NGINX on Debian 13 Trixie: What Changed and How to Upgrade

Debian 13 — codenamed Trixie — is Debian’s current testing branch, due to become stable in mid-2025. If you’re already running Trixie or preparing to migrate from Debian 12 Bookworm, there are some meaningful changes under the hood that affect every NGINX and Angie deployment. New compiler, new OpenSSL, new PHP defaults, new systemd — and some package transitions that could trip you up if you’re not paying attention.

The good news: the myguard APT repository has shipped Trixie packages since day one of the testing cycle. Install NGINX or Angie from deb.myguard.nl and you automatically get builds compiled natively on Trixie’s toolchain — not backports, not compatibility shims, not “should work” guesswork.

What Is Debian 13 Trixie?

Trixie is the development codename for Debian’s next stable release. Debian names its releases after Toy Story characters — after Bookworm (Debian 12) comes Trixie, the triceratops. Once Trixie is declared stable (expected 2025–2026), it will become “Debian 13” and receive five-plus years of security support.

Right now, Trixie is in “testing” status: it receives updates continuously, packages are more recent than Bookworm’s, and it’s broadly stable but not yet officially blessed for production. Many sysadmins run Trixie on servers where they want newer software without compiling from source. The myguard repository treats Trixie as a first-class target.

What Changed in Trixie That Affects NGINX

GCC 14 Compiler

Our Trixie NGINX and Angie packages are compiled with GCC 14, which enables more aggressive auto-vectorization and improved link-time optimization. GCC 14 is also stricter about certain C code patterns, so a few modules needed patches to compile cleanly. The result: measurably better performance on modern CPUs, especially for compression (brotli, zstd, gzip), which is heavily vectorized.

Approximate GCC 14 gains on amd64:

  • Brotli compression: ~8–12% faster encoding from improved Huffman codec vectorization
  • zstd compression: ~6–10% faster at level 3 via AVX2 path improvements
  • TLS handshakes: ~5% improvement from better P-256 curve codegen

OpenSSL 3.3 (vs 3.0 on Bookworm)

Bookworm shipped with OpenSSL 3.0 LTS. Trixie upgrades to OpenSSL 3.3, which brings improved TLS 1.3 internals, better QUIC support, and performance improvements in elliptic curve operations. This matters even if you use our dedicated openssl-nginx package (which is compiled independently), because the system OpenSSL is used by tools you run alongside NGINX — certbot, curl, the openssl CLI, Python scripts.

OpenSSL 3.3 is also stricter about malformed certificates that 3.0 accepted with warnings. Validate internal/self-signed certs before upgrading:

openssl verify -CAfile /path/to/ca.pem /path/to/cert.pem
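
The same openssl verify check can be run over every certificate an NGINX configuration references. This is an added example, not code from the myguard project; the function names, the OPENSSL and NGINX_PREFIX variables, and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run the openssl verify check over every certificate NGINX serves.

# Read an `nginx -T` dump on stdin, print the unique ssl_certificate file paths.
# Skips ssl_certificate_key, commented-out directives, and values that are not
# plain files (variables, data: and engine: prefixes). Relative paths are
# resolved against NGINX_PREFIX (assumed default: /etc/nginx).
cert_paths() {
    awk -v prefix="${NGINX_PREFIX:-/etc/nginx}" '
        { sub(/#.*/, "") }
        $1 == "ssl_certificate" {
            p = $2; sub(/;$/, "", p); gsub(/"/, "", p)
            if (p == "" || index(p, "$") || p ~ /^(data|engine):/) next
            if (p !~ /^\//) p = prefix "/" p
            print p
        }' | sort -u
}

# Read paths on stdin and verify each against the CA bundle in $1. The file is
# also passed as -untrusted so intermediates bundled after the leaf are used.
# OPENSSL (assumed variable) can point at the Trixie openssl binary.
verify_certs() {
    failed=0
    while IFS= read -r cert; do
        if "${OPENSSL:-openssl}" verify -CAfile "$1" -untrusted "$cert" "$cert" \
                </dev/null >/dev/null 2>&1
        then echo "ok      $cert"
        else echo "FAILED  $cert"; failed=1
        fi
    done
    return "$failed"
}

# Constructed sample configuration (paths are illustrative).
sample_config() {
    cat <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/site/fullchain.pem;
    ssl_certificate_key /etc/ssl/site/privkey.pem;
}
server {
    ssl_certificate tls/internal.pem;   # relative to the prefix
    # ssl_certificate /etc/ssl/old/retired.pem;
    ssl_certificate $ssl_server_name.pem;
    ssl_certificate /etc/ssl/site/fullchain.pem;
}
EOF
}
```

On a live server the pipeline is `nginx -T 2>/dev/null | cert_paths | verify_certs /path/to/ca.pem`; a non-zero exit status means at least one certificate failed verification.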

PHP 8.4 Default

Trixie’s default PHP version is 8.4. If you’re running PHP-FPM with NGINX for WordPress, check plugin compatibility before upgrading. PHP 8.4 promoted some dynamic property deprecation warnings to errors — well-maintained plugins are fine, but older ones that haven’t been updated since 2020 may throw fatal errors.

Quick compatibility check before upgrading:

php8.4 -f /path/to/wp-config.php 2>&1 | grep -i fatal
php8.4 -m | grep -vF '[' | sort  # List loaded modules

For PHP security hardening, the myguard repository ships php8.4-snuffleupagus — install it alongside PHP-FPM for interpreter-level protection.

systemd 256

Trixie ships systemd 256, which introduces more aggressive cgroup isolation defaults. This is mostly transparent for NGINX, but if you use custom systemd service overrides touching PrivateTmp, ProtectSystem, or cgroup limits, review them. The standard NGINX and Angie systemd units from the myguard packages are already updated for systemd 256 compatibility.

Linux Kernel 6.11+

Trixie tracks a much newer kernel than Bookworm’s 6.1. For NGINX specifically, the newer kernel improves kTLS (Kernel TLS offload) performance, improves io_uring support, and has better QUIC-layer socket handling. If you enable kTLS on Trixie, you’re getting noticeably better TLS offload than on Bookworm.

# Verify kTLS is available
modprobe tls && lsmod | grep tls

# Enable in nginx.conf
ssl_conf_command Options KTLS;

Installing NGINX or Angie on Trixie

Same as any other Debian release — add the myguard repository and install:

wget https://deb.myguard.nl/pool/myguard.deb
dpkg -i myguard.deb
apt-get update
apt-get install nginx    # or: apt-get install angie

Verify build info and check for the Trixie toolchain:

nginx -V 2>&1

New to the myguard repository? Follow the two-minute setup guide.

Upgrading from Bookworm to Trixie

# Step 1 — Back up NGINX config
tar -czf /tmp/nginx-config-backup.tar.gz /etc/nginx/

# Step 2 — Note current versions
nginx -V > /tmp/nginx-v-before.txt 2>&1   # nginx -V writes to stderr

# Step 3 — Update Debian sources
sed -i 's/bookworm/trixie/g' /etc/apt/sources.list
apt update
apt full-upgrade

# Step 4 — myguard repo auto-detects Trixie, no changes needed
apt install nginx   # refresh to Trixie build

# Step 5 — Test and reload
nginx -t && systemctl reload nginx
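
Steps 2 and 5 can be tied together by taking a second nginx -V snapshot after the upgrade and comparing it with the first, which shows the toolchain change and flags any built-in or added module that disappeared. This is an added example, not part of the myguard packages; the function names are hypothetical and the sample snapshot values are constructed.

```shell
#!/bin/sh
# Added example: compare `nginx -V` snapshots taken before and after the upgrade.

# Print one header field of a snapshot. $1 = file, $2 = version|compiler|openssl
nginx_v_field() {
    case "$2" in
        version)  sed -n 's/^nginx version: //p' "$1" ;;
        compiler) sed -n 's/^built by //p' "$1" ;;
        openssl)  sed -n 's/^built with //p' "$1" ;;
    esac
}

# List module flags present before the upgrade but missing after it.
# Build paths in --add-*-module= are cut down to the module directory name, so
# a changed build root alone is not reported. $1 = before file, $2 = after file
dropped_modules() {
    awk -v after="$2" '
        /^configure arguments:/ {
            for (i = 3; i <= NF; i++) {
                tok = $i
                if (tok !~ /^--(with-[a-z0-9_]+_module|add-(dynamic-)?module=)/) continue
                sub(/=.*\//, "=", tok)
                if (FILENAME == after) have[tok] = 1; else want[tok] = 1
            }
        }
        END { for (t in want) if (!(t in have)) print t }
    ' "$1" "$2" | sort
}

# Print old -> new for each header field; return 1 if a module flag was lost.
upgrade_report() {
    for f in version compiler openssl; do
        printf '%-9s %s -> %s\n' "$f" "$(nginx_v_field "$1" "$f")" "$(nginx_v_field "$2" "$f")"
    done
    lost=$(dropped_modules "$1" "$2")
    if [ -n "$lost" ]; then
        printf 'missing after upgrade:\n%s\n' "$lost"
        return 1
    fi
}

# Constructed sample snapshots (illustrative values, not real build output).
write_samples() {   # $1 = directory to write before.txt and after.txt into
    printf '%s\n' 'nginx version: nginx/1.0.0' 'built by gcc 12.2.0' 'built with OpenSSL 3.0.0' \
        "configure arguments: --with-cc-opt='-g -O2' --with-http_ssl_module --with-http_geoip_module=dynamic --add-dynamic-module=/build/bookworm/ngx_brotli" > "$1/before.txt"
    printf '%s\n' 'nginx version: nginx/1.0.1' 'built by gcc 14.2.0' 'built with OpenSSL 3.3.0' \
        "configure arguments: --with-cc-opt='-g -O2' --with-http_ssl_module --add-dynamic-module=/build/trixie/ngx_brotli" > "$1/after.txt"
}
```

After the upgrade, save a second snapshot with `nginx -V > /tmp/nginx-v-after.txt 2>&1` and run `upgrade_report /tmp/nginx-v-before.txt /tmp/nginx-v-after.txt` before reloading.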

Fresh Install Checklist for Trixie

  1. Add myguard repository: wget https://deb.myguard.nl/pool/myguard.deb && dpkg -i myguard.deb
  2. Install NGINX: apt-get install nginx — pulls in openssl-nginx automatically
  3. Add modules: brotli, ModSecurity, Lua, GeoIP2 — all available as dynamic modules
  4. Open UDP 443: HTTP/3 requires it — ufw allow 443/udp
  5. Configure TLS: Use the TLS guide for A+ on SSL Labs
  6. Install PHP-FPM: apt-get install php8.4-fpm php8.4-mysql php8.4-xml php8.4-curl
  7. Harden PHP: apt-get install php8.4-snuffleupagus

Module Compatibility on Trixie

All 50+ dynamic modules in the myguard repository are compiled natively for Trixie — no compatibility layer, built against the same NGINX and library versions as the main packages:

apt-get install libnginx-mod-http-brotli       # Brotli compression
apt-get install libnginx-mod-http-modsecurity  # ModSecurity WAF
apt-get install libnginx-mod-http-lua          # Lua scripting
apt-get install libnginx-mod-http-zstd         # Zstandard compression
apt-get install libnginx-mod-http-geoip2       # GeoIP2 routing

Known Issues and Gotchas

PHP 8.4 strict deprecations

Some older WordPress plugins throw deprecation notices under PHP 8.4. They won’t break your site but may spam the error log. Suppress them with error_reporting = E_ALL & ~E_DEPRECATED in your FPM pool config while waiting for plugin updates.

systemd 256 PrivateTmp changes

If you use a custom /etc/systemd/system/nginx.service.d/override.conf that modifies PrivateTmp with custom paths, review it. systemd 256 changed how PrivateTmp interacts with bind-mounted directories. The default myguard service unit is already correct.

Frequently Asked Questions

Is Trixie stable enough for production?
Trixie is Debian’s testing branch — broadly stable, but it hasn’t had the final freeze and stabilization pass that a Debian stable release gets. Many sysadmins run it on production servers without issues. For critical systems, Bookworm (Debian 12) is the safer choice until Trixie goes stable.
Do I need to change the myguard repository URL for Trixie?
No. The myguard repository uses a “stable” suite that automatically maps to the correct packages for your Debian release. The same sources.list entry works on Bookworm, Trixie, and future releases.
Which PHP version should I use on Trixie for WordPress?
PHP 8.4 is Trixie’s default and is compatible with all well-maintained WordPress plugins. Run compatibility checks before upgrading production. Pair it with php8.4-snuffleupagus from the myguard repository for interpreter-level security hardening.
Will my existing NGINX config work on Trixie?
Yes. NGINX configuration syntax hasn’t changed. Your /etc/nginx/ directory is preserved during the Bookworm-to-Trixie upgrade. Run nginx -t after upgrading to verify, then reload.
Does HTTP/3 work better on Trixie than Bookworm?
Slightly yes — Trixie’s kernel (6.11+) has improved QUIC socket handling vs Bookworm’s 6.1. The difference is most noticeable under high concurrent connection load. For most sites the improvement is marginal; for high-traffic servers it’s measurable.
What is the Debian 13 release date?
Debian doesn’t commit to fixed release dates — it releases when ready. Trixie is expected to go stable in 2025–2026. Follow the freeze schedule at debian.org/releases.
Does Angie work on Trixie the same as NGINX?
Yes. Angie packages for Trixie are in the myguard repository alongside NGINX. Same installation process, same dynamic modules, same configuration syntax. Angie adds native ACME (Let’s Encrypt without Certbot) and a JSON monitoring API.
