Fluxheim 1.6.31

@eldryoth eldryoth released this 25 Jun 06:24
Immutable release. Only release title and notes can be modified.
v1.6.31
1f66742

Fluxheim 1.6.31 Release Notes

Fluxheim 1.6.31 starts the cache/PHP native-integration slice of the Pingora
exit work.

Important:
Binary/package assets were not attached to this release before publishing. Because Fluxheim uses immutable GitHub releases, they cannot be added afterward. Please use the source archive, container images, or the next release.

Highlights

  • Native HTTP/1 proxy planning now reports cache policy and PHP-FPM gaps with
    explicit blocker reasons instead of folding them into the generic HTTP policy
    bucket.
  • Direct native route-proxy construction now fails closed for vhost/route cache
    and PHP-FPM policies until those adapters are implemented, so callers cannot
    bypass the planner and silently drop policy.
  • Image/static cache request eligibility and cache-key construction now live in
    the Pingora-independent fluxheim-cache crate. The root compatibility module
    only wraps those shared keys into Pingora cache keys while that runtime path
    remains.
  • NativeHttp1Request now implements the fluxheim-cache request-view trait,
    allowing the native proxy to reuse cache bypass, revalidation, range, and
    slice policy helpers without a Pingora request header.
  • PHP-FPM response parsing now lives in the Pingora-independent
    fluxheim-php-fpm crate and returns plain status/header/body parts. The root
    proxy path only converts those parts into the current runtime response type.
  • PHP FastCGI parameter value validation and request-header-to-param-name
    mapping now live in fluxheim-php-fpm, giving the native and compatibility
    paths one shared policy for bounded, control-free PHP params.
  • PHP SERVER_NAME fallback selection now also lives in fluxheim-php-fpm,
    keeping host/fallback sanitization shared by native and compatibility paths.
  • PHP FastCGI request-header param translation, resolved HTTP_HOST insertion,
    CONTENT_TYPE value selection, and runtime custom-param filtering now live
    in fluxheim-php-fpm; the current proxy path only applies those generated
    pairs to fastcgi_client::Params.
  • PHP split-container path mapping for SCRIPT_FILENAME and safe
    PATH_TRANSLATED generation now lives in fluxheim-php-fpm, keeping dot
    segment, hidden path, backslash, and control-byte rejection shared.
  • PHP request-path to SCRIPT_NAME/PATH_INFO parsing, allowed-extension
    matching, and deny-prefix checks now live in fluxheim-php-fpm; the proxy
    still owns static-file lookup and final execution decisions.
  • PHP static-file to script-name mapping and slashless directory-index redirect
    decisions now live in fluxheim-php-fpm, sharing root confinement, hidden
    path rejection, and extension checks across native and compatibility paths.
  • PHP static-offload target validation now lives in fluxheim-php-fpm,
    including X-Accel-Redirect control-byte rejection, X-Sendfile fpm_root
    mapping, and PHP-script offload blocking.
  • PHP X-Accel-Expires TTL parsing and restrictive origin cache-policy detection
    now live in fluxheim-php-fpm, giving native PHP response handling the same
    cache safety rules as the compatibility path.
  • PHP response-header stripping policy now lives in fluxheim-php-fpm,
    including hop-by-hop headers, Connection tokens, configured hidden headers,
    and static-offload internal headers.
  • PHP custom error-page/status interception decisions now live in
    fluxheim-php-fpm, keeping native and compatibility response handling on one
    status policy.
  • Shared PHP response/request policy now pre-reserves bounded CONTENT_TYPE
    joins, rejects extensionless static-offload files, ignores invalid
    Connection header tokens before response stripping, and asserts ASCII-only
    parser invariants.
  • PHP CONTENT_TYPE joining now caps and validates during accumulation instead
    of building an oversized intermediate string before rejecting it.
  • Pure local-static cache keys now use the explicit fluxheim-static-v1;
    prefix, matching the static-cache namespace used by the compatibility cache
    wrapper and making raw key inspection unambiguous.
  • Native route-level static web now supports the memory-only
    cache.local_static adapter, reusing shared cache admission, bypass,
    revalidation, TTL, status-header, and file-identity key policy.
  • Native vhost-level static web now supports the same memory-only
    cache.local_static adapter and still falls through to the vhost proxy
    fallback when a static file is not found.
  • Native static-web memory cache accounting now includes conservative per-entry
    overhead, cache-key bytes, reason bytes, and response-header bytes before
    admission, preventing small cached objects from undercounting memory use.
  • Native static-web memory cache insertion now samples Instant::now() once
    for stored/expiry time and avoids running the prune pass inside the initial
    insert lock; pruning also avoids full-table vector allocation and sorting.
  • Unsupported native cache shapes still fail closed with explicit cache-policy
    blockers: vhost cache, proxy/image cache, disk cache, and non-static route
    cache remain compatibility-runtime work until their adapters are implemented.
  • Native HTTP/1 cutover planning now recognizes the supported static-web
    memory local-static cache adapter, so those routes no longer make an
    otherwise native-ready vhost fallback proxy look unsupported.
  • PHP request-body replay/spooling and bounded FastCGI stdout/stderr response
    collection now live in fluxheim-php-fpm; the root crate keeps only a thin
    compatibility adapter for the current PHP runtime.
  • PHP-FPM keep-alive pool ownership now lives in fluxheim-php-fpm behind a
    small metrics callback boundary, so connection reuse, stale idle pruning,
    pool labels, and bounded response collection are owned by the PHP crate.
  • Native HTTP/1 upstreams now support configured PROXY protocol v1/v2 send
    through proxy.upstream_proxy_protocol, using Fluxheim-owned frame builders
    and writing the header before upstream TLS or HTTP bytes.
  • Native upstream PROXY protocol remains connection-scoped: HTTP/1 origin
    pooling is disabled for those upstreams, and native HTTP/2 upstream
    combinations fail closed until multiplexed per-request identity can be
    represented safely.
  • Native requests now carry both the direct listener peer/local address and the
    trusted-forwarded effective client address, so upstream PROXY protocol uses
    the same client identity as native ACL/rate-limit/header policy.
  • When that native effective client identity comes from forwarded headers,
    upstream PROXY protocol sends source port 0, the documented unknown-port
    value, because forwarded headers do not include the original client port.
  • Native HTTP/1 now has a host router that builds one native route proxy per
    configured vhost and dispatches exact and wildcard Host matches with the same
    default-vhost fallback behavior as the compatibility runtime.
  • A native runtime manifest now refuses blocked plans and exports the
    Fluxheim-owned service/listener/background-task graph for blocker-free plans,
    giving the final runner replacement a tested orchestration contract without
    changing production execution yet.
  • Native runtime launch-plan validation now rejects duplicate TCP or duplicate
    UDP listener bind intents before reporting the native adapter as the target,
    while still allowing TCP and UDP listeners to share the same address.
  • Native runtime launch-plan errors now appear in the cutover evidence report,
    so concrete runner-contract failures are visible even when the high-level
    blocker summary is otherwise ready.
  • The native runtime cutover evidence report now includes downstream HTTP/1
    and HTTP/2 launch-policy rows, giving final-runner hardening values a stable
    diffable contract.
  • NativeHttp1Request now implements the load-balancer request-view trait
    behind the fluxheim-server/load-balancer feature, preparing native
    persistence and hash selection to consume native request metadata without a
    Pingora request adapter.
  • SelectedUpstream now exposes stable address and authority accessors, giving
    native callers a public bridge from Fluxheim-owned load-balancer selection to
    upstream connection setup without reaching into backend internals.
  • Selected-upstream metadata now also has public accessors for aliases,
    persistence outcomes, managed affinity cookies, reporters, and permit
    presence, completing the native routing metadata bridge.
  • The metrics service now has a concrete native HTTP handler around the
    existing Prometheus response generator, giving the future native runner a
    direct handler for metrics HTTP.
  • Root native HTTP/1 proxy construction now applies root response-header policy
    and root compression config before cutover planning marks a root proxy as
    native-ready.
  • The native host router can now serve root-only proxy configs without
    [[vhosts]], so the future native runner can instantiate the same root
    proxy shape that the planner reports as native-ready.
  • Root static web can now be instantiated by the native host router without
    [[vhosts]], including the supported local-static memory cache mode. Root
    disk/rich cache modes remain explicit native cache blockers.
  • The native cutover planner now reports vhost fallback-only static-web, cache,
    and PHP-FPM blockers even when the vhost has no configured upstream proxy,
    matching the native host-router construction path.
  • The native cutover planner now also reports route fallback-only static-web,
    cache, and PHP-FPM candidates when a route has no upstream proxy, making
    route-level native blockers visible instead of folding them into the parent
    vhost or fallback proxy summary.
  • Native rate-limit delay mode now acquires vhost/route concurrency permits
    before sleeping, so delayed requests still count against configured
    concurrency budgets instead of occupying listener tasks outside those limits.
  • Native rate-limit table pruning is now bounded and incremental per shard,
    replacing whole-shard HashMap::retain sweeps in the request hot path with a
    small prune queue scan when a shard is full.
  • Native rate-limit sharding now hashes the full IPv4/IPv6 client address
    instead of using only the final address byte, reducing attacker-controlled
    hot-shard concentration when many trusted forwarded identities are present.
  • Native rate-limit shard selection now uses a per-process random FNV seed and
    routes indeterminate-client buckets through that seeded hash path instead of
    pinning them to shard zero.
  • Native rate-limit token refill and expiry pruning now use saturating
    Instant arithmetic, avoiding panic surfaces if a bucket timestamp is ever
    observed ahead of the current sample.
  • Native static-web filesystem path resolution now rejects residual
    percent-encoding after the initial decode pass, avoiding ambiguous
    double-encoded traversal forms on fallback static serving.
  • The native metrics handler can now require a bearer token and compares that
    token using the sanitization crate's constant-time equality. The current compatibility
    metrics listener still relies on listener binding and network ACLs until the
    final native runner cutover wires token configuration into service creation.
  • Documentation now states that native rate-limit delay mode intentionally
    holds vhost/route concurrency permits while sleeping, keeping delayed tasks
    inside the configured concurrency budget instead of allowing unbounded
    sleepers outside the cap.
  • Updated sanitization to 1.2.2 and base64-ng to 1.2.3 across the root,
    server, TLS, and load-balancer crates.
  • The remaining normal-profile Pingora dependency exception target is now
    aligned with the roadmap: 1.6.31 is the cache/PHP adapter release, and 1.6.32
    remains the final Pingora-free proof release.
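
The residual-encoding rejection described for native static-web path resolution above, as an added example that is not Fluxheim's code: one decode pass, then refusal of any path that would decode further, combined with the dot-segment, hidden-path, backslash and control-byte checks the notes list for PHP paths. All names here, and the exact rule for "residual" (a % still followed by two hex digits), are assumptions of this example.

```rust
// Added example; names, error variants and the "residual" rule are assumptions.
#[derive(Debug, PartialEq)]
pub enum PathError {
    NotAbsolute, BadEscape, ResidualEncoding, ControlByte,
    Backslash, NotUtf8, DotSegment, HiddenSegment,
}

fn hex_val(b: u8) -> Option<u8> {
    (b as char).to_digit(16).map(|d| d as u8)
}

/// Exactly one percent-decoding pass; malformed escapes are errors, not literals.
fn decode_once(raw: &str) -> Result<Vec<u8>, PathError> {
    let bytes = raw.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hi = bytes.get(i + 1).copied().and_then(hex_val).ok_or(PathError::BadEscape)?;
            let lo = bytes.get(i + 2).copied().and_then(hex_val).ok_or(PathError::BadEscape)?;
            out.push((hi << 4) | lo);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    Ok(out)
}

/// Validate a request path before it is joined to a static root.
pub fn resolve_static_path(raw: &str) -> Result<String, PathError> {
    if !raw.starts_with('/') {
        return Err(PathError::NotAbsolute);
    }
    let decoded = decode_once(raw)?;
    // A second decode would change the path, so the form is ambiguous: reject it.
    let residual = decoded
        .windows(3)
        .any(|w| w[0] == b'%' && hex_val(w[1]).is_some() && hex_val(w[2]).is_some());
    if residual {
        return Err(PathError::ResidualEncoding);
    }
    if decoded.iter().any(|b| b.is_ascii_control()) {
        return Err(PathError::ControlByte);
    }
    if decoded.contains(&b'\\') {
        return Err(PathError::Backslash);
    }
    let text = String::from_utf8(decoded).map_err(|_| PathError::NotUtf8)?;
    for segment in text.split('/') {
        if segment == "." || segment == ".." {
            return Err(PathError::DotSegment);
        }
        if segment.starts_with('.') {
            return Err(PathError::HiddenSegment);
        }
    }
    Ok(text)
}

fn main() {
    // Constructed sample request paths.
    for raw in &["/assets/app.css", "/a/%2e%2e/private", "/a/%252e%252e/private", "/100%25.txt"] {
        println!("{:?} -> {:?}", raw, resolve_static_path(raw));
    }
}
```

A literal percent sign in a file name still passes (/100%25.txt resolves to /100%.txt), because after one decode the % is not followed by two hex digits.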

Test Notes

  • Added server-plan tests for root cache, vhost cache, route cache, vhost
    PHP-FPM, and route PHP-FPM native cutover blockers.
  • Added route-proxy builder tests proving vhost/route cache and PHP-FPM
    policies are rejected directly until native adapters own those paths.
  • Added a live native HTTP/1 proxy test proving safe-method failover skips
    duplicate weighted upstream slots before trying the next unique backend.
  • Added live native static-web route and fallback tests for double-encoded
    traversal rejection.
  • Added native metrics handler tests for bearer-token rejection and acceptance.
  • Added standalone fluxheim-cache tests for cache-key construction,
    namespace/query/host normalization, and local-static file identity.
  • Added native HTTP/1 tests proving cache request policy helpers work through
    NativeHttp1Request for origin-form and absolute-form targets, duplicate
    headers, and range-policy rejection.
  • Added standalone fluxheim-php-fpm tests for plain PHP response parsing,
    unsafe header rejection, and response/header size limits, then re-ran the
    existing root parser compatibility tests with php-fpm enabled.
  • Added standalone fluxheim-php-fpm tests for FastCGI param value bounds,
    control-byte rejection, and deterministic HTTP header param-name mapping.
  • Added standalone and compatibility tests for PHP SERVER_NAME fallback
    behavior when the request host is unsafe.
  • Added standalone fluxheim-php-fpm tests for duplicate request-header
    joining, Proxy header blocking, joined-value caps, safe HTTP_HOST
    insertion, content-type selection, and runtime custom-param filtering.
  • Added standalone fluxheim-php-fpm tests for split-container script
    filename mapping and unsafe PATH_INFO rejection, plus the existing root
    compatibility test for PHP fpm_root mapping.
  • Added standalone fluxheim-php-fpm tests for direct script detection,
    front-controller fallback, PATH_INFO split mode, unsafe segment rejection,
    allowed-extension matching, and deny-prefix matching.
  • Added standalone fluxheim-php-fpm tests for static file script-name mapping
    and directory-index redirect decisions, plus existing root compatibility
    coverage for slashless PHP directory indexes.
  • Added standalone fluxheim-php-fpm tests for PHP static-offload path policy,
    plus root compatibility coverage for X-Accel-Redirect and X-Sendfile
    handling.
  • Added standalone fluxheim-php-fpm tests for X-Accel-Expires TTL parsing and
    restrictive origin cache-policy detection, plus existing root compatibility
    coverage for absolute-epoch parsing.
  • Added standalone fluxheim-php-fpm tests for PHP response-header strip lists
    and internal static-offload header names, plus existing root compatibility
    coverage for hidden response headers.
  • Added standalone fluxheim-php-fpm tests for PHP error-page/status
    interception decisions, plus existing root compatibility coverage for PHP
    custom error pages.
  • Extended PHP-FPM tests for extensionless static-offload rejection and invalid
    Connection token filtering.
  • Added PHP-FPM tests proving CONTENT_TYPE rejects control bytes and
    over-limit joined values without retaining the oversized joined result.
  • Updated standalone fluxheim-cache tests to assert the local-static key
    prefix is fluxheim-static-v1;.
  • Added live native route static-web tests proving the supported memory
    local-static cache returns MISS on the first request and HIT on a second
    request through the native listener.
  • Added live native vhost static-web tests proving memory local-static cache
    returns MISS/HIT through the native listener, plus cutover-plan coverage
    for the supported vhost static-cache shape.
  • Added native static-web memory-cache tests for conservative cache-entry
    weight accounting and expired/oldest-entry pruning behavior.
  • Added route-config tests proving static-web routes accept the supported
    memory local-static cache adapter.
  • Added native planning coverage proving static-web memory local-static cache
    routes do not block native HTTP/1 proxy cutover candidates.
  • Added standalone fluxheim-php-fpm tests for in-memory request-body replay,
    secure spool-file replay/cleanup, and combined FastCGI stdout/stderr response
    size accounting, while keeping root PHP compatibility tests green.
  • Added standalone and root compatibility tests proving PHP-FPM keep-alive pool
    labels remain stable after the pool move.
  • Added native upstream-client tests proving PROXY protocol v1 and v2 bytes are
    written before HTTP request bytes, plus a live native proxy listener test
    proving listener destination metadata reaches the upstream PROXY line.
  • Added native proxy config tests proving HTTP/1 upstream PROXY protocol is
    accepted, origin pooling is disabled for it, and HTTP/2 upstream
    combinations fail closed.
  • Added live native host-router tests proving exact Host dispatch, wildcard
    longest-suffix matching, unknown/missing Host fallback, and default-vhost
    config validation.
  • Added native runtime manifest tests proving blocked plans return explicit
    blockers and blocker-free multi-service plans expose proxy, admin, metrics,
    stream, UDP, ops-socket, and listener bindings.
  • Added native metrics-handler tests proving the Prometheus text response is
    served through the NativeHttp1Handler boundary and a live native HTTP/1
    listener.
  • Added native metrics-handler tests proving only GET/HEAD /metrics is
    served, with HEAD returning the Prometheus content length without a body.
  • Added native root-proxy tests proving root response headers are stripped,
    set, and appended through the root config constructor, plus planner coverage
    for non-default root response headers.
  • Added native host-router tests proving root-only proxy configs are served
    without vhosts and truly empty configs still fail closed.
  • Added root static-web native host-router coverage plus planner tests proving
    supported root local-static memory cache is native-ready and unsupported root
    disk cache still fails closed as a cache blocker. The root static-web
    host-router test also proves the native memory cache returns MISS then
    HIT through a live listener.
  • Added native cutover planner tests for vhost fallback-only static web,
    unsupported static-web disk cache, and PHP-FPM so policy blockers remain
    visible without an upstream proxy candidate.
  • Added a live native admin listener test proving the authenticated health
    endpoint is served correctly through the native HTTP/1 listener.
  • Startup now logs a native runtime manifest preview for blocker-free plans,
    showing the Fluxheim-owned service/listener/background-task graph while the
    compatibility runtime remains active.
  • The native runtime cutover evidence report now includes manifest service and
    background-task rows, so CI archives the exact native service graph that the
    final runner will consume.
  • Added launch-plan validation tests proving duplicate TCP listener binds keep
    the native target adapter disabled, while TCP and UDP listeners on the same
    address remain valid because they use distinct kernel transports.
  • Added cutover-report coverage for native launch-plan error rows, including
    duplicate listener binds.
  • Added native launch-policy TSV coverage for representative HTTP/1 and HTTP/2
    hardening values.
  • Added feature-gated native request-view tests proving URI keys, repeated
    header values, and Cookie headers are exposed to fluxheim-load-balancer.
  • Added a feature-gated native server test proving NativeHttp1Request drives
    real load-balancer header-hash selection through the shared request-view
    boundary.
  • Updated load-balancer selection tests to exercise the new public
    selected-upstream metadata accessors.
  • Re-ran targeted tests for native HTTP/1 client encoding, load-balancer
    persistence constant-time comparisons, and TLS secret handling after the
    dependency refresh.
  • Re-ran the native runtime cutover evidence gate and the Pingora dependency
    policy gate against the 1.6.31 planning state.
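
The upstream PROXY protocol behaviour covered by the notes above, as an added example rather than Fluxheim's own frame builders: v1 and v2 headers built from the effective client identity, with source port 0 when that identity came from a forwarded header, written ahead of the HTTP request bytes. ClientIdentity, proxy_v1, proxy_v2 and write_preamble_then_request are hypothetical names, and the addresses are constructed documentation-range samples.

```rust
use std::io::{self, Write};
use std::net::{IpAddr, SocketAddr};

// Added example; every name here is hypothetical, not Fluxheim's API.
pub enum ClientIdentity {
    DirectPeer(SocketAddr), // direct TCP peer: address and port both known
    Forwarded(IpAddr),      // from a trusted forwarded header: port unknown
}

impl ClientIdentity {
    /// Source endpoint for the PROXY header; forwarded identities get port 0.
    fn source(&self) -> SocketAddr {
        match *self {
            ClientIdentity::DirectPeer(peer) => peer,
            ClientIdentity::Forwarded(ip) => SocketAddr::new(ip, 0),
        }
    }
}

/// Fixed 12-byte PROXY protocol v2 signature.
pub const V2_SIGNATURE: [u8; 12] = *b"\r\n\r\n\0\r\nQUIT\n";

/// PROXY v1 text line, or None when source and destination families differ.
pub fn proxy_v1(client: &ClientIdentity, local: SocketAddr) -> Option<Vec<u8>> {
    let src = client.source();
    let family = match (src.ip(), local.ip()) {
        (IpAddr::V4(_), IpAddr::V4(_)) => "TCP4",
        (IpAddr::V6(_), IpAddr::V6(_)) => "TCP6",
        _ => return None,
    };
    let line = format!("PROXY {} {} {} {} {}\r\n", family, src.ip(), local.ip(), src.port(), local.port());
    Some(line.into_bytes())
}

/// PROXY v2 binary header (version 2, command PROXY, TCP over IPv4 or IPv6).
pub fn proxy_v2(client: &ClientIdentity, local: SocketAddr) -> Option<Vec<u8>> {
    let src = client.source();
    let mut out = V2_SIGNATURE.to_vec();
    out.push(0x21); // high nibble: version 2, low nibble: PROXY command
    match (src.ip(), local.ip()) {
        (IpAddr::V4(s), IpAddr::V4(d)) => {
            out.push(0x11); // AF_INET, STREAM
            out.extend_from_slice(&12u16.to_be_bytes()); // 4 + 4 + 2 + 2
            out.extend_from_slice(&s.octets());
            out.extend_from_slice(&d.octets());
        }
        (IpAddr::V6(s), IpAddr::V6(d)) => {
            out.push(0x21); // AF_INET6, STREAM
            out.extend_from_slice(&36u16.to_be_bytes()); // 16 + 16 + 2 + 2
            out.extend_from_slice(&s.octets());
            out.extend_from_slice(&d.octets());
        }
        _ => return None,
    }
    out.extend_from_slice(&src.port().to_be_bytes());
    out.extend_from_slice(&local.port().to_be_bytes());
    Some(out)
}

/// Write the PROXY header first, then the request bytes, on one connection.
pub fn write_preamble_then_request<W: Write>(conn: &mut W, header: &[u8], request: &[u8]) -> io::Result<()> {
    conn.write_all(header)?;
    conn.write_all(request)?;
    conn.flush()
}

fn main() {
    // Constructed sample addresses from documentation ranges.
    let local: SocketAddr = "192.0.2.10:8443".parse().unwrap();
    let client = ClientIdentity::Forwarded("203.0.113.7".parse().unwrap());
    let mut wire: Vec<u8> = Vec::new();
    let header = proxy_v1(&client, local).expect("same address family");
    write_preamble_then_request(&mut wire, &header, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n").unwrap();
    print!("{}", String::from_utf8_lossy(&wire));
}
```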

Checksums And Signatures

  • Commit: 1f6674226276f9b0fb3b93014e4dc3ca70bc5fe2
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4