Fluxheim 1.6.10

Fluxheim 1.6.10 Release Notes

Fluxheim 1.6.10 continues the 1.6 Pingora-exit line by adding the first
Fluxheim-owned native HTTP/1 upstream/proxy foundation. The active production
HTTP runtime still uses the Pingora compatibility adapter until route policy,
cache, PHP-FPM, ACME, observability, and failure-semantics parity are green on
the native path.

Added

• Added a bounded native HTTP/1 upstream client for plain static upstreams.
• Added upstream request serialization, response-head parsing, fixed-length
  response bodies, chunked response bodies, and close-delimited response bodies
  to the native HTTP/1 migration path.
• Added native proxy candidate inventory in fluxheim-server so eligible
  vhost and route proxy configurations can be discovered before cutover.
• Added a staged native proxy handler for plain static upstreams.
• Added Fluxheim-owned native proxy Via and X-Forwarded-For header
  injection parity with the compatibility proxy path.
• Added a fluxheim-server privacy-mode feature and wired the root
  privacy-mode feature into it.

Hardened

• Native upstream forwarding strips inbound hop-by-hop framing headers, prior
  Via, and prior X-Forwarded-For before writing Fluxheim-owned proxy
  headers.
• Privacy-mode builds suppress native X-Forwarded-For injection.
• Native close-delimited upstream responses now accept exact-limit bodies and
  reject oversized bodies immediately after the configured limit is exceeded.
• Native proxy eligibility fails closed for unsupported policy layers,
  dynamic discovery, load balancing, upstream TLS, upstream PROXY protocol,
  HTTP/2 upstreams, and websocket upgrade.
• Connection pooling remains deferred performance parity for the upstream
  connector/pooling work planned in v1.6.13; 1.6.10 focuses on correctness
  and bounded native HTTP/1 proxy foundations.

Tests

• Added native upstream tests for content-length responses, chunked responses,
  close-delimited responses, exact-limit close-delimited bodies, oversized
  close-delimited bodies, timeout handling, invalid forwarded request headers,
  and Fluxheim-owned proxy headers.
• Added a privacy-mode regression test proving native upstream forwarding does
  not emit X-Forwarded-For.
• Extended scripts/smoke_native_http1_proxy.sh to explicitly run the real
  TCP downstream listener to native proxy to upstream socket test.

Verification

• cargo fmt --all --check
• scripts/smoke_native_http1_proxy.sh
• scripts/validate-modularity-policy.sh check
• RUSTFLAGS='-D warnings' cargo check --locked -p fluxheim-server -p fluxheim-protocol
• RUSTFLAGS='-D warnings' cargo check --locked --features profile-full --lib
• cargo test --locked -p fluxheim-server --features privacy-mode privacy_mode_native_upstream_does_not_add_forwarded_for
• cargo check --locked --workspace --all-targets

Checksums And Signatures

• Commit: 3992569f74f010aac31ec55e8c372d43549135e1
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • 2f79dbf25eac7f0bcefab6ae168e9c92a6c5f781fcef43d2cbd0db159be932f9 fluxheim-1.6.10.tar.gz
  • 5baca4fa2c01920efe2f082a2dc5184f9b3ef844b07c41d54b4845ee23447477 fluxheim-1.6.10.zip
• Binary checksums:
  • x86_64:
    • af0cb1efc690a0fe018015d3aa7046d3ae43daca2c3d8dc58d750a057e2ab987 fluxheim-1.6.10-full-x86_64-linux.tar.gz
    • 8db823fede0734f0ee060d91a4a1c577976ee8b4caf5fb1e1d79b709453c2345 fluxheim-1.6.10-cache-x86_64-linux.tar.gz
    • b3d0bb061a6b122dbb99569f41499f1efda4ae16dba70fa26fbc49a6483dbddf fluxheim-1.6.10-proxy-x86_64-linux.tar.gz
    • 3f5ea2786732469d026a17ede9a01d8e90b1f6b953d44bc211e290f1d8424819 fluxheim-1.6.10-php-x86_64-linux.tar.gz
    • f1fd74b77c5b99905d4080db2c342ba1e375a818644e7f52f4c68aac14d305fe fluxheim-1.6.10-load-balancer-x86_64-linux.tar.gz
    • 0b724ae10085f5ebfc987a0134d04a6fe3090dcd1e0f9d8b687a53af68aa60b1 fluxheim-1.6.10-config-tester-x86_64-linux.tar.gz
  • aarch64:
    • a22849c0831436be217b5938137868380c927dddd48cf27851cf9d51bf5a801e fluxheim-1.6.10-full-aarch64-linux.tar.gz
    • 6a56d2950904aca2ca8824a435365438fa12d25577ed94b10a6fbe845b03781b fluxheim-1.6.10-cache-aarch64-linux.tar.gz
    • b6e1ca726d6b0ced5aa0401d51ca2f77bb6a296ea35ee63ed854890a27338280 fluxheim-1.6.10-proxy-aarch64-linux.tar.gz
    • 4a9299eaecd4ba93b71e72fecab704a651eeb577133a90590dd4e5ca912040c5 fluxheim-1.6.10-php-aarch64-linux.tar.gz
    • 1a527b5958a1bf7c57c524306399c7d6fdd82a06f22a39afc42fb315dca6cc7e fluxheim-1.6.10-load-balancer-aarch64-linux.tar.gz
    • 4ac5914d0f54588440d58555c3f5d26072782437c56001a3b485e6a21566a34b fluxheim-1.6.10-config-tester-aarch64-linux.tar.gz
  • macos:
    • b02404f7a5560ee2803326ad514b448bf26c44885fb5d6840333b96fe45fabdf fluxheim-1.6.10-dev-aarch64-macos.tar.gz
• SBOM checksums:
  • 9a440adb83715b47dc1a558c27b95e365b2f55f5ab61c52dba34b868d211dd1c fluxheim.spdx.json
  • a7ac2a69515b1838f7e46b6a197256fdb8fd5fc4687981e4cbf3b473fd220940 fluxheim.cyclonedx.json
• Reproducible build:
  • 67f6bee2784163cb31e3ca35a9e97e8ee14ac973471ca572e98f801d857ab811 x86_64
  • 59b648690d65be424a72d9cf2b9915edec0ee40e30a71365ac20aa7d4710f65a aarch64
  • 17b3d692a521b18e9a571178a7f20063b5449897263877baa9bfc51696100667 macos
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:22485001785ee3e06c543bad66e401a5ba57be75efd282565a61cff391fc1684
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:65ac731568a1a54008a29162d888fcfa61e00d581e2a98a47708414298321858
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:66df57915f55e866adb5565b0d5b15642506c96481f5632f85c49fa412d34adc
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:b7b4fa1932ff4f8fdf250f5e08241bfe5cb8def9e13fa2e48fa61b6734c21415
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:34502ce424ed9e16c30f266e0e1eadd99789ff347f6059b73d1609b6f7f0e133
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:4bebd345c17c29bf635cfe9a37120b278d6a378f2a38b7c620a33d787d964a63
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:1de89c089462b8ee695b1ee9fe0b6c16b7a71e55a1d163100f829aa4e9809b05
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:59ce8392a76d015b632c0055e4505a95f866d7337a157bf03ba14c1c7a3fef78
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:3758c5a629d41ea587d7d00c4c6ae3c683256b8bb41e5f1b3c15b1ce1e01831a
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:077e37080a5c2171e0ba37146135949fff56f5c2f1bc654cc9b59231ea74f7bc
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:670bbe6a72a5eb01d80f8525639ee2be60d3cb7d884ee6b4d4fca141415373da
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:d6454edcddb57d6ed5f804a11f0dedbc71e16e463c020125af82381bcfbf7aff
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:6f65f36b8dba7913b6cf042c63808a529b4c29e089a0c0bd3dfebfb77756f558
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:8994c802c2c80cf006bf80f3fe810615033e5a6b62bddfd031a9e0071db5e65e
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:21e8cd089d8356ca9b31e9880afa9348b1fc75a39a04b7d989ebf0adaa4c6b89
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:5a9cec597b17ca5e254ef475c876864ced71c025a386d27e7a9c1142f1d6379b
• Load Balancer Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:1ba8120683bddf313a74966853bd5199bc2df3af30fea5eb200fc22a0c985afe
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:0af4eed032a2334af9b7c7f4fda1b6493ea7c212343cc4deed17fc8a535c895a
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:88be52ed1b39f0637eefb01fe8410afa9000390b58a78468274fb2b13e0051e2
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:14436e6be8540ea218b72cdb6d2c4368c93574d7fcf89378a079e83ba2106284
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4