OpenResty
OpenResty is a web platform based on nginx which can run Lua scripts using its LuaJIT engine.
Websites Using OpenResty
What Is OpenResty?
OpenResty is a high-performance web platform built by bundling the Nginx web server with the LuaJIT just-in-time compiler and a curated collection of Lua libraries and Nginx modules. Created by Yichun "agentzh" Zhang and first released around 2011, OpenResty turns Nginx from a static, configuration-driven server into a fully programmable application platform: you can write request-handling logic, authentication, routing, rate limiting, and even complete APIs in Lua that executes inside the Nginx worker process. Because it is built directly on Nginx, OpenResty inherits Nginx's event-driven architecture and performance while adding a scripting layer that plain Nginx lacks.
OpenResty is not a fork of Nginx in the divergent sense; it tracks upstream Nginx closely and packages it together with the ngx_http_lua_module, lua-resty-* libraries, and other components into a single, coherent distribution. The practical effect is that OpenResty is most commonly found at the edge of large systems: API gateways, CDNs, authentication proxies, web application firewalls, and any place where engineers need to embed custom logic into the request path without standing up a separate application tier. Several well-known API gateway products and CDN platforms are built on top of OpenResty.
How OpenResty Works
To understand OpenResty, start with Nginx. Nginx uses a small number of worker processes, each running a non-blocking event loop that handles thousands of concurrent connections. OpenResty embeds LuaJIT into those workers and exposes hooks at every phase of Nginx's request-processing lifecycle. You can run Lua code when a request arrives, while it is being rewritten or authenticated, when content is generated, and as the response is sent. This is what makes OpenResty programmable: your Lua runs cooperatively inside the same high-performance event loop, not in a separate process.
Key elements of how OpenResty operates:
- LuaJIT scripting in the request path. Lua code executes at defined phases (
rewrite,access,content,header_filter,body_filter,log) via directives likecontent_by_lua_blockandaccess_by_lua_block. LuaJIT compiles hot code paths to machine code, so this scripting is fast. - Non-blocking I/O via cosockets. OpenResty provides "cosocket" APIs that let Lua make non-blocking network calls, for example to a database, Redis, or an upstream HTTP service, without stalling the worker. This is the foundation for building gateways and proxies that enrich, authenticate, or route requests.
- The lua-resty ecosystem. Bundled libraries like
lua-resty-core,lua-resty-redis,lua-resty-mysql,lua-resty-http, andlua-resty-lrucacheprovide ready-made building blocks for caching, data access, and HTTP calls. - Shared memory dictionaries.
ngx.shared.DICTgives all workers a fast, shared key-value store for counters, rate limits, and caches. - Full Nginx capabilities underneath. Everything Nginx does, reverse proxying, load balancing, TLS termination, static serving, caching, remains available, with Lua layered on top.
Because of this design, OpenResty is frequently used to build "smart" edge components. Rather than configuring static rules, engineers write programs that make dynamic decisions per request, such as validating JWTs, performing canary routing, transforming headers, enforcing complex rate limits, or assembling responses from multiple backends. It is the engine behind several popular API gateways and is widely deployed inside CDN infrastructure.
A useful way to frame OpenResty is that it collapses two traditional tiers, the web server and a thin application layer, into one. In a conventional stack, Nginx proxies to an application that does authentication and routing, adding a network hop and a separate process to operate. With OpenResty, that logic lives in the proxy itself, so a request can be authenticated, rate-limited, rewritten, and routed without ever leaving the Nginx worker. The trade-off is that this logic is now written in Lua and runs in the most performance-sensitive part of the system, which rewards careful, non-blocking code and punishes sloppiness. That is the central engineering tension of OpenResty, and recognizing it helps explain both its strengths and the kinds of organizations that adopt it.
How to Tell if a Website Uses OpenResty
OpenResty often identifies itself in the Server header, but because it is so frequently an edge or gateway layer, the usual proxy and CDN caveats are especially important here.
The Server response header
The most direct signal is the HTTP Server header, which for an OpenResty endpoint commonly reads:
Server: openresty
It may include a version, such as Server: openresty/1.25.3.1. Some operators rewrite or suppress this value, leaving a bare openresty or hiding it entirely, much as they would with plain Nginx.
To read it:
- curl:
curl -I https://example.comand look forServer: openresty. - Browser DevTools: In the Network tab, select the document request and inspect the Response Headers for the
Servervalue. - Wappalyzer and similar fingerprinting extensions detect the
openrestyServerstring automatically.
Nginx-like behavior and error pages
Because OpenResty is built on Nginx, it shares Nginx's behavioral fingerprints. Default error pages resemble Nginx's minimal HTML with a centered footer, and gateway errors like 502 Bad Gateway and 504 Gateway Timeout appear when upstreams fail, just as with Nginx. Header ordering and the absence of Apache-style module strings also mirror Nginx. In effect, an OpenResty server "smells like Nginx" in every way except that the Server header says openresty and the platform may expose custom, Lua-driven behaviors.
Edge and gateway tells
OpenResty's typical role as an API gateway or CDN edge produces corroborating signals. You may see custom headers added by Lua logic (for example, gateway-specific request IDs, rate-limit headers, or routing markers), JWT or API-key enforcement behavior, and response patterns consistent with request transformation. Several commercial API gateways built on OpenResty add their own recognizable headers; seeing those alongside Server: openresty strongly suggests an OpenResty-based gateway.
The CDN and proxy masking caveat (especially important here)
OpenResty is, by design, a proxy and edge layer, so the masking problem is at its most acute. A Server: openresty header almost always describes an edge or gateway in front of the real application, which could be anything: Node.js, Python, Java, Go, PHP, or another web server. Conversely, when a site sits behind a CDN that itself runs OpenResty internally, you might see the CDN's branded Server value instead, hiding the OpenResty layer. And a downstream CDN can mask an OpenResty origin entirely. The single most important interpretive rule is therefore: openresty tells you about the edge, rarely about the origin application.
This is precisely the scenario where server-side analysis earns its keep. StackOptic weighs the Server header, Nginx-style fingerprints, gateway-specific headers, and response behavior together to identify OpenResty and reason about the layers in front of and behind it. For the manual techniques, see our guides on how to find out what server software a website runs, how to read a website's HTTP headers, and how to find out where a website is hosted.
Key Features
- Programmable request handling. Embed LuaJIT logic at every Nginx request phase for authentication, routing, transformation, and custom APIs.
- High performance. Inherits Nginx's event-driven concurrency; LuaJIT compiles hot paths to native code for minimal overhead.
- Non-blocking cosockets. Make async calls to databases, caches, and upstream HTTP services from within request handling.
- Rich lua-resty library set. Bundled libraries for Redis, MySQL, HTTP, caching, and JSON handling accelerate development.
- Shared memory stores. Worker-shared dictionaries enable fast rate limiting, counters, and in-process caching.
- Full Nginx feature set. Reverse proxying, load balancing, TLS termination, caching, and static serving all remain available.
- Gateway-ready. A common foundation for API gateways, WAFs, and CDN edge logic.
Pros and Cons
Pros
- Combines Nginx-class performance with full programmability, eliminating a separate app tier for edge logic.
- LuaJIT is fast, and the lua-resty ecosystem provides mature building blocks.
- Ideal for API gateways, authentication proxies, and dynamic routing at scale.
- Tracks upstream Nginx, so it benefits from Nginx's stability and protocol support.
- Open source and widely battle-tested in CDN and gateway products.
Cons
- Requires Lua expertise; the programming model is more complex than static Nginx configuration.
- Smaller community than plain Nginx, and debugging in-worker Lua can be challenging.
- Easy to misuse: blocking calls or heavy logic in the request path can hurt the very performance you sought.
- As an edge layer, it can obscure the true origin, complicating architecture and detection.
OpenResty vs Alternatives
OpenResty is most often compared with plain Nginx, Apache, and LiteSpeed. The table summarizes the trade-offs.
| Feature | OpenResty | Nginx | Apache HTTP Server | LiteSpeed |
|---|---|---|---|---|
| Architecture | Event-driven (Nginx core) | Event-driven | Process/thread MPMs | Event-driven |
| Built-in scripting | Yes (LuaJIT) | No (third-party modules) | Modules / embedded interpreters | Limited |
| Typical role | API gateway, edge logic | Edge proxy, static, LB | App server, shared hosting | Shared hosting, WordPress |
Reads .htaccess | No | No | Yes | Yes |
| Programmability | High (per-request Lua) | Low (config only) | Medium (modules) | Low |
| Common Server header | openresty | nginx | Apache | LiteSpeed |
If you need a straightforward edge proxy without embedded scripting, plain Nginx is the natural alternative; OpenResty is the choice when programmable, per-request logic at the edge is the goal.
Use Cases
- API gateways. Authentication, authorization, rate limiting, request transformation, and routing, often the backbone of commercial gateway products.
- CDN edge logic. Custom caching rules, header manipulation, geolocation routing, and request shaping at points of presence.
- Web application firewalls. Inspecting and filtering requests in Lua before they reach backends.
- Dynamic reverse proxying. Canary deployments, A/B testing, and per-request backend selection driven by Lua.
- High-performance microservice front doors. A programmable, low-latency entry point that enriches or aggregates backend responses.
- Security and competitive research. Identifying OpenResty (and the gateway products built on it) reveals how a target structures its edge and what protections sit in the request path.
Frequently Asked Questions
Is OpenResty the same as Nginx?
OpenResty is built on Nginx and tracks it closely, so it shares Nginx's architecture and performance. The difference is that OpenResty bundles the LuaJIT compiler, the ngx_http_lua_module, and a set of lua-resty libraries, turning Nginx into a programmable platform. In behavior and fingerprints OpenResty looks almost identical to Nginx, except the Server header reports openresty and the platform can run custom Lua logic per request.
What does a "Server: openresty" header actually tell me?
It tells you the endpoint that answered your request is running OpenResty, which is almost always an edge or gateway layer rather than the origin application. The real backend behind it could be Node.js, Python, Java, Go, PHP, or another server. So openresty is best read as "there is a programmable Nginx-based gateway here," not "the whole site is OpenResty."
Why is OpenResty so common at API gateways and CDNs?
Because it lets engineers run fast, non-blocking logic directly in the request path. Authentication, rate limiting, routing, and request transformation can all be implemented in Lua inside the same event loop that proxies traffic, avoiding a separate application tier. That combination of performance and programmability is exactly what gateways and CDN edges need, which is why several well-known gateway and CDN products are built on OpenResty.
How do I distinguish OpenResty from plain Nginx?
The decisive signal is the Server header: openresty versus nginx. Beyond that, both share the same error-page style and gateway error behavior, so look for gateway-specific custom headers, JWT or API-key enforcement, and request-transformation patterns that hint at Lua logic. When the header is hidden, distinguishing the two reliably usually requires server-side analysis that weighs several signals together.
Can OpenResty be hidden behind a CDN?
Yes. If a CDN sits in front of an OpenResty origin, it may overwrite the Server header with its own value and hide OpenResty entirely. Conversely, some CDNs run OpenResty internally, so the openresty you see could itself be the CDN edge. Because OpenResty's whole purpose is to be an edge layer, treat its header as information about a layer, not the origin, and corroborate with additional signals.
Is writing Lua in OpenResty risky for performance?
It can be if misused. LuaJIT is fast and the cosocket APIs are non-blocking, but introducing blocking calls (for example, a synchronous library that stalls the worker) or running heavy computation in the request path can undermine the performance OpenResty is prized for. Following the non-blocking patterns and using the lua-resty libraries as intended keeps OpenResty fast.
Need to identify an OpenResty gateway and reason about the layers in front of and behind it? Run a server-side analysis with StackOptic.
Alternatives to OpenResty
Compare OpenResty
Analyze a Website
Check if any website uses OpenResty and discover its full technology stack.
Analyze Now