Fluxheim 1.3.3

[eldryoth]

Fluxheim 1.3.3 Release Notes

Summary

Fluxheim 1.3.3 is the PHP-FPM hardening and production-compatibility follow-up
for the 1.3 line. It focuses on WordPress and framework migration behavior,
safer php-fpm operation under load, bounded configuration surfaces, and RFC
response correctness discovered during production and pentest testing.

• Release type: compatibility and hardening follow-up
• Compatibility: no broad config break intended
• Primary area: PHP-FPM, WordPress migration, bounded config, and HTTP
  correctness

Highlights

• Added opt-in php-fpm keepalive pooling with idle pruning through
  [vhosts.php.fpm] settings.
• Added safe custom FastCGI parameters with [vhosts.php.params] and
  [vhosts.routes.php.params], while preventing overrides of Fluxheim-managed
  CGI variables.
• Added split filesystem-root support with php.fpm_root and optional final
  root symlink resolution with php.resolve_root_symlink.
• Added typed PHP routing presets with php.try_files and
  php.preset = "wordpress" for front-controller migrations without broad
  rewrite-string interpolation.
• Added php.deny_path_prefixes for defense-in-depth blocking of PHP
  execution under upload/file directories.
• Added php.pass_request_headers, php.pass_request_body,
  php.hide_response_headers, php.ignore_origin_cache_headers, and
  php.intercept_error_statuses for common NGINX/Caddy migration controls.
• Added PHP error-page support with [[vhosts.php.error_pages]] and
  route-level PHP error pages.
• Added configurable PHP response header caps and capped PHP response buffering
  through php.max_response_header_bytes and php.max_response_bytes.
• Added opt-in request-body disk spooling for large PHP uploads through
  php.request_body_spool_threshold_bytes and
  php.request_body_spool_dir.
• Added php-fpm TCP upstream lists, safe-method failover, retry windows, and
  invalid-response/status retry controls.
• Added PHP-specific Prometheus metrics and low-cardinality OTLP trace
  attributes for request outcome, retries, STDERR events, and keepalive pool
  state.
• Added PHP-assisted static offload for X-Accel-Redirect and X-Sendfile,
  plus X-Accel-Expires response handling.
• Added WordPress shared-cache safety helpers through cache.preset = "wordpress" for admin/login/path, cookie-prefix, query-string, and
  authorization bypasses.
• Added PHP app recipe documentation for WordPress, WordPress Multisite,
  Laravel, Symfony, Flarum, MediaWiki, phpBB, XenForo, MyBB, and
  Discourse-as-proxy. The review found no missing PHP-FPM protocol primitive
  for the PHP apps, but flat-root apps still need careful static path exposure
  until Fluxheim has generic static deny/allow policy.
• Capped major config collections, including upstream lists, header mutation
  policies, listener lists, trusted proxies, vhosts, routes, ACME issuers and
  domains, TLS allow-lists, static index files, cache key parts, and metric/log
  label names.
• Hardened HTTP behavior for RFC 9110/9112 findings: ACME 405 responses now
  include Allow, proxied messages append Via, chunked bodies without
  Content-Length are accepted, satisfiable static multi-range requests fall
  back to full responses, and generated text error bodies include
  Content-Type.
• Hardened PHP-FPM CGI parameter handling and runtime path handling after
  post-hardening review: sanitized CGI SERVER_NAME fallback, validated
  CONTENT_TYPE, added defense-in-depth checks for PATH_TRANSLATED, created
  PHP upload spool directories with private Unix permissions, and canonicalized
  existing php.fpm_root paths while preserving separate-container path
  mapping.
• Added private-PKI CA bundle support for OTLP metrics and tracing exporters
  through metrics.otlp.tls_ca_cert_path and
  tracing.otlp.tls_ca_cert_path, plus warnings for plaintext OTLP endpoints
  outside loopback.
• Added stronger operator warnings for high-risk PHP_VALUE and
  PHP_ADMIN_VALUE directives, including an error-level warning when
  PHP_ADMIN_VALUE overrides disable_functions.
• Hardened admin throttling so exhausted per-source tracking fails closed with
  a global lockout.
• Updated base64-ng to 1.0.0.

Notes

Super Cache/W3TC static cache-file probing is not part of 1.3.3. The
implemented WordPress cache preset is a shared-cache safety preset. Static-file
fallback probing remains future work and should use typed file-probing rules
rather than arbitrary rewrite-string interpolation.

FastCGI multiplexing, authorizer, filter, and management roles remain
unsupported in 1.3.x. Fluxheim's PHP-FPM path supports the normal
one-request-at-a-time FCGI_RESPONDER web-serving subset.

Build

Build the PHP-FPM release profile explicitly:

cargo build --release --locked --no-default-features \
  --features profile-web-server,php-fpm,acme-client \
  --bin fluxheim --bin fluxheim-acme

Build the standalone config tester release artifact:

cargo build --release --locked --no-default-features \
  --features profile-development \
  --bin fluxheim-config-tester

Checksums And Signatures

• Commit: 045df2605d219eba7c76510c386209028329f866
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • 1e1d7cede7b147d9f2a30d9c992eaec07ef202302eac2f52917e9892c5f7f8f7 fluxheim-1.3.2.tar.gz
  • ef31837452bb1c67bdaf440ccc57bad08893393de00712b259442181cd0bf60a fluxheim-1.3.2.zip
• Binary checksums:
  • 07f19d681fea240d1bddec62b90c6a53595cd151f70ff4d69eb673e54203aee8 fluxheim-1.3.2-full-x86_64-linux.tar.gz
  • af5611582ebb4d4cbb61a782e59fa0c7d692f1e0e5bdb588116cc4030d958ed8 fluxheim-1.3.2-cache-x86_64-linux.tar.gz
  • 6bd9eab36385e6e19304937f078b8ddbeb3681d46c30dd6db8da9c7359e8d9b2 fluxheim-1.3.2-proxy-x86_64-linux.tar.gz
  • 987a9453c6ae38ebf9244fc81f7962baf31668bebcb7ce928f813428a753a978 fluxheim-1.3.2-php-x86_64-linux.tar.gz
  • d483fe5407f23cc1ce3f72575c456cdd8b5f4b353ffceaa2c4a595a65c135e2e fluxheim-1.3.2-config-tester-x86_64-linux.tar.gz
• SBOM checksums:
  • 3d96bd94f660e52b9e5238821198107d6195964c473d93d6ccc99f28782caf57 fluxheim.spdx.json
  • 583de936d485ee6cd739926134c064ae76d5b0c5c78c8598dcfc791aab129b28 fluxheim.cyclonedx.json
• Reproducible build:
  • 1f9ddf39fb91399fafe62129f3c6bec0d9711d951466adc04f65c02dd1d91d6b
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:2fa63c243eedf609764a992636e0c5e633d8e0fd4173f4a1077c04b32eadb3b7
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:3b2b444663dba9039eaef3ca58709779713dcaf0a2daba96d3faec0bfe853751
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:05b407e704863afafdf9f28b1ba620318921b3d44520f93a93f3cd996cbe5253
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:60c42682300cc55dbb86685759b1e6a72cb2b62a138076f1654a478ac41ef196
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:5f664cbd0db2f142fe8362a4e1888a374ea0e21dbf2da97199511797926a360e
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:596dba55975b6e68454182e787ed7e5636d6298f70fa82301bd381570c518673
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:83304005c33d55610e0d193c7367921c17e55657d878c3a3d6caaede77f04d9b
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:75986c57f02fada0d1999e5969dce61ba76adba7e9c23713f5dde5774da429c1
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:7f9095bdf2501975ba784c0b5a942eb774757400dcbce5a79d85549f5458d32c
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:8430322c2954f05d1954b221fe89bf2e45c0fa313f0743dc50f653c839f9ef62
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:ae123438490fbd7e0180711073aeff2ee82dfc8babc01fba20ce290e6eb8cc35
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:9eb15f703e094b513836542a0ea1623ac5d0ac47e6ae1831d6d755e0bdd2f03b
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:8bdf057efc34cd952e04009ec24677844d38355fd9f5fc01a809908b10bd2095
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:6a1034c028083bb9f40b13560258d06cdaee1c0d2576ffe20537a0adddc73b06
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:1133c64ec32f8400dc0d1e6ee735146f136fdca83c2bf421cf9f65ff3809254c
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:b9ed9238c16592054a4b4775660a3d3bc024df2e512f63a10a5bfed1715cbb54
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4

---

This discussion was created from the release Fluxheim 1.3.3.