Fluxheim 1.3.1

@eldryoth eldryoth released this 16 May 14:21
v1.3.1
6128f1d

Fluxheim 1.3.1 Release Notes

Summary

Fluxheim 1.3.1 starts PHP application support with an explicit php-fpm
compile-time module. It is intended for operators who want Fluxheim to serve
WordPress-style PHP applications directly through php-fpm while keeping PHP out
of default, cache, proxy, and privacy builds.

  • Release type: PHP-FPM feature release
  • Compatibility: opt-in build feature and opt-in vhost/route configuration
  • Primary area: PHP-FPM config, secure script resolution, FastCGI response
    handling, docs, and feature-policy checks

Highlights

  • Added php, php-fpm, php-turbine, and php-phprs feature gates.
  • Implemented the production php-fpm path through fastcgi-client.
  • Added [vhosts.php] and [vhosts.routes.php] typed config.
  • Added strict PHP script resolution below the configured PHP root.
  • Added WordPress-style front-controller dispatch through index.php.
  • Existing non-PHP files under the PHP root can still be served by the normal
    static file path.
  • PHP request bodies are bounded before being sent to php-fpm.
  • PHP response headers are parsed strictly and CRLF/control-byte injection is
    rejected.
  • Added examples/php-fpm.toml and PHP runtime documentation.
  • Added feature-policy checks that reject multiple PHP runtime features in one
    binary.
  • Normalized split browser Cookie headers for both reverse-proxy upstreams
    and PHP-FPM HTTP_COOKIE, fixing WordPress login/admin flows seen behind
    HTTP/2 and container gateways.
  • Added a hardened scripts/browser_wordpress_login_probe.mjs helper for
    capturing browser-level WordPress login behavior when curl succeeds but a
    real browser does not.
  • Hardened cache Vary request hashing with length-prefixed components.
  • Updated compatible Rust dependencies, keeping prometheus pinned where
    Pingora compatibility requires it.
  • Completed a final pentest/code-scanning cleanup pass for the 1.3.1 release
    candidate.
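
A sketch of the strict response-header handling named in the highlights, added here and not taken from Fluxheim's source: it parses the CGI-style header block that php-fpm returns and rejects, rather than strips, bare CR/LF and other control bytes. The function names, error variants, and exact accept rules (CRLF line endings, RFC 9110 token names, status 100 to 599) are assumptions.

```rust
// Added illustration, not Fluxheim source: names and exact rules are assumptions.
#[derive(Debug, PartialEq)]
enum HeaderError { Unterminated, Malformed, BadName, BadValue, BadStatus }

fn is_token(b: &u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(b)
}

fn trim_ows(mut v: &[u8]) -> &[u8] {
    while let [b' ' | b'\t', rest @ ..] = v { v = rest; }
    while let [rest @ .., b' ' | b'\t'] = v { v = rest; }
    v
}

fn parse_status(v: &[u8]) -> Option<u16> {
    let digits = v.get(..3)?;
    let ends_ok = v.get(3).map_or(true, |&b| b == b' ');
    if !digits.iter().all(u8::is_ascii_digit) || !ends_ok { return None; }
    let code = digits.iter().fold(0u16, |n, &d| n * 10 + u16::from(d - b'0'));
    (100..=599).contains(&code).then_some(code)
}

/// Splits php-fpm stdout into (status, headers, body) or returns the first violation.
fn parse_cgi_response(raw: &[u8]) -> Result<(u16, Vec<(String, Vec<u8>)>, &[u8]), HeaderError> {
    let end = raw.windows(4).position(|w| w == b"\r\n\r\n").ok_or(HeaderError::Unterminated)?;
    let (mut rest, body) = (&raw[..end], &raw[end + 4..]);
    let (mut status, mut headers) = (200u16, Vec::new());
    loop {
        let cut = rest.windows(2).position(|w| w == b"\r\n");
        let line = &rest[..cut.unwrap_or(rest.len())];
        let colon = line.iter().position(|&b| b == b':').ok_or(HeaderError::Malformed)?;
        let (name, value) = (&line[..colon], trim_ows(&line[colon + 1..]));
        if name.is_empty() || !name.iter().all(is_token) { return Err(HeaderError::BadName); }
        // Bare CR, bare LF, NUL and other control bytes are rejected, not stripped.
        if value.iter().any(|&b| (b < 0x20 && b != b'\t') || b == 0x7f) { return Err(HeaderError::BadValue); }
        if name.eq_ignore_ascii_case(b"status") {
            status = parse_status(value).ok_or(HeaderError::BadStatus)?;
        } else {
            headers.push((String::from_utf8_lossy(name).to_ascii_lowercase(), value.to_vec()));
        }
        match cut { Some(i) => rest = &rest[i + 2..], None => break }
    }
    Ok((status, headers, body))
}

fn main() {
    // Constructed php-fpm output: a redirect whose Location value carries a bare LF.
    let raw = b"Status: 302 Found\r\nLocation: /a\nSet-Cookie: x=1\r\n\r\n";
    println!("{:?}", parse_cgi_response(raw).map(|(s, h, _)| (s, h.len())));
}
```

Failing the whole response on the first violation means a malformed header is never partially forwarded to the client.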

Validation Notes

The 1.3.1 release candidate was validated with:

  • PHP-FPM WordPress install, login, plugin add/delete, and theme add flows.
  • Reverse-proxy WordPress login/admin flows in the dev Wolfi image.
  • CodeQL/code scanning clean after script hardening.
  • Automated pentest clean except for accepted Pingora dependency findings.

Build

PHP-FPM is not compiled by default. Build it explicitly:

cargo build --release --locked --no-default-features \
  --features profile-web-server,php-fpm,acme-client

The broad full profile remains non-PHP by default. Use the PHP-FPM feature set
above, or the PHP-focused container/build profile, when the deployment should
serve PHP applications directly.

Checksums And Signatures

  • Commit: 6128f1d4d507f6ef9639d8852cdc1aa7c6af05e0
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4