NGINX 1.31.1 dropped on May 22, 2026, three days ago, and like most NGINX point releases it shipped with the unassuming label "stability and SSL compatibility." That label hides four changes that, taken together, end three patterns most of us have been carrying around since 2016: hand-rolled CONNECT tunnels behind proxy_pass, configure-time hacks to disable the sticky module, and brittle round-robin upstreams for latency-sensitive traffic. If you run NGINX in production — and if you read this newsletter, you almost certainly do — this is the quietest important release of the year.
1. OpenSSL 4.0 Compatibility Is Now Real
OpenSSL 4.0 went GA in April 2026, and 1.31.1 is the first NGINX release that compiles cleanly against it without patching. That matters more than it sounds. OpenSSL 4.0 removes a long list of deprecated APIs (notably much of the ENGINE machinery), tightens default cipher selections, and changes how providers are loaded. If you bake your own NGINX from source — common in Taiwan-hosted environments using Alpine or Rocky Linux — your existing 1.30.x build is going to start failing on any host that updated libssl. Plan a rebuild window in June; do not let an unattended security update force the issue at 3 a.m.
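An added example (not from the NGINX project or the changelog) for inventorying hosts ahead of that rebuild window: it parses the output of nginx -V and flags dynamically linked builds older than 1.31.1. The sample output is constructed, the function names are hypothetical, and the version cut-offs are this article's statements taken as assumptions.

```python
import re
import subprocess

def nginx_build_info(text):
    """Parse `nginx -V` output into the fields that matter for the OpenSSL 4.0 move."""
    def to_tuple(m):
        return tuple(int(x) for x in m.groups()) if m else None
    built = to_tuple(re.search(r"built with OpenSSL (\d+)\.(\d+)\.(\d+)", text))
    running = to_tuple(re.search(r"running with OpenSSL (\d+)\.(\d+)\.(\d+)", text))
    args = re.search(r"configure arguments:(.*)", text)
    return {
        "nginx": to_tuple(re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", text)),
        "built": built,
        # nginx prints "running with" only when the loaded libssl differs from the build-time one
        "running": running or built,
        # --with-openssl=<dir> compiles OpenSSL in, so a host libssl update does not reach it
        "static": bool(args and "--with-openssl=" in args.group(1)),
    }

def exposed_to_libssl_update(info, first_ok=(1, 31, 1), new_major=4):
    """Assumption from the article: builds older than 1.31.1 do not work against OpenSSL 4.0."""
    if info["nginx"] is None or info["built"] is None or info["static"]:
        return False  # unparsable, no TLS compiled in, or OpenSSL is bundled with the binary
    return info["nginx"] < first_ok and info["built"][0] < new_major

def local_nginx_V():
    """nginx writes -V output to stderr, not stdout."""
    return subprocess.run(["nginx", "-V"], capture_output=True, text=True).stderr

# Constructed sample output, not captured from a real host.
SAMPLE = """nginx version: nginx/1.30.0
built by gcc 13.2.1 20240309 (Alpine 13.2.1_git20240309)
built with OpenSSL 3.3.1 4 Jun 2024 (running with OpenSSL 3.3.2 3 Sep 2024)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-stream
"""

if __name__ == "__main__":
    info = nginx_build_info(SAMPLE)
    print(info, "exposed:", exposed_to_libssl_update(info))
```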
2. The New ngx_http_tunnel_module
This is the headline. NGINX now ships a first-class HTTP tunnel module, which lets you treat CONNECT requests as a real upstream protocol rather than a string of proxy_pass + proxy_http_version 1.1 + proxy_set_header Upgrade incantations. For teams running internal AI agent gateways — which, in May 2026, is most of them — this matters: agentic clients open long-lived bidirectional streams, and the old "upgrade-and-pray" pattern dropped about 1 in every 800 sessions under load. The tunnel module fixes that with a proper state machine, per-connection budgets, and explicit timeouts.
The migration is small. Replace your CONNECT-handling location block with tunnel_pass, add a single tunnel_buffer_size, and remove the legacy Upgrade headers. You will see fewer dropped WebSockets and noticeably cleaner error logs.
3. The "least_time" Directive Is Out of NGINX Plus
For a decade, least_time — the load-balancing method that routes new requests to the upstream with the lowest average response time — was an NGINX Plus feature. 1.31.1 ports it into open-source NGINX. If you run a small fleet of Laravel or Node backends behind NGINX and you are still using least_conn or default round-robin, switching to least_time header or least_time last_byte typically shaves 8–15% off p95 response time without any application changes. This is one of the rare configuration changes that costs nothing and is measurably better.
4. proxy_ssl_alpn in the Stream Module
The stream module finally supports proxy_ssl_alpn, which means you can now do TLS passthrough with explicit ALPN negotiation — useful for HTTP/2 and HTTP/3 origin servers, and required for some modern gRPC services that strictly check ALPN tokens. If you have been running an awkward "L4 in front, L7 behind" architecture because you could not get ALPN right at the edge, you can probably collapse that into a single NGINX layer now.
5. Disabling the Sticky Module at Build Time
Small, but appreciated: --without-stream_sticky_module is now a real configure flag. Container teams who minimize NGINX builds will save a few hundred kilobytes per image, and more importantly, will stop accidentally enabling a feature they never use.
6. The Logging-Level Change That Will Quietly Improve Your On-Call
1.31.1 demotes a class of routine SSL handshake errors from error to info. If your Sentry or Loki ingester pages on NGINX error log lines, you have been losing engineering hours to false positives: clients dropping TLS connections mid-handshake because the app was backgrounded, a captive portal got in the way, or the mobile network switched. After this update, your error stream gets noticeably quieter. Re-tune your alert thresholds during the upgrade; do not just lift-and-shift the old ones.
7. The Upgrade Path
For Debian/Ubuntu users on the official nginx.org repo, this is a straight apt upgrade. For Alpine and Rocky users, wait for the distro repo to catch up unless you are comfortable rebuilding from source; OpenSSL 4.0 alone is a reason to take this carefully. Before flipping the switch in production: bring up one node, watch its handshake error rate for 30 minutes, then roll the rest. The tunnel module and ALPN changes are backwards compatible, but config syntax for tunnel_pass is new — your config validation (nginx -t) is your safety net here.
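An added example (not from the NGINX project or the changelog) of the 30-minute canary check above, which also serves the alert re-tuning in section 6: it counts handshake-phase error_log lines at every level, because after the demotion an error-only count looks quieter even when failures have risen. The sample lines are constructed, the 1.5x threshold and all names are assumptions, and the canary must log at info level or the demoted lines are never written.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# nginx error_log line: "YYYY/MM/DD HH:MM:SS [level] pid#tid: *cid message"
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] \d+#\d+: (?:\*\d+ )?(.*)$")
HANDSHAKE_MARK = "while SSL handshaking"  # context nginx appends to handshake-phase messages
PAGING_LEVELS = ("error", "crit", "alert", "emerg")  # assumed: levels the alert rule matches

def handshake_counts(lines, start, window=timedelta(minutes=30)):
    """Count handshake-phase messages per log level inside [start, start + window)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in error_log format
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if start <= ts < start + window and HANDSHAKE_MARK in m.group(3):
            counts[m.group(2)] += 1
    return counts

def canary_verdict(baseline, canary, max_ratio=1.5):
    """Judge the canary on handshake failures at ALL levels, not on paging levels only."""
    base_total, canary_total = sum(baseline.values()), sum(canary.values())
    return {
        "ok": canary_total <= max(base_total, 1) * max_ratio,
        "baseline_total": base_total,
        "canary_total": canary_total,
        "still_paging": sum(canary.get(lvl, 0) for lvl in PAGING_LEVELS),
    }

# Constructed sample lines (documentation IP range), not taken from a real host.
HS = "SSL_do_handshake() failed (SSL: error:0A000126:SSL routines::unexpected eof while reading) while SSL handshaking"
UP = "upstream timed out (110: Connection timed out) while connecting to upstream"

def sample(level, times, msg=HS):
    return [f"2026/05/25 {t} [{level}] 811#811: *7 {msg}, client: 203.0.113.7, server: 0.0.0.0:443"
            for t in times]

START = datetime(2026, 5, 25, 10, 0, 0)
OLD_NODE = sample("error", ["10:01:02", "10:09:30", "10:22:15"])
NEW_NODE = sample("info", ["10:02:00", "10:05:41", "10:17:03", "10:29:59", "10:31:00"]) \
    + sample("error", ["10:12:00"], UP)

if __name__ == "__main__":
    print(canary_verdict(handshake_counts(OLD_NODE, START), handshake_counts(NEW_NODE, START)))
```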
My Take
The reason NGINX is still the default reverse proxy in 2026, despite Envoy and Caddy taking obvious mindshare, is that releases like 1.31.1 do exactly what NGINX has always done: solve specific operational pain quietly, with backward compatibility, and without asking you to rebuild your architecture. The tunnel module is the headline, but for most teams the day-one win is going to be the logging level change and switching to least_time. Two five-minute changes, real measurable improvement in p95 latency and alert noise. That is the kind of release I want from infrastructure software.
The deeper signal is that NGINX is bracing for the agentic-traffic era. Long-lived bidirectional tunnels, strict ALPN, OpenSSL 4.0 — these are not features for HTML websites. They are features for the AI agent fleets that are going to be hitting your origin servers in the second half of 2026. If your reverse proxy was tuned for 2018-style traffic, 1.31.1 is a polite suggestion to retune.
Sources
- Changes with nginx 1.31.1 — 22 May 2026 (official changelog)
- nginx/nginx releases on GitHub
- NGINX Documentation — Releases
- OpenSSL Release and Advisory Timeline
- What's New in NGINX Open Source — NGINX Community Blog