Fluxheim 1.4.0

Fluxheim 1.4.0 Release Notes

Fluxheim 1.4.0 is the first production proxy parity release. It consolidates
the planned edge-policy, upstream-resilience, TLS/identity, and HTTP/2/gRPC
proxy work into one larger 1.4 baseline instead of splitting it across several
small unreleased milestones.

Highlights

• Edge policy controls: trusted-proxy-aware IP ACLs, local token-bucket request
  limits, in-flight concurrency limits, bounded delay/queue behavior, and
  Prometheus counters for policy decisions.
• Compression: opt-in gzip, Zstandard, and Brotli response compression with
  vhost and route overrides, MIME/size limits, output-size caps, conservative
  sensitive-response handling, and cache-safe Vary: Accept-Encoding.
  Official production profile aliases compile all three codecs; runtime config
  still controls which vhosts and routes use them.
• Upstream selection and resilience: weighted round-robin, least connections,
  power-of-two, source/URI/header/cookie hash selection, consistent-hash
  support, backup/drain policies, slow start, retry budgets, passive
  failure/5xx/latency ejection, and active HTTP health checks.
• Proxy rewrite controls: response Location, Refresh, and Set-Cookie
  domain/path rewrite rules plus route rewrite_prefix mapping for common
  NGINX/Apache reverse-proxy migrations.
• Observability: structured access log fields for trusted client IP, cache
  phase, route, selected upstream, downstream TLS identity, and applied
  compression; OTLP spans use resolved route identity and report compression.
• TLS and identity: listener client-certificate authentication, downstream TLS
  identity header template variables, route/vhost client-cert fingerprint
  policy, and admin client-cert fingerprint hardening for trusted terminators.
• Upstream protocol controls: upstream certificate and hostname verification
  controls, custom trust roots, upstream mTLS client certificates, PROXY
  protocol v1/v2 receive/send, upstream HTTP version selection, bounded HTTP/2
  controls, and route-scoped gRPC pass-through policy.
• Upstream connection tuning: total connection timeout, idle timeout, TCP
  keepalive, Linux user timeout, receive-buffer size, DSCP, and TCP Fast Open
  controls.

Security Hardening

• Hardened route strip_prefix / rewrite_prefix forwarding against
  double-encoded traversal segments and decoded ASCII control bytes such as
  %00.
• Replaced concurrency-limit polling waiters with semaphore-backed permits and
  bounded max_queue waiters so saturated routes cannot create an unbounded
  wakeup loop.
• Changed admin and route/vhost client-certificate fingerprint list checks to
  compare across the full list without short-circuiting on the first matching
  byte prefix.
• Rejected TLS identity templates in request-header append policies. Use
  add/set for TLS identity headers so Fluxheim strips any inbound spoofed
  copy before forwarding the trusted value.
• Added reject_indeterminate to rate-limit policies so operators can reject
  requests when no effective client IP is available instead of sharing one
  anonymous bucket.
• Bounded process-global slice-cache fill concurrency keys and abort on a
  poisoned slice-fill lock.
• Removed the process ID from generated snapshot IDs returned by the
  authenticated admin API.
• Documented the shared anonymous rate-limit bucket used when no effective
  client IP is available, and added a startup security warning for
  admin-client-certificate header gates on loopback listeners.

Compatibility Notes

• The new proxy controls are opt-in. Existing static, proxy, cache, PHP-FPM,
  ACME, and FIPS/ISO-capable configurations remain on their existing defaults
  unless the new config blocks are enabled.
• [vhosts.concurrency] and [vhosts.routes.concurrency] now accept
  max_queue; 0 derives a bounded queue size from max_in_flight.
• Compression requires the compression feature plus at least one codec
  feature: compression-gzip, compression-zstd, or compression-brotli.
  privacy-mode rejects compression at compile time.
• Client-certificate authentication requires a configured CA bundle and a TLS
  backend path that exposes the needed verification hooks. s2n remains
  fail-closed for client-auth and selected upstream PEM-loader paths until the
  backend can be wired without panic-prone helpers.
• gRPC support is pass-through only. Fluxheim does not perform gRPC-Web or JSON
  transcoding in 1.4.0.
• Dynamic upstream discovery, file-watched upstream lists, traffic mirroring,
  richer regex/template rewrites, local operational sockets, and typed hook
  points have been moved to the planned 1.4.1 proxy-operations release.

Checksums And Signatures

• Commit: 8509198c72704fea87901c952706b7dcad7a6193
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • 1e1d7cede7b147d9f2a30d9c992eaec07ef202302eac2f52917e9892c5f7f8f7 fluxheim-1.4.0.tar.gz
  • ef31837452bb1c67bdaf440ccc57bad08893393de00712b259442181cd0bf60a fluxheim-1.4.0.zip
• Binary checksums:
  • 2534b80db229e4406a8849e5c81643a6b1f7b799b8b83f77b8a44b729b3f8c7d fluxheim-1.4.0-full-x86_64-linux.tar.gz
  • 3be656f31c31862d33cbe495eb530bf4e8d5630aa10b3eb939ec36f0f0383028 fluxheim-1.4.0-cache-x86_64-linux.tar.gz
  • ec25debe830c756c67762e922eda45a98d27c5cf2751ef90466d7f8de7cb7198 fluxheim-1.4.0-proxy-x86_64-linux.tar.gz
  • 63250dba7363f9f982b39e7954ada3e24dba90ced00def4ce7791dd002af3c2e fluxheim-1.4.0-php-x86_64-linux.tar.gz
  • 499aa0da78bfe8a32009974187711e7c9e80756adc6c73efade96b6bd2bd2c6d fluxheim-1.4.0-config-tester-x86_64-linux.tar.gz
• SBOM checksums:
  • 5ff63860c00c39217a3ce673969f839176d30916b98af583dbc96f561632a7a5 fluxheim.spdx.json
  • 99a054fc977a6cc798544c7740c29438ee2e1fbbd69a18db97c840d97f1a4cee fluxheim.cyclonedx.json
• Reproducible build:
  • 971a64a81710b1c0ed08458588e7a6cd220a5e02b8a9519cc61a9db477cac42d
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:06cb2f4a0e0a8ffbd3687108585f612d74cc679aabc44ec3a2ce8d1cf78e8360
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:9aa2c8696a7e864794f33b9c6c401ef95ab846b6ba89bc73478b4ce617885746
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:b5b7bfa55d8976c8651356dbe44571449334bc6923a282a5fed9a9d9658e27d0
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:5f2f992f643ede10aa1a7a192cc978ad28ab182ea57499b0ed78eb7e3d896c7d
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:002c6bc912183a3b7f48e7a9fe72d9d5575955188b8572507f70f6227d57efe0
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:97f5998ba034afb5fdfc2c7fd249cc93c2595b27ddabc56f6597d8d9288c0532
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:1250403ae2fe05b294233131cc6c4aaece1ec3a8f08d9b516501aa9ce5c3cc18
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:b627694d0af4976b4af231048f8c5eacfffdd7e42657631129c7c6f18234e98f
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:68fc0eaa24e0ac3d90c4d378379859ce8d3e71f9f163ebd4e78ed3e2f03f826b
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:a6fadeeb327dda1584882d87f0c8207964f87cb8e97c46e58e4a2ef4b3ffe1d4
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:c0eed77b36f70eaa0bf0e54d6d656b626d6d18ec5e83ee95269763b077f69345
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:9aebd96706a98b5cb3b5900692fe1b87f83a5bfe48f227d2c308a23f99c95644
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:608853f9f375b7d9bdd371af9d2f7076f7fd7e3647941f6143ca81ad07643ee7
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:57337998fe0bec876117ced1ee125dd228feb9fdd919409fdb6538185c857bd6
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:1f208de3ac919ee0831dd729bc15c6064e31f9017f882bb11250848ddf568ebc
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:7bc27e183c14ccc977fd928a7b20782a02da8643274974d899a9c682ca1608fb
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4