Fluxheim 1.6.26

Fluxheim 1.6.26 Release Notes

Fluxheim 1.6.26 continues the Pingora-exit route/policy parity work. After
1.6.25 added the native HTTP/1 route proxy for ordinary proxy routes, this
release adds native route redirect actions so redirect-only routes can be
represented and tested without falling back to Pingora's ProxyHttp callback
surface. It also moves route-level response header overlays onto the native
route proxy for the already-supported native response paths.

Changed

• Add native HTTP/1 route redirect actions to NativeHttp1RouteProxyRoute.
• Support {uri}, {path}, and {query} expansion for native route redirects.
• Enforce route-level max_request_body_bytes in the native HTTP/1 route
  proxy before forwarding matched requests.
• Apply route-level native response header overlays for native route proxy
  responses, including set, append, unset, HSTS, CSP, frame-options,
  content-type-options, and referrer-policy shortcuts.
• Allow native route proxy construction from redirect-only route config without
  requiring a dummy upstream proxy.
• Update release metadata, RPM metadata, and container tag documentation for
  v1.6.26.

Security

• Validate native redirect locations before writing the response.
• Reject unsafe redirect expansions containing control characters, whitespace,
  braces, backslashes, non-HTTP(S) schemes, or ambiguous double-slash request
  paths.
• Reject expanded native redirect Location URL paths containing dot segments
  or double slashes, including {query} path-position traversal attempts.
• Reject redirect templates that would place {path} or {uri} immediately
  after a literal slash in the URL path, preventing predictable // expansion.
• Exclude route proxy configs shadowed by route redirects from native proxy
  cutover candidate accounting.
• Return 413 Payload Too Large for native route-proxy requests that exceed a
  matched route-specific body limit.
• Keep regex routes, request-header mutation, response-header rewrites, access
  policy, and richer proxy integrations on the compatibility path until their
  native execution has dedicated parity tests.

Compatibility Boundary

• Normal proxy profiles still compile the Pingora compatibility runtime in this
  release. The native route proxy now covers exact/prefix/fallback proxy routes
  plus route redirects, route request-body limits, and route response header
  overlays. Request header mutation, response-header rewrites, access and
  compression policy, plus rich proxy integrations remain targeted for the next
  1.6.x slices.

Checksums And Signatures

• Commit: f724b2a5ab9b44bc285034ca771d7802882ccc6c
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • 725835efb7f5e54621ce7fdab5c372c7f43992161f492ff60dc33c08c07eb9a9 fluxheim-1.6.26.tar.gz
  • 3f8c2fdc8fe14b2903db3a64bcb0eb1c3bd936123009e17f88b752e0bf7ffff0 fluxheim-1.6.26.zip
• Binary checksums:
  • x86_64:
    • 5d198f6ac31cb770b72931e84859ea69968ab1623f1954e931bd1d2490117cbd fluxheim-1.6.26-full-x86_64-linux.tar.gz
    • cd61e645d591c6d0212f6a1417cb234c427900e65d9800667a62d7ae0a8a74d0 fluxheim-1.6.26-cache-x86_64-linux.tar.gz
    • 0f95b597d797160d3e791dcf62d938c1a10c62d129c26d06cdb5885ea9319d59 fluxheim-1.6.26-proxy-x86_64-linux.tar.gz
    • d45e47579dbb6463f87ad459c76a09cef3a77eec3870f6db5bd86360e34a8792 fluxheim-1.6.26-php-x86_64-linux.tar.gz
    • 598172ce4c7fd3e2aa35853001dfc3fb640fc9a1029790bf59f40fea93dc2842 fluxheim-1.6.26-load-balancer-x86_64-linux.tar.gz
    • e7042765fa67bb9558b5504a70700862c183d369a1846df9872d9f3bf1259827 fluxheim-1.6.26-config-tester-x86_64-linux.tar.gz
  • aarch64:
    • 6dfaffacc0aab854427ffa93fe9bdf7726c311edc247f25a4b105b5dbae7a147 fluxheim-1.6.26-full-aarch64-linux.tar.gz
    • 55bb486e85ba3aee4b760ac923f8e52e8109142a048882434fc3a1eb58b24f08 fluxheim-1.6.26-cache-aarch64-linux.tar.gz
    • 356b3d122ced75114e34d217709cda717fcd849d199ae4fc05169a82d1e04b68 fluxheim-1.6.26-proxy-aarch64-linux.tar.gz
    • 97f4d79240fad8c18f53b6b163b76d82c8765123af4a1563144bff0558c461b6 fluxheim-1.6.26-php-aarch64-linux.tar.gz
    • b42fafa2c51e2449d5146fd782dfe93d0a6c88790b4decf1a1346ba751d4c083 fluxheim-1.6.26-load-balancer-aarch64-linux.tar.gz
    • 8368ce7e386bee5c8167abe4ecc32278a83690f8dc1ced76c3b63ed8b16d61e0 fluxheim-1.6.26-config-tester-aarch64-linux.tar.gz
  • macos:
    • c84ae24d0f509ba9619d7073c17333a31578ca43c89308ccdbb77ed82a948975 fluxheim-1.6.26-dev-aarch64-macos.tar.gz
• SBOM checksums:
  • c1b0982cebb0075673c83192a2357b03e758ce5b5faff54026e1f6be28b5ea3b fluxheim.spdx.json
  • e926c0ac20010086f34b7887a24d93237de57cc06d125ff58ae6e1ed63a36c0c fluxheim.cyclonedx.json
• Reproducible build:
  • f48fda519e009905679bb0da95abc6f313df910dd96ce3107810f7f75173d19a x86_64
  • d6c95abeed38abd46a1c8ddc39019d90c3ce6dea49037444123c471ad39979c5 aarch64
  • 845cefc4900519f151d41571fd22f876d22876b1ef486b9df5261c52a17ab2b1 macos
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:53dfe0cb1679db292a0b893ae87ea219ac267f153c66b4ea5454bc8ccbe02f5e
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:a11ecd249158a6a664468e1b41fffaa7d47a99006ad7690f7691d530e61f4400
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:41451b85a678ea43872eb3b2bc280213dd1901c0cd4b64729b4c5b95bb98a107
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:b65cd91d2836bc5c3bb9d172a1f69666128969c01dec74ec605718ab0dcfceab
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:6bab87396f37afe5e2c928a09d8c28d0c3dc53fc026e809f4936603025928449
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:47a41b7a24baf3e6adb6d8b66d2cb7da8e3cad19381957f1cf04059157a8f625
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:9803a05eb7a0f569134148f846a695024d38632f6139e310ade6bdd251c0eac6
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:0559a6155f1f785b19017b22d1e02a9ea386fcbb1fb0fb529af43a86f7208ce4
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:65308264c3f789d5c33bab1e8077e86c979272402069521784682a9de193c2e1
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:242c6f51b0b06778d8e5beef0218898d78e53d55baff7f9a8e4c7b7f4082271c
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:0f9d3e2f465d62ec2a96abae7f2384657323eca1152760f8eb10ed25a94ac216
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:2a453761dc11deed67e812dbd77fb452c47fcad600caad1323ce1720241774f7
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:6ded7df854352be2d9464529318edbced2bb4cffb3ffa60272c32684429a87f4
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:92e1d60c4cce01ec75f04bc0d5767564d92fe8edcefacce8baa41bebcb1547db
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:455021c1cbfacb2fefcccfae727eb3e2574e762198db4f963000a1abf439f43f
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:c82a6bfcb67c9f16c107d7ab0f3dda5695acc87502a2e166f532a4feeec497d0
• Load Balancer Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:896cceee3748f1b5ad5c6825a49f083ef666b3f4f187fbe322a8a09e69920caa
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:08cf1405adf9f0f8bdedcb4e43c1f481f58bc919adeda8e466f631747c33d162
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:238d8ec09bebba676e81ce2051ea93e9b4f503d73b085a2306004bbf33986314
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:6d3ba123d8c81c1c70bdf4d7af8fb51d2805ed2ca79564a4343f0de4d6a2a637
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4