Skip to content

Commit 7f0f897

Browse files
committed
Harden runtime admission and persistent cache
1 parent cae9781 commit 7f0f897

47 files changed

Lines changed: 1301 additions & 394 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/ci.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -23,15 +23,15 @@ jobs:
2323

2424
steps:
2525
- name: Checkout repository
26-
uses: actions/checkout@v7.0.0
26+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2727

2828
- name: Install Rust toolchain
2929
run: rustup show
3030

3131
- name: Install security tools
3232
run: |
33-
cargo install --locked cargo-deny
34-
cargo install --locked cargo-audit
33+
cargo install --locked cargo-deny --version 0.20.2
34+
cargo install --locked cargo-audit --version 0.22.2
3535
3636
- name: Install SBOM tool
3737
run: cargo install --locked cargo-sbom --version 0.10.0
@@ -232,7 +232,7 @@ jobs:
232232

233233
steps:
234234
- name: Checkout repository
235-
uses: actions/checkout@v7.0.0
235+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
236236

237237
- name: Install Rust toolchain
238238
run: rustup show

.github/workflows/images.yml

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -120,35 +120,35 @@ jobs:
120120
121121
- name: Checkout repository
122122
if: ${{ steps.profile.outputs.build == 'true' }}
123-
uses: actions/checkout@v7.0.0
123+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
124124

125125
- name: Set up QEMU
126126
if: ${{ steps.profile.outputs.build == 'true' }}
127-
uses: docker/setup-qemu-action@v4.2.0
127+
uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # v4.2.0
128128

129129
- name: Set up Buildx
130130
if: ${{ steps.profile.outputs.build == 'true' }}
131-
uses: docker/setup-buildx-action@v4.2.0
131+
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
132132

133133
- name: Log in to GitHub Container Registry
134134
if: ${{ steps.profile.outputs.build == 'true' }}
135-
uses: docker/login-action@v4.4.0
135+
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
136136
with:
137137
registry: ghcr.io
138138
username: ${{ github.actor }}
139139
password: ${{ secrets.GITHUB_TOKEN }}
140140

141141
- name: Log in to Docker Hub
142142
if: ${{ steps.profile.outputs.build == 'true' && env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
143-
uses: docker/login-action@v4.4.0
143+
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
144144
with:
145145
registry: docker.io
146146
username: ${{ env.DOCKERHUB_USERNAME }}
147147
password: ${{ env.DOCKERHUB_TOKEN }}
148148

149149
- name: Log in to Quay
150150
if: ${{ steps.profile.outputs.build == 'true' && env.QUAY_USERNAME != '' && env.QUAY_TOKEN != '' }}
151-
uses: docker/login-action@v4.4.0
151+
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
152152
with:
153153
registry: quay.io
154154
username: ${{ env.QUAY_USERNAME }}
@@ -301,7 +301,7 @@ jobs:
301301
302302
- name: Build and publish image
303303
if: ${{ steps.profile.outputs.build == 'true' }}
304-
uses: docker/build-push-action@v7.3.0
304+
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
305305
with:
306306
context: .
307307
file: containers/Containerfile.${{ matrix.variant }}
@@ -337,14 +337,14 @@ jobs:
337337

338338
steps:
339339
- name: Checkout repository
340-
uses: actions/checkout@v7.0.0
340+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
341341

342342
- name: Set up Buildx
343-
uses: docker/setup-buildx-action@v4.2.0
343+
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
344344

345345
- name: Log in to Quay
346346
if: ${{ env.QUAY_USERNAME != '' && env.QUAY_TOKEN != '' }}
347-
uses: docker/login-action@v4.4.0
347+
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
348348
with:
349349
registry: quay.io
350350
username: ${{ env.QUAY_USERNAME }}
@@ -366,7 +366,7 @@ jobs:
366366
367367
- name: Build and publish dev-wolfi
368368
if: ${{ env.QUAY_USERNAME != '' && env.QUAY_TOKEN != '' }}
369-
uses: docker/build-push-action@v7.3.0
369+
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
370370
with:
371371
context: .
372372
file: containers/Containerfile.wolfi

CHANGELOG.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,22 @@ behavior when the change improves security or project direction.
4343
- Restrict `proxy-wasm-preview` manifests to `access-decision` and prevent the
4444
server from binding `fluxheim_policy_v1` phase capabilities into preview
4545
namespaces.
46+
- Enforce strict host routing in native HTTP/1 and HTTP/2, returning `400` for
47+
missing/invalid identity and `421` for unknown hosts.
48+
- Acquire bounded Wasm admission before blocking-work submission, honor
49+
`queue_limit`, and replace per-invocation watchdog threads with one epoch
50+
process-wide epoch ticker.
51+
- Add bounded pre-submission external-auth admission and preserve valid
52+
operator access during global invalid-credential throttling.
53+
- Bound persistent cache index/metadata parsing and keep decoded local cache
54+
encryption keys in `sanitization::SecretBytes<32>`.
55+
- Pin publishing actions, security-tool installs, and container base images to
56+
immutable reviewed versions and digests.
57+
58+
### Fixed
59+
60+
- Replace storage-bin request-path full-index rewrites and map-scanning LRU
61+
selection with a coalescing persistence worker and ordered eviction index.
4662

4763
## 1.7.6 - 2026-07-09
4864

Cargo.lock

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Containerfile

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
1-
ARG RUST_IMAGE=docker.io/library/rust:1.97.0-bookworm
2-
ARG RUNTIME_IMAGE=docker.io/library/debian:bookworm-slim
1+
ARG RUST_IMAGE=docker.io/library/rust:1.97.0-bookworm@sha256:7d0723df719e7f213b69dc7c8c595985c3f4b060cfbee4f7bc0e347a86fe3b6a
2+
ARG RUNTIME_IMAGE=docker.io/library/debian:bookworm-slim@sha256:60eac759739651111db372c07be67863818726f754804b8707c90979bda511df
33
ARG FLUXHEIM_CONFIG=packaging/container/fluxheim.toml
44

55
FROM ${RUST_IMAGE} AS builder

README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,7 @@ Fluxheim is licensed under the European Union Public Licence 1.2.
7373
| --- | --- | --- |
7474
| Proxy cache || Vhost and route-scoped cache policies. |
7575
| Memory cache || Bounded in-memory cache tier. |
76-
| Disk cache || Filesystem and storage-bin disk backends. |
76+
| Disk cache || Filesystem and storage-bin disk backends with ordered eviction and coalesced durable index writes. |
7777
| Tiered cache || Memory plus disk storage plans. |
7878
| Encrypted disk cache || Optional local-key and OpenBao transit encryption paths. |
7979
| Static-file cache || Optional local static-file caching. |
@@ -107,7 +107,7 @@ Fluxheim is licensed under the European Union Public Licence 1.2.
107107
| HTTP/2 origins || Upstream HTTP version controls and bounded HTTP/2 settings. |
108108
| gRPC pass-through || Route-scoped HTTP/2 gRPC policy; no transcoding. |
109109
| WebSocket / HTTP upgrade || `1.4.1`; explicit `proxy.websocket = true` on HTTP/1.1 upstream routes. |
110-
| External auth subrequests || `1.4.1`; `[proxy.auth_request]` with bounded header/body forwarding. |
110+
| External auth subrequests || `1.4.1`; `[proxy.auth_request]` with bounded header/body forwarding and pre-submission in-flight admission. |
111111
| Traffic mirroring || `1.4.1`; `traffic-mirror` feature with safe bodyless shadow requests. |
112112
| TCP stream proxying || Optional `stream-proxy` feature with Fluxheim-owned L4 TCP listener/data-path and upstream TLS connector boundaries, source IP/CIDR allow/deny policy, hostname-upstream DNS-rebinding guards, weighted upstream selection, drain/backup policy, bounded idle/lifetime/byte/connect controls, route-local PROXY protocol receive/send, and stream upstream TLS/mTLS controls. |
113113
| UDP/GSLB beta boundary | Limited | `1.5.16`; separate `[udp]` config namespace and `udp-proxy` feature gate with beta DNS-style request/response forwarding, bounded response waits, oversized-response drops, drop-log rate limiting, and syslog one-way forwarding. Public DNS reflector hardening, QUIC pass-through, game proxying, production UDP support, and generic UDP/GSLB platform behavior are not included yet. |

containers/Containerfile.alpine

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
1-
ARG RUST_IMAGE=docker.io/library/rust:1.97.0-alpine3.23
2-
ARG RUNTIME_IMAGE=docker.io/library/alpine:3.23
1+
ARG RUST_IMAGE=docker.io/library/rust:1.97.0-alpine3.23@sha256:ca0daf101eef0c8cd1e49dfc137154a220efb8c458c85a3eacacc7dfd5d9e04c
2+
ARG RUNTIME_IMAGE=docker.io/library/alpine:3.23@sha256:fd791d74b68913cbb027c6546007b3f0d3bc45125f797758156952bc2d6daf40
33
ARG FLUXHEIM_CONFIG=packaging/container/fluxheim.toml
44

55
FROM ${RUST_IMAGE} AS builder

containers/Containerfile.debian

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
1-
ARG RUST_IMAGE=docker.io/library/rust:1.97.0-bookworm
2-
ARG RUNTIME_IMAGE=docker.io/library/debian:trixie-slim
1+
ARG RUST_IMAGE=docker.io/library/rust:1.97.0-bookworm@sha256:7d0723df719e7f213b69dc7c8c595985c3f4b060cfbee4f7bc0e347a86fe3b6a
2+
ARG RUNTIME_IMAGE=docker.io/library/debian:trixie-slim@sha256:28de0877c2189802884ccd20f15ee41c203573bd87bb6b883f5f46362d24c5c2
33
ARG FLUXHEIM_CONFIG=packaging/container/fluxheim.toml
44

55
FROM ${RUST_IMAGE} AS builder

containers/Containerfile.suse-micro

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
1-
ARG RUST_IMAGE=docker.io/library/rust:1.97.0-alpine3.23
2-
ARG RUNTIME_IMAGE=registry.suse.com/suse/sl-micro/6.2/base-os-container:latest
1+
ARG RUST_IMAGE=docker.io/library/rust:1.97.0-alpine3.23@sha256:ca0daf101eef0c8cd1e49dfc137154a220efb8c458c85a3eacacc7dfd5d9e04c
2+
ARG RUNTIME_IMAGE=registry.suse.com/suse/sl-micro/6.2/base-os-container:latest@sha256:37a4d254c68e5ad6b923063def06eb2b0a6d8878dce0142b27869c0cee235539
33
ARG FLUXHEIM_CONFIG=packaging/container/fluxheim.toml
44

55
FROM ${RUST_IMAGE} AS builder

containers/Containerfile.wolfi

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
1-
ARG RUST_IMAGE=docker.io/library/rust:1.97.0-alpine3.23
2-
ARG RUNTIME_IMAGE=cgr.dev/chainguard/wolfi-base:latest
1+
ARG RUST_IMAGE=docker.io/library/rust:1.97.0-alpine3.23@sha256:ca0daf101eef0c8cd1e49dfc137154a220efb8c458c85a3eacacc7dfd5d9e04c
2+
ARG RUNTIME_IMAGE=cgr.dev/chainguard/wolfi-base:latest@sha256:02dab76bd852a70556b5b2002195c8a5fdab77d323c433bf6642aab080489795
33
ARG FLUXHEIM_CONFIG=packaging/container/fluxheim.toml
44

55
FROM ${RUST_IMAGE} AS builder

0 commit comments

Comments
 (0)