OpenResty®

OpenResty XRay

Advanced observability built for OpenResty and more

OpenResty XRay Live Demo →

×
limited time offer
Request TRIAL today and receive a diagnostic REPORT
Learn more
 OpenResty 1.31.1.1 
 OpenResty 1.29.2.5 
  Taming Internal Traffic Chaos with OpenResty Edge 
  OpenResty XRay Version 26.5.11. Now Available 
  OpenResty Edge Data Protection: From Scheduled Backups to Automatic Failover 
  Automating Kubernetes Gateway Node Lifecycle with OpenResty Edge 
  Managing OpenResty Edge Configuration with YAML and Git: A Practical Guide to `edge2yaml` 
  Binary Evidence-Driven Vulnerability Scanning: Eliminating False Positives with OpenResty XRay 

OpenResty 1.31.1.1 Released

lijunlong , 13 May 2026 (created 13 May 2026)

We are happy to announce the new formal release, 1.31.1.1, of the OpenResty web platform based on NGINX and LuaJIT.

Download this version here.

The (portable) source code distribution, the pre-built binary Linux packages for Ubuntu, Debian, Fedora, CentOS, RHEL, OpenSUSE, Amazon Linux are provided on this Download page.

Version highlights

  • Nginx core

    • upgraded from nginx 1.29.2 to 1.31.1.

  • OpenSSL

    • upgraded from version 3.5.5 to 3.5.6.

  • upgraded lua-nginx-module to v0.10.31

    • feature: add ffi ngx_http_lua_ffi_socket_tcp_get_ssl_pointer() and ffi ngx_http_lua_ffi_socket_tcp_get_ssl_ctx(). Thanks lijunlong for the patch.
    • feature: add new API: tcpsock:getsslsession. Thanks lijunlong for the patch.
    • feature: add ngx_http_lua_ffi_get_upstream_ssl_pointer. Thanks lijunlong for the patch.
    • feature: add precontent_by_lua directives Thanks Hanada for the patch.
    • feature: add server random and master key fetch api. Thanks xiangwei for the patch.
    • feature: add socket options keepintvl and keepcnt for tcp. Thanks lijunlong for the patch.
    • feature: proxy_ssl_verify_by_lua* directives Thanks willmafh for the patch.
    • feature: support custom trusted CA store for cosocket TLS handshake. (#2495) Thanks Walker Zhao for the patch.
    • bugfix: add dump in nginx -T. Thanks Y.Horie for the patch.
    • bugfix: clear wait timer in ngx_http_lua_pipe_proc_wait_cleanup to prevent SIGSEGV on QUIC connection close Thanks Jun Ouyang for the patch.
    • bugfix: fix the compatibility issue for freenginx. Thanks Y.Horie for the patch.
    • bugfix: fixed typo in config. Thanks xuruidong for the patch.
    • bugfix: prevent NULL dereference in SSL cache by ensuring old_cycle is set Thanks Jun Ouyang for the patch.
    • bugfix: prevent SIGSEGV in event timer rbtree during worker shutdown. Thanks Gabriel Clima for the patch.
    • bugfix: prevent use-after-free crash in ngx_http_lua_pipe by ensuring connections are closed before pool destruction in quic connection close path. Thanks Jun Ouyang for the patch.
    • bugfix: prevent uthread crash by checking coroutine reference before deletion. Thanks Jun Ouyang for the patch.
    • change: allow table for multiple values in ngx.header['WWW-Authenticate']. Thanks BotoX for the patch.
    • optimize: add compatibility for freenginx. Thanks Sergey A. Osokin for the patch.
    • optimize: add upstream server information to the error log of cosocket. Thanks lijunlong for the patch.

  • upgraded stream-lua-nginx-module to v0.0.19

    • feature: add ffi api ngx_stream_lua_ffi_socket_tcp_getfd. Thanks lijunlong for the patch.
    • feature: add ffi functions ngx_stream_lua_ffi_socket_tcp_get_ssl_pointer() and ngx_stream_lua_ffi_socket_tcp_get_ssl_ctx(). Thanks lijunlong for the patch.
    • feature: add new API: tcpsock:get_ssl_session. Thanks lijunlong for the patch.
    • feature: add ngx_stream_lua_ffi_get_upstream_ssl_pointer. Thanks lijunlong for the patch.
    • feature: add reuseport for binding local port for udp cosocket. Thanks lijunlong for the patch.
    • feature: add socket options keepintvl and keepcnt for tcp. Thanks lijunlong for the patch.
    • feature: implement serversslhandshake method on downstream sockets (#392) Thanks Rob Mueller for the patch.
    • feature: proxy_ssl_certificate_by_lua directives Thanks willmafh for the patch.
    • feature: support custom trusted CA store for cosocket TLS handshake. (#401) Thanks Walker Zhao for the patch.
    • optimize: add upstream server information to the error log of cosocket. Thanks lijunlong for the patch.
    • bugfix: didn't close cosocket when nginx shutdown timer has been triggered. Thanks lijunlong for the patch.
    • bugfix: prevent uthread crash by checking coroutine reference before deletion. Thanks Jun Ouyang for the patch.

  • upgraded lua-resty-core to v0.1.34rc2

    • feature: add fetch server random and master key lua api Thanks mengxiangwei for the patch.
    • feature: add new API: tcpsock:getsslsession. Thanks lijunlong for the patch.
    • feature: add precontent_by_lua directives. Thanks Hanada for the patch.
    • feature: add socket options keepintvl and keepcnt for tcp. Thanks lijunlong for the patch.
    • feature: add sock:getsslpointer() and sock:getsslctx(). Thanks lijunlong for the patch.
    • feature: add ssl.get_upstream_ssl_pointer. Thanks lijunlong for the patch.
    • feature: add tcpsock.getfd() for stream subsystem. Thanks lijunlong for the patch.
    • feature: add tcpsock:settrustedstore() for per-handshake trusted CAs Thanks Walker Zhao for the patch.
    • feature: proxy_ssl_certificate_by_lua directives Thanks willmafh for the patch.
    • feature: support tcpsock:settrustedstore() for stream subsystem. Thanks Walker Zhao for the patch.

  • upgraded luajit2 to v2.1-20260415

    • Add ffi.abi("dualnum"). Thanks Mike Pall for the patch.
    • Allow mcode allocations outside of the jump range to the support code. Thanks Mike Pall for the patch.
    • ARM64: Enable unaligned accesses if indicated by the toolchain. Thanks Mike Pall for the patch.
    • ARM64: Fix disassembly of >2GB branch targets. Thanks Mike Pall for the patch.
    • ARM64: Fix disassembly of certain sub-word-size loads/stores. Thanks Mike Pall for the patch.
    • ARM64: More fixes for ARM BTI. Thanks Mike Pall for the patch.
    • Avoid recording interference due to invocation of VM hooks. Thanks Mike Pall for the patch.
    • Avoid use of subnormals for internal registry keys. Thanks Mike Pall for the patch.
    • Back out MSVC LJ_CONSTF declaration. Thanks Mike Pall for the patch.
    • bcsave.lua: add ppc64 and ppc64le mappings Thanks Piotr Kubaj for the patch.
    • bugfix: failed to build with LUA_USE_TRACE_LOGS defined. Thanks lijunlong for the patch.
    • DUALNUM: Add missing type conversion for FORI slots. Thanks Mike Pall for the patch.
    • DUALNUM: Fix narrowing of unary minus. Thanks Mike Pall for the patch.
    • DUALNUM: Fix recording of loops broken by previous change. Thanks Mike Pall for the patch.
    • DUALNUM: Improve/fix edge cases of unary minus. Thanks Mike Pall for the patch.
    • ELF/Mach-O: Force default visibility for public API functions. Thanks Mike Pall for the patch.
    • FFI: Avoid dangling cts->L. Thanks Mike Pall for the patch.
    • FFI: Fix constructor index resolution in JIT compiler. Thanks Mike Pall for the patch.
    • FFI: Fix pointer difference operation on 64 bit platforms. Thanks Mike Pall for the patch.
    • FFI: Shrink container of packed bitfield. Thanks Mike Pall for the patch.
    • Fix compiler warning. Thanks Mike Pall for the patch.
    • Fix edge cases when generating IR for string.byte/sub/find. Thanks Mike Pall for the patch.
    • Fix edge cases when recording string.byte/sub. Thanks Mike Pall for the patch.
    • Fix G->jit_base relocation on stack resize. Thanks Mike Pall for the patch.
    • Fix minilua undefined behavior in bit.tohex. Thanks Mike Pall for the patch.
    • Fix MSVC LJ_CONSTF declaration. Thanks Mike Pall for the patch.
    • Fix string.format for limited precision FP conversions. Thanks Mike Pall for the patch.
    • Fix VM event error handling for finalizers. Thanks Mike Pall for the patch.
    • Ignore PDB files for git. Thanks Mike Pall for the patch.
    • Implement double-to-integer conversions for s390x (#256) Thanks Ilya Leoshkevich for the patch.
    • macOS: Change Mach-O object file layout required by XCode 15.0. Thanks Mike Pall for the patch.
    • MIPS64: Avoid unaligned load in lj_vm_exit_interp. Thanks Mike Pall for the patch.
    • PPC: Fix soft-float lj_num2u64(). Thanks Mike Pall for the patch.
    • Prevent false positive sanitizer warning in unpack(). Thanks Mike Pall for the patch.
    • Prevent recording of loops with -0 step or NaN values. Thanks Mike Pall for the patch.
    • Prevent snapshot purge while recording a function header. Thanks Mike Pall for the patch.
    • Remove compiler flag for FP conversions. Now unnecessary. Thanks Mike Pall for the patch.
    • Remove pointless GCC/MSVC const function attributes. Thanks Mike Pall for the patch.
    • Run VM events and finalizers in separate state. Thanks Mike Pall for the patch.
    • s390x: simplify ceil/floor code (#246) Thanks J. Neuschäfer for the patch.
    • Unify Lua number to FFI integer conversions. Thanks Mike Pall for the patch.
    • x64/!LJ_GC64: The allocation limit is required for a no-JIT build, too. Thanks Mike Pall for the patch.
    • x86/x64: Backport fix for math.min()/math.max() argument check. Thanks Mike Pall for the patch.

  • upgraded ngx_postgres to v1.1

    • bugfix: recover postgres peer data when wrapped by another module. Thanks lijunlong for the patch.

  • upgraded lua-resty-mysql to v0.30

    • feature: add support for ed25519. Thanks lijunlong for the patch.

  • upgraded lua-resty-string to v0.17

    • feature: add AES-256-CTR binding and reuse buffers. Thanks ^_^ for the patch.

  • upgraded lua-cjson to v2.1.0.17

    • bugfix: fix truncation of decoded numbers outside lua_Integer's range (#116) Thanks James McCoy for the patch.
    • feature: add option to allow comments in decode. Thanks skewb1k for the patch.
    • feature: add option to indent encoded output. Thanks skewb1k for the patch.
    • bugfix: warning for explicit pointer to int conversion. Thanks Deyan Dobromirov for the patch.

  • upgraded drizzle-nginx-module to v0.1.13

    • bugfix: stash peer data in module ctx to survive upstream wrappers. (#52) Thanks lijunlong for the patch.

Notable nginx changes

This release ships with the nginx 1.31.1 core, which contains some important behavioral changes in the upstream module. Users upgrading from earlier versions should review the following:

  • The default value of the proxy_http_version directive has been changed from 1.0 to 1.1.
  • Since nginx 1.29.7, upstream keepalive connections are enabled by default, with a default limit of 32 connections per worker process.
  • If you rely on balancer_by_lua_block together with the ngx.balancer.enable_keepalive API to manage upstream keepalive connections from Lua, do NOT also configure the nginx keepalive directive in the corresponding upstream {} block. The two mechanisms conflict with each other and must not be used together.
  • Since nginx 1.29.4, validation of host and port in the request line, the Host request header, and the :authority pseudo-header (HTTP/2 / HTTP/3) has been tightened to strictly follow RFC 3986. In particular:
    • The host component only accepts unreserved characters (A-Z a-z 0-9 - . _ ~), pct-encoded, and sub-delims (! $ & ' ( ) * + , ; =); whitespace, control characters, and other non-ASCII bytes are no longer tolerated.
    • IPv6 literals must be wrapped in square brackets, e.g. [::1]:8080.
    • The port component must be all digits; an empty port (e.g. example.com:) or a port containing letters (e.g. example.com:80a) is now rejected outright.
    • HTTP/2 / HTTP/3 clients constructing the :authority pseudo-header are subject to the same constraints. Before upgrading, audit every source that may send non-standard Host or :authority values to OpenResty (internal RPC frameworks, service-mesh sidecars, load-testing tools, hand-rolled HTTP clients, etc.); requests that used to succeed may now be rejected with a 400.

Complete change logs since the last (formal) release, 1.29.2.5, can be browsed in the page Change Log for 1.31.1.x.

Testing

We have run extensive testing on our Amazon EC2 test cluster and ensured that all the components (including the Nginx core) play well together. The latest test report can always be found here:

https://qa.openresty.org/

We also always run our OpenResty Edge commercial software based on the latest open source version of OpenResty in our own global CDN network (dubbed "mini CDN") powering our openresty.org and openresty.com websites. See https://openresty.com/ for more details.

Community Support

See the Community Page.

Commercial Support

Commercial technical support and real-time noninvasive online monitoring and profiling solution is provided through the official OpenResty XRay product.

Feedback

Feedback on this release is more than welcome. Feel free to create new GitHub issues or send emails to one of our mailing lists.