OpenResty® Scalable Web Platform by Extending NGINX with Lua

ChangeLog for 1.27.1.x

lijunlong, 31 Mar 2025 (created 14 Aug 2024)

Version 1.27.1.2 - 14 Mar 2025

  • upgraded lua-nginx-module to v0.10.28
    • bugfix: setkeepalive failure on TLSv1.3. Thanks Zhefeng C. for the patch.
    • bugfix: remove http2 hardcode limitation in ngx.location subrequest API. Thanks Jun Ouyang for the patch.
    • bugfix: removed null terminator. Thanks n-bes for the patch.
    • doc: more accurate error message. Thanks willmafh for the patch.
    • doc: clarify base64 for url encoding and padding. Thanks Thijs Schreijer for the patch.
    • doc: Redraw directives png (#2353). Thanks xiaobiaozhao for the patch.
    • doc: clarify the backlog option (#2367). Thanks Thijs Schreijer for the patch.
    • doc: improve grammar. Thanks Josh Soref for the patch.
    • feature: add ngx.resp.set_status(status, reason). Thanks lijunlong for the patch.
    • feature: implemented ngx_http_lua_ffi_decode_base64mime. Thanks WenMing for the patch.
    • optimize: removed unreachable code in ngx_http_lua_send_http10_headers(). Thanks lijunlong for the patch.
    • optimize: remove duplicate check in ngx.send_headers. Thanks spacewander for the patch.
    • tests: add support for openssl3.0. Thanks lijunlong for the patch.
  • upgraded stream-lua-nginx-module to v0.0.16
    • feature: enable ngx.var at the ssl_certificate_by_lua and ssl_client_hello_by_lua. Thanks lijunlong for the patch.
    • bugfix: setkeepalive failure on TLSv1.3. Thanks Zhefeng C. for the patch.
  • upgraded lua-resty-core to v0.1.31
    • feature: implemented decode_base64mime. Thanks WenMing for the patch.
    • feature: add ngx.resp.set_status(status, reason). Thanks lijunlong for the patch.
    • feature: update nginx to v1.27.1. Thanks lijunlong for the patch.
  • upgraded luajit2 to v2.1-20250117
    • Fix recording of BC_VARG. Thanks Mike Pall for the patch.
    • Reject negative getfenv()/setfenv() levels to prevent compiler warning. Thanks Mike Pall for the patch.
    • Bump copyright date. Thanks Mike Pall for the patch.
    • Force fallback source name for stripped bytecode. Thanks Mike Pall for the patch.
    • Remove dependency on <limits.h>. Thanks Mike Pall for the patch.
    • Restore state when recording __concat metamethod throws OOM. Thanks Mike Pall for the patch.
    • MIPS64: Fix pcall() error case. Thanks Mike Pall for the patch.
    • Fix detection of inconsistent renames due to sunk values. Thanks Mike Pall for the patch.
    • Windows: Allow amalgamated static builds with msvcbuild.bat. Thanks Mike Pall for the patch.
    • Always close profiler output file. Thanks Mike Pall for the patch.
    • Fix override of INSTALL_LJLIBD in the presence of DESTDIR. Thanks Mike Pall for the patch.
    • Fix bit op coercion for shifts in DUALNUM builds. Thanks Mike Pall for the patch.
    • macOS: Remove obsolete -single_module flag. Thanks Mike Pall for the patch.
    • macOS: Workaround for buggy XCode 15.0 - 15.2 linker. Thanks Mike Pall for the patch.
    • macOS: Fix macOS 15 / Clang 16 build. Thanks Mike Pall for the patch.
    • Fix bit op coercion in DUALNUM builds. Thanks Mike Pall for the patch.
    • Fix compilation of getmetatable() for UDTYPE_IO_FILE. Thanks Mike Pall for the patch.
    • Remove ancient RtlUnwindEx workaround for MinGW64. Thanks Mike Pall for the patch.
    • Drop unused function wrapper. Thanks Mike Pall for the patch.
    • Fix limit check in narrow_conv_backprop(). Thanks Mike Pall for the patch.
    • Always use IRT_NIL for IR_TBAR. Thanks Mike Pall for the patch.
    • ARM64: Use ldr literal to load FP constants. Thanks Mike Pall for the patch.
    • FFI: Add missing coercion when recording 64-bit bit.*(). Thanks Mike Pall for the patch.
    • ARM64: Make tobit conversions match JIT backend behavior. Thanks Mike Pall for the patch.
    • ARM: Make hard-float tobit conversions match JIT backend behavior. Thanks Mike Pall for the patch.
    • FFI: Drop finalizer table rehash after GC cycle. Thanks Mike Pall for the patch.
    • Fix another potential file descriptor leak in luaL_loadfile*(). Thanks Mike Pall for the patch.
    • MIPS32: Fix little-endian IR_RETF. Thanks Mike Pall for the patch.
    • Correctly close VM state after early OOM during open. Thanks Mike Pall for the patch.
    • Fix potential file descriptor leak in luaL_loadfile*(). Thanks Mike Pall for the patch.

Version 1.27.1.1 - 16 Oct 2024

  • upgraded the nginx core to 1.27.1
  • upgraded lua-nginx-module to 0.10.27
    • bugfix: fixed keepalive error in cosocket. Thanks lijunlong for the patch.
    • bugfix: ensure compatibility with older nginx versions lacking TLS 1.3 support. Thanks lijunlong for the patch.
    • bugfix: initialize ASN1_GENERALIZEDTIME pointers in ssl_validate_ocsp_response. Thanks lijunlong for the patch.
    • bugfix: nginx crashed when binding local address failed from lua. Thanks lijunlong for the patch.
    • bugfix: treat shared dict entries with TTL of 0 as expired. Thanks lijunlong for the patch.
    • bugfix: let balancer.recreate_request API work for body data changed case. Thanks Jun Ouyang for the patch.
    • feature: add support for SSL trusted certificates in client verification. Thanks xiangwei for the patch.
    • bugfix: respect max retry after using balancer pool. Thanks kurt for the patch.
    • feature: support ngx.location.capture and ngx.location.capture_multi with headers option. Thanks Tinglong Yang for the patch.
    • bugfix: undefined symbol SSL_client_hello_get0_ext when linking against libressl. Thanks lijunlong for the patch.
    • bugfix: fixed compilation errors when building without SSL. Thanks Johnny Wang for the patch.
    • change: should match the local address when getting a connection from the keepalive pool. Thanks lijunlong for the patch.
    • feature: implemented keepalive pooling in balancer_by_lua*. Thanks lijunlong for the patch.
    • bugfix: prevent main thread access to freed fake request in init_worker. Thanks fesily for the patch.
    • bugfix: preserve lua-nginx-module context when ngx.send_header() triggers filter_finalize. Thanks Jun Ouyang for the patch.
    • bugfix: fix config test for signalfd with gcc 11. Thanks Jiří Setnička for the patch.
    • bugfix: worker thread Lua VM may take lots of memory. Thanks lijunlong for the patch.
    • bugfix: ensure proper connection closure when setting empty body before last chunk. Thanks Liu Wei for the patch.
    • bugfix: wrong arguments of setkeepalive() result in the compromise of data integrity. Thanks lijunlong for the patch.
    • bugfix: Fixing compatibility issues with BoringSSL. Thanks lijunlong for the patch.
    • feature: validate and expose nextUpdate field in OCSP response. Thanks Elvin Efendi for the patch.
    • feature: add support for deriving key from tls master secret. Thanks bas-vk for the patch.
    • feature: add UDP cosocket bind api. Thanks syz for the patch.
    • bugfix: fixed HTTP HEAD request smuggling issue. Thanks lijunlong for the patch.
    • optimize: allow re-enabling TLS for the upstream. Thanks lijunlong for the patch.
    • feature: add FFI function for balancer.disable_ssl(). Thanks lijunlong for the patch.
    • bugfix: correct offset vector memory allocation size for PCRE2. Thanks Zhongwei Yao for the patch.
    • feature: implemented ngx_http_lua_ffi_ssl_client_random. Thanks Ruidong-X for the patch.
    • bugfix: fix memory corruption in consecutive regex calls. Thanks Zhongwei Yao for the patch.
    • feature: add ngx_http_lua_ffi_parse_der_cert and ngx_http_lua_ffi_parse_der_key functions. Thanks Brian Rak for the patch.
  • upgraded stream-lua-nginx-module to 0.0.15
    • bugfix: fixed keepalive error in cosocket. Thanks lijunlong for the patch.
    • bugfix: treat shared dict entries with TTL of 0 as expired. Thanks lijunlong for the patch.
    • feature: add support for SSL trusted certificates in client verification. Thanks xiangwei for the patch.
    • feature: support lua balancer set proxy bind dynamic. Thanks ytlm for the patch.
    • bugfix: check for SSL context instead of listen flag for nginx 1.25.5+ compatibility. Thanks Konstantin Pavlov for the patch.
    • bugfix: wrong arguments of setkeepalive() result in the compromise of data integrity. Thanks lijunlong for the patch.
    • bugfix: correct offset vector memory allocation size for PCRE2. Thanks Zhongwei Yao for the patch.
    • feature: implemented ngx_stream_lua_ffi_ssl_client_random. Thanks Ruidong-X for the patch.
    • bugfix: wrong argument for pcre2_match. Thanks lijunlong for the patch.
    • feature: add functions to parse DER formatted certificates/keys. Thanks Brian Rak for the patch.
    • changes: remove the useless pcre config. Thanks swananan for the patch.
  • upgraded lua-resty-core to 0.1.29
    • feature: add ssl_trusted_certificate argument for ssl.verify_client(). Thanks xiangwei for the patch.
    • feature: add balancer.bind_to_local_addr for stream module. Thanks ytlm for the patch.
    • feature: makes outgoing connections to a proxied server originate from the specified local IP address with an optional port. Thanks lijunlong for the patch.
    • feature: implemented keepalive pooling in balancer_by_lua*. Thanks lijunlong for the patch.
    • bugfix: initialize next_update pointer to avoid potential stale values. Thanks YanLIU for the patch.
    • optimize: localize tonumber for ngx.worker.pids. Thanks Chrono for the patch.
    • feature: validate_ocsp_response should return nextUpdate if available. Thanks Elvin Efendi for the patch.
    • feature: add ssl.get_req_ssl_pointer. Thanks James Callahan for the patch.
    • feature: add support for exporting key material to derive keys from the tls master secret. Thanks bas-vk for the patch.
    • feature: add balancer.set_upstream_tls(on). Thanks lijunlong for the patch.
    • feature: add ssl.get_client_random. Thanks Ruidong-X for the patch.
    • optimize: explicit requirement to use bash. Thanks lynch for the patch.
    • feature: add parse_der_cert and parse_der_priv_key functions. Thanks Brian Rak for the patch.
  • upgraded lua-resty-websocket to 0.12
    • feature: add send_continue method. Thanks Toru for the patch.
    • feature: client:connect() returns HTTP response header. Thanks Michael Martin for the patch.
    • feature: custom sec-websocket-key in client. Thanks Michael Martin for the patch.
    • feature: add support for discrete send/recv payload limits in WebSocket client. Thanks Michael Martin for the patch.
    • feature: support custom host header in client. Thanks flrgh for the patch.
    • feature: support connecting to unix sockets. Thanks Petter Berven for the patch.
    • optimization: check ssl_support early. Thanks Michael Martin for the patch.
  • upgraded lua-resty-redis to v0.31
    • optimize: cache the table for sending requests. Thanks lijunlong for the patch.
  • upgraded lua-resty-string to 0.16
    • feature: add AAD support in aes gcm. Thanks wzxjohn for the patch.
    • change: make random.bytes cryptographically strong by default. Thanks rfl890 for the patch.
  • upgraded lua-cjson to 2.1.0.14
    • feature: Lua 5.3 + 5.4 integer support, with CI and conflicts fixed. Thanks Hisham Muhammad for the patch.
    • bugfix: bus error or SIGSEGV caused by encode not keeping the buffer. Thanks hyw0810 for the patch.
  • upgraded lua-resty-signal to 0.04
    • bugfix: handle '?.so' in package.cpath. Thanks Michael Martin for the patch.
  • upgraded lua-resty-lrucache to v0.14
    • optimize: echo a warning message when installing this library to "/usr/local/lib/lua/" and copy the installation guide from the lua_resty_core module. Thanks lynch for the patch.
  • upgraded rds-json-nginx-module to 0.17
    • bugfix: failed to compile on Rocky Linux 9. Thanks lijunlong for the patch.
  • upgraded luajit2 to 2.1-20240815
    • Reflect override of INSTALL_LJLIBD in package.path.
    • ARM64: Use movi to materialize FP constants.
    • Add more FOLD rules for integer conversions.
    • Different fix for partial snapshot restore due to stack overflow. Reported by Junlong Li. Fixed by Peter Cawley.
    • change: disable hash computation optimization in the OpenResty branch (agentzh-v2.1) due to the possibility of severe performance degradation (CVE-2024-39702). This issue is specific to our branch and does not affect upstream LuaJIT. Thanks to Zhongwei Yao from Kong Inc. for reporting this issue. Thanks lijunlong for the patch.
    • bugfix: Enabled ppc64le arch on travis and fixed one failing test case. Thanks Alhad Deshpande for the patch.
    • Prevent sanitizer warning in snap_restoredata().
    • Limit number of string format elements to compile.
    • FFI: Clarify scalar boxing behavior.
    • OSX/iOS: Fix SDK incompatibility.
    • Windows/MSVC: Cleanup msvcbuild.bat and always generate PDB.
    • Fix segment release check in internal memory allocator.
    • FFI: Turn FFI finalizer table into a proper GC root.
    • OSX/iOS: Always generate 64 bit non-FAT Mach-O object files.
    • Show name of NYI bytecode in -jv and -jdump.
    • Use generic trace error for OOM during trace stitching.
    • feature: add s390x disassembler. Thanks Aditya Bisht for the patch.
    • Handle all types of errors during trace stitching.
    • Fix recording of __concat metamethod.
    • Prevent down-recursion for side traces.
    • Check frame size limit before returning to a lower frame.
    • FFI: Treat cdata finalizer table as a GC root.
    • Handle stack reallocation in debug.setmetatable() and lua_setmetatable().
    • optimize: [ppc64le] Aligned code as per other archs for next_1 function and relevant code changes. Thanks Alhad Deshpande for the patch.
    • Rework stack overflow handling.
    • Preserve keys with dynamic values in template tables when saving bytecode.
    • Prevent include of luajit_rolling.h.
    • Fix zero stripping in %g number formatting.
    • Fix unsinking of IR_FSTORE for NULL metatable.
    • DynASM/x86: Add endbr instruction.
    • MIPS64 R2/R6: Fix FP to integer conversions.
    • Add cross-32/64 bit and deterministic bytecode generation.
    • DynASM/x86: Allow [&expr] operand.
    • Check for IR_HREF vs. IR_HREFK aliasing in non-nil store check.
    • Respect jit.off() on pending trace exit.
    • Simplify handling of instable types in TNEW/TDUP load forwarding.
    • Only emit proper parent references in snapshot replay.
    • Fix anchoring for string buffer set() method (again).
    • ARM: Fix stack restore for FP slots.
    • Document workaround for multilib vs. cross-compiler conflict.
    • Fix anchoring for string buffer set() method.
    • Fix runtime library flags for MSVC debug builds.
    • Fix .debug_abbrev section in GDB JIT API.
    • Optimize table.new() with constant args to (sinkable) IR_TNEW.
    • Emit sunk IR_NEWREF only once per key on snapshot replay.