Skip to content

Releases: MichaelPaddon/hypershunt

hypershunt v1.1.0

Choose a tag to compare

@github-actions github-actions released this 01 Jul 23:10

hypershunt 1.1.0

The headline of this release is a standards-compliant HTTP response
cache
(RFC 9111). hypershunt can now cache eligible responses and
serve them directly, cutting tail latency and upstream load:

  • RFC 9111 caching --- freshness from Cache-Control / Expires
    plus heuristic freshness, with correct handling of Vary, private /
    no-store, and authenticated responses.
  • Conditional revalidation --- stale entries are revalidated with
    If-None-Match / If-Modified-Since and refreshed on a 304.
  • Single-flight --- concurrent requests for the same key coalesce
    into one upstream fetch instead of a thundering herd.
  • Client directives + stale serving (RFC 5861) --- honours
    Cache-Control request directives and can serve
    stale-while-revalidate / stale-if-error content.

It also fixes two background tasks that could pin a CPU core: the OCSP
refresh task busy-looping after certificate rotation, and the listener
accept loop spinning on file-descriptor exhaustion.

Minor version bump (1.0.0 to 1.1.0): fully backward compatible, no
configuration changes required.

Features

  • Serving --- static files (range, ETag, try-files), redirects,
    inline responses, custom error pages.
  • Routing --- virtual hosts (literal + regex), request matchers,
    URL rewrites with regex captures.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams; load
    balancing, health checks, retries; FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and Unix-socket forwarders with
    optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01, TLS-ALPN-01), file-based PEM,
    self-signed; OCSP stapling; mTLS with CRLs.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd),
    JWT sessions, OIDC SSO, firewall-style policy blocks.
  • Operations --- compression, structured access logs, status page,
    health endpoints, hot reload, seamless binary upgrade, .deb /
    .rpm / OCI image.

…and more --- see the configuration reference.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.

hypershunt v1.0.0

Choose a tag to compare

@github-actions github-actions released this 21 Jun 04:41

hypershunt 1.0.0 — first stable release

The configuration format is stable and the project follows semantic
versioning from this release onward.

Highlights since the 1.0.0-rc series:

  • Cleared all known dependency security advisories.
  • Upgraded the OIDC stack (openidconnect 4) and the PAM stack
    (pam-client2).
  • Removed the bundled AWS SDK; Route 53 DNS-01 now runs through the
    exec provider.
  • Extended the request-header (Slowloris) timeout to HTTP/2 and HTTP/3.

Features

  • Serving --- static files (range, ETag, try-files), redirects,
    inline responses, custom error pages.
  • Routing --- virtual hosts (literal + regex), request matchers,
    URL rewrites with regex captures.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams; load
    balancing, health checks, retries; FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and Unix-socket forwarders with
    optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01, TLS-ALPN-01), file-based PEM,
    self-signed; OCSP stapling; mTLS with CRLs.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd),
    JWT sessions, OIDC SSO, firewall-style policy blocks.
  • Operations --- compression, structured access logs, status page,
    health endpoints, hot reload, seamless binary upgrade, .deb /
    .rpm / OCI image.

…and more --- see the configuration reference.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.

hypershunt v1.0.0-rc18

Pre-release

Choose a tag to compare

@github-actions github-actions released this 20 Jun 03:12

What's new in 1.0.0-rc18

Breaking changes

  • Drop built-in Route53 provider and the AWS SDK (#71)

New features

  • Apply request-header timeout to HTTP/2 and HTTP/3 (#72)

Features

  • Serving --- static files (range, ETag, try-files), redirects,
    inline responses, custom error pages.
  • Routing --- virtual hosts (literal + regex), request matchers,
    URL rewrites with regex captures.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams; load
    balancing, health checks, retries; FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and Unix-socket forwarders with
    optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01, TLS-ALPN-01), file-based PEM,
    self-signed; OCSP stapling; mTLS with CRLs.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd),
    JWT sessions, OIDC SSO, firewall-style policy blocks.
  • Operations --- compression, structured access logs, status page,
    health endpoints, hot reload, seamless binary upgrade, .deb /
    .rpm / OCI image.

…and more --- see the configuration reference.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.

hypershunt v1.0.0-rc17

Pre-release

Choose a tag to compare

@github-actions github-actions released this 19 Jun 14:12

What's new in 1.0.0-rc17

Maintenance release.

Features

  • Serving --- static files (range, ETag, try-files), redirects,
    inline responses, custom error pages.
  • Routing --- virtual hosts (literal + regex), request matchers,
    URL rewrites with regex captures.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams; load
    balancing, health checks, retries; FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and Unix-socket forwarders with
    optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01, TLS-ALPN-01), file-based PEM,
    self-signed; OCSP stapling; mTLS with CRLs.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd),
    JWT sessions, OIDC SSO, firewall-style policy blocks.
  • Operations --- compression, structured access logs, status page,
    health endpoints, hot reload, seamless binary upgrade, .deb /
    .rpm / OCI image.

…and more --- see the configuration reference.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.

hypershunt v1.0.0-rc16

Pre-release

Choose a tag to compare

@github-actions github-actions released this 19 Jun 14:12

What's new in 1.0.0-rc16

Maintenance release.

Features

  • Serving --- static files (range, ETag, try-files), redirects,
    inline responses, custom error pages.
  • Routing --- virtual hosts (literal + regex), request matchers,
    URL rewrites with regex captures.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams; load
    balancing, health checks, retries; FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and Unix-socket forwarders with
    optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01, TLS-ALPN-01), file-based PEM,
    self-signed; OCSP stapling; mTLS with CRLs.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd),
    JWT sessions, OIDC SSO, firewall-style policy blocks.
  • Operations --- compression, structured access logs, status page,
    health endpoints, hot reload, seamless binary upgrade, .deb /
    .rpm / OCI image.

…and more --- see the configuration reference.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.

hypershunt v1.0.0-rc15

Pre-release

Choose a tag to compare

@github-actions github-actions released this 13 Jun 14:16

What's new in 1.0.0-rc15

Fixes

  • OIDC: username-claim / groups-claim now read claims from
    the ID token. Previously the username silently fell back to sub
    and groups came back empty unless the UserInfo endpoint supplied
    them (#66).
  • OCSP: staple when available; a certificate with no responder
    URL is served unstapled instead of being treated as a fetch
    failure — the normal case for ACME CAs since 2025 (#64).
  • Config: require kdl 6.7.1 (6.5.x mis-parsed a node whose
    inline children block was followed by a trailing comment,
    swallowing the next node); accept the unix-stream: scheme for
    fastcgi / scgi sockets (#65).

Documentation

  • Full correctness review of the docs: corrected wrong defaults,
    stale behaviour, and non-parsing KDL examples across the reference
    and guide (#65).

Features

  • Serving --- static files (range, ETag, try-files), redirects,
    inline responses, custom error pages.
  • Routing --- virtual hosts (literal + regex), request matchers,
    URL rewrites with regex captures.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams; load
    balancing, health checks, retries; FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and Unix-socket forwarders with
    optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01, TLS-ALPN-01), file-based PEM,
    self-signed; OCSP stapling; mTLS with CRLs.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd),
    JWT sessions, OIDC SSO, firewall-style policy blocks.
  • Operations --- compression, structured access logs, status page,
    health endpoints, hot reload, seamless binary upgrade, .deb /
    .rpm / OCI image.

…and more --- see the configuration reference.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.

hypershunt v1.0.0-rc14

Pre-release

Choose a tag to compare

@github-actions github-actions released this 12 Jun 15:47

What's new in 1.0.0-rc14

Maintenance release.

Features

  • Serving --- static files (range, ETag, try-files), redirects,
    inline responses, custom error pages.
  • Routing --- virtual hosts (literal + regex), request matchers,
    URL rewrites with regex captures.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams; load
    balancing, health checks, retries; FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and Unix-socket forwarders with
    optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01, TLS-ALPN-01), file-based PEM,
    self-signed; OCSP stapling; mTLS with CRLs.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd),
    JWT sessions, OIDC SSO, firewall-style policy blocks.
  • Operations --- compression, structured access logs, status page,
    health endpoints, hot reload, seamless binary upgrade, .deb /
    .rpm / OCI image.

…and more --- see the configuration reference.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.

hypershunt v1.0.0-rc13

Pre-release

Choose a tag to compare

@github-actions github-actions released this 11 Jun 11:55

What's new in 1.0.0-rc13

New features

  • Add respond handler for inline static responses (#57)
  • Drain-aware health readiness + configurable health endpoints (#56)

Features

  • Serving --- static files (range, ETag, try-files, opt-in
    directory listings, ~user/), redirects, custom error pages,
    per-location header injection.
  • Routing --- virtual hosts (literal + regex), per-location
    matchers (method, header, query), URL rewrites with regex
    captures, alias names, per-SNI ALPN.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams with
    connection pooling; multi-upstream load balancing (round-robin,
    least-conn, ip-hash, header-hash, random); active and passive
    health checks; retries; per-location rate limits and body caps;
    FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and unix-stream / unix-dgram /
    unix-seqpacket forwarders with optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01 via acme-dns / Cloudflare /
    Route 53 / exec, TLS-ALPN-01), file-based PEM, ephemeral
    self-signed; OCSP stapling on by default; mTLS with CRLs;
    shared certificate blocks across listeners.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd
    with bcrypt / SHA-512 crypt / Argon2id), subrequest auth, JWT
    session cookies (ES256, JWKS endpoint), OIDC SSO with PKCE and
    back-channel logout, OAuth 2.0 bearer resource-server mode,
    firewall-style policy blocks (IP / user / group / GeoIP country).
  • Operations --- gzip / brotli / zstd response compression,
    structured access logs (NCSA Common/Combined, JSON), built-in
    status page, health endpoints, hot config reload (SIGHUP),
    seamless binary upgrade (SIGUSR2), socket activation,
    hypershunt --check-config, systemd unit, .deb / .rpm / OCI image.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.

hypershunt v1.0.0-rc12

Pre-release

Choose a tag to compare

@github-actions github-actions released this 11 Jun 10:33

What's new in 1.0.0-rc12

New features

  • Per-listener vhost scoping; remove default-vhost (#53)

Features

  • Serving --- static files (range, ETag, try-files, opt-in
    directory listings, ~user/), redirects, custom error pages,
    per-location header injection.
  • Routing --- virtual hosts (literal + regex), per-location
    matchers (method, header, query), URL rewrites with regex
    captures, alias names, per-SNI ALPN.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams with
    connection pooling; multi-upstream load balancing (round-robin,
    least-conn, ip-hash, header-hash, random); active and passive
    health checks; retries; per-location rate limits and body caps;
    FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and unix-stream / unix-dgram /
    unix-seqpacket forwarders with optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01 via acme-dns / Cloudflare /
    Route 53 / exec, TLS-ALPN-01), file-based PEM, ephemeral
    self-signed; OCSP stapling on by default; mTLS with CRLs;
    shared certificate blocks across listeners.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd
    with bcrypt / SHA-512 crypt / Argon2id), subrequest auth, JWT
    session cookies (ES256, JWKS endpoint), OIDC SSO with PKCE and
    back-channel logout, OAuth 2.0 bearer resource-server mode,
    firewall-style policy blocks (IP / user / group / GeoIP country).
  • Operations --- gzip / brotli / zstd response compression,
    structured access logs (NCSA Common/Combined, JSON), built-in
    status page, health endpoints, hot config reload (SIGHUP),
    seamless binary upgrade (SIGUSR2), socket activation,
    hypershunt --check-config, systemd unit, .deb / .rpm / OCI image.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.

hypershunt v1.0.0-rc11

Pre-release

Choose a tag to compare

@github-actions github-actions released this 12 Jun 22:06

What's new in 1.0.0-rc11

Fixes

  • Tighten viewBox framing
  • Center sidebar logo

Features

  • Serving --- static files (range, ETag, try-files, opt-in
    directory listings, ~user/), redirects, custom error pages,
    per-location header injection.
  • Routing --- virtual hosts (literal + regex), per-location
    matchers (method, header, query), URL rewrites with regex
    captures, alias names, per-SNI ALPN.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams with
    connection pooling; multi-upstream load balancing (round-robin,
    least-conn, ip-hash, header-hash, random); active and passive
    health checks; retries; per-location rate limits and body caps;
    FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and unix-stream / unix-dgram /
    unix-seqpacket forwarders with optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01 via acme-dns / Cloudflare /
    Route 53 / exec, TLS-ALPN-01), file-based PEM, ephemeral
    self-signed; OCSP stapling on by default; mTLS with CRLs;
    shared certificate blocks across listeners.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd
    with bcrypt / SHA-512 crypt / Argon2id), subrequest auth, JWT
    session cookies (ES256, JWKS endpoint), OIDC SSO with PKCE and
    back-channel logout, OAuth 2.0 bearer resource-server mode,
    firewall-style policy blocks (IP / user / group / GeoIP country).
  • Operations --- gzip / brotli / zstd response compression,
    structured access logs (NCSA Common/Combined, JSON), built-in
    status page, health endpoints, hot config reload (SIGHUP),
    seamless binary upgrade (SIGUSR2), socket activation,
    hypershunt --check-config, systemd unit, .deb / .rpm / OCI image.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.