Skip to content

Commit 49f4f7d

Browse files
committed
Prepare Fluxheim 1.1.0 release
1 parent bb6d660 commit 49f4f7d

49 files changed

Lines changed: 6971 additions & 262 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/ci.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -54,6 +54,7 @@ jobs:
5454
run: |
5555
scripts/validate-features.sh default
5656
scripts/validate-features.sh profile-core
57+
scripts/validate-features.sh profile-core,acme-client
5758
scripts/validate-features.sh profile-load-balancer
5859
scripts/validate-features.sh profile-privacy
5960
if scripts/validate-features.sh profile-privacy,metrics; then
@@ -75,6 +76,7 @@ jobs:
7576
- name: Validate panic policy on feature profiles
7677
run: |
7778
cargo clippy --no-default-features --features proxy,tls-rustls,acme --all-targets -- -D warnings
79+
cargo clippy --no-default-features --features proxy,tls-rustls,acme-client --all-targets -- -D warnings
7880
cargo clippy --no-default-features --features proxy,web,tls-rustls,privacy-mode --all-targets -- -D warnings
7981
cargo clippy --no-default-features --features web --all-targets -- -D warnings
8082
@@ -98,6 +100,7 @@ jobs:
98100
cargo test --no-default-features --features cache
99101
cargo test --no-default-features --features web
100102
cargo test --no-default-features --features profile-core
103+
cargo check --no-default-features --features profile-core,acme-client
101104
cargo check --no-default-features --features profile-static-site
102105
cargo check --no-default-features --features profile-reverse-proxy
103106
cargo check --no-default-features --features profile-cache-server
@@ -106,6 +109,7 @@ jobs:
106109
cargo check --no-default-features --features profile-privacy
107110
cargo test --no-default-features --features proxy,metrics
108111
cargo test --no-default-features --features proxy,tls-rustls,acme
112+
cargo test --no-default-features --features proxy,tls-rustls,acme-client
109113
cargo test --no-default-features --features proxy,web,tls-rustls,privacy-mode
110114
cargo check --no-default-features --features proxy,tls-rustls
111115
@@ -114,6 +118,10 @@ jobs:
114118
cargo run --quiet -- --check-config --config examples/fluxheim.toml
115119
cargo run --quiet -- --check-config --config examples/admin.toml
116120
cargo run --quiet -- --check-config --config examples/vhosts.toml
121+
cargo run --quiet -- --check-config --config examples/acme-http-01.toml
122+
cargo run --quiet -- --check-config --config examples/acme-actalis.toml
123+
cargo run --quiet -- --check-config --config examples/tls-modern.toml
124+
cargo run --quiet -- --check-config --config examples/tls-intermediate.toml
117125
cargo run --quiet -- --check-config --config examples/privacy.toml
118126
cargo run --quiet -- --check-config --config examples/container/fluxheim.toml
119127
cargo run --quiet -- --check-config --config examples/conf.d

.github/workflows/images.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ on:
1010
features:
1111
description: Fluxheim Cargo feature set.
1212
required: true
13-
default: default
13+
default: profile-core,acme-client
1414
config:
1515
description: Config file copied into /etc/fluxheim/fluxheim.toml.
1616
required: true
@@ -127,7 +127,7 @@ jobs:
127127
platforms: ${{ inputs.platforms || 'linux/amd64' }}
128128
push: true
129129
build-args: |
130-
FLUXHEIM_FEATURES=${{ inputs.features || 'default' }}
130+
FLUXHEIM_FEATURES=${{ inputs.features || 'profile-core,acme-client' }}
131131
FLUXHEIM_CONFIG=${{ inputs.config || 'packaging/default/fluxheim.toml' }}
132132
FLUXHEIM_RUNTIME_UID=${{ inputs.runtime_uid || '65532' }}
133133
FLUXHEIM_RUNTIME_GID=${{ inputs.runtime_gid || '65532' }}

CHANGELOG.md

Lines changed: 51 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,55 @@ behavior when the change improves security or project direction.
99

1010
## Unreleased
1111

12+
## 1.1.0 - TLS Policy And Certificate Operations
13+
14+
Released: pending
15+
16+
### Added
17+
18+
- ACME-managed vhost certificate sources now derive safe on-disk certificate
19+
paths and can satisfy the TLS listener fallback certificate requirement when
20+
configured on `server.default_vhost`.
21+
- HTTP-01 challenge requests for ACME-managed vhosts can be served locally from
22+
the managed ACME storage directory when `tls.acme.challenge = "http-01"`.
23+
- TLS-ALPN-01 challenge certificates can now be generated and served by the
24+
rustls downstream listener when `tls.acme.challenge = "tls-alpn-01"`.
25+
- ACME EAB secret sources can now be loaded through a bounded, redacted,
26+
zeroized helper for the runtime issuer client.
27+
- ACME-managed certificate files can now be installed through a guarded helper
28+
that validates PEM shape, writes temporary files, rejects symlinked targets,
29+
and preserves previous files on validation or staging failures.
30+
- ACME HTTP-01 challenge files can now be installed and removed through the
31+
managed challenge store with token/value validation and symlink checks.
32+
- ACME account credentials are now stored under safe issuer-derived paths with
33+
bounded JSON loading, owner-only writes on Unix, and symlink rejection.
34+
- `acme-client` adds live `instant-acme` account bootstrap plus HTTP-01 and
35+
rustls TLS-ALPN-01 order/finalize support behind an explicit feature gate.
36+
- Google Trust Services production and staging are now built-in ACME issuers,
37+
with separate default EAB environment variables for each environment.
38+
- Managed ACME certificate expiry is now observed from bounded, symlink-safe PEM
39+
reads so Fluxheim can distinguish missing, due, and not-yet-due certificates.
40+
- `fluxheim acme-renew` runs due-only renewal once, while
41+
`fluxheim acme-renew --all` forces every configured ACME vhost.
42+
- Builds with `acme-client` now register a background ACME renewal service for
43+
configured ACME vhosts. It renews missing or due certificates on the
44+
configured check interval and refreshes reloadable downstream SNI certificate
45+
objects after successful renewal.
46+
- Downstream TLS listeners now have explicit policy config for named profiles,
47+
minimum protocol version, ALPN selection, curve preferences, and cipher suite
48+
allow-lists. `modern` now means TLS 1.3-only, while the default
49+
`intermediate` profile preserves the 1.0 TLS 1.2+ / HTTP/1.1+HTTP/2
50+
compatibility baseline with explicit AEAD ECDHE cipher policy.
51+
- Response HSTS can now be configured as structured policy with `max_age_secs`,
52+
`include_subdomains`, and `preload` instead of requiring a raw header string.
53+
54+
### Changed
55+
56+
- `1.1.0` is now scoped as TLS policy and ACME certificate operations so normal
57+
production deployments can avoid external certificate copy scripts.
58+
- Advanced provider-specific and zero-downtime certificate automation moved to
59+
a later certificate milestone.
60+
1261
## 1.0.0 - Gateway Foundation
1362

1463
Released: 2026-05-08
@@ -104,8 +153,8 @@ Released: 2026-05-06
104153
`latest-alpine`.
105154
- Roadmap now tracks a future declarative redirect and rewrite engine with
106155
match-action routing, loop detection, and safe URL handling.
107-
- Release ladder now focuses `1.1` on TLS policy hardening before operational
108-
and load-balancing modules graduate.
156+
- Release ladder now focuses `1.1` on TLS policy and ACME certificate
157+
operations before operational and load-balancing modules graduate.
109158
- Process runtime paths now default to `/run/fluxheim` instead of predictable
110159
files directly under `/tmp`.
111160
- Examples now prefer `upstreams = [...]`; the single `upstream` field remains

0 commit comments

Comments
 (0)