Skip to content

Fluxheim 1.3.3

Choose a tag to compare

View all tags
@eldryoth eldryoth released this 20 May 18:58
· 1042 commits to main since this release
Immutable release. Only release title and notes can be modified.
v1.3.3
This tag was signed with the committer’s verified signature.
eldryoth
SSH Key Fingerprint: EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Verified
Learn about vigilant mode.
045df26
This commit was signed with the committer’s verified signature.
eldryoth
SSH Key Fingerprint: EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Verified
Learn about vigilant mode.

Fluxheim 1.3.3 Release Notes

Summary

Fluxheim 1.3.3 is the PHP-FPM hardening and production-compatibility follow-up
for the 1.3 line. It focuses on WordPress and framework migration behavior,
safer php-fpm operation under load, bounded configuration surfaces, and RFC
response correctness discovered during production and pentest testing.

  • Release type: compatibility and hardening follow-up
  • Compatibility: no broad config break intended
  • Primary area: PHP-FPM, WordPress migration, bounded config, and HTTP
    correctness

Highlights

  • Added opt-in php-fpm keepalive pooling with idle pruning through
    [vhosts.php.fpm] settings.
  • Added safe custom FastCGI parameters with [vhosts.php.params] and
    [vhosts.routes.php.params], while preventing overrides of Fluxheim-managed
    CGI variables.
  • Added split filesystem-root support with php.fpm_root and optional final
    root symlink resolution with php.resolve_root_symlink.
  • Added typed PHP routing presets with php.try_files and
    php.preset = "wordpress" for front-controller migrations without broad
    rewrite-string interpolation.
  • Added php.deny_path_prefixes for defense-in-depth blocking of PHP
    execution under upload/file directories.
  • Added php.pass_request_headers, php.pass_request_body,
    php.hide_response_headers, php.ignore_origin_cache_headers, and
    php.intercept_error_statuses for common NGINX/Caddy migration controls.
  • Added PHP error-page support with [[vhosts.php.error_pages]] and
    route-level PHP error pages.
  • Added configurable PHP response header caps and capped PHP response buffering
    through php.max_response_header_bytes and php.max_response_bytes.
  • Added opt-in request-body disk spooling for large PHP uploads through
    php.request_body_spool_threshold_bytes and
    php.request_body_spool_dir.
  • Added php-fpm TCP upstream lists, safe-method failover, retry windows, and
    invalid-response/status retry controls.
  • Added PHP-specific Prometheus metrics and low-cardinality OTLP trace
    attributes for request outcome, retries, STDERR events, and keepalive pool
    state.
  • Added PHP-assisted static offload for X-Accel-Redirect and X-Sendfile,
    plus X-Accel-Expires response handling.
  • Added WordPress shared-cache safety helpers through cache.preset = "wordpress" for admin/login/path, cookie-prefix, query-string, and
    authorization bypasses.
  • Added PHP app recipe documentation for WordPress, WordPress Multisite,
    Laravel, Symfony, Flarum, MediaWiki, phpBB, XenForo, MyBB, and
    Discourse-as-proxy. The review found no missing PHP-FPM protocol primitive
    for the PHP apps, but flat-root apps still need careful static path exposure
    until Fluxheim has generic static deny/allow policy.
  • Capped major config collections, including upstream lists, header mutation
    policies, listener lists, trusted proxies, vhosts, routes, ACME issuers and
    domains, TLS allow-lists, static index files, cache key parts, and metric/log
    label names.
  • Hardened HTTP behavior for RFC 9110/9112 findings: ACME 405 responses now
    include Allow, proxied messages append Via, chunked bodies without
    Content-Length are accepted, satisfiable static multi-range requests fall
    back to full responses, and generated text error bodies include
    Content-Type.
  • Hardened PHP-FPM CGI parameter handling and runtime path handling after
    post-hardening review: sanitized CGI SERVER_NAME fallback, validated
    CONTENT_TYPE, added defense-in-depth checks for PATH_TRANSLATED, created
    PHP upload spool directories with private Unix permissions, and canonicalized
    existing php.fpm_root paths while preserving separate-container path
    mapping.
  • Added private-PKI CA bundle support for OTLP metrics and tracing exporters
    through metrics.otlp.tls_ca_cert_path and
    tracing.otlp.tls_ca_cert_path, plus warnings for plaintext OTLP endpoints
    outside loopback.
  • Added stronger operator warnings for high-risk PHP_VALUE and
    PHP_ADMIN_VALUE directives, including an error-level warning when
    PHP_ADMIN_VALUE overrides disable_functions.
  • Hardened admin throttling so exhausted per-source tracking fails closed with
    a global lockout.
  • Updated base64-ng to 1.0.0.

Notes

Super Cache/W3TC static cache-file probing is not part of 1.3.3. The
implemented WordPress cache preset is a shared-cache safety preset. Static-file
fallback probing remains future work and should use typed file-probing rules
rather than arbitrary rewrite-string interpolation.

FastCGI multiplexing, authorizer, filter, and management roles remain
unsupported in 1.3.x. Fluxheim's PHP-FPM path supports the normal
one-request-at-a-time FCGI_RESPONDER web-serving subset.

Build

Build the PHP-FPM release profile explicitly:

cargo build --release --locked --no-default-features \
  --features profile-web-server,php-fpm,acme-client \
  --bin fluxheim --bin fluxheim-acme

Build the standalone config tester release artifact:

cargo build --release --locked --no-default-features \
  --features profile-development \
  --bin fluxheim-config-tester

Checksums And Signatures

  • Commit: 045df2605d219eba7c76510c386209028329f866
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • 5d75d264f8156302bb18fc775b9b2910f15722e7655ab54ee45fe2fd4fcd83a4 fluxheim-1.3.3.tar.gz
    • 683597a97e7682a960739200dcb161e8610f202cd94a8dd1b0976776c008945f fluxheim-1.3.3.zip
  • Binary checksums:
    • 07f19d681fea240d1bddec62b90c6a53595cd151f70ff4d69eb673e54203aee8 fluxheim-1.3.3-full-x86_64-linux.tar.gz
    • af5611582ebb4d4cbb61a782e59fa0c7d692f1e0e5bdb588116cc4030d958ed8 fluxheim-1.3.3-cache-x86_64-linux.tar.gz
    • 6bd9eab36385e6e19304937f078b8ddbeb3681d46c30dd6db8da9c7359e8d9b2 fluxheim-1.3.3-proxy-x86_64-linux.tar.gz
    • 987a9453c6ae38ebf9244fc81f7962baf31668bebcb7ce928f813428a753a978 fluxheim-1.3.3-php-x86_64-linux.tar.gz
    • d483fe5407f23cc1ce3f72575c456cdd8b5f4b353ffceaa2c4a595a65c135e2e fluxheim-1.3.3-config-tester-x86_64-linux.tar.gz
  • SBOM checksums:
    • 3d96bd94f660e52b9e5238821198107d6195964c473d93d6ccc99f28782caf57 fluxheim.spdx.json
    • 583de936d485ee6cd739926134c064ae76d5b0c5c78c8598dcfc791aab129b28 fluxheim.cyclonedx.json
  • Reproducible build:
    • 1f9ddf39fb91399fafe62129f3c6bec0d9711d951466adc04f65c02dd1d91d6b
  • Full Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:2fa63c243eedf609764a992636e0c5e633d8e0fd4173f4a1077c04b32eadb3b7
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:3b2b444663dba9039eaef3ca58709779713dcaf0a2daba96d3faec0bfe853751
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:05b407e704863afafdf9f28b1ba620318921b3d44520f93a93f3cd996cbe5253
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:60c42682300cc55dbb86685759b1e6a72cb2b62a138076f1654a478ac41ef196
  • Cache Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:5f664cbd0db2f142fe8362a4e1888a374ea0e21dbf2da97199511797926a360e
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:596dba55975b6e68454182e787ed7e5636d6298f70fa82301bd381570c518673
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:83304005c33d55610e0d193c7367921c17e55657d878c3a3d6caaede77f04d9b
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:75986c57f02fada0d1999e5969dce61ba76adba7e9c23713f5dde5774da429c1
  • Proxy Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:7f9095bdf2501975ba784c0b5a942eb774757400dcbce5a79d85549f5458d32c
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:8430322c2954f05d1954b221fe89bf2e45c0fa313f0743dc50f653c839f9ef62
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:ae123438490fbd7e0180711073aeff2ee82dfc8babc01fba20ce290e6eb8cc35
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:9eb15f703e094b513836542a0ea1623ac5d0ac47e6ae1831d6d755e0bdd2f03b
  • PHP Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:8bdf057efc34cd952e04009ec24677844d38355fd9f5fc01a809908b10bd2095
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:6a1034c028083bb9f40b13560258d06cdaee1c0d2576ffe20537a0adddc73b06
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:1133c64ec32f8400dc0d1e6ee735146f136fdca83c2bf421cf9f65ff3809254c
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:b9ed9238c16592054a4b4775660a3d3bc024df2e512f63a10a5bfed1715cbb54
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Assets 8
Loading
0 Join discussion