Fluxheim 1.6.27

@eldryoth eldryoth released this 21 Jun 15:21
· 131 commits to main since this release
Immutable release. Only release title and notes can be modified.
v1.6.27
6917ff1

Fluxheim 1.6.27 Release Notes

Fluxheim 1.6.27 continues the Pingora-exit work by moving route-level static
web serving onto the native HTTP/1 route adapter.

Highlights

  • Native HTTP/1 route static-web adapter backed by the fluxheim-web crate.
  • Native static file responses support ETags, conditional requests, byte
    ranges, HEAD, cache-control metadata, and directory listings.
  • Route-level native request-header mutation overlays now apply before matched
    proxy routes are forwarded upstream.
  • Multiple configured static upstreams now round-robin successful native HTTP/1
    proxy requests, with safe-method failover still available when an upstream
    fails.
  • Static proxy.upstream_weights now drive native weighted round-robin without
    requiring the compatibility load-balancer runtime.
  • Route-level response rewrite rules for Location, Refresh, and
    Set-Cookie now execute in the native route proxy through the shared
    fluxheim-headers rewrite helpers.
  • The server crate now depends directly on fluxheim-web for pure web response
    planning instead of using the root compatibility adapter.
  • Static-web, header policy, response rewrite, and weighted-upstream route
    tests run through real local native HTTP/1 listeners.

Security Notes

  • Native static-web path resolution rejects decoded dot segments, NUL bytes,
    backslashes, denied dotfiles, and symlink escapes.
  • Static response body reads use rooted component-by-component openat with
    no-symlink opens for every directory component and the final file, closing the
    symlink-swap window between metadata checks and body reads.
  • Native route static-web handling now rejects methods other than GET and
    HEAD with 405 Method Not Allowed, even when the route method list matches
    all methods.
  • Native redirect Location path validation now reuses the bounded multi-pass
    forward-path safety check, rejecting single- and double-encoded dot-segment
    or slash expansions from {query}, {path}, or {uri} templates.
  • Buffered native static responses are capped at 64 MiB until the final native
    streaming body path is completed.
  • Forwarded-client-IP shortcut ownership remains a compatibility-path blocker;
    only explicit request-header unset/set/append mutations are marked native
    ready in this release.
  • Advanced load-balancer behavior such as health state, persistence, dynamic
    discovery, priority groups, backup/drain state, and hash-based selection
    remains on the compatibility path; this release moves static upstream
    round-robin and static weights native.
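
The decoded-path rejections and the bounded multi-pass check in the notes above can be sketched as follows. This is an added example, not Fluxheim's code: `check_path`, `Reject`, and the `MAX_PASSES` bound of 2 are assumptions, and every dot-prefixed segment is treated as a denied dotfile.

```rust
/// Decode passes allowed after the raw check (assumed bound for this example).
const MAX_PASSES: usize = 2;

#[derive(Debug, PartialEq)]
pub enum Reject { DotSegment, Dotfile, Nul, Backslash, TooDeep }

fn hex(b: u8) -> Option<u8> {
    (b as char).to_digit(16).map(|d| d as u8)
}

/// One percent-decoding pass; malformed escapes are kept as literal bytes.
fn decode_once(input: &[u8]) -> Vec<u8> {
    let (mut out, mut i) = (Vec::with_capacity(input.len()), 0);
    while i < input.len() {
        let pair = match (input[i], input.get(i + 1), input.get(i + 2)) {
            (b'%', Some(&h), Some(&l)) => hex(h).zip(hex(l)),
            _ => None,
        };
        match pair {
            Some((h, l)) => { out.push(h << 4 | l); i += 3; }
            None => { out.push(input[i]); i += 1; }
        }
    }
    out
}

/// Checks applied to every layer: the raw path and each decoded form of it.
fn check_layer(path: &[u8]) -> Result<(), Reject> {
    if path.contains(&0) { return Err(Reject::Nul); }
    if path.contains(&b'\\') { return Err(Reject::Backslash); }
    for seg in path.split(|&b| b == b'/') {
        if seg == b"." || seg == b".." { return Err(Reject::DotSegment); }
        if seg.starts_with(b".") { return Err(Reject::Dotfile); }
    }
    Ok(())
}

/// Decode until stable, checking each layer; fail closed past MAX_PASSES.
pub fn check_path(raw: &str) -> Result<(), Reject> {
    let mut cur = raw.as_bytes().to_vec();
    for _ in 0..=MAX_PASSES {
        check_layer(&cur)?;
        let next = decode_once(&cur);
        if next == cur { return Ok(()); }
        cur = next;
    }
    Err(Reject::TooDeep)
}

fn main() {
    for p in ["/css/site.css", "/a/%252e%252e/b"] { println!("{p}: {:?}", check_path(p)); }
}
```

Checking every intermediate layer, not only the final decoded form, is what catches a slash or dot segment that appears only after one or two rounds of decoding.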
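
The rooted component-by-component open described in the notes above, as an added example rather than Fluxheim's implementation: `open_rooted` and `open_component` are hypothetical names, `openat` is declared by hand to avoid external crates, and the flag constants assume Linux on x86 or ARM.

```rust
use std::ffi::{c_char, c_int, CString};
use std::fs::File;
use std::io::{self, Error, ErrorKind};
use std::os::fd::{AsRawFd, FromRawFd, OwnedFd};
use std::path::Path;

// openat(2) from libc, declared by hand so no external crate is needed.
extern "C" {
    fn openat(dirfd: c_int, path: *const c_char, flags: c_int, ...) -> c_int;
}

// Linux flag values (assumption: Linux on x86/x86_64 or arm/aarch64).
const ARM: bool = cfg!(any(target_arch = "aarch64", target_arch = "arm"));
const O_DIRECTORY: c_int = if ARM { 0o40000 } else { 0o200000 };
const O_NOFOLLOW: c_int = if ARM { 0o100000 } else { 0o400000 };
const O_CLOEXEC: c_int = 0o2000000;

fn bad() -> Error { Error::from(ErrorKind::InvalidInput) }

/// Open one path component relative to `dir`, never following a symlink.
fn open_component(dir: &OwnedFd, name: &str, want_dir: bool) -> io::Result<OwnedFd> {
    let flags = O_NOFOLLOW | O_CLOEXEC | if want_dir { O_DIRECTORY } else { 0 };
    let c_name = CString::new(name).map_err(|_| bad())?;
    // SAFETY: `dir` is a live descriptor and `c_name` is NUL-terminated.
    let fd = unsafe { openat(dir.as_raw_fd(), c_name.as_ptr(), flags) };
    if fd < 0 { return Err(Error::last_os_error()); }
    // SAFETY: `fd` was just returned by openat and has no other owner.
    Ok(unsafe { OwnedFd::from_raw_fd(fd) })
}

/// Walk `rel` below `root` one component at a time and return the final file.
pub fn open_rooted(root: &Path, rel: &str) -> io::Result<File> {
    let parts: Vec<&str> = rel.split('/').filter(|p| !p.is_empty()).collect();
    if parts.iter().any(|p| *p == "." || *p == "..") {
        return Err(bad()); // O_NOFOLLOW does not stop ".." from leaving the root
    }
    let (last, dirs) = parts.split_last().ok_or_else(bad)?;
    let mut dir: OwnedFd = File::open(root)?.into(); // root comes from trusted config
    for part in dirs {
        dir = open_component(&dir, part, true)?;
    }
    let file = File::from(open_component(&dir, last, false)?);
    // Metadata comes from fstat on the descriptor that will be read, not from the path.
    if !file.metadata()?.is_file() {
        return Err(bad());
    }
    Ok(file)
}
```

Because metadata and body reads both use the descriptor returned here, replacing a directory or the file with a symlink after the open cannot redirect the read.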

Compatibility

The remaining rich proxy integrations, including cache lookup/fill/stale
handling, PHP-FPM routing, auth-request, traffic mirror, compression, and
advanced load-balancer policy selection, remain on the compatibility path until
their native parity tests land.

Checksums And Signatures

  • Commit: 6917ff1df159f9027bf4167d964fe71d83351e8a
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4