Fluxheim 1.3.2

Fluxheim 1.3.2 Release Notes

Summary

Fluxheim 1.3.2 starts the operational follow-up for ACME first issuance and
container diagnostics. The first implemented slice is a standalone
fluxheim-config-tester binary that can be downloaded from release assets and
used to validate mounted configs without starting the gateway container.

• Release type: operational follow-up
• Compatibility: no config format break intended
• Primary area: config validation, release diagnostics, and ACME operations

Highlights

• Added fluxheim-config-tester as a separate binary target.
• Added target-profile validation for full, cache, proxy, web-php,
  development, and future load-balancer profiles.
• Added tester modes for runtime-path validation, TLS storage checks, ACME
  target preview, upstream DNS resolution, and --explain output.
• Added the fluxheim-acme companion binary with renew and targets
  commands.
• Added a local Unix-domain certificate reload socket for companion-driven live
  certificate activation after renewal.
• Added fluxheim-acme status and fluxheim-acme renew --vhost <name> for
  single-target ACME checks and renewal on multi-site gateways.
• Added fluxheim-acme reload for explicit certificate-handle reload requests
  through the local control socket.
• Added fluxheim_acme_events_total{event} metrics for pending, renewed,
  failed, and reload outcomes with bounded labels only.
• Packaged fluxheim-acme into RPMs and runtime images for external
  service/timer and container companion workflows.
• Kept the tester out of normal RPM installation and runtime images; it is a
  release diagnostics artifact.
• Hardened ACME reload socket responses with a bounded read, kept ACME/cache
  secret-file intermediates in zeroizing buffers, and capped Admin API JSON
  response/error sizes.
• Hardened the certificate reload control socket with private bind/listen
  sequencing and read timeouts.
• Hardened filesystem opens with portable Unix O_NOFOLLOW coverage for
  config, snapshot, web, runtime-log, ACME, and admin-token paths.
• Hardened trace-context generation so CSPRNG failure disables tracing for the
  request instead of spinning indefinitely.
• Hardened admin authentication and responses with per-process HMAC token
  digests, generic internal-error responses, and global-only throttling for
  indeterminate client sources.
• Documented the current protobuf advisory boundary: Fluxheim's Pingora metrics
  endpoint uses text encoding directly and does not expose protobuf parsing.

Build

Build the main runtime and tester for a profile explicitly:

cargo build --release --locked --no-default-features \
  --features profile-web-server,php-fpm,acme-client \
  --bin fluxheim --bin fluxheim-acme --bin fluxheim-config-tester

Checksums And Signatures

• Commit: 28d90cdcde54927f5cb3f9221081ad7e4dc46fc5
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • 759d4508c8ca1a92c1bbdf4da46d31eac9ba5331ac2edeb7e4b30f2e940cf4cb fluxheim-1.3.2.tar.gz
  • 10cea316f0ec521e33e450179df656625571542d1ba26c3d181a19af21320ef6 fluxheim-1.3.2.zip
• Binary checksums:
  • 2c83ffd66dcc49d440d257b78720584d1dd2a5e40dd9a4ab53730938d8226e1e fluxheim-1.3.2-full-x86_64-linux.tar.gz
  • 68cdbf628ed034ab016e51a9076f0c3a4717c4c797666a2ec3eb57070e0f55ed fluxheim-1.3.2-cache-x86_64-linux.tar.gz
  • 7c6b01532a14953a414a5aeda678cd9c224f07a433a82b212021b7d7d8cd9486 fluxheim-1.3.2-proxy-x86_64-linux.tar.gz
  • af732a4298d7382255216ba13aff9efa285a6f317e2fab09ba1936084e3c067b fluxheim-1.3.2-php-x86_64-linux.tar.gz
  • 43201db54cd30a702f27a6f03e61b8a5b054191edddcd1492e0e855927559480 fluxheim-1.3.2-config-tester-x86_64-linux.tar.gz
• SBOM checksums:
  • 5f72e3f3a872264f2c402ef186f27bdbb451920f08381d35ff74a89d417dd627 fluxheim.spdx.json
  • 65a8caf5b078708be95f16361b0ae0fbf1e77acf2ff816b6f349cd34a80ae45d fluxheim.cyclonedx.json
• Reproducible build:
  • cd1daa3e02891ab7b6989d72f6268438318563ce4e618335f8ef00c4822b35be
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:7a77d5470235703695b91387701052b69af901e3e05d3e906c0be83daf8630f5
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:4332283d133072109bf7a080fa63c7d264c7ce1206621ddd887018950f9f5a85
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:22dad36c9707ca4a43bfc8f773c9cb7a5daa1ca82eb59deed457fb4b28517ceb
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:3ce73c97b015699c1a0d86243ec62155a97123e9853fa3d922878e2154dfb3d2
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:4ba7fca9502cabf6db74017065a184d8e7736f366e84b32b67149a1ad514089c
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:6835551bf6943ad6fc09b158a075462d0613a288bb418bbdc33b1728f73ea629
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:6bcefc03a0e2ce7cb2dffbfb267e2ba4b435e1e3c5dcf2f012cd3166c499aa4e
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:3a6250bc8a992a4ad2d48f1f06aa1c1ca92488eff7ef89837fd1a3dbc7f2df09
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:b6a6c808a48549d248ac92a7dacd471db26e3da633a3546ee7b7411252712d67
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:bfb5561adee079e5ab034026d56e67731b4e1e5228035da541a9d0647cfd899d
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:c9087d4cd3a81e9bedbb4a24eb8987e6fcc5525acd4d365dc674154245eb762c
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:0a6eb78464ea723b160a7deef39dd5bf932ba3e8e3f0c275d791ba05b1769333
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:0b6d527ddd1c27a0752f0e118139ef835eccf363c49449f1d1d977ee3d790650
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:0a059ff721654167d704e64fc4c3540757704ad112cd3fdec3de569940fc96a7
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:c9247cd924fed788e096130b664db0cd2a10a6db7a44dc6b7a9a639615da251c
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:06311ffa9425f885f30e0ba006a914282764de5e69f380e2d1b4a8bb955fbb57
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4