Fluxheim 0.5.0

Fluxheim 0.5.0 Release Notes

Version

• Version: 0.5.0
• Release date: 2026-05-06
• Git tag: v0.5.0
• Git commit: 134274f
• License: EUPL-1.2

Scope

Fluxheim 0.5.0 is the basic-sites preview. It is intended for normal static
HTML websites and simple whole-vhost reverse proxying with static TLS
certificates.

Stable preview scope:

• static web serving for HTML, CSS, JavaScript, images, fonts, and other normal
  site assets;
• vhost routing by Host header;
• static downstream TLS certificates, with rustls as the default backend;
• optional global HTTP-to-HTTPS redirect;
• simple whole-vhost reverse proxying to one upstream;
• request/header/body limits;
• default Server: fluxheim response header, removable by config;
• secure header mutation policy;
• static cache headers, ETag, conditional requests, and byte ranges;
• rootless Podman/container examples for Wolfi, Alpine, SUSE Micro, and Debian
  runtime variants;
• self-contained packaged default site and config serving
  /srv/fluxheim/index.html on port 8080;
• RPM packaging spec for RHEL/openSUSE-style builds from vendored Cargo
  dependencies;
• release checks for formatting, linting, tests, dependency policy, advisory
  policy, CodeQL, and local smoke coverage.

Default Cargo features:

• proxy
• web
• cache
• tls-rustls
• security

Highlights

• Basic vhost static hosting and simple reverse proxying are now documented as
  the preview release promise.
• Fresh packaged containers and RPMs serve the bundled Fluxheim default page
  without needing external JavaScript, fonts, or images.
• Container deployment examples include explicit graceful shutdown settings so
  normal podman compose down does not fall back to SIGKILL.
• The public 1.0.0 target is now defined as the gateway-ready release needed
  for representative real multi-site configs.

Security And Stability Gate

Release evidence to record immediately before publishing:

• Gate command: scripts/stable_release_gate.sh check or stronger
• Gate report directory: to be filled
• Result: to be filled
• cargo audit result: to be filled
• cargo deny check result: to be filled
• TLS scan result: to be filled, or explicitly marked not run for this preview
• Load smoke result: to be filled, or explicitly marked not run for this preview
• Request-framing smoke result: to be filled, or explicitly marked not run for
  this preview
• Fuzz target compile result: to be filled, or explicitly marked not run for
  this preview
• Podman smoke result: to be filled

Reviewed Advisory Exceptions

• protobuf < 3.7.2 may appear transitively through Pingora dependencies until
  upstream updates. Before publishing, record the exact dependency path from
  cargo audit, confirm whether Fluxheim parses attacker-supplied protobuf
  through that dependency in this release, and remove the exception as soon as
  the upstream fix is available.

Breaking Changes

• This is a pre-1.0.0 preview release. Config shape and behavior may still
  change when the change improves security or the 1.0.0 gateway target.

Upgrade Notes

• Prefer upstreams = ["host:port"] over the older single upstream = "host:port"
  field. Do not configure both in the same proxy block.
• Use [headers.*.add]/remove for user-friendly header changes. The older
  set/unset names remain compatible.
• For containers, keep the container stop timeout higher than
  server.process.grace_period_seconds + graceful_shutdown_timeout_seconds.

Known Limitations

These are intentional 1.0.0 blockers, not 0.5.0 promises:

• no multi-certificate SNI selection at runtime yet;
• no route/location layer yet;
• no route-level redirect/proxy/static actions yet;
• no websocket-specific upgrade support yet;
• no per-route body limits or upstream timeouts yet;
• no custom upstream error pages yet;
• no static alias or directory listing support yet;
• no runtime ACME issuance yet.

Container Images

Planned image tags after release validation:

• GitHub Container Registry: ghcr.io/valkyoth/fluxheim:v0.5.0-wolfi
• GitHub Container Registry: ghcr.io/valkyoth/fluxheim:v0.5.0-alpine
• GitHub Container Registry: ghcr.io/valkyoth/fluxheim:v0.5.0-suse-micro
• GitHub Container Registry: ghcr.io/valkyoth/fluxheim:v0.5.0-debian
• Docker Hub: matching variant tags when Docker Hub credentials are configured
• Runtime user: 65532:65532 by default
• Default config path: /etc/fluxheim/fluxheim.toml
• Default static site path: /srv/fluxheim/index.html
• Operator static site path: commonly mounted under /srv/sites/...
• Cache path: /var/cache/fluxheim
• State path: /var/lib/fluxheim

RPM Packaging

The release includes packaging/rpm/fluxheim.spec
and packaging/rpm/fluxheim.tmpfiles.

The spec expects a source tarball plus a vendored Cargo dependency tarball, then
builds with cargo --offline:

cargo vendor vendor > /tmp/fluxheim-cargo-config.toml
tar -czf fluxheim-0.5.0-vendor.tar.gz vendor

The default RPM feature set is profile-core. Builders can override it with:

rpmbuild -ba packaging/rpm/fluxheim.spec --define 'fluxheim_features profile-static-site'

Checksums And Signatures

• Source archive checksums:
  • c6ac3dba6be96130dd565f8fddbce1bf32bad9f576df69102934908b5f5a3da8 fluxheim-0.5.0.tar.gz
  • a69f62b9a135fa3984a8ec823e24f2ac15ca3e4bb1283b532f0c0a5d74b78625 fluxheim-0.5.0.zip
• Binary checksums:
  • 43227a55b23f4d2b01d4cd5be3e33a4980366745e6cc9c3127e31d8e32dbc770 fluxheim-0.5.0-linux-x86_64.tar.gz
• Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:daeb6819fe4cc818e29685576380eeb3342abdd54241406666c1c4aa24100acd
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:dabacaabdce9126bf7acc868b6e83e4d80cb8d53c4d5a4b77f8452f3459eaa81
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:2e8fae9cc12a21c7c0dc6cd11ac166d8c7ac6cd073a1ec0af280dc032a74e6ad
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:38d11e1bf05b8bdd8e606141e9e9889d3388f9908ba9421fa6a19a789ed1fa09
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4