0;
-    v->not_found = 0;
-    v->data = (u_char *) ":";
-
-    return NGX_OK;
-}
-
-
 static void
 ngx_http_variable_set_args(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@ -158,7 +158,6 @@ static ngx_int_t ngx_http_v2_construct_request_line(ngx_http_request_t *r);
 static ngx_int_t ngx_http_v2_cookie(ngx_http_request_t *r,
    ngx_http_v2_header_t *header);
 static ngx_int_t ngx_http_v2_construct_cookie_header(ngx_http_request_t *r);
-static ngx_int_t ngx_http_v2_construct_host_header(ngx_http_request_t *r);
 static void ngx_http_v2_run_request(ngx_http_request_t *r);
 static ngx_int_t ngx_http_v2_process_request_body(ngx_http_request_t *r,
    u_char *pos, size_t size, ngx_uint_t last, ngx_uint_t flush);
@ -3518,42 +3517,44 @@ ngx_http_v2_parse_scheme(ngx_http_request_t *r, ngx_str_t *value)
 static ngx_int_t
 ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
 {
-    ngx_int_t  rc;
-    in_port_t  port;
+    ngx_table_elt_t            *h;
+    ngx_http_header_t          *hh;
+    ngx_http_core_main_conf_t  *cmcf;

-    if (r->host_start) {
-        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
-                      "client sent duplicate \":authority\" header");
-        return NGX_DECLINED;
+    static ngx_str_t host = ngx_string("host");
+
+    h = ngx_list_push(&r->headers_in.headers);
+    if (h == NULL) {
+        return NGX_ERROR;
    }

-    r->host_start = value->data;
-    r->host_end = value->data + value->len;
+    h->hash = ngx_hash(ngx_hash(ngx_hash('h', 'o'), 's'), 't');

-    rc = ngx_http_validate_host(value, &port, r->pool, 0);
+    h->key.len = host.len;
+    h->key.data = host.data;

-    if (rc == NGX_DECLINED) {
-        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
-                      "client sent invalid \":authority\" header");
-        return NGX_DECLINED;
+    h->value.len = value->len;
+    h->value.data = value->data;
+
+    h->lowcase_key = host.data;
+
+    cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
+
+    hh = ngx_hash_find(&cmcf->headers_in_hash, h->hash,
+                       h->lowcase_key, h->key.len);
+
+    if (hh == NULL) {
+        return NGX_ERROR;
    }

-    if (rc == NGX_ERROR) {
-        ngx_http_v2_close_stream(r->stream, NGX_HTTP_INTERNAL_SERVER_ERROR);
-        return NGX_ABORT;
-    }
-
-    if (ngx_http_set_virtual_server(r, value) == NGX_ERROR) {
+    if (hh->handler(r, h, hh->offset) != NGX_OK) {
        /*
         * request has been finalized already
-         * in ngx_http_set_virtual_server()
+         * in ngx_http_process_host()
         */
        return NGX_ABORT;
    }

-    r->headers_in.server = *value;
-    r->port = port;
-
    return NGX_OK;
 }

@ -3724,54 +3725,7 @@ ngx_http_v2_construct_cookie_header(ngx_http_request_t *r)
    if (hh->handler(r, h, hh->offset) != NGX_OK) {
        /*
         * request has been finalized already
-         * in ngx_http_process_header_line()
-         */
-        return NGX_ERROR;
-    }
-
-    return NGX_OK;
-}
-
-
-static ngx_int_t
-ngx_http_v2_construct_host_header(ngx_http_request_t *r)
-{
-    ngx_table_elt_t            *h;
-    ngx_http_header_t          *hh;
-    ngx_http_core_main_conf_t  *cmcf;
-
-    static ngx_str_t host = ngx_string("host");
-
-    h = ngx_list_push(&r->headers_in.headers);
-    if (h == NULL) {
-        ngx_http_v2_close_stream(r->stream, NGX_HTTP_INTERNAL_SERVER_ERROR);
-        return NGX_ERROR;
-    }
-
-    h->hash = ngx_hash(ngx_hash(ngx_hash('h', 'o'), 's'), 't');
-
-    h->key.len = host.len;
-    h->key.data = host.data;
-
-    h->value.len = r->host_end - r->host_start;
-    h->value.data = r->host_start;
-
-    h->lowcase_key = host.data;
-
-    cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module);
-
-    hh = ngx_hash_find(&cmcf->headers_in_hash, h->hash,
-                       h->lowcase_key, h->key.len);
-
-    if (hh == NULL) {
-        ngx_http_v2_close_stream(r->stream, NGX_HTTP_INTERNAL_SERVER_ERROR);
-        return NGX_ERROR;
-    }
-
-    if (hh->handler(r, h, hh->offset) != NGX_OK) {
-        /*
-         * request has been finalized already
-         * in ngx_http_process_host()
+         * in ngx_http_process_multi_header_lines()
         */
        return NGX_ERROR;
    }
@ -3783,7 +3737,6 @@ ngx_http_v2_construct_host_header(ngx_http_request_t *r)
 static void
 ngx_http_v2_run_request(ngx_http_request_t *r)
 {
-    ngx_str_t                  host;
    ngx_connection_t          *fc;
    ngx_http_v2_srv_conf_t    *h2scf;
    ngx_http_v2_connection_t  *h2c;
@ -3811,54 +3764,12 @@ ngx_http_v2_run_request(ngx_http_request_t *r)

    r->http_state = NGX_HTTP_PROCESS_REQUEST_STATE;

-    if (r->headers_in.server.len == 0) {
-        ngx_log_error(NGX_LOG_INFO, fc->log, 0,
-                      "client sent neither \":authority\" nor \"Host\" header");
-        ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
-        goto failed;
-    }
-
-    if (r->host_end) {
-
-        host.len = r->host_end - r->host_start;
-        host.data = r->host_start;
-
-        if (r->headers_in.host) {
-            if (r->headers_in.host->value.len != host.len
-                || ngx_memcmp(r->headers_in.host->value.data, host.data,
-                              host.len)
-                   != 0)
-            {
-                ngx_log_error(NGX_LOG_INFO, fc->log, 0,
-                              "client sent \":authority\" and \"Host\" headers "
-                              "with different values");
-                ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
-                goto failed;
-            }
-
-        } else {
-            /* compatibility for $http_host */
-
-            if (ngx_http_v2_construct_host_header(r) != NGX_OK) {
-                goto failed;
-            }
-        }
-    }
-
-    if (r->headers_in.content_length) {
-        r->headers_in.content_length_n =
-                            ngx_atoof(r->headers_in.content_length->value.data,
-                                      r->headers_in.content_length->value.len);
-
-        if (r->headers_in.content_length_n == NGX_ERROR) {
-            ngx_log_error(NGX_LOG_INFO, fc->log, 0,
-                          "client sent invalid \"Content-Length\" header");
-            ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+    if (ngx_http_process_request_header(r) != NGX_OK) {
        goto failed;
    }

    if (r->headers_in.content_length_n > 0 && r->stream->in_closed) {
-            ngx_log_error(NGX_LOG_INFO, fc->log, 0,
+        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "client prematurely closed stream");

        r->stream->skip_data = 1;
@ -3867,22 +3778,10 @@ ngx_http_v2_run_request(ngx_http_request_t *r)
        goto failed;
    }

-    } else if (!r->stream->in_closed) {
+    if (r->headers_in.content_length_n == -1 && !r->stream->in_closed) {
        r->headers_in.chunked = 1;
    }

-    if (r->method == NGX_HTTP_CONNECT) {
-        ngx_log_error(NGX_LOG_INFO, fc->log, 0, "client sent CONNECT method");
-        ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
-        goto failed;
-    }
-
-    if (r->method == NGX_HTTP_TRACE) {
-        ngx_log_error(NGX_LOG_INFO, fc->log, 0, "client sent TRACE method");
-        ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
-        goto failed;
-    }
-
    h2c = r->stream->connection;

    h2c->payload_bytes += r->request_length;
@ -4104,14 +4003,15 @@ ngx_http_v2_process_request_body(ngx_http_request_t *r, u_char *pos,
                n = size;
            }

+            if (n > 0) {
+                rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
+            }
+
            ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
                           "http2 request body recv %uz", n);

-            if (n > 0) {
-                rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
            pos += n;
            size -= n;
-            }

            if (size == 0 && last) {
                rb->rest = 0;
--- a/src/http/v2/ngx_http_v2_filter_module.c
+++ b/src/http/v2/ngx_http_v2_filter_module.c
@ -32,8 +32,7 @@ static ngx_int_t ngx_http_v2_early_hints_filter(ngx_http_request_t *r);
 static ngx_int_t ngx_http_v2_init_stream(ngx_http_request_t *r);

 static ngx_http_v2_out_frame_t *ngx_http_v2_create_headers_frame(
-    ngx_http_request_t *r, u_char *pos, u_char *end, ngx_uint_t fin,
-    ngx_uint_t flush);
+    ngx_http_request_t *r, u_char *pos, u_char *end, ngx_uint_t fin);
 static ngx_http_v2_out_frame_t *ngx_http_v2_create_trailers_frame(
    ngx_http_request_t *r);

@ -610,7 +609,7 @@ ngx_http_v2_header_filter(ngx_http_request_t *r)
    fin = r->header_only
          || (r->headers_out.content_length_n == 0 && !r->expect_trailers);

-    frame = ngx_http_v2_create_headers_frame(r, start, pos, fin, 0);
+    frame = ngx_http_v2_create_headers_frame(r, start, pos, fin);
    if (frame == NULL) {
        return NGX_ERROR;
    }
@ -775,7 +774,7 @@ ngx_http_v2_early_hints_filter(ngx_http_request_t *r)
                                      header[i].value.len, tmp);
    }

-    frame = ngx_http_v2_create_headers_frame(r, start, pos, 0, 1);
+    frame = ngx_http_v2_create_headers_frame(r, start, pos, 0);
    if (frame == NULL) {
        return NGX_ERROR;
    }
@ -826,7 +825,7 @@ ngx_http_v2_init_stream(ngx_http_request_t *r)

 static ngx_http_v2_out_frame_t *
 ngx_http_v2_create_headers_frame(ngx_http_request_t *r, u_char *pos,
-    u_char *end, ngx_uint_t fin, ngx_uint_t flush)
+    u_char *end, ngx_uint_t fin)
 {
    u_char                    type, flags;
    size_t                    rest, frame_size;
@ -917,7 +916,6 @@ ngx_http_v2_create_headers_frame(ngx_http_request_t *r, u_char *pos,
        }

        b->last_buf = fin;
-        b->flush = flush;
        cl->next = NULL;
        frame->last = cl;

@ -1040,7 +1038,7 @@ ngx_http_v2_create_trailers_frame(ngx_http_request_t *r)
                                      header[i].value.len, tmp);
    }

-    return ngx_http_v2_create_headers_frame(r, start, pos, 1, 0);
+    return ngx_http_v2_create_headers_frame(r, start, pos, 1);
 }


--- a/src/http/v3/ngx_http_v3_parse.c
+++ b/src/http/v3/ngx_http_v3_parse.c
@ -623,12 +623,6 @@ ngx_http_v3_parse_literal(ngx_connection_t *c, ngx_http_v3_parse_literal_t *st,
            }

            if (st->huffman) {
-                if (n > NGX_MAX_INT_T_VALUE / 8) {
-                    ngx_log_error(NGX_LOG_INFO, c->log, 0,
-                                  "client sent too large field line");
-                    return NGX_HTTP_V3_ERR_EXCESSIVE_LOAD;
-                }
-
                n = n * 8 / 5;
                st->huffstate = 0;
            }
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@ -904,7 +904,6 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
    u_char     *p;
    ngx_int_t   rc;
    ngx_str_t   host;
-    in_port_t   port;

    if (r->request_line.len) {
        return NGX_OK;
@ -962,11 +961,11 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
        host.len = r->host_end - r->host_start;
        host.data = r->host_start;

-        rc = ngx_http_validate_host(&host, &port, r->pool, 0);
+        rc = ngx_http_validate_host(&host, r->pool, 0);

        if (rc == NGX_DECLINED) {
            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
-                          "client sent invalid \":authority\" header");
+                          "client sent invalid host in request line");
            goto failed;
        }

@ -980,7 +979,6 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
        }

        r->headers_in.server = host;
-        r->port = port;
    }

    if (ngx_list_init(&r->headers_in.headers, r->pool, 20,
@ -1005,7 +1003,6 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r)
 {
    ssize_t                  n;
    ngx_buf_t               *b;
-    ngx_str_t                host;
    ngx_connection_t        *c;
    ngx_http_v3_session_t   *h3c;
    ngx_http_v3_srv_conf_t  *h3scf;
@ -1037,13 +1034,11 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r)
        goto failed;
    }

-    if (r->headers_in.host && r->host_end) {
-
-        host.len = r->host_end - r->host_start;
-        host.data = r->host_start;
-
-        if (r->headers_in.host->value.len != host.len
-            || ngx_memcmp(r->headers_in.host->value.data, host.data, host.len)
+    if (r->headers_in.host) {
+        if (r->headers_in.host->value.len != r->headers_in.server.len
+            || ngx_memcmp(r->headers_in.host->value.data,
+                          r->headers_in.server.data,
+                          r->headers_in.server.len)
               != 0)
        {
            ngx_log_error(NGX_LOG_INFO, c->log, 0,
@ -1218,7 +1213,7 @@ ngx_http_v3_construct_cookie_header(ngx_http_request_t *r)
    if (hh->handler(r, h, hh->offset) != NGX_OK) {
        /*
         * request has been finalized already
-         * in ngx_http_process_header_line()
+         * in ngx_http_process_multi_header_lines()
         */
        return NGX_ERROR;
    }
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@ -1321,10 +1321,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
    b->last = ngx_copy(b->last, passwd.data, passwd.len);
    *b->last++ = CR; *b->last++ = LF;

-    if ((s->auth_method == NGX_MAIL_AUTH_APOP
-         || s->auth_method == NGX_MAIL_AUTH_CRAM_MD5)
-        && s->salt.len)
-    {
+    if (s->auth_method != NGX_MAIL_AUTH_PLAIN && s->salt.len) {
        b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
        b->last = ngx_copy(b->last, s->salt.data, s->salt.len);

--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c)
 ngx_int_t
 ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
 {
-    u_char     *p, *pos, *last;
+    u_char     *p, *last;
    ngx_str_t  *arg, plain;

    arg = s->args.elts;
@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
        return NGX_MAIL_PARSE_INVALID_COMMAND;
    }

-    pos = p;
+    s->login.data = p;

    while (p < last && *p) { p++; }

@ -565,8 +565,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
        return NGX_MAIL_PARSE_INVALID_COMMAND;
    }

-    s->login.len = p++ - pos;
-    s->login.data = pos;
+    s->login.len = p++ - s->login.data;

    s->passwd.len = last - p;
    s->passwd.data = p;
@ -584,26 +583,24 @@ ngx_int_t
 ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
    ngx_uint_t n)
 {
-    ngx_str_t  *arg, login;
+    ngx_str_t  *arg;

    arg = s->args.elts;

    ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
                   "mail auth login username: \"%V\"", &arg[n]);

-    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
-    if (login.data == NULL) {
+    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
+    if (s->login.data == NULL) {
        return NGX_ERROR;
    }

-    if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {
+    if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {
        ngx_log_error(NGX_LOG_INFO, c->log, 0,
            "client sent invalid base64 encoding in AUTH LOGIN command");
        return NGX_MAIL_PARSE_INVALID_COMMAND;
    }

-    s->login = login;
-
    ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
                   "mail auth login username: \"%V\"", &s->login);

@ -614,7 +611,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
 ngx_int_t
 ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
 {
-    ngx_str_t  *arg, passwd;
+    ngx_str_t  *arg;

    arg = s->args.elts;

@ -623,19 +620,18 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
                   "mail auth login password: \"%V\"", &arg[0]);
 #endif

-    passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
-    if (passwd.data == NULL) {
+    s->passwd.data = ngx_pnalloc(c->pool,
+                                 ngx_base64_decoded_length(arg[0].len));
+    if (s->passwd.data == NULL) {
        return NGX_ERROR;
    }

-    if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {
+    if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) {
        ngx_log_error(NGX_LOG_INFO, c->log, 0,
            "client sent invalid base64 encoding in AUTH LOGIN command");
        return NGX_MAIL_PARSE_INVALID_COMMAND;
    }

-    s->passwd = passwd;
-
 #if (NGX_DEBUG_MAIL_PASSWD)
    ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
                   "mail auth login password: \"%V\"", &s->passwd);
@ -678,26 +674,24 @@ ngx_int_t
 ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)
 {
    u_char     *p, *last;
-    ngx_str_t  *arg, login;
+    ngx_str_t  *arg;

    arg = s->args.elts;

    ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
                   "mail auth cram-md5: \"%V\"", &arg[0]);

-    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
-    if (login.data == NULL) {
+    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
+    if (s->login.data == NULL) {
        return NGX_ERROR;
    }

-    if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {
+    if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {
        ngx_log_error(NGX_LOG_INFO, c->log, 0,
            "client sent invalid base64 encoding in AUTH CRAM-MD5 command");
        return NGX_MAIL_PARSE_INVALID_COMMAND;
    }

-    s->login = login;
-
    p = s->login.data;
    last = p + s->login.len;

@ -1006,11 +1000,13 @@ ngx_mail_log_error(ngx_log_t *log, u_char *buf, size_t len)
    len -= p - buf;
    buf = p;

-    if (s->login.len) {
+    if (s->login.len == 0) {
+        return p;
+    }
+
    p = ngx_snprintf(buf, len, ", login: \"%V\"", &s->login);
    len -= p - buf;
    buf = p;
-    }

    if (s->proxy == NULL) {
        return p;
--- a/src/mail/ngx_mail_proxy_module.c
+++ b/src/mail/ngx_mail_proxy_module.c
@ -531,7 +531,6 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
    ngx_int_t                  rc;
    ngx_str_t                  line, auth, encoded;
    ngx_buf_t                 *b;
-    uintptr_t                  n;
    ngx_connection_t          *c;
    ngx_mail_session_t        *s;
    ngx_mail_proxy_conf_t     *pcf;
@ -628,10 +627,6 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
                          CRLF) - 1
                   + s->connection->addr_text.len + s->login.len + s->host.len;

-        n = ngx_escape_uri(NULL, s->login.data, s->login.len,
-                           NGX_ESCAPE_MAIL_XTEXT);
-        line.len += n * 2;
-
 #if (NGX_HAVE_INET6)
        if (s->connection->sockaddr->sa_family == AF_INET6) {
            line.len += sizeof("IPV6:") - 1;
@ -659,14 +654,7 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)

        if (s->login.len && !pcf->smtp_auth) {
            p = ngx_cpymem(p, " LOGIN=", sizeof(" LOGIN=") - 1);
-
-            if (n == 0) {
            p = ngx_copy(p, s->login.data, s->login.len);
-
-            } else {
-                p = (u_char *) ngx_escape_uri(p, s->login.data, s->login.len,
-                                              NGX_ESCAPE_MAIL_XTEXT);
-            }
        }

        p = ngx_cpymem(p, " NAME=", sizeof(" NAME=") - 1);
--- a/src/mail/ngx_mail_smtp_handler.c
+++ b/src/mail/ngx_mail_smtp_handler.c
@ -782,9 +782,6 @@ ngx_mail_smtp_mail(ngx_mail_session_t *s, ngx_connection_t *c)

    ngx_str_set(&s->out, smtp_ok);

-    ngx_str_null(&s->login);
-    ngx_str_null(&s->passwd);
-
    return NGX_OK;
 }

--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@ -97,13 +97,6 @@ static ngx_command_t  ngx_mail_ssl_commands[] = {
      0,
      NULL },

-    { ngx_string("ssl_certificate_compression"),
-      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
-      ngx_conf_set_flag_slot,
-      NGX_MAIL_SRV_CONF_OFFSET,
-      offsetof(ngx_mail_ssl_conf_t, certificate_compression),
-      NULL },
-
    { ngx_string("ssl_dhparam"),
      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
@ -321,7 +314,6 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
    scf->passwords = NGX_CONF_UNSET_PTR;
    scf->conf_commands = NGX_CONF_UNSET_PTR;
    scf->prefer_server_ciphers = NGX_CONF_UNSET;
-    scf->certificate_compression = NGX_CONF_UNSET;
    scf->verify = NGX_CONF_UNSET_UINT;
    scf->verify_depth = NGX_CONF_UNSET_UINT;
    scf->builtin_session_cache = NGX_CONF_UNSET;
@ -351,9 +343,6 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

-    ngx_conf_merge_value(conf->certificate_compression,
-                         prev->certificate_compression, 0);
-
    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                         (NGX_CONF_BITMASK_SET|NGX_SSL_DEFAULT_PROTOCOLS));

@ -457,13 +446,6 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
        return NGX_CONF_ERROR;
    }

-    if (ngx_ssl_certificate_compression(cf, &conf->ssl,
-                                        conf->certificate_compression)
-        != NGX_OK)
-    {
-        return NGX_CONF_ERROR;
-    }
-
    if (conf->verify) {

        if (conf->verify != 3
--- a/src/mail/ngx_mail_ssl_module.h
+++ b/src/mail/ngx_mail_ssl_module.h
@ -21,7 +21,6 @@

 typedef struct {
    ngx_flag_t       prefer_server_ciphers;
-    ngx_flag_t       certificate_compression;

    ngx_ssl_t        ssl;

--- a/src/stream/ngx_stream_core_module.c
+++ b/src/stream/ngx_stream_core_module.c
@ -476,169 +476,68 @@ ngx_stream_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
 {
    u_char  *h, ch;
    size_t   i, dot_pos, host_len;
-    ngx_int_t   port;

    enum {
-        sw_host_start = 0,
-        sw_host,
-        sw_host_ip_literal,
-        sw_host_end,
-        sw_port,
+        sw_usual = 0,
+        sw_literal,
+        sw_rest
    } state;

    dot_pos = host->len;
    host_len = host->len;
-    port = 0;

    h = host->data;

-    state = sw_host_start;
+    state = sw_usual;

    for (i = 0; i < host->len; i++) {
        ch = h[i];

-        switch (state) {
-
-        case sw_host_start:
-
-            if (ch == '[') {
-                state = sw_host_ip_literal;
-                break;
-            }
-
-            state = sw_host;
-
-            /* fall through */
-
-        case sw_host:
-
-            if (ch >= 'A' && ch <= 'Z') {
-                alloc = 1;
-                break;
-            }
-
-            if (ch >= 'a' && ch <= 'z') {
-                break;
-            }
-
-            if (ch >= '0' && ch <= '9') {
-                break;
-            }
-
        switch (ch) {
+
+        case '.':
+            if (dot_pos == i - 1) {
+                return NGX_DECLINED;
+            }
+            dot_pos = i;
+            break;
+
        case ':':
+            if (state == sw_usual) {
                host_len = i;
-                state = sw_port;
-                break;
-            case '-':
-                break;
-            case '.':
-                if (dot_pos == i - 1) {
-                    return NGX_DECLINED;
-                }
-                dot_pos = i;
-                break;
-            case '_':
-            case '~':
-                /* unreserved */
-                break;
-            case '!':
-            case '$':
-            case '&':
-            case '\'':
-            case '(':
-            case ')':
-            case '*':
-            case '+':
-            case ',':
-            case ';':
-            case '=':
-                /* sub-delims */
-                break;
-            case '%':
-                /* pct-encoded */
-                break;
-            default:
-                return NGX_DECLINED;
+                state = sw_rest;
            }
            break;

-        case sw_host_ip_literal:
+        case '[':
+            if (i == 0) {
+                state = sw_literal;
+            }
+            break;
+
+        case ']':
+            if (state == sw_literal) {
+                host_len = i + 1;
+                state = sw_rest;
+            }
+            break;
+
+        default:
+
+            if (ngx_path_separator(ch)) {
+                return NGX_DECLINED;
+            }
+
+            if (ch <= 0x20 || ch == 0x7f) {
+                return NGX_DECLINED;
+            }

            if (ch >= 'A' && ch <= 'Z') {
                alloc = 1;
-                break;
            }

-            if (ch >= 'a' && ch <= 'z') {
            break;
        }
-
-            if (ch >= '0' && ch <= '9') {
-                break;
-            }
-
-            switch (ch) {
-            case ':':
-                break;
-            case ']':
-                host_len = i + 1;
-                state = sw_host_end;
-                break;
-            case '-':
-                break;
-            case '.':
-                if (dot_pos == i - 1) {
-                    return NGX_DECLINED;
-                }
-                dot_pos = i;
-                break;
-            case '_':
-            case '~':
-                /* unreserved */
-                break;
-            case '!':
-            case '$':
-            case '&':
-            case '\'':
-            case '(':
-            case ')':
-            case '*':
-            case '+':
-            case ',':
-            case ';':
-            case '=':
-                /* sub-delims */
-                break;
-            default:
-                return NGX_DECLINED;
-            }
-            break;
-
-        case sw_host_end:
-
-            if (ch == ':') {
-                state = sw_port;
-                break;
-            }
-            return NGX_DECLINED;
-
-        case sw_port:
-
-            if (ch >= '0' && ch <= '9') {
-                if (port >= 6553 && (port > 6553 || (ch - '0') > 5)) {
-                    return NGX_DECLINED;
-                }
-
-                port = port * 10 + (ch - '0');
-                break;
-            }
-            return NGX_DECLINED;
-        }
-    }
-
-    if (state == sw_host_ip_literal) {
-        return NGX_DECLINED;
    }

    if (dot_pos == host_len - 1) {
--- a/src/stream/ngx_stream_geo_module.c
+++ b/src/stream/ngx_stream_geo_module.c
@ -61,7 +61,6 @@ typedef struct {
    unsigned                           outside_entries:1;
    unsigned                           allow_binary_include:1;
    unsigned                           binary_include:1;
-    unsigned                           no_cacheable:1;
 } ngx_stream_geo_conf_ctx_t;


@ -434,7 +433,6 @@ ngx_stream_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
                  + sizeof(ngx_stream_variable_value_t)
                  + 0x10000 * sizeof(ngx_stream_geo_range_t *);
    ctx.allow_binary_include = 1;
-    ctx.no_cacheable = 0;

    save = *cf;
    cf->pool = pool;
@ -450,10 +448,6 @@ ngx_stream_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
        goto failed;
    }

-    if (ctx.no_cacheable) {
-        var->flags |= NGX_STREAM_VAR_NOCACHEABLE;
-    }
-
    if (ctx.ranges) {

        if (ctx.high.low && !ctx.binary_include) {
@ -589,12 +583,6 @@ ngx_stream_geo(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)

            goto done;
        }
-
-        else if (ngx_strcmp(value[0].data, "volatile") == 0) {
-            ctx->no_cacheable = 1;
-            rv = NGX_CONF_OK;
-            goto done;
-        }
    }

    if (cf->args->nelts != 2) {
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@ -680,7 +680,6 @@ ngx_stream_proxy_set_local(ngx_stream_session_t *s, ngx_stream_upstream_t *u,
    }

    if (val.len == 0) {
-        u->peer.local = NULL;
        return NGX_OK;
    }

@ -697,7 +696,6 @@ ngx_stream_proxy_set_local(ngx_stream_session_t *s, ngx_stream_upstream_t *u,
    if (rc != NGX_OK) {
        ngx_log_error(NGX_LOG_ERR, s->connection->log, 0,
                      "invalid local address \"%V\"", &val);
-        u->peer.local = NULL;
        return NGX_OK;
    }

--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@ -126,13 +126,6 @@ static ngx_command_t  ngx_stream_ssl_commands[] = {
      0,
      NULL },

-    { ngx_string("ssl_ech_file"),
-      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
-      ngx_conf_set_str_array_slot,
-      NGX_STREAM_SRV_CONF_OFFSET,
-      offsetof(ngx_stream_ssl_srv_conf_t, ech_files),
-      NULL },
-
    { ngx_string("ssl_password_file"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_stream_ssl_password_file,
@ -140,13 +133,6 @@ static ngx_command_t  ngx_stream_ssl_commands[] = {
      0,
      NULL },

-    { ngx_string("ssl_certificate_compression"),
-      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
-      ngx_conf_set_flag_slot,
-      NGX_STREAM_SRV_CONF_OFFSET,
-      offsetof(ngx_stream_ssl_srv_conf_t, certificate_compression),
-      NULL },
-
    { ngx_string("ssl_dhparam"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_slot,
@ -246,7 +232,7 @@ static ngx_command_t  ngx_stream_ssl_commands[] = {
      NULL },

    { ngx_string("ssl_ocsp"),
-      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
      ngx_conf_set_enum_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_srv_conf_t, ocsp),
@ -364,9 +350,6 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
    { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },

-    { ngx_string("ssl_sigalg"), NULL, ngx_stream_ssl_variable,
-      (uintptr_t) ngx_ssl_get_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 },
-
    { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },

@ -379,13 +362,6 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
    { ngx_string("ssl_alpn_protocol"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 },

-    { ngx_string("ssl_ech_status"), NULL, ngx_stream_ssl_variable,
-      (uintptr_t) ngx_ssl_get_ech_status, NGX_STREAM_VAR_CHANGEABLE, 0 },
-
-    { ngx_string("ssl_ech_outer_server_name"), NULL, ngx_stream_ssl_variable,
-      (uintptr_t) ngx_ssl_get_ech_outer_server_name,
-      NGX_STREAM_VAR_CHANGEABLE, 0 },
-
    { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 },

@ -421,9 +397,6 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
    { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },

-    { ngx_string("ssl_client_sigalg"), NULL, ngx_stream_ssl_variable,
-      (uintptr_t) ngx_ssl_get_client_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 },
-
      ngx_stream_null_variable
 };

@ -575,27 +548,8 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

-    if (c->ssl->sni_accepted) {
-        return SSL_TLSEXT_ERR_OK;
-    }
-
-    if (c->ssl->handshake_rejected) {
-        *ad = SSL_AD_UNRECOGNIZED_NAME;
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
-    }
-
    s = c->data;

-    if (arg) {
-        host = *(ngx_str_t *) arg;
-
-        if (host.data == NULL) {
-            ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
-                           "SSL server name: null");
-            goto done;
-        }
-
-    } else {
    servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);

    if (servername == NULL) {
@ -604,17 +558,17 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        goto done;
    }

-        host.len = ngx_strlen(servername);
-        host.data = (u_char *) servername;
-    }
-
    ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
-                   "SSL server name: \"%V\"", &host);
+                   "SSL server name: \"%s\"", servername);
+
+    host.len = ngx_strlen(servername);

    if (host.len == 0) {
        goto done;
    }

+    host.data = (u_char *) servername;
+
    rc = ngx_stream_validate_host(&host, c->pool, 1);

    if (rc == NGX_ERROR) {
@ -635,12 +589,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        goto done;
    }

+    sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
+
+#if (defined TLS1_3_VERSION                                                   \
+     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+
+    /*
+     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+     * but servername being negotiated in every TLSv1.3 handshake
+     * is only returned in OpenSSL 1.1.1+ as well
+     */
+
+    if (sscf->verify) {
+        const char  *hostname;
+
+        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+
+        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+            c->ssl->handshake_rejected = 1;
+            *ad = SSL_AD_ACCESS_DENIED;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+    }
+
+#endif
+
    s->srv_conf = cscf->ctx->srv_conf;

    ngx_set_connection_log(c, cscf->error_log);

-    sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
-
    if (sscf->ssl.ctx) {
        if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
            goto error;
@ -679,7 +656,6 @@ done:
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }

-    c->ssl->sni_accepted = 1;
    return SSL_TLSEXT_ERR_OK;

 error:
@ -902,11 +878,9 @@ ngx_stream_ssl_create_srv_conf(ngx_conf_t *cf)
    sscf->certificates = NGX_CONF_UNSET_PTR;
    sscf->certificate_keys = NGX_CONF_UNSET_PTR;
    sscf->certificate_cache = NGX_CONF_UNSET_PTR;
-    sscf->ech_files = NGX_CONF_UNSET_PTR;
    sscf->passwords = NGX_CONF_UNSET_PTR;
    sscf->conf_commands = NGX_CONF_UNSET_PTR;
    sscf->prefer_server_ciphers = NGX_CONF_UNSET;
-    sscf->certificate_compression = NGX_CONF_UNSET;
    sscf->reject_handshake = NGX_CONF_UNSET;
    sscf->verify = NGX_CONF_UNSET_UINT;
    sscf->verify_depth = NGX_CONF_UNSET_UINT;
@ -940,9 +914,6 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_conf_merge_value(conf->prefer_server_ciphers,
                         prev->prefer_server_ciphers, 0);

-    ngx_conf_merge_value(conf->certificate_compression,
-                         prev->certificate_compression, 0);
-
    ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);

    ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
@ -958,8 +929,6 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
                         NULL);

-    ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL);
-
    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);

    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@ -1022,16 +991,8 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    cln->data = &conf->ssl;

 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-    {
-    static ngx_ssl_client_hello_arg cb = { ngx_stream_ssl_servername };
-
-    if (ngx_ssl_set_client_hello_callback(&conf->ssl, &cb) != NGX_OK) {
-        return NGX_CONF_ERROR;
-    }
-
    SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                           ngx_stream_ssl_servername);
-    }
 #endif

 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
@ -1078,13 +1039,6 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
        {
            return NGX_CONF_ERROR;
        }
-
-        if (ngx_ssl_certificate_compression(cf, &conf->ssl,
-                                            conf->certificate_compression)
-            != NGX_OK)
-        {
-            return NGX_CONF_ERROR;
-        }
    }

    if (conf->verify) {
@ -1141,10 +1095,6 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
        return NGX_CONF_ERROR;
    }

-    if (ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {
-        return NGX_CONF_ERROR;
-    }
-
    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
@ -1184,19 +1134,13 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)

    if (conf->stapling) {

-        if (conf->certificate_compression) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "\"ssl_stapling\" is incompatible with "
-                          "\"ssl_certificate_compression\"");
-            return NGX_CONF_ERROR;
-        }
-
        if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
                             &conf->stapling_responder, conf->stapling_verify)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }
+
    }

    if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
--- a/src/stream/ngx_stream_ssl_module.h
+++ b/src/stream/ngx_stream_ssl_module.h
@ -18,7 +18,6 @@ typedef struct {
    ngx_msec_t        handshake_timeout;

    ngx_flag_t        prefer_server_ciphers;
-    ngx_flag_t        certificate_compression;
    ngx_flag_t        reject_handshake;

    ngx_ssl_t         ssl;
@ -49,7 +48,6 @@ typedef struct {

    ngx_str_t         ciphers;

-    ngx_array_t      *ech_files;
    ngx_array_t      *passwords;
    ngx_array_t      *conf_commands;