Skip to content

Fluxheim 1.6.5

Choose a tag to compare

View all tags
@eldryoth eldryoth released this 16 Jun 09:29
· 282 commits to main since this release
Immutable release. Only release title and notes can be modified.
v1.6.5
This tag was signed with the committer’s verified signature.
eldryoth
SSH Key Fingerprint: EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Verified
Learn about vigilant mode.
9136a93
This commit was signed with the committer’s verified signature.
eldryoth
SSH Key Fingerprint: EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Verified
Learn about vigilant mode.

Fluxheim 1.6.5 Release Notes

Fluxheim 1.6.5 continues the Pingora-exit line with the first dedicated
header-policy crate boundary. Runtime behavior is intended to remain unchanged:
the root proxy module still applies Pingora request/response headers, while
pure header rewrite and forwarded-client-IP helpers now live in
fluxheim-headers.

Changed

  • Added the internal fluxheim-headers crate for header-policy helpers that do
    not need Pingora session or header types.
  • Moved response Location, Refresh, and Set-Cookie rewrite algorithms
    into fluxheim-headers.
  • Moved spoofable client-IP header constants, default server header policy,
    trusted X-Forwarded-For client-IP restoration, and Forwarded header value
    construction into fluxheim-headers.
  • Kept the root headers module as the Pingora request/response adapter for
    now, so proxy runtime behavior and public configuration stay unchanged.
  • Moved stream downstream PROXY protocol v1/v2 byte parsers and size constants
    into fluxheim-protocol. The stream crate now keeps only trusted-peer
    checks, timed reads, and runtime error conversion around those pure parsers.
  • Added a release-gated Pingora HTTP/error boundary policy that blocks new
    direct pingora::http, pingora::Error, and pingora::ErrorType usage
    outside documented adapter files.
  • Moved upstream hop-by-hop request header policy calculation into
    fluxheim-headers; the root headers module now only applies the resulting
    plan to Pingora request headers.
  • Moved repeated-header value joining for traffic-mirror forwarding into
    fluxheim-headers; the mirror module still owns request access and
    background I/O.
  • Moved repeated-header value joining for auth subrequest forwarding into the
    same fluxheim-headers helper, including the cookie-specific separator rule.
  • Made the new fluxheim-headers privacy-sensitive client-IP helpers,
    including X-Forwarded-For IP parsing, obey the workspace privacy-mode
    feature at the crate boundary.
  • Hardened PROXY-protocol trusted-source parsing by rejecting CIDR prefixes
    wider than the address family allows.
  • Aligned access-policy and header-forwarding X-Forwarded-For parsing so both
    skip malformed hops and continue walking the trusted chain.
  • Broadened the Pingora boundary policy gate to track all direct pingora::
    namespace use through documented adapter exceptions.

Validation

  • Added direct fluxheim-headers unit coverage for header-prefix rewrites,
    refresh URL rewrites, cookie Domain/Path rewrites, forwarded-header parsing,
    trusted client-IP restoration, and Forwarded header construction.
  • Added direct fluxheim-protocol unit coverage for downstream PROXY protocol
    v1/v2 parsing while preserving the existing stream crate parser tests through
    the new boundary.
  • Preserved the existing root proxy header-policy tests across the new crate
    boundary.
  • Added scripts/validate-pingora-boundary-policy.sh and
    docs/pingora-http-error-boundary-exceptions.tsv to keep the remaining
    Pingora HTTP/error bridge surface explicit during the 1.6.x removal line.
  • Added direct fluxheim-headers unit coverage for hop-by-hop request header
    policy extraction and chunked body framing preservation.
  • Added direct fluxheim-headers unit coverage for repeated-header forwarding
    value joining.
  • Added PROXY-protocol parser coverage for invalid IPv4/IPv6 CIDR prefix
    lengths.

Checksums And Signatures

  • Commit: 9136a93ec9507c9b7314e16d17920889bf9ea423
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Source archive checksums:
    • dcb8058382b5f28bc04a6457a4c9defea20ee79526ae6af7eef7416511aa446b fluxheim-1.6.5.tar.gz
    • 4d1067e6852bc8a7144e874644d7dd4215fdb899ece2a376ee276ab807dc2ee5 fluxheim-1.6.5.zip
  • Binary checksums:
    • x86_64:
      • 3e1606826d2ea56db5a9da83fa73bab2543c8956fd3b8ec7696979d61aff5b76 fluxheim-1.6.5-full-x86_64-linux.tar.gz
      • 1a8b3271bb5a1fbde8efd5dad217f37d4d16469e13b2d213447ebab94f0e222d fluxheim-1.6.5-cache-x86_64-linux.tar.gz
      • 1b4b4de66bebab0cc4c6c60a12dc1cfe820cd6a8db15b89340c1d7bbd7ce05e1 fluxheim-1.6.5-proxy-x86_64-linux.tar.gz
      • a688c36c227b3c5b53878d1a55e89aadad3493f2f143d235ca7a785f30761963 fluxheim-1.6.5-php-x86_64-linux.tar.gz
      • 9ce76167658e80d1074c7bc77bb83cb29e66767650b4900e6339bcff47fe8e77 fluxheim-1.6.5-load-balancer-x86_64-linux.tar.gz
      • cc2e29c6096fc07fb446cdd132a8fdd7ef716a43566afef63efe7b6847752d4d fluxheim-1.6.5-config-tester-x86_64-linux.tar.gz
    • aarch64:
      • 0f1bacccf43751dff7cd582c9a269ddc8ac07b16b46a11bfc4d42abeec17e795 fluxheim-1.6.5-full-aarch64-linux.tar.gz
      • 0f92a0132b66e210beea35807c710dc6b30b10a0ebb1277d1e5873b5a385d5d4 fluxheim-1.6.5-cache-aarch64-linux.tar.gz
      • a259fda8f86901f31480c1f73922a13a6864c442425e8ddcf19f99a5274e76ab fluxheim-1.6.5-proxy-aarch64-linux.tar.gz
      • 87e1ea8c634c062c35ee26ba84e7648b67bbf3bd395c4d8886a66a329d9be75c fluxheim-1.6.5-php-aarch64-linux.tar.gz
      • c8b1a699baaf9aaa5873acf4a9efdf4eeb00016bc207914eb8248489a1093e58 fluxheim-1.6.5-load-balancer-aarch64-linux.tar.gz
      • 48b57f3cb2d35d92e61d70d7cdcc4f6f6158d4b8260dff4eedf8ffe40eec44be fluxheim-1.6.5-config-tester-aarch64-linux.tar.gz
    • macos:
      • 840a8e4a99702884dd7ba5bcf9d6325e79548d42e2091d52c2a67926a16daeec fluxheim-1.6.5-dev-aarch64-macos.tar.gz
  • SBOM checksums:
    • d304281b1b3baea61a5dcfcf61b880f5f9f4c5b45f8d5638364a6a0b151f5174 fluxheim.spdx.json
    • 1e6ffe36d96727dadc25f6841bad3ddb065aa34542e830cefd71845d262043e2 fluxheim.cyclonedx.json
  • Reproducible build:
    • 65810cd135db2489a55976ede5a6b480a2847ade5865310846134f5344c9c5a7 x86_64
    • 641096fd8d4b88db4c022e4813f2f88d5f0f6fb3e1bc772b4b435d7411791e3b aarch64
    • 5ff028ca238a8e4621f041c68d199a8dff27063666186b133996ebfcc462683c macos
  • Full Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:a3ebfc44b54103658b4ca6d80d389a0caac8e45536c10e4d593d5f4c1313049b
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:0862bcba4842cfde4b82898ff580f3e416c2c12a9ad102e0bdf0aae0a313b333
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:7af2537ba9641f61bcfa5ba33c793c64fdaddd73d9a56aab41b4d6c4a814029e
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:40bf7d29ff6402743f1248ee3140310dab63699e5bf5990f613b996c6639339c
  • Cache Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:8f4af776093a973e28021f5f6ed139c52178a7a942fdb988057c97a04e641db8
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:61cd505d1a268b38a141166a925bc13e04a736be5cbab9f034e7eee8cfd914e4
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:3569ddaae32381ca5dab0a644e490d3bdfe77120bf740f803fe1a211e6415ec5
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:358b8be4d7a075a539fc4500c78a9420d52b80a137b423861dc43eef6fae3ded
  • Proxy Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:19078e5c1862e132608afc7d9b8ba77c1875fb3e4a0bb18b323a3ea63c5b476a
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:450847338873b2b641a28925b5cbe63c66fbfad8a7649b4cb5c14e32f6da4aee
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:536b1b6fc0752299cdd0896027be2810c97ac00f6bf1f589c20df690f5b71179
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:127cafcd30811de55c66362c2d6b4e7bd9736934c96ec1c3928b3ec0c711bea6
  • PHP Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:8af62cabf7843b032f997a719accacf0e33dbef246bdd364635ee4e5ffde2886
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:ecaada8770b0b7160f4681409890caec2ef64b61486706600bf71a1c16e21301
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:19f21623b5f9024c5fad9e0d7475aee7e484dcca640223acb5e07066fe230e6d
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:5358f087388b9e969df725c38d2dd1a1d46db70b2c969054f411044f91b0194d
  • Load Balancer Build Container digests:
    • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:8de1e0177d0026ce49ea823d1758a9dc93e6dbd45a724fd2d00e9ab0b9a3d5e2
    • Alpine: ghcr.io/valkyoth/fluxheim@sha256:5730bdc13c247f911339a939060718ec0c9e9cca6b6ef91e25b991dd6847fc59
    • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:41737bc26b3e6fb3d66a77aed29fbebf30d70f9b6a5408d328ee353b0b52511f
    • Debian: ghcr.io/valkyoth/fluxheim@sha256:64259ded007b81fbe8c61861d4630dda09974befe742c09ba440319b33a82735
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Assets 16
Loading
0 Join discussion