Contact Information
github: servet-oz
1Panel Version
v1.10.32-lts
Problem Description
After upgrading to 1panel/openresty:1.29.2.4-0-noble, the bundled 1pwaf fails to start with:
init_by_lua_file error: ./config.lua:189: attempt to index field 'log' (a nil value)
After adding a "log" section to global.json, the error changes to:
./config.lua:189: bad argument #1 to 'ipairs' (table expected, got nil)
The config.lua is compiled LuaJIT bytecode and cannot be patched by users. The init_global_config function at line 189 expects config keys/directories that don't exist in the current data structure (likely log rules or ip_group directory).
This is a security-critical issue because users cannot upgrade OpenResty to receive patches for:
CVE-2026-42945: Buffer overflow in ngx_http_rewrite_module
CVE-2026-42946: Buffer overread in ngx_http_scgi_module and ngx_http_uwsgi_module
CVE-2026-42934: Buffer overread in ngx_http_charset_module
CVE-2026-40460: HTTP/3 address spoofing
CVE-2026-40701: Resolver use-after-free in OCSP
Users are forced to either run a vulnerable OpenResty version or disable the WAF entirely.
Steps to Reproduce
- Use 1panel/openresty:1.29.2.4-0-noble image
- Keep existing 1pwaf data directory from previous version (1.21.x)
- Start container
- OpenResty fails to start due to 1pwaf init_by_lua_file error
The expected correct result
1pwaf should be compatible with the 1.29.2.4-0-noble image, or the image should ship with updated bytecode that matches the expected config schema. At minimum, the Lua code should gracefully handle missing config keys with defaults instead of crashing.
Related log output
2026/05/22 16:39:50 [error] 1#1: init_by_lua_file error: ./config.lua:189: attempt to index field 'log' (a nil value)
stack traceback:
./config.lua:189: in function 'init_global_config'
./config.lua:259: in function 'load_config_file'
./init.lua:6: in main chunkAdditional Information
- Docker image: 1panel/openresty:1.29.2.4-0-noble
- Previous working image: 1panel/openresty:1.21.4.3-3-3-focal
- All .lua files in /usr/local/openresty/1pwaf/ are compiled bytecode — users cannot patch them
- The global.json config from the old version is missing keys the new bytecode expects
- Workaround: commenting out all *_by_lua_file directives in waf.conf (disables WAF entirely)
- No migration documentation or schema change notes provided
Contact Information
github: servet-oz
1Panel Version
v1.10.32-lts
Problem Description
After upgrading to 1panel/openresty:1.29.2.4-0-noble, the bundled 1pwaf fails to start with:
init_by_lua_file error: ./config.lua:189: attempt to index field 'log' (a nil value)After adding a "log" section to global.json, the error changes to:
./config.lua:189: bad argument #1 to 'ipairs' (table expected, got nil)The config.lua is compiled LuaJIT bytecode and cannot be patched by users. The init_global_config function at line 189 expects config keys/directories that don't exist in the current data structure (likely log rules or ip_group directory).
This is a security-critical issue because users cannot upgrade OpenResty to receive patches for:
CVE-2026-42945: Buffer overflow in ngx_http_rewrite_module
CVE-2026-42946: Buffer overread in ngx_http_scgi_module and ngx_http_uwsgi_module
CVE-2026-42934: Buffer overread in ngx_http_charset_module
CVE-2026-40460: HTTP/3 address spoofing
CVE-2026-40701: Resolver use-after-free in OCSP
Users are forced to either run a vulnerable OpenResty version or disable the WAF entirely.
Steps to Reproduce
The expected correct result
1pwaf should be compatible with the 1.29.2.4-0-noble image, or the image should ship with updated bytecode that matches the expected config schema. At minimum, the Lua code should gracefully handle missing config keys with defaults instead of crashing.
Related log output
Additional Information