Fluxheim 1.6.29

@eldryoth eldryoth released this 23 Jun 16:36
v1.6.29
12e744d

Fluxheim 1.6.29 Release Notes

Fluxheim 1.6.29 continues the Pingora-exit work by moving inherited
compression, header-policy behavior, and safe forwarded-header ownership into
the native HTTP/1 proxy path.

Highlights

  • Native HTTP/1 plain proxy responses can now use inherited global/vhost
    compression policy when gzip, brotli, or zstd support is compiled.
  • Native HTTP/1 route proxy responses now inherit global/vhost compression
    when a route does not override compression locally.
  • Native route proxy construction now merges root/vhost header policy with the
    route overlay before building native request and response header policies.
  • Root and vhost header mutation policy no longer blocks native HTTP/1 proxy
    cutover when it only uses supported header set/remove/append behavior.
  • Native HTTP/1 proxy handling now owns the safe forwarded-client-IP header
    modes: X-Forwarded-For = off, X-Forwarded-For = replace, X-Real-IP,
    X-Forwarded-Host, X-Forwarded-Proto, and RFC Forwarded.
  • Native HTTP/1 route proxy handling now owns trusted-chain
    X-Forwarded-For = append for routes and programmatic builders, preserving
    inbound chains only when the direct peer matches configured trusted sources.
  • Native HTTP/1 route proxy handling now owns regex route matching and
    path-only rewrite_template capture expansion, including exact route,
    longest-prefix route, first-regex route, and fallback precedence.
  • Native HTTP/1 route proxy handling now owns IP/CIDR allow/deny access policy
    at both vhost and route scope, using trusted X-Forwarded-For client
    restoration when configured trusted sources identify the direct peer.
  • Native HTTP/1 route proxy handling now owns vhost and route concurrency
    limits, including immediate rejection and bounded queued waits.
  • Native HTTP/1 route proxy handling now owns vhost and route local rate
    limits, including token-bucket rejection and delay-mode admission.
  • Native HTTP/1 proxy responses now carry configured downstream write timeout,
    total response timeout, and minimum send-rate policy.
  • Native HTTP/1 upstream establishment now honors
    proxy.upstream_total_connection_timeout_secs across DNS, TCP connect, and
    optional TLS handshake setup.
  • Native HTTP/1 upstream socket creation now honors
    proxy.upstream_tcp_recv_buffer_bytes, proxy.upstream_dscp, and the
    upstream TCP keepalive triple before connecting. On targets with
    TCP_USER_TIMEOUT, it also honors proxy.upstream_tcp_user_timeout_ms.
  • Native HTTP/1 request-body parsing now honors
    proxy.downstream_read_timeout_secs selected by the matched proxy before
    forwarding to upstreams.
  • Native HTTP/1 requests now carry typed optional TLS client identity and Geo
    context fields. Rustls and OpenSSL listener tests prove downstream TLS
    request context is populated with negotiated protocol, cipher, and peer
    certificate fingerprint where available.
  • Native route-proxy access evaluation now enforces client-certificate
    fingerprint and Geo country/ASN rules when typed request context is present,
    so cert/Geo policy no longer blocks the native HTTP/1 cutover inventory.
  • Managed local ACME HTTP-01 challenge serving now has a native route action.
    Live route-proxy tests prove direct and alias vhost challenge ownership, safe
    token-file loading, GET/HEAD handling, and 405 Allow: GET, HEAD behavior.
  • Native ACME HTTP-01 challenge file loading now runs on Tokio's blocking pool
    instead of blocking the async worker thread.
  • Native HTTP/1 proxy handling now supports safe-method traffic mirroring when
    the traffic-mirror feature is compiled, including recursion protection,
    sampling, forwarded-header selection, mirror response caps, and per-target
    in-flight limits.
  • Native HTTP/1 proxy handling now supports proxy.auth_request when the
    auth-request server feature is compiled, including trusted context header
    synthesis, bounded blocking subrequests, response-header allowlisting, and
    deny-before-forwarding behavior.
  • Native HTTP/1 route proxy handling now honors route-scoped
    [vhosts.routes.grpc] validation, rejecting non-POST requests, duplicate
    Content-Type headers, and non-gRPC content types before forwarding.
  • The compatibility proxy's gRPC route Content-Type gate now matches the
    native gate by rejecting duplicate Content-Type headers and accepting
    case-insensitive gRPC media types.
  • Root and vhost compression no longer blocks native HTTP/1 proxy cutover when
    a matching compression backend feature is compiled.
  • Native route-proxy construction now mirrors the compatibility route order for
    vhost synthetic routes: explicit ACME HTTP-01 upstream challenge routes,
    configured routes, then vhost redirect fallback routes.
  • Vhost redirects and explicit ACME HTTP-01 upstream challenge routes no longer
    block the native cutover inventory when their generated route policies are
    otherwise native-safe.
  • Live native listener tests now prove plain-proxy gzip compression, inherited
    route gzip compression, inherited request-header mutation, inherited
    response-header mutation, and standard response security headers.

Security Notes

  • Inherited native compression keeps the same guarded behavior as route-level
    compression: bounded input/output size, negotiated Accept-Encoding, safe
    method/status checks, and privacy-sensitive header exclusions.
  • Native compression strips origin ETag and Content-Length, appends
    Vary: accept-encoding, and lets native response framing compute the final
    compressed length.
  • Native route request headers are removed or overwritten before the upstream
    request is sent, matching the compatibility-path policy order for the
    supported mutation subset.
  • The low-level native upstream writer no longer hardcodes client-IP forwarding;
    proxy/header policy now owns X-Forwarded-For so privacy-mode and ordinary
    builds share one explicit policy boundary.
  • Native route request-header overlay builders now start from the same secure
    forwarded-header baseline as config-driven policy, so omitted overlay fields
    still strip spoofable inbound client-IP headers and synthesize owned
    forwarding context.
  • Future trusted-chain append handling reads the inbound X-Forwarded-For chain
    after any configured spoofable-header stripping, so strip-plus-append degrades
    to the direct peer address instead of preserving attacker-supplied hops.
  • Native route tests prove ACME challenge paths are selected before a vhost
    redirect fallback, preserving the HTTP-01 exception ordering used by the
    compatibility path for explicit upstream challenge forwarding.
  • Native cutover now rejects route request-header overlays that set
    enabled = false, because disabling the request header policy would also
    disable forwarded-client-IP sanitation on that native route.
  • Native vhost fallback proxy traffic now receives the merged root/vhost header
    policy, so requests that miss named routes still strip spoofable
    client-IP headers and synthesize owned forwarding context.
  • Privacy-mode native route request headers are stripped after all configured
    request-header mutations, preventing operator set or append rules from
    reintroducing spoofable forwarded-client-IP fields.
  • Programmatic native route constructors now start with the same safe default
    request-header policy used by config-built routes, instead of a no-op policy.
  • Native trusted append uses the same effective-client-IP restoration helper as
    the compatibility path, so untrusted direct peers cannot preserve spoofed
    inbound forwarding chains.
  • Native regex rewrite templates percent-encode bounded capture values and
    reject rewritten paths that would traverse or introduce unsafe forwarding
    paths before any upstream connection is opened.
  • Native regex rewrite captures now encode slash characters and fail closed
    under the native safe-forward-path policy, so regex captures cannot introduce
    path hierarchy that was not present in the static rewrite template.
  • Native access policy denies before redirects, static-web actions, or upstream
    proxying run, so rejected requests cannot be transformed into downstream
    effects first.
  • Native vhost access policy uses the same trusted forwarded-chain restoration
    helper as forwarded-header synthesis, so allow/deny decisions see the
    effective client IP only when the direct peer is trusted.
  • Native route access policy also checks a percent-decoded policy path, matching
    the compatibility path's encoded-route bypass hardening for access decisions.
  • Native concurrency limits are enforced before rewrite, local static,
    redirect, or upstream proxy actions run; permits are held until the native
    response is produced.
  • Native rate limits are enforced before rewrite, local static, redirect, or
    upstream proxy actions run; excess requests are rejected before the native
    upstream path is reached, and delay-mode sleeps run before concurrency permit
    acquisition so delayed requests cannot exhaust configured concurrency budgets.
  • Native trusted-proxy client restoration joins duplicate inbound
    X-Forwarded-For headers before ACL and rate-limit identity decisions.
  • Malformed X-Forwarded-For trusted-proxy chains now fail closed on both the
    native header crate path and the compatibility proxy path, falling back to
    the direct peer address instead of skipping poisoned hops.
  • Native rate-limit table eviction sweeps are bounded so a full bucket table
    cannot trigger repeated full-table scans on every new identity.
  • Native rate-limit tables are now sharded so stale-entry pruning only blocks
    one shard of identities at a time.
  • Native proxy config now accepts response-side downstream policy and per-proxy
    downstream request-read timeout policy on the native path.
  • Native proxy config now accepts total upstream connection timeout while
    keeping TCP Fast Open as an explicit native transport blocker.
  • The configuration reference now documents that
    proxy.upstream_tcp_fast_open remains compatibility-runtime only during the
    1.6 native preview until a safe native socket path has parity tests.
  • Native proxy config and live loopback tests now prove receive-buffer and DSCP
    socket options plus TCP keepalive and supported TCP user-timeout are accepted
    and still connect through the native proxy path.
  • Native listener tests now prove plain HTTP requests leave TLS client identity
    and Geo context unset by default.
  • Native route tests now prove client-certificate fingerprint and Geo
    country/ASN policies reject requests before upstream forwarding when the
    typed request context does not satisfy the configured policy.
  • Native HTTP/1 proxy tests now prove traffic mirroring reaches a local mirror
    endpoint without changing the origin response.
  • Native HTTP/1 proxy tests now prove auth-request allow responses can inject
    configured upstream headers and auth-request deny responses stop before any
    upstream connection is made.
  • Native cutover-plan tests now prove proxy.auth_request and safe-method
    traffic mirroring are native-ready only when their matching server feature
    gates are compiled.
  • Native traffic mirroring now honors only Fluxheim's signed internal mirror
    marker for loop prevention, so client-supplied X-Fluxheim-Mirror headers
    cannot suppress the configured mirror feed.
  • Native proxy forwarding now strips inbound X-Fluxheim-Mirror and
    X-Fluxheim-Mirror-Signature headers before forwarding to the origin.
  • Native traffic-mirror marker signatures are now compared through
    sanitization::ct::ConstantTimeEq; this release also updates
    sanitization to 1.2.1 and rustls to 0.23.41.
  • Native auth-request 2xx response bodies that are read only for the configured
    size cap are now zeroized before release, and allowlisted auth response
    headers use zeroizing temporary storage before being copied into the upstream
    request.
  • Native proxy tests now prove a slow request body times out before any
    upstream connection is attempted when proxy.downstream_read_timeout_secs
    is selected.
  • Native proxy and cutover-plan tests now prove upstream HTTP/2 and H2 tuning
    knobs remain explicit native blockers for the dedicated 1.6.30 upstream H2
    connection-manager slice.
  • Native route tests now prove gRPC policy rejects non-gRPC requests, rejects
    duplicate Content-Type, emits gRPC status metadata on local rejections, and
    forwards valid case-insensitive application/grpc* requests.
  • Compatibility-path gRPC policy tests now prove duplicate Content-Type
    headers are rejected and case-insensitive application/grpc* media types are
    accepted.
  • Native HTTP/1 now sends 408 Request Timeout before closing connections that
    exceed the selected request-body timeout.
  • Native route proxy timeout selection no longer lets redirect or static-web
    routes inherit a fallback proxy's longer request-body timeout.
  • Native DSCP fallback compilation now covers targets without Tokio IPv6
    traffic-class support, and the receive-buffer conversion rejects an
    impossible oversized value with a dedicated diagnostic instead of silently
    ignoring it.
  • Config validation and native regex route compilation now apply the same
    explicit NFA and DFA cache limits.
  • Privacy-mode native route proxy handling now strips spoofable
    X-Forwarded-Host and X-Forwarded-Proto headers along with client-IP
    forwarding headers.
  • Native trusted-source CIDR matching now rejects directly constructed invalid
    prefix lengths without relying on implicit shift arithmetic.
  • Programmatic request-header policy defaults now match TOML deserialization for
    X-Real-IP, avoiding divergent native route behavior between config-built and
    builder-created routes.
  • Privacy-mode native proxy builds strip spoofable inbound client-IP headers and
    do not compile the non-privacy forwarded-header synthesis helpers.
  • Native route responses now apply inherited standard security headers such as
    X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP, and HSTS
    where configured.
  • The configuration reference now warns that disabling inbound forwarded-header
    stripping while also disabling owned X-Forwarded-Host or
    X-Forwarded-Proto synthesis permits client-supplied values for those
    headers to reach upstreams.
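
The trusted-chain X-Forwarded-For handling described in the notes above (duplicate inbound headers joined first, malformed chains failing closed to the direct peer, inbound hops preserved only when the direct peer is trusted, and CIDR prefix lengths validated without relying on a full-width shift) is worked through here as an added example; it is not Fluxheim's code. The `Cidr` type, the right-to-left walk that treats the first untrusted hop as the client (leftmost hop if every hop is trusted), and the sample addresses are assumptions for the example.

```rust
// Added example (not Fluxheim's code): trusted-chain X-Forwarded-For restoration
// and append that fails closed on untrusted peers and malformed hops.
use std::net::IpAddr;

/// A trusted source network. The prefix length is validated on construction so
/// matching never shifts by the full bit width.
#[derive(Clone, Copy, Debug)]
struct Cidr { net: u128, prefix: u8, v4: bool }

fn to_u128(ip: IpAddr) -> u128 {
    match ip { IpAddr::V4(a) => u32::from(a) as u128, IpAddr::V6(a) => u128::from(a) }
}

impl Cidr {
    fn parse(text: &str) -> Option<Cidr> {
        let (addr, prefix) = text.split_once('/')?;
        let addr: IpAddr = addr.parse().ok()?;
        let prefix: u8 = prefix.parse().ok()?;
        let (v4, bits) = if addr.is_ipv4() { (true, 32) } else { (false, 128) };
        if prefix > bits { return None; } // reject /33, /129 etc. explicitly
        Some(Cidr { net: to_u128(addr), prefix, v4 })
    }
    fn contains(&self, ip: IpAddr) -> bool {
        if self.v4 != ip.is_ipv4() { return false; }
        let bits: u32 = if self.v4 { 32 } else { 128 };
        let host_bits = bits - u32::from(self.prefix);
        let width = u128::MAX >> (128 - bits);
        // host_bits == bits is the /0 case: an all-zero mask, no shift performed.
        let mask = if host_bits == bits { 0 } else { (u128::MAX << host_bits) & width };
        (to_u128(ip) & mask) == (self.net & mask)
    }
}

#[derive(Debug, PartialEq)]
struct Forwarded { client: IpAddr, x_forwarded_for: String }

/// Restore the effective client from the inbound chain and build the outbound
/// X-Forwarded-For for append mode. An untrusted direct peer or any malformed
/// hop collapses the result to the direct peer, dropping the inbound chain.
fn restore_and_append(peer: IpAddr, inbound_xff: &[&str], trusted: &[Cidr]) -> Forwarded {
    let is_trusted = |ip: IpAddr| trusted.iter().any(|c| c.contains(ip));
    let only_peer = Forwarded { client: peer, x_forwarded_for: peer.to_string() };
    if !is_trusted(peer) || inbound_xff.is_empty() { return only_peer; }
    // Duplicate inbound headers are joined before any hop is evaluated.
    let joined = inbound_xff.join(", ");
    let hops: Option<Vec<IpAddr>> = joined.split(',').map(|h| h.trim().parse().ok()).collect();
    let hops = match hops { Some(h) => h, None => return only_peer }; // fail closed
    // Walk right to left past trusted hops; the first untrusted hop is the client.
    // If every hop is trusted (assumed policy), the leftmost hop is used.
    let client = hops.iter().rev().find(|ip| !is_trusted(**ip)).copied().unwrap_or(hops[0]);
    let chain: Vec<String> = hops.iter().map(ToString::to_string).collect();
    Forwarded { client, x_forwarded_for: format!("{}, {}", chain.join(", "), peer) }
}

fn main() {
    let trusted = [Cidr::parse("10.0.0.0/8").unwrap()];
    let peer: IpAddr = "10.0.0.1".parse().unwrap();
    println!("{:?}", restore_and_append(peer, &["203.0.113.7", "10.0.0.2"], &trusted));
}
```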

Compatibility

This release does not remove Pingora from normal builds yet. The remaining
compatibility blockers are upstream TCP Fast Open, cache lookup/fill/stale
behavior, PHP-FPM routing, dynamic discovery, health-aware load balancing,
persistence, priority/backup/drain state, hash-based load-balancer selection,
and upstream HTTP/2 connection-manager parity.

Checksums And Signatures

  • Commit: 12e744dcc613283b914ddf15016c844c0127fc1d
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • df2b7127fbf7c4acb94beb217b7be4b9692dee451ed676f369fb8e5279b9d5cb fluxheim-1.6.29.tar.gz
    • f391b24a757b3ce6e5d7ee7f9e045a41143afe0c135ae97635bba86cc363fd96 fluxheim-1.6.29.zip
  • Binary checksums:
  • SBOM checksums:
    • 52b76ee2f29f2ce5793b80d7661ced54f3baeaa23f6e2e88a80c1d543726513c fluxheim.spdx.json
    • 88cb3053840d5e5fb9ed04ff5ab04dac772b0b0cc97a031f2d70efc82d775cea fluxheim.cyclonedx.json
  • Reproducible build:
    • 17706cd45a8b56a5e09912b4f3693c2ebfbd6c3b89dad1cd020335ea87cc364f x86_64
    • 214a5936aa479bd2ba02cbcf418d7090d300f9e55a9bfdedaf2c533f6f2fd94b aarch64
    • addc01ed52c2f06d633cd9c388eb7310d0554378b73a7f5c39f217e1081abcb5 macos
  • Full Build Container digests (Wolfi, Alpine, SUSE Micro, Debian)
  • Cache Build Container digests (Wolfi, Alpine, SUSE Micro, Debian)
  • Proxy Build Container digests (Wolfi, Alpine, SUSE Micro, Debian)
  • PHP Build Container digests (Wolfi, Alpine, SUSE Micro, Debian)
  • Load Balancer Build Container digests (Wolfi, Alpine, SUSE Micro, Debian)
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4