Skip to content

0.13.3

Latest

Choose a tag to compare

@github-actions github-actions released this 05 Jul 06:58
b432ff8

Important Changes

  • The HTTP cache now has a 1 GiB default ceiling on its total size. Previously only the number of cache entries and the per-entry size were bounded, so raising max_cache_each_size could let the cache grow with no explicit total limit (up to max_cache_entry x max_cache_each_size). A new [experimental.cache] key max_cache_total_size (default 1 GiB; integer bytes or a suffixed string like "256m" / "1g") caps the total bytes retained across the on-memory and file tiers; when storing a new response would exceed it, the least recently used entries are evicted until the response fits. Deployments whose cache legitimately grows past 1 GiB should set a larger value or "unlimited" to restore the previous behavior. At the default cache settings the ceiling never binds (the implicit worst case there is ~64 MiB).

Bugfix

  • Fix: the ignore_sni_consistency relaxation no longer applies to applications with client authentication. Client certificates are verified per server name during the TLS handshake, so with ignore_sni_consistency = true a client could complete a handshake under a server name without client authentication and then address a client-authentication application via the Host header, reaching its backend without presenting any client certificate. Requests resolved into a client-authentication application over a TLS session established for a different server name are now rejected before forwarding, regardless of the ignore_sni_consistency setting. Deployments that do not combine ignore_sni_consistency = true with client authentication are unaffected.
  • Fix: reject oversize HTTP/3 request bodies with an error instead of forwarding a silently truncated body upstream.
  • Fix: partition the HTTP cache by the client-facing effective request URI (scheme + authoritative host + path/query) to prevent cross-virtual-host cache poisoning. Previously, with the cache feature enabled, entries were keyed on the request URI after rewrite to the upstream target, so two virtual hosts sharing one upstream could serve each other's cached responses. The scheme is derived with the same trusted-forwarded-proxy boundary used elsewhere, and requests without a safe client-facing URI are served uncached (fail closed). This may lower the cache hit rate when virtual hosts intentionally share a backend; no config change is required.
  • Fix: enforce an explicit ceiling on the total cache size. Previously the cache bounded each entry and the number of entries but never the retained total, so an operator raising the per-entry limit could have the cache consume disk (or memory) without an explicit bound - a denial-of-service risk via cache exhaustion, and one made easier to reach now that cache entries are partitioned per virtual host. The new max_cache_total_size ceiling (see Important Changes) closes this: publishing a response that would exceed it evicts least-recently-used entries first, and a response that could never fit is not cached at all. The ceiling bounds the data referenced by live cache entries; in-flight stores and eviction deletions can transiently use extra disk space beyond it.

Improvement

  • Refactor: remove the blanket #[allow(unused)] / #[allow(dead_code)] attributes across the crates and clear the Clippy backlog, with no behavior change. Items that a blanket allow was masking are now compiled exactly where they are used - the channel-backed request-body plumbing is gated to the HTTP/3 (and test) builds, the streamed response-body machinery and the full() helper to the cache build (the boxed response body and empty() remain always available for synthetic responses), the sticky-cookie load-balance error type to the sticky-cookie build, and Upstream::is_healthy to the health-check-or-sticky-cookie builds (it is consulted by both) - while genuinely dead code (unused getters, an unused watch primitive, redundant re-exports) is deleted outright. The remaining Clippy warnings across the library and binary were also fixed (unnecessary unwrap-after-is_some rewritten as if let, map_or(true, ..) as is_none_or, collapsible ifs as let-chains, a large enum variant boxed, a manual Default derived, and similar idioms), one Japanese-only doc comment was translated to English, and pre-existing rustfmt drift in the header-operation helpers was closed. These are internal cleanups: no configuration, public API, or runtime behavior changes, verified across the feature matrix and the full test suite.

What's Changed

  • chore(deps): bump actions/checkout from 6 to 7 by @dependabot[bot] in #632
  • chore(deps): bump bytes from 1.11.1 to 1.12.0 by @dependabot[bot] in #633
  • refactor: remove rustls-post-quantum dependency in favor of rustls prefer-post-quantum feature by @mvanhorn in #602
  • fix: fix test failures due to the out-of-sync branches before merging post quantum patch by @junkurihara in #634
  • chore(deps): bump rustls from 0.23.40 to 0.23.41 by @dependabot[bot] in #636
  • chore(deps): bump quinn from 0.11.9 to 0.11.11 by @dependabot[bot] in #635
  • chore(deps): bump actions/cache from 5 to 6 by @dependabot[bot] in #637
  • chore(deps): bump anyhow from 1.0.102 to 1.0.103 by @dependabot[bot] in #638
  • fix(cache): key responses by client-facing effective URI by @junkurihara in #639
  • chore(deps): bump aes-gcm from 0.11.0-rc.4 to 0.11.0 by @dependabot[bot] in #640
  • chore(deps): bump aws-lc-rs from 1.17.0 to 1.17.1 by @dependabot[bot] in #641
  • fix(cache): cap the total bytes retained by the cache (default 1 GiB) by @junkurihara in #643
  • fix(tls): never apply the SNI-consistency relaxation to client-auth (mTLS) hosts by @junkurihara in #647
  • refactor(lint): remove allow(unused/dead_code) sprawl and clear clippy backlog by @junkurihara in #648
  • 0.13.3 by @junkurihara in #649

New Contributors

Full Changelog: 0.13.2...0.13.3