Fluxheim 1.6.6

eldryoth released this 16 Jun 12:51
v1.6.6
aa51615

Fluxheim 1.6.6 Release Notes

Fluxheim 1.6.6 continues the 1.6 Pingora-exit line by extracting downstream TLS listener planning and TLS provider policy into a focused fluxheim-tls workspace crate.

Changed

  • Added fluxheim-tls as the owner for downstream TLS listener plans, SNI certificate selection, wildcard matching, ALPN/cipher policy helpers, and rustls/OpenSSL provider/FIPS checks.
  • Updated the runtime TLS listener adapter to consume fluxheim-tls plans while the current Pingora listener path remains the compatibility adapter for this release.
  • Reduced duplicated SNI/certificate-selection logic in the root TLS module by delegating the selector to fluxheim-tls.
  • Updated the Pingora dependency policy to keep pingora-rustls until the native server/listener cutover, since 1.6.6 extracts planning but does not yet replace the active listener adapter.

Security And Hardening

  • Fixed fluxheim-tls feature gates so default and OpenSSL-only builds no longer try to re-export rustls-only policy/provider helpers.
  • Hardened downstream SNI certificate lookup to fall back to the default certificate instead of indexing directly if a future selector refactor violates the internal index invariant.
  • Moved PROXY protocol v2 signature validation into the public parser instead of relying on every caller to perform the precondition.
  • Rejected non-canonical trusted PROXY protocol CIDR entries with host bits set, keeping trusted-source configuration explicit.
  • Documented that fluxheim-tls must remain Pingora-free in the boundary-policy exceptions file.
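
The two PROXY protocol items above, sketched in Rust as an added example (not Fluxheim's code): a parser that checks the v2 signature itself rather than leaving it to callers, and a trusted-source CIDR check that refuses entries with host bits set. The function names, error types and sample inputs are assumptions made for illustration.

```rust
use std::net::IpAddr;

/// 12-byte PROXY protocol v2 signature defined by the HAProxy specification.
const V2_SIG: [u8; 12] = *b"\r\n\r\n\0\r\nQUIT\n";

#[derive(Debug, PartialEq)]
enum ProxyError { Truncated, BadSignature, BadVersion }

#[derive(Debug, PartialEq)]
enum CidrError { Syntax, PrefixTooLong, HostBitsSet }

/// Hypothetical parser entry point: it validates the signature itself, so no
/// caller can skip the check. Returns (command, family/protocol, payload length).
fn parse_v2_header(buf: &[u8]) -> Result<(u8, u8, usize), ProxyError> {
    if buf.len() < 16 { return Err(ProxyError::Truncated); }
    if !buf.starts_with(&V2_SIG) { return Err(ProxyError::BadSignature); }
    if buf[12] >> 4 != 2 { return Err(ProxyError::BadVersion); }
    let len = u16::from_be_bytes([buf[14], buf[15]]) as usize;
    Ok((buf[12] & 0x0f, buf[13], len))
}

/// Hypothetical config check: accept a trusted-source CIDR only when every
/// bit to the right of the prefix is zero (10.0.0.0/8 yes, 10.0.0.1/8 no).
fn parse_trusted_cidr(s: &str) -> Result<(IpAddr, u8), CidrError> {
    let (addr, prefix) = s.split_once('/').ok_or(CidrError::Syntax)?;
    let addr: IpAddr = addr.parse().map_err(|_| CidrError::Syntax)?;
    let prefix: u8 = prefix.parse().map_err(|_| CidrError::Syntax)?;
    let (bits, width) = match addr {
        IpAddr::V4(a) => (u128::from(u32::from(a)), 32u8),
        IpAddr::V6(a) => (u128::from(a), 128u8),
    };
    if prefix > width { return Err(CidrError::PrefixTooLong); }
    // Mask of host bits; a shift by 128 (prefix 0 on IPv6) means "all bits".
    let host_mask = 1u128.checked_shl(u32::from(width - prefix)).map_or(u128::MAX, |v| v - 1);
    if bits & host_mask != 0 { return Err(CidrError::HostBitsSet); }
    Ok((addr, prefix))
}

fn main() {
    // Constructed header: signature, version 2 + PROXY command, TCP/IPv4, 12-byte address block.
    let mut hdr = V2_SIG.to_vec();
    hdr.extend_from_slice(&[0x21, 0x11, 0x00, 0x0c]);
    println!("{:?}", parse_v2_header(&hdr));
    println!("{:?}", parse_v2_header(b"GET / HTTP/1.1\r\n\r\n"));
    for entry in ["10.0.0.0/8", "10.0.0.1/8", "2001:db8::/32"] {
        println!("{entry}: {:?}", parse_trusted_cidr(entry));
    }
}
```

Rejecting `10.0.0.1/8` instead of silently masking it to `10.0.0.0/8` forces the operator to write the network they actually mean to trust, which is the point of keeping trusted-source configuration explicit.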

Verification

  • cargo test -p fluxheim-tls --features acme,tls-rustls
  • RUSTFLAGS='-D warnings' cargo check --workspace
  • Focused runtime TLS tests for ACME ALPN and SNI certificate reload behavior.
  • scripts/stable_release_gate.sh release

Checksums And Signatures

  • Commit: aa51615db54061e6d8a050a448a98246595c5ecb
  • Local gate: GitHub CI green before tag; local release metadata checks passed
  • CodeQL/code scanning: no open release-blocking alerts before tag
  • Tag signature:
    • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4