Skip to content

hypershunt v1.1.0

Latest

Choose a tag to compare

@github-actions github-actions released this 01 Jul 23:10

hypershunt 1.1.0

The headline of this release is a standards-compliant HTTP response
cache
(RFC 9111). hypershunt can now cache eligible responses and
serve them directly, cutting tail latency and upstream load:

  • RFC 9111 caching --- freshness from Cache-Control / Expires
    plus heuristic freshness, with correct handling of Vary, private /
    no-store, and authenticated responses.
  • Conditional revalidation --- stale entries are revalidated with
    If-None-Match / If-Modified-Since and refreshed on a 304.
  • Single-flight --- concurrent requests for the same key coalesce
    into one upstream fetch instead of a thundering herd.
  • Client directives + stale serving (RFC 5861) --- honours
    Cache-Control request directives and can serve
    stale-while-revalidate / stale-if-error content.

It also fixes two background tasks that could pin a CPU core: the OCSP
refresh task busy-looping after certificate rotation, and the listener
accept loop spinning on file-descriptor exhaustion.

Minor version bump (1.0.0 to 1.1.0): fully backward compatible, no
configuration changes required.

Features

  • Serving --- static files (range, ETag, try-files), redirects,
    inline responses, custom error pages.
  • Routing --- virtual hosts (literal + regex), request matchers,
    URL rewrites with regex captures.
  • Reverse proxy --- HTTP/1, HTTP/2, HTTP/3 upstreams; load
    balancing, health checks, retries; FastCGI, SCGI, CGI.
  • Layer-4 proxy --- TCP, UDP, and Unix-socket forwarders with
    optional TLS termination.
  • TLS --- ACME (HTTP-01, DNS-01, TLS-ALPN-01), file-based PEM,
    self-signed; OCSP stapling; mTLS with CRLs.
  • Auth & access control --- HTTP Basic (PAM, LDAP, htpasswd),
    JWT sessions, OIDC SSO, firewall-style policy blocks.
  • Operations --- compression, structured access logs, status page,
    health endpoints, hot reload, seamless binary upgrade, .deb /
    .rpm / OCI image.

…and more --- see the configuration reference.

Standards

HTTP/1.1, HTTP/2, HTTP/3 RFC 9112, RFC 9113, RFC 9114
WebSocket; extended CONNECT RFC 6455, RFC 8441
TLS 1.2 / 1.3 RFC 5246, RFC 8446
ACME (HTTP-01, DNS-01, TLS-ALPN-01) RFC 8555, RFC 8737
OCSP stapling RFC 6066 §8
JWT (ES256) / JWS / JWK / JWK thumbprint RFC 7519, RFC 7515, RFC 7517, RFC 7638
OAuth 2.0 PKCE, token revocation, resource indicators, iss param RFC 7636, RFC 7009, RFC 8707, RFC 9207
OpenID Connect 1.0 + back-channel logout OIDC Core, OIDC Back-Channel Logout
HAProxy PROXY protocol v1 / v2 HAProxy spec
CGI / FastCGI / SCGI RFC 3875, FastCGI 1.0, SCGI 1.0
KDL configuration KDL v2

See the README and docs for configuration and usage.