Fluxheim 1.6.14

Fluxheim 1.6.14 Release Notes

Fluxheim 1.6.14 continues the Pingora-exit line by adding native rustls and
OpenSSL upstream TLS support to the staged HTTP/1.1 proxy path. The production
default still keeps Pingora as the compatibility fallback for unsupported
policy combinations, but simple HTTPS upstream candidates can now be
represented and tested through Fluxheim-owned connector code.

Added

• Added fluxheim-server native HTTP/1 upstream TLS connectors for rustls and
  OpenSSL profiles, including explicit SNI, route-local CA bundle loading,
  optional upstream client certificate/key loading, certificate verification
  controls, and bounded no-follow PEM file reads.
• Added explicit rustls crypto-provider installation in the native upstream TLS
  connector so standalone fluxheim-server tests and future crate consumers do
  not panic when both rustls provider crates are present in the dependency
  graph.
• Added a real native HTTP/1 proxy test that generates a test CA and
  localhost SAN leaf certificate, starts a TLS upstream, verifies through the
  configured CA bundle, and forwards a request through the native proxy.
• Added real native upstream TLS hostname-policy tests proving the default
  path rejects SAN mismatches, upstream_alternative_cn verifies against the
  configured alternate name, and upstream_verify_hostname = false disables
  only hostname verification while keeping CA verification active.
• Added a real native upstream mTLS test that starts an origin requiring a
  client certificate and verifies the configured upstream client cert/key path
  works through rustls and OpenSSL builds. The same fixture now also verifies
  that an mTLS-only origin fails closed when the native proxy is not configured
  with upstream client certificate material.
• Added ordered static upstream failover for the staged native HTTP/1 proxy
  path. Safe methods (GET, HEAD, OPTIONS, TRACE) can try the next
  configured static upstream after an upstream error; unsafe methods are not
  replayed.

Changed

• Changed the native HTTP/1 upstream connection pool to store Fluxheim-owned
  boxed IO streams instead of raw TcpStreams. This keeps one retry/reuse path
  for plain TCP and TLS upstream connections.
• Wired the root rustls and OpenSSL feature aliases into fluxheim-server so
  the native upstream TLS path is built in the same TLS profiles operators
  already use.
• Allowed plain static proxy.upstreams lists to become native HTTP/1
  candidates when no advanced load-balancer policy is configured. Weighted,
  priority, locality, alias, tag, backup, drain, disabled, dynamic-discovery,
  and DNS-discovery policy still fail closed to the compatibility path.
• Restricted stale pooled-connection retries in the native HTTP/1 upstream
  client to safe methods only, matching the static failover replay policy.

Security

• Native HTTPS upstream conversion now fails closed when any configured static
  upstream is IP-addressed with certificate verification enabled and no explicit
  upstream_sni, matching the validated config contract and avoiding silent
  hostname-verification downgrades.
• The native HTTP/1 proxy builder now mirrors the config loader's upstream TLS
  material checks so crate-level callers cannot silently ignore a CA bundle,
  one-sided client certificate/key material, or inconsistent
  upstream_verify_cert / upstream_verify_hostname settings.
• OpenSSL-only native HTTP/1 server-plan tests now assert the same TLS policy
  failure reason as rustls builds instead of treating OpenSSL as an unsupported
  TLS backend.
• The native OpenSSL upstream TLS connector now enforces TLS 1.2 or newer and
  uses explicit AEAD-only TLS 1.2 / TLS 1.3 cipher suite allowlists instead of
  relying on system OpenSSL defaults.
• Native upstream TLS certificate/key loading now canonicalizes the existing
  parent directory before inspecting and opening the final file, keeping the
  final O_NOFOLLOW symlink protection while making the filesystem trust
  boundary explicit for CodeQL.
• TLS key, certificate, and CA files loaded by the native path are bounded to
  1 MiB, must be regular files, and are opened with O_NOFOLLOW on audited Unix
  platforms. The native file reader now has direct tests for oversized-file
  rejection and final-symlink rejection.

Compatibility

• Existing Pingora compatibility behavior remains available for unsupported
  policy combinations, HTTP/2 upstreams, dynamic discovery, advanced
  load-balancer policy, upstream PROXY protocol, and websocket upgrades.

Checksums And Signatures

• Commit: aa1828411c6fec54b42cb704cb16b359e5f669eb
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • 9471caaa352ba55d0d8c1b97c4197c22fe2bc0c6466428b3044dd474e967c002 fluxheim-1.6.14.tar.gz
  • 08dbdccf9868821d6a235db29dae7d9f19fe7e1c6c788b562941212b3eb06fd4 fluxheim-1.6.14.zip
• Binary checksums:
  • x86_64:
    • 21aad0e666e42b180c430788dcbe55fe3c41adaed6239b82179c5e3fd48c1538 fluxheim-1.6.14-full-x86_64-linux.tar.gz
    • 4e94cdac082ecf3afa8af39b22d3e6b3a565a4217610981eb59a0d481cd92c4a fluxheim-1.6.14-cache-x86_64-linux.tar.gz
    • 0b9d795828608aca0c9a17c2fa81ef63e5e72cf8361d925845ff8407960d625e fluxheim-1.6.14-proxy-x86_64-linux.tar.gz
    • 2c6e8a01e1e6194b37c6f6582e9adfe594f12900d3c9b97cc4b2d68d6b300d9b fluxheim-1.6.14-php-x86_64-linux.tar.gz
    • c465edbcdc9c0b38fdf26b90f2ebe28817c468d4cf9c68554726826718dba3a4 fluxheim-1.6.14-load-balancer-x86_64-linux.tar.gz
    • 365a381c79105451bb79c95a5fce836bf729ee8aa7063eec68946eac7c64cb03 fluxheim-1.6.14-config-tester-x86_64-linux.tar.gz
  • aarch64:
    • aac0ba1dd72a03247d0849e2e6525d083ec470c058d2bff9eb91c71b22a515c6 fluxheim-1.6.14-full-aarch64-linux.tar.gz
    • e53d3d7518182cb5ec4e9ca56dd35b02a9f4c4d37121069082cee45f4e91a3d9 fluxheim-1.6.14-cache-aarch64-linux.tar.gz
    • ee31acaceb3a9c6bf6c69dca44ea741ef82654b6756de791076c736bfb5bf833 fluxheim-1.6.14-proxy-aarch64-linux.tar.gz
    • 90e0c53a002e5a776c8452c0988408fbbb6ea1e0a6e172b59779e4a3333bd3d0 fluxheim-1.6.14-php-aarch64-linux.tar.gz
    • 9be51ca35a66eaf4e450109b4df41fa5cc1fdad3be949769afc28fa200d92dcc fluxheim-1.6.14-load-balancer-aarch64-linux.tar.gz
    • 7a6aaa42a772efbd9b7668d145c162e64b7b7744a2437ddefef7cd81b5644922 fluxheim-1.6.14-config-tester-aarch64-linux.tar.gz
  • macos:
    • 033b204288afd5e573c471fb7aa8210abbccbb125b57a426563bd57605eb76be fluxheim-1.6.14-dev-aarch64-macos.tar.gz
• SBOM checksums:
  • 4038d6afb485713ed3af01c7312362f3b48f0cc18e51946231d2929e965ee2d6 fluxheim.spdx.json
  • a20a15a485e1e5ada907fc9f217a88404a1f823affbc0fffee8082c62d849f6b fluxheim.cyclonedx.json
• Reproducible build:
  • 2abd49c6bdc7df37c8f737f2928bc050aeed11c3d9baf1eb2135bf4b9c825d5f x86_64
  • 7f814d43731212ec11856b4f70992d619221d623655860c21711532e37e756b3 aarch64
  • 0454e41e5e74fca1ed4cb246fdff08aa666b6b2f97874b0e92ec30dcfd9b3a3f macos
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:7c34756b85587af4fc820b38239eaaa975bde34b224ea5a2cb549984b5eb1d75
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:a003f46f48f1fb24c4690808e2daf189391032b3791bb0ec2122fa59fc1d3253
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:723b60cd05ad0b2ca8568f2671d57123f326403272fcd2f2f869e26db9b50e38
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:0993466a3ef6a2037c8da134bfabf57db33bbb3d6fc9691deebcb2b4e45df0b9
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:05efdf01af8ad9fb5a558b6b5f442cca366aad33c8adbcc5ec888bbe1df7eb1c
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:8a89a8e9d06aa724f518306ead14d3e7f29c0204fd52e7ef7cbf320a30c892d8
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:37606cb7b9cdfb1e4d9dedbd014e3c4077edaf85dff297f1fd4e1f35ddd85da6
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:9d5e270f91c77e13fe481a9076ec014e7c08baff4896e20b8758b05f2f596fa1
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:21e05a8526b311f483ffbef9c2704d5af98c4d928c7684f29d97a9e9b901f888
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:9fd28e0a7122b93f192d70fbc722c5907c9f093b664101bdac2d46412440a687
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:6b49ce11e8709a6854387139944dd7c16e54d97517b11e073800a4d29aabbb9a
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:15c1d781a7b4149968647e030a2a3c3e0d0ef31b225a9b9b14402c210c4d60d7
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:2c85eb12d83e23c8d440b4251a539bae39a1c76e8142d9ae4eef3cf733f2685d
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:251efe8c91ca2b044fd56386aaf69e52e5aaf44561ce69ded726a3452654e802
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:ad0be8a3ef9d50c05dcb184aadcbace32a5268cf0151de0af876d7f2e0f5e31f
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:ba31b33a92c912d85b89bcb98b043ed2c3b9a1908f08a81a5111994a0b09c380
• Load Balancer Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:2b4cd5c8e28c26759fc954f830a5be0a47dace1d5ce5a404e5336b9e2fe0bd88
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:1c9082deb60829ce7910f71fb0bbd9515876c0ef90cf3569beb83661b2e1c3cf
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:256ca78483913ada05c6be747e1a4c0cf7b0a7f518f087d429b7adfe028d2360
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:c035222f6e0c58039699a28ade439ec472cb173aebd12b2cbc19359e4246c463
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4