Fluxheim 1.6.29

[eldryoth]

Fluxheim 1.6.29 Release Notes

Fluxheim 1.6.29 continues the Pingora-exit work by moving inherited
compression, header-policy behavior, and safe forwarded-header ownership into
the native HTTP/1 proxy path.

Highlights

• Native HTTP/1 plain proxy responses can now use inherited global/vhost
  compression policy when gzip, brotli, or zstd support is compiled.
• Native HTTP/1 route proxy responses now inherit global/vhost compression
  when a route does not override compression locally.
• Native route proxy construction now merges root/vhost header policy with the
  route overlay before building native request and response header policies.
• Root and vhost header mutation policy no longer blocks native HTTP/1 proxy
  cutover when it only uses supported header set/remove/append behavior.
• Native HTTP/1 proxy handling now owns the safe forwarded-client-IP header
  modes: X-Forwarded-For = off, X-Forwarded-For = replace, X-Real-IP,
  X-Forwarded-Host, X-Forwarded-Proto, and RFC Forwarded.
• Native HTTP/1 route proxy handling now owns trusted-chain
  X-Forwarded-For = append for routes and programmatic builders, preserving
  inbound chains only when the direct peer matches configured trusted sources.
• Native HTTP/1 route proxy handling now owns regex route matching and
  path-only rewrite_template capture expansion, including exact route,
  longest-prefix route, first-regex route, and fallback precedence.
• Native HTTP/1 route proxy handling now owns IP/CIDR allow/deny access policy
  at both vhost and route scope, using trusted X-Forwarded-For client
  restoration when configured trusted sources identify the direct peer.
• Native HTTP/1 route proxy handling now owns vhost and route concurrency
  limits, including immediate rejection and bounded queued waits.
• Native HTTP/1 route proxy handling now owns vhost and route local rate
  limits, including token-bucket rejection and delay-mode admission.
• Native HTTP/1 proxy responses now carry configured downstream write timeout,
  total response timeout, and minimum send-rate policy.
• Native HTTP/1 upstream establishment now honors
  proxy.upstream_total_connection_timeout_secs across DNS, TCP connect, and
  optional TLS handshake setup.
• Native HTTP/1 upstream socket creation now honors
  proxy.upstream_tcp_recv_buffer_bytes, proxy.upstream_dscp, and the
  upstream TCP keepalive triple before connecting. On targets with
  TCP_USER_TIMEOUT, it also honors proxy.upstream_tcp_user_timeout_ms.
• Native HTTP/1 request-body parsing now honors
  proxy.downstream_read_timeout_secs selected by the matched proxy before
  forwarding to upstreams.
• Native HTTP/1 requests now carry typed optional TLS client identity and Geo
  context fields. Rustls and OpenSSL listener tests prove downstream TLS
  request context is populated with negotiated protocol, cipher, and peer
  certificate fingerprint where available.
• Native route-proxy access evaluation now enforces client-certificate
  fingerprint and Geo country/ASN rules when typed request context is present,
  so cert/Geo policy no longer blocks the native HTTP/1 cutover inventory.
• Managed local ACME HTTP-01 challenge serving now has a native route action.
  Live route-proxy tests prove direct and alias vhost challenge ownership, safe
  token-file loading, GET/HEAD handling, and 405 Allow: GET, HEAD behavior.
• Native ACME HTTP-01 challenge file loading now runs on Tokio's blocking pool
  instead of blocking the async worker thread.
• Native HTTP/1 proxy handling now supports safe-method traffic mirroring when
  the traffic-mirror feature is compiled, including recursion protection,
  sampling, forwarded-header selection, mirror response caps, and per-target
  in-flight limits.
• Native HTTP/1 proxy handling now supports proxy.auth_request when the
  auth-request server feature is compiled, including trusted context header
  synthesis, bounded blocking subrequests, response-header allowlisting, and
  deny-before-forwarding behavior.
• Native HTTP/1 route proxy handling now honors route-scoped
  [vhosts.routes.grpc] validation, rejecting non-POST requests, duplicate
  Content-Type headers, and non-gRPC content types before forwarding.
• The compatibility proxy's gRPC route Content-Type gate now matches the
  native gate by rejecting duplicate Content-Type headers and accepting
  case-insensitive gRPC media types.
• Root and vhost compression no longer blocks native HTTP/1 proxy cutover when
  a matching compression backend feature is compiled.
• Native route-proxy construction now mirrors the compatibility route order for
  vhost synthetic routes: explicit ACME HTTP-01 upstream challenge routes,
  configured routes, then vhost redirect fallback routes.
• Vhost redirects and explicit ACME HTTP-01 upstream challenge routes no longer
  block the native cutover inventory when their generated route policies are
  otherwise native-safe.
• Live native listener tests now prove plain-proxy gzip compression, inherited
  route gzip compression, inherited request-header mutation, inherited
  response-header mutation, and standard response security headers.

Security Notes

• Inherited native compression keeps the same guarded behavior as route-level
  compression: bounded input/output size, negotiated Accept-Encoding, safe
  method/status checks, and privacy-sensitive header exclusions.
• Native compression strips origin ETag and Content-Length, appends
  Vary: accept-encoding, and lets native response framing compute the final
  compressed length.
• Native route request headers are removed or overwritten before the upstream
  request is sent, matching the compatibility-path policy order for the
  supported mutation subset.
• The low-level native upstream writer no longer hardcodes client-IP forwarding;
  proxy/header policy now owns X-Forwarded-For so privacy-mode and ordinary
  builds share one explicit policy boundary.
• Native route request-header overlay builders now start from the same secure
  forwarded-header baseline as config-driven policy, so omitted overlay fields
  still strip spoofable inbound client-IP headers and synthesize owned
  forwarding context.
• Future trusted-chain append handling reads the inbound X-Forwarded-For chain
  after any configured spoofable-header stripping, so strip-plus-append degrades
  to the direct peer address instead of preserving attacker-supplied hops.
• Native route tests prove ACME challenge paths are selected before a vhost
  redirect fallback, preserving the HTTP-01 exception ordering used by the
  compatibility path for explicit upstream challenge forwarding.
• Native cutover now rejects route request-header overlays that set
  enabled = false, because disabling the request header policy would also
  disable forwarded-client-IP sanitation on that native route.
• Native vhost fallback proxy traffic now receives the merged root/vhost header
  policy, so requests that miss named routes still strip spoofable
  client-IP headers and synthesize owned forwarding context.
• Privacy-mode native route request headers are stripped after all configured
  request-header mutations, preventing operator set or append rules from
  reintroducing spoofable forwarded-client-IP fields.
• Programmatic native route constructors now start with the same safe default
  request-header policy used by config-built routes, instead of a no-op policy.
• Native trusted append uses the same effective-client-IP restoration helper as
  the compatibility path, so untrusted direct peers cannot preserve spoofed
  inbound forwarding chains.
• Native regex rewrite templates percent-encode bounded capture values and
  reject rewritten paths that would traverse or introduce unsafe forwarding
  paths before any upstream connection is opened.
• Native regex rewrite captures now encode slash characters and fail closed
  under the native safe-forward-path policy, so regex captures cannot introduce
  path hierarchy that was not present in the static rewrite template.
• Native access policy denies before redirects, static-web actions, or upstream
  proxying run, so rejected requests cannot be transformed into downstream
  effects first.
• Native vhost access policy uses the same trusted forwarded-chain restoration
  helper as forwarded-header synthesis, so allow/deny decisions see the
  effective client IP only when the direct peer is trusted.
• Native route access policy also checks a percent-decoded policy path, matching
  the compatibility path's encoded-route bypass hardening for access decisions.
• Native concurrency limits are enforced before rewrite, local static,
  redirect, or upstream proxy actions run; permits are held until the native
  response is produced.
• Native rate limits are enforced before rewrite, local static, redirect, or
  upstream proxy actions run; excess requests are rejected before the native
  upstream path is reached, and delay-mode sleeps run before concurrency permit
  acquisition so delayed requests cannot exhaust configured concurrency budgets.
• Native trusted-proxy client restoration joins duplicate inbound
  X-Forwarded-For headers before ACL and rate-limit identity decisions.
• Malformed X-Forwarded-For trusted-proxy chains now fail closed on both the
  native header crate path and the compatibility proxy path, falling back to
  the direct peer address instead of skipping poisoned hops.
• Native rate-limit table eviction sweeps are bounded so a full bucket table
  cannot trigger repeated full-table scans on every new identity.
• Native rate-limit tables are now sharded so stale-entry pruning only blocks
  one shard of identities at a time.
• Native proxy config now accepts response-side downstream policy and per-proxy
  downstream request-read timeout policy on the native path.
• Native proxy config now accepts total upstream connection timeout while
  keeping TCP Fast Open as an explicit native transport blocker.
• The configuration reference now documents that
  proxy.upstream_tcp_fast_open remains compatibility-runtime only during the
  1.6 native preview until a safe native socket path has parity tests.
• Native proxy config and live loopback tests now prove receive-buffer and DSCP
  socket options plus TCP keepalive and supported TCP user-timeout are accepted
  and still connect through the native proxy path.
• Native listener tests now prove plain HTTP requests leave TLS client identity
  and Geo context unset by default.
• Native route tests now prove client-certificate fingerprint and Geo
  country/ASN policies reject requests before upstream forwarding when the
  typed request context does not satisfy the configured policy.
• Native HTTP/1 proxy tests now prove traffic mirroring reaches a local mirror
  endpoint without changing the origin response.
• Native HTTP/1 proxy tests now prove auth-request allow responses can inject
  configured upstream headers and auth-request deny responses stop before any
  upstream connection is made.
• Native cutover-plan tests now prove proxy.auth_request and safe-method
  traffic mirroring are native-ready only when their matching server feature
  gates are compiled.
• Native traffic mirroring now honors only Fluxheim's signed internal mirror
  marker for loop prevention, so client-supplied X-Fluxheim-Mirror headers
  cannot suppress the configured mirror feed.
• Native proxy forwarding now strips inbound X-Fluxheim-Mirror and
  X-Fluxheim-Mirror-Signature headers before forwarding to the origin.
• Native traffic-mirror marker signatures are now compared through
  sanitization::ct::ConstantTimeEq; this release also updates
  sanitization to 1.2.1 and rustls to 0.23.41.
• Native auth-request 2xx response bodies that are read only for the configured
  size cap are now zeroized before release, and allowlisted auth response
  headers use zeroizing temporary storage before being copied into the upstream
  request.
• Native proxy tests now prove a slow request body times out before any
  upstream connection is attempted when proxy.downstream_read_timeout_secs
  is selected.
• Native proxy and cutover-plan tests now prove upstream HTTP/2 and H2 tuning
  knobs remain explicit native blockers for the dedicated 1.6.30 upstream H2
  connection-manager slice.
• Native route tests now prove gRPC policy rejects non-gRPC requests, rejects
  duplicate Content-Type, emits gRPC status metadata on local rejections, and
  forwards valid case-insensitive application/grpc* requests.
• Compatibility-path gRPC policy tests now prove duplicate Content-Type
  headers are rejected and case-insensitive application/grpc* media types are
  accepted.
• Native HTTP/1 now sends 408 Request Timeout before closing connections that
  exceed the selected request-body timeout.
• Native route proxy timeout selection no longer lets redirect or static-web
  routes inherit a fallback proxy's longer request-body timeout.
• Native DSCP fallback compilation now covers targets without Tokio IPv6
  traffic-class support, and the receive-buffer conversion rejects an
  impossible oversized value with a dedicated diagnostic instead of silently
  ignoring it.
• Config validation and native regex route compilation now apply the same
  explicit NFA and DFA cache limits.
• Privacy-mode native route proxy handling now strips spoofable
  X-Forwarded-Host and X-Forwarded-Proto headers along with client-IP
  forwarding headers.
• Native trusted-source CIDR matching now rejects directly constructed invalid
  prefix lengths without relying on implicit shift arithmetic.
• Programmatic request-header policy defaults now match TOML deserialization for
  X-Real-IP, avoiding divergent native route behavior between config-built and
  builder-created routes.
• Privacy-mode native proxy builds strip spoofable inbound client-IP headers and
  do not compile the non-privacy forwarded-header synthesis helpers.
• Native route responses now apply inherited standard security headers such as
  X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP, and HSTS
  where configured.
• The configuration reference now warns that disabling inbound forwarded-header
  stripping while also disabling owned X-Forwarded-Host or
  X-Forwarded-Proto synthesis permits client-supplied values for those
  headers to reach upstreams.

Compatibility

This release does not remove Pingora from normal builds yet. The remaining
compatibility blockers are upstream TCP Fast Open, cache lookup/fill/stale
behavior, PHP-FPM routing, dynamic discovery, health-aware load balancing,
persistence, priority/backup/drain state, hash-based load-balancer selection,
and upstream HTTP/2 connection-manager parity.

Checksums And Signatures

• Commit: 12e744dcc613283b914ddf15016c844c0127fc1d
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • df2b7127fbf7c4acb94beb217b7be4b9692dee451ed676f369fb8e5279b9d5cb fluxheim-1.6.29.tar.gz
  • f391b24a757b3ce6e5d7ee7f9e045a41143afe0c135ae97635bba86cc363fd96 fluxheim-1.6.29.zip
• Binary checksums:
  • x86_64:
    • c4b3c15dce49308e99d1fc029220d6b6a5a8fe7f70dd915321ede59870e66705 fluxheim-1.6.29-full-x86_64-linux.tar.gz
    • bde328b3d53a7a2dbb3ea936806614300f5ab01c14ea6f0cfeac9203f942f67a fluxheim-1.6.29-cache-x86_64-linux.tar.gz
    • 2f58ccf8a987b1bf6f7f8e52ee7d108b2763ae3fd25e32b344ac4aeec53d0a11 fluxheim-1.6.29-proxy-x86_64-linux.tar.gz
    • d6a8758fd551adf9e11330c155c37cc0cee29721b766bcc2284c954e89a8828e fluxheim-1.6.29-php-x86_64-linux.tar.gz
    • 521bc13f0e67660c6141047a35df87e40975ac8a76f831c3059d4207aa550365 fluxheim-1.6.29-load-balancer-x86_64-linux.tar.gz
    • 9c9f216c22c24beba07ea07b3766826314ef865d066ffac48043d1c451ae868c fluxheim-1.6.29-config-tester-x86_64-linux.tar.gz
  • aarch64:
    • 8d21f3b870a7f9f3e95b0d8bf411edbfcf888c9603c2ba5d27f81df4c6e4f1fb fluxheim-1.6.29-full-aarch64-linux.tar.gz
    • 771f13eb1024ba24e1c544e08e0dfab45f06d1daf76decaf8b7864685b9aa089 fluxheim-1.6.29-cache-aarch64-linux.tar.gz
    • a13c0c47bc6c25db7f924734f7ee0d26acf607bec8dcd92b08d7a0675917251d fluxheim-1.6.29-proxy-aarch64-linux.tar.gz
    • bbbce4e20fbc6cefb0f998e4bea3e8c1863a4435dba7544695cf54bf8116349c fluxheim-1.6.29-php-aarch64-linux.tar.gz
    • fac2e61e31af7fbd07298c1ae39b24348392f6a4a0bb3c74f4527a71b32f1549 fluxheim-1.6.29-load-balancer-aarch64-linux.tar.gz
    • ea0b8d503dd4e2f18251ebc1df289b3bccd87913e0ce244aecba4b20e6f1f2a6 fluxheim-1.6.29-config-tester-aarch64-linux.tar.gz
  • macos:
    • d01985f36055b963bd74c23186cf1326f3c05ce743d73816ff7a78c1d67e4ec5 fluxheim-1.6.29-dev-aarch64-macos.tar.gz
• SBOM checksums:
  • 52b76ee2f29f2ce5793b80d7661ced54f3baeaa23f6e2e88a80c1d543726513c fluxheim.spdx.json
  • 88cb3053840d5e5fb9ed04ff5ab04dac772b0b0cc97a031f2d70efc82d775cea fluxheim.cyclonedx.json
• Reproducible build:
  • 17706cd45a8b56a5e09912b4f3693c2ebfbd6c3b89dad1cd020335ea87cc364f x86_64
  • 214a5936aa479bd2ba02cbcf418d7090d300f9e55a9bfdedaf2c533f6f2fd94b aarch64
  • addc01ed52c2f06d633cd9c388eb7310d0554378b73a7f5c39f217e1081abcb5 macos
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:c738544766ef230b5903ae6f6ff8a681ef41c4c7265d2ef5d4e040db5a73cd37
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:0b57b7eb15dbf665c479f6fe59486f3df1f0d775b9fa95eef9b90976cabe4bfa
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:4b3c32e8f23f09dc13c2c8896b77c5c148f693262f0ba14020576294327a51ab
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:0bd031a9b4e506a7a9b3b25bb00685972f8c8cf8bc6ce7b1a22f5fa3a53500ad
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:3cc3b5f4566b2305cf31cd029f730778d08b0cb6fa91f7b627d9bf6a196513db
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:0c959efa96e3b96c4caf5220f1d37e94497fc711bad19b3328e3e15b81e2102e
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:1e7cc497a950939ea83d143f16269cc31ef885ff7ea09a6ca80de16a0a99a114
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:24993e1db066b6106c5a84899e72ce478a5b6db895cd503c739915368899953f
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:1237664d117fca833f632ab570e550eb889fde0efb0b7490928536a4c62f6637
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:8385c021798df0800500f02ab3193de815cc4ff7ba902756c3860af58c69b0a3
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:258a4253bdd56ab2289825751be24686ca70777e1807e3d391b414290688311a
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:1a1f703e4985d05cf06b2689a86d4e3d06daebcdf6811d2866f81b8f76ecca3c
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:23283e8b6b0e7acf19e7c7de473566cb4293a90531fc6352deebb15d8c26e623
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:0cb5e7cd7b1c3acebd0f6b335ae7c2c068b1f65823969ba5104d87441876d38c
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:7b5dd755d40d5bf5db9a462d72c2c50dc7c8183ef45fb3eea4f75a9833427796
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:3fa15264f731120fd1492630b2e754a8ce989104a5a831dac98869fb148ec208
• Load Balancer Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:3f220ef6735bf274ee854597a5a7334072fee0d04b2cf8d82f173a47e8aa0bd1
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:963deaf685655ec9bffa7eccd8e18aecde085e2fccf3a4160cd3c2389266f3ef
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:ae85e8d9498bcf33ccdc2f9a64f474851293265fdea7bc464b192f3b637f28b3
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:1aa2ca8f9d7cfa3c7f3e17a6ec12126df429e20141b8f70dd3fa20daca7728ad
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4

---

This discussion was created from the release Fluxheim 1.6.29.