Skip to content

Commit b2b3861

Browse files
committed
Prepare 1.4.6 stream proxy release
1 parent c3eb227 commit b2b3861

16 files changed

Lines changed: 449 additions & 58 deletions

.cargo/audit.toml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,13 @@ ignore = [
88
# moves to prometheus >=0.14 or otherwise drops vulnerable protobuf 2.x.
99
# Next scheduled manual review before 2026-08-01.
1010
"RUSTSEC-2024-0437",
11+
# Transitive through pingora-core and pingora-load-balancing via derivative
12+
# 2.2.0. The crate is unmaintained and used as a compile-time derive macro
13+
# dependency, not on Fluxheim's runtime request path.
14+
# REVIEW: scripts/validate-release-metadata.sh fails if derivative leaves
15+
# Cargo.lock while this suppression exists. Remove this when Pingora drops
16+
# derivative. Next scheduled manual review before 2026-11-01.
17+
"RUSTSEC-2024-0388",
1118
]
1219

1320
[database]

CHANGELOG.md

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,11 +7,19 @@ Fluxheim follows semantic versioning once `1.0.0` is released. Before `1.0.0`,
77
minor versions may still change configuration shape, feature names, and runtime
88
behavior when the change improves security or project direction.
99

10-
## 1.4.6-dev - Unreleased
10+
## 1.4.6 - 2026-05-30
1111

1212
### Changed
1313

14-
- Start the TCP stream proxy foundation development release.
14+
- Release the TCP stream proxy foundation.
15+
- Add route-local downstream PROXY protocol receive for TCP stream routes with
16+
mandatory route-local `trusted_proxies`; HTTP `server.proxy_protocol` no
17+
longer applies to stream listeners.
18+
- Rename stream `idle_timeout_secs` to `max_connection_secs` to reflect the
19+
wall-clock connection lifetime cap, and add optional
20+
`max_connection_bytes` per-direction byte caps.
21+
- Track the transitive `RUSTSEC-2024-0388` `derivative` advisory with an
22+
explicit review deadline while Pingora still pulls the unmaintained crate.
1523

1624
## 1.4.5 - 2026-05-29
1725

Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "fluxheim"
3-
version = "1.4.6-dev"
3+
version = "1.4.6"
44
edition = "2024"
55
rust-version = "1.96"
66
license = "EUPL-1.2"

README.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,7 @@ origin controls, gRPC pass-through policy, proxy-operations migration blockers,
3737
the `1.4.2` proxy module split, the `1.4.3` config module split, and Apple
3838
Silicon macOS Level 1 developer support. `1.4.5` adds bounded GeoIP/Geo-Context
3939
policy with local MMDB support for MaxMind GeoIP2/GeoLite2 and CIRCL Geo Open
40-
datasets. The current `1.4.6-dev` line starts the TCP stream proxy foundation.
40+
datasets. The current `1.4.6` line adds the TCP stream proxy foundation.
4141

4242
Fluxheim is licensed under the European Union Public Licence 1.2.
4343

@@ -97,7 +97,7 @@ Fluxheim is licensed under the European Union Public Licence 1.2.
9797
| WebSocket / HTTP upgrade || `1.4.1`; explicit `proxy.websocket = true` on HTTP/1.1 upstream routes. |
9898
| External auth subrequests || `1.4.1`; `[proxy.auth_request]` with bounded header/body forwarding. |
9999
| Traffic mirroring || `1.4.1`; `traffic-mirror` feature with safe bodyless shadow requests. |
100-
| TCP stream proxying || `1.4.6-dev`; optional `stream-proxy` feature with raw L4 TCP listeners, round-robin upstream selection, bounded connection/idle/connect controls, and upstream PROXY protocol send. |
100+
| TCP stream proxying || `1.4.6`; optional `stream-proxy` feature with raw L4 TCP listeners, round-robin upstream selection, bounded lifetime/byte/connect controls, and route-local PROXY protocol receive/send. |
101101

102102
### Operations And Packaging
103103

@@ -234,7 +234,7 @@ Individual module features:
234234
| `web` | Yes | Static file resolver and static response handling. Runtime serving currently uses `proxy` sessions. |
235235
| `cache` | Yes | Cache module compiled in; runtime cache remains disabled until configured. |
236236
| `load-balancer` | No | Pingora load-balancing module and health checks. |
237-
| `stream-proxy` | No | Raw L4 TCP stream proxy service with separate stream semantics. Depends on the shared proxy runtime in `1.4.6-dev`. |
237+
| `stream-proxy` | No | Raw L4 TCP stream proxy service with separate stream semantics. Depends on the shared proxy runtime in `1.4.6`. |
238238
| `metrics` | No | Prometheus metrics listener. |
239239
| `acme` | No | ACME planning/renewal support. Requires TLS config and should be paired with one TLS backend for serving. |
240240
| `acme-client` | No | Live ACME account/order HTTP client and background renewal service for HTTP-01 and rustls TLS-ALPN-01 certificate issuance and renewal. |

SECURITY.md

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,8 @@ supply-chain changes. Review them before merging dependency updates.
4040

4141
Reviewed advisory exceptions are allowed only when there is no compatible
4242
upgrade and the affected API is not reachable in Fluxheim. Each exception must
43-
be listed in both `deny.toml` and `.cargo/audit.toml`, with a removal condition.
43+
be listed in the tool that reports it (`deny.toml` or `.cargo/audit.toml`), with
44+
a removal condition.
4445

4546
Current reviewed dependency warnings:
4647

@@ -51,8 +52,14 @@ Current reviewed dependency warnings:
5152
exception remains present.
5253
- `RUSTSEC-2025-0069` for `daemonize 0.5.0`: warning-only unmaintained
5354
transitive through Pingora. Recheck on every Pingora upgrade.
54-
- `RUSTSEC-2024-0388` for `derivative 2.2.0`: warning-only unmaintained
55-
transitive through Pingora. Recheck on every Pingora upgrade.
55+
- `RUSTSEC-2024-0388` for `derivative 2.2.0`: transitive through Pingora's
56+
dependency stack. It is an unmaintained compile-time derive macro dependency,
57+
not a Fluxheim runtime request parser. Remove the exception when Pingora no
58+
longer pulls `derivative`. The release metadata gate also fails after the
59+
scheduled manual review date `2026-11-01` while the exception remains
60+
present. This warning is tracked in `.cargo/audit.toml`; cargo-deny currently
61+
rejects the ignore as unused because it does not classify the advisory for
62+
this graph.
5663
- `RUSTSEC-2025-0134` for `rustls-pemfile 2.2.0`: warning-only unmaintained
5764
transitive through Pingora's Rustls stack and `rustls-native-certs`.
5865
Fluxheim no longer depends on it directly and uses

docs/config-reference.md

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -161,21 +161,29 @@ name = "postgres"
161161
listen = ["127.0.0.1:15432"]
162162
upstreams = ["10.0.0.11:5432", "10.0.0.12:5432"]
163163
connect_timeout_secs = 5
164-
idle_timeout_secs = 300
164+
max_connection_secs = 300
165+
max_connection_bytes = 1073741824
165166
max_connections = 1024
167+
downstream_proxy_protocol = "off" # "off", "v1", or "v2"
168+
trusted_proxies = []
166169
upstream_proxy_protocol = "off" # "off", "v1", or "v2"
167170
```
168171

169172
- `listen` entries are `ip:port` TCP listeners. Each listener may appear on
170173
only one stream route.
171174
- Configure either `upstream = "host:port"` or `upstreams = ["host:port", ...]`.
172-
Multiple upstreams use round-robin selection in the initial `1.4.6-dev`
175+
Multiple upstreams use round-robin selection in the initial `1.4.6`
173176
foundation.
174177
- `connect_timeout_secs` bounds DNS/connect setup and defaults to `5`.
175-
- `idle_timeout_secs` bounds the bidirectional copy window and defaults to
176-
`300`.
178+
- `max_connection_secs` bounds total accepted stream lifetime and defaults to
179+
`300`. It is a wall-clock lifetime cap, not a per-read idle timer.
180+
- `max_connection_bytes` is optional and caps copied bytes per direction for a
181+
single stream connection.
177182
- `max_connections = 0` means unlimited for that stream route. Non-zero values
178183
cap concurrent accepted connections before connecting upstream.
184+
- `downstream_proxy_protocol` enables PROXY protocol receive for this stream
185+
route only. It defaults to `off` and requires route-local `trusted_proxies`.
186+
The HTTP `server.proxy_protocol` setting does not apply to stream listeners.
179187
- `upstream_proxy_protocol` writes a HAProxy PROXY protocol header to the
180188
selected upstream before forwarding stream bytes. Use it only when the
181189
upstream explicitly expects PROXY protocol.

docs/features.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ before Cargo starts compiling Pingora.
4444
| `compression-gzip` | No | gzip response compression for eligible known-length responses. |
4545
| `compression-zstd` | No | Zstandard response compression for eligible known-length responses. |
4646
| `geoip` | No | Local MMDB Geo-Context lookup for MaxMind GeoIP2/GeoLite2 and CIRCL Geo Open datasets, exposed to bounded access policy and structured logs. |
47-
| `stream-proxy` | No | Raw L4 TCP stream proxy service with separate stream routes, bounded connection/timeouts, and optional upstream PROXY protocol send. Depends on the shared proxy runtime in `1.4.6-dev`. |
47+
| `stream-proxy` | No | Raw L4 TCP stream proxy service with separate stream routes, bounded connection lifetime/byte caps, and route-local PROXY protocol receive/send. Depends on the shared proxy runtime in `1.4.6`. |
4848
| `privacy-mode` | No | Zero-retention static/proxy build profile. |
4949
| `tls` | No | Internal marker for TLS-aware code; select a concrete backend for serving. |
5050

docs/versioning-plan.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1435,11 +1435,11 @@ Release shape:
14351435
- port/listener-based stream routing to one or more upstreams, reusing the
14361436
load-balancer selection and health primitives only where they are transport
14371437
neutral and do not pull HTTP policy into stream routes;
1438-
- bidirectional Tokio byte copy with half-close handling, idle/connect
1439-
timeout controls, per-direction byte accounting, max connection limits, and
1440-
graceful drain behavior;
1441-
- upstream PROXY protocol send where configured, and listener-side PROXY
1442-
protocol receive only behind trusted peer rules;
1438+
- bidirectional Tokio byte copy with half-close handling, connect timeout,
1439+
max connection lifetime, per-direction byte caps/accounting, max connection
1440+
limits, and graceful drain behavior;
1441+
- upstream PROXY protocol send where configured, and route-local
1442+
listener-side PROXY protocol receive only behind trusted peer rules;
14431443
- upstream TLS and upstream mTLS are allowed only if they reuse the same safe
14441444
certificate/key loading model as HTTP upstream TLS without expanding the
14451445
stop line; otherwise keep them for a later stream hardening release;

examples/stream-tcp.toml

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,9 @@ name = "postgres"
99
listen = ["127.0.0.1:15432"]
1010
upstreams = ["10.0.0.11:5432", "10.0.0.12:5432"]
1111
connect_timeout_secs = 5
12-
idle_timeout_secs = 300
12+
max_connection_secs = 300
13+
max_connection_bytes = 1073741824
1314
max_connections = 1024
15+
downstream_proxy_protocol = "off"
16+
trusted_proxies = []
1417
upstream_proxy_protocol = "off"

0 commit comments

Comments
 (0)