Systemd Patches + CVE Patch

version

@@ -1,4 +1,4 @@
-export NGINX="1.30.0"
+export NGINX="1.31.0"
 
 # Lua Path
 export LUA_SCRIPTS="/usr/nginx_lua"
@@ -58,3 +58,31 @@ export NGX_MOD_LUA_SRCACHE="0.33"
 # Zstandard compression module. Chrome 123+ and Firefox 126+ send
 # `Accept-Encoding: zstd`; older clients fall back to brotli/gzip.
 export NGX_MOD_ZSTD="0.1.1"
+
+# https://github.com/zlib-ng/zlib-ng/releases
+# Drop-in libz replacement with SIMD-accelerated DEFLATE. Built in --zlib-compat
+# mode, installed to /usr/local/zlib-ng/. ~2-3x faster gzip CPU vs stock zlib.
+export SYSTEM_ZLIBNG="2.3.3"
+
+# ---------------------------------------------------------------------------
+# Patches applied on top of upstream nginx source (committed at build/patches/).
+# 1 = apply, 0 = skip. Each patch's filename embeds the nginx version it was
+# authored against — bumping NGINX above means reviewing/refreshing every patch
+# in build/patches/.
+# ---------------------------------------------------------------------------
+# Required for Type=notify in the systemd unit. Mainline nginx has the
+# #if (NGX_HAVE_SYSTEMD) guards but no actual sd_notify call sites; every distro
+# carries their own patch. Without this, `Type=notify` times out at startup.
+export APPLY_PATCH_SYSTEMD_NOTIFY=1
+
+# Cloudflare's dynamic TLS records: ssl_dyn_rec_* directives. Varies TLS record
+# size based on connection state. -1 RTT TTFB on first byte, +reduced overhead
+# at steady state. Patch shipped at build/patches/.
+export APPLY_PATCH_DYNAMIC_TLS_RECORDS=1
+
+# Cloudflare's HPACK dynamic-table encoder: --with-http_v2_hpack_enc. Smaller
+# HTTP/2 response headers on the wire. Upstream patch is stale (last touched
+# 2017; nginx 1.31 has already absorbed parts of it upstream and the remaining
+# hunks reference internals that have drifted). Patch NOT yet shipped — would
+# need a full rebase. Keep toggle here for the day someone ports it.
+export APPLY_PATCH_HTTP2_HPACK_ENC=0