Releases: valkyoth/fluxheim
Release list
Fluxheim 1.7.12
Fluxheim 1.7.12 Release Notes
Fluxheim 1.7.12 adds standards-based response metadata generated from native
runtime outcomes and final response bytes. It also adds reproducible,
CI-only proof environments for both FIPS-capable TLS backend profiles.
All new response metadata remains opt-in. Existing configurations and response
headers are unchanged unless an operator enables the new metadata policy.
Snapshot Lifecycle Proof and Hardening
- Add a dedicated real-binary smoke that captures a running baseline through
the authenticated admin API, publishes and live-applies a candidate config,
verifies changed serving behavior, performs a live rollback, runs snapshot
integrity doctor, and proves the rolled-back current pointer survives restart. - Serialize snapshot candidates behind one clone-shared admission lock, bounding
concurrent near-limit serialization buffers without creating store state for
rejected oversized candidates. - Create snapshot directories as
0700at the operating-system creation call,
closing the permissive-umask interval before any follow-up mode enforcement. - Build a complete replacement host router before atomically swapping it into
the native listener. Snapshot-safe reload and rollback now affect real data
plane requests while each in-flight HTTP/1 or HTTP/2 request retains one
router generation across all handler phases. - Reject live router replacement while background load-balancer health or
discovery services are active, avoiding a router/service state split; use a
zero-downtime process upgrade for those deployments.
Standards-Based Response Metadata
- Add RFC 9211
Cache-Statusderived from actual cache results, including hit,
URI miss/store, stale forwarding, revalidation, expiry, and bypass outcomes. - Add RFC 9209
Proxy-Statusfor Fluxheim-generated proxy failures using only
standardized low-cardinality error tokens. - Require a bounded Structured Fields token as the public Fluxheim deployment
identifier when either status field is enabled. - Do not expose cache keys, internal storage tiers, policy reasons, backend
addresses, DNS names, certificate details, or raw error strings. - Preserve existing origin status members and append Fluxheim's member, making
multi-proxy status chains visible only when the operator explicitly opts in.
Example:
[headers.response.metadata]
identifier = "edge-gateway"
cache_status = true
proxy_status = true
content_digest = true
repr_digest = trueThe metadata policy inherits through global, vhost, and route response-header
configuration. Every field defaults to disabled.
Response Digests
- Add RFC 9530 SHA-256
Content-Digestover final HTTP message content. - Add
Repr-Digestonly when Fluxheim holds a complete selected
representation: a completeGETresponse with status200, no range, and a
body consistent with its declared content length. - Compute digest fields after Fluxheim compression so they describe the bytes
actually delivered to the client. - Suppress
Repr-DigestforHEAD,206,304, and other incomplete
representation paths instead of guessing an unseen full representation. - Cover bodyless
HEADand304content as empty message content and cover a
206response's returned range withContent-Digest. - Remove origin digest fields when Fluxheim compression changes the body and
digest generation is disabled, preventing stale integrity metadata. - Apply digest metadata once after Wasm response-header hooks, and share one
SHA-256 computation when both digest fields describe the same bytes. - Compute immutable cache-body digests once when objects are stored and reuse
them for memory and disk hits. New disk metadata is versioned and existing
v1 and v2 cache objects remain readable. - Invalidate a precomputed cache digest whenever compression replaces the body,
then hash the final encoded bytes before emission.
The native response model remains bounded and buffered. Digest generation
hashes the final response buffer without another body copy; unbuffered digest
trailers are not part of this release.
Wasm Loader Hardening
- Require SHA-256 pins at the final public manifest and loader boundary for
access-decision, route-decision, and cache-store phases, matching the
existing configuration invariant. - Remove detached Wasmtime compilation workers. Compilation is synchronous,
limited to two process-wide startup/reload slots, and releases its permit
before an over-deadline result is returned. - Add
max_compiled_artifact_bytes, defaulting to 32 MiB and capped at 256
MiB, and reject compiled modules above that ceiling before registry
admission. - Document
compile_timeout_msaccurately as an in-process result deadline,
not native compiler preemption; hard cancellation requires future
process-isolated compilation and execution. - Open plugin files with no-follow/reparse-point semantics during validation,
retain that exact regular-file handle, and read module bytes from it without
reopening the pathname. This closes final-file replacement races on Windows,
ReFS, Unix, and macOS without identity inference or unsafe code.
Downstream TLS Hardening
- Add optional
tls.client_auth.crl_pathsupport to rustls and OpenSSL with an
8 MiB input bound, a 1-to-64 PEM CRL bundle limit, strict full-chain
revocation, and expired-CRL rejection. Root/intermediate/client regression
handshakes prove hierarchical mTLS succeeds only when every required issuer
CRL is present. - Require a CRL bundle when required client authentication is combined with a
FIPS/ISO-required compliance mode; ordinary client auth retains explicit
opt-in revocation behavior. - Stage OpenSSL CRLs from the exact bounded bytes already admitted by Fluxheim,
preventing an OpenSSL pathname reopen from bypassing input admission. - Index one-label wildcard SNI certificates by normalized suffix, replacing an
attacker-triggerable linear scan with expected constant-time lookup. - Build complete, policy-equivalent OpenSSL contexts for every SNI certificate
and atomically switch contexts during ClientHello processing. Certificate/key
mismatches now reject reload before the active context store is replaced. - Parse OpenSSL client-auth policy once per SNI store generation, share admitted
CA objects across contexts, reject projected active-plus-reload policy input
above 128 MiB, and divide a 4096-entry session cache budget across contexts. - Serialize OpenSSL SNI reload construction and attach generation leases to
selected SSL connections. A reload that would create a third live generation
now marks the oldest generation for drain; native OpenSSL HTTP/1, HTTP/2, and
takeover streams use per-connection wake registrations so every retained
connection closes before a bounded automatic retry. Reloads still fail closed
if the generation cannot drain within 10 seconds. The connection lease uses
one process-global OpenSSL ex-data index, preventing index growth when
certificate stores are reconstructed in-process. Every attachment is read
back immediately, and Fluxheim terminates if OpenSSL cannot preserve the
lease.
Shared Cache Policy Hardening
- Always bypass shared-cache lookup and storage for requests carrying
AuthorizationorProxy-Authorization. - Parse response
Cache-Controlas a strict quoted-string-aware policy,
prioritizes-maxageovermax-age, and reject malformed or conflicting
security/freshness directives instead of falling back to configured TTLs. - Parse response
Cache-Controlwithout a directive vector and reject more
than 16 KiB or 128 directives cumulatively. - Remove unused compatibility helpers that could collapse malformed freshness
into an absent policy or split quoted extension values at commas. - Preserve the first received
Agelist member when calculating peer-fill
remaining freshness. - Persist mandatory-revalidation state with native disk-cache metadata and
prohibit stale reuse formust-revalidate,proxy-revalidate, and
s-maxage; v1 and v2 metadata remain readable and derive the restriction
from stored response headers. - Require one consistent satisfied
Content-RangeandContent-Lengthbefore
range admission, reject impossible totals and duplicate metadata, and make
zero-sized public slice planning return no slices instead of dividing by
zero. - Reject percent-decoded forward-path segments that are not canonical UTF-8 or
contain encoded Unicode control characters, preventing disagreement with
permissive upstream decoders. - Detect symlinks in every existing configured web-path prefix even when a
later child is absent, and deny non-UTF-8 dotfile components by their OS path
representation. - Bound storage-bin manifests to 4 KiB and use no-follow, nonblocking regular
file reads so oversized or special persistent files fail closed at startup.
Native Buffer and Cache-Encryption Hardening
- Add
server.limits.max_buffered_request_body_bytes, defaulting to1GiB, as
one weighted process-wide admission budget shared by HTTP/1 and HTTP/2.
Fluxheim reserves validatedContent-Lengthvalues in 64 KiB units and grows
unknown-length HTTP/1 chunked and HTTP/2 reservations before each buffer
extension. Public native-server handlers without an explicit policy share a
mandatory 1 GiB process budget, and pinned HTTP/1 handlers provide the
effective request budget. Exhaustion returns a bounded503with retry
guidance. - Move content-length bodies out of the reusable HTTP/1 parser buffer without
constructing a second full-body copy, release oversized connection-buffer
capacity before keep-alive, and clear full body and chunk-decoder
allocations throughsanitization.
...
Fluxheim 1.7.11
Fluxheim 1.7.11 Release Notes
Fluxheim 1.7.11 delivers the zero-downtime process-upgrade slice after the
stable 1.7 Wasm policy milestones. It combines bounded native drain, strict
listener inheritance, readiness-gated handoff, and tested native and Podman
deployment patterns.
The release also completes the native HTTP/1 parser audit and tightens critical
background-service ownership without changing operator configuration defaults.
Added
- Track accepted native HTTP, HTTPS, HTTP/2, and Unix-listener connections so
shutdown stops new accepts while established connections drain. - Apply
server.process.grace_period_secondsand
server.process.graceful_shutdown_timeout_secondsin the native runtime. - Add live regressions for keep-alive drain behavior and bounded shutdown.
- Add a real-binary
SIGTERMsmoke to the maintained native HTTP/1 gate and
human test launcher. - Document the native binary, systemd socket-activation, and Podman blue/green
handoff boundaries before exposing upgrade automation. - Adopt public HTTP/HTTPS TCP listeners from the standard systemd FD-3
protocol, requiring a matchingLISTEN_PID, bounded descriptor count, and
exact one-for-one launch-plan address match. - Add unit coverage for malformed activation metadata and real-socket adoption,
plus a real-binary smoke that serves through an inherited listener and proves
malformed activation fails closed. - Report systemd readiness only after native listener/background-service startup
completes, fail startup if a configured notification socket is unreachable,
and report bounded-drain status after a shutdown signal. - Exercise an old and new Fluxheim process on one parent-owned listener. The
maintained smoke proves a bad replacement leaves old serving, green readiness
precedes drain, established old traffic completes, and new requests have no
connection-refusal window. - Ship an optional RPM/systemd socket unit for the packaged port-80 listener.
It remains disabled by default so existing direct-binding deployments do not
change behavior during package installation. - Add a real rootless-Podman blue/green smoke. It verifies that direct published
ports cannot be atomically replaced, then proves the supported stable-front
pattern with failed-green rollback and old keep-alive drain. - Wait for every configured background service to reach its explicit ready
point before systemd receivesREADY=1; a service that exits first makes the
replacement fail closed and leaves the old generation serving. - Reject inherited descriptors that are not listening TCP sockets, including a
live regression using a connected stream bound to the expected address. - Defer public/admin accept loops until background readiness succeeds, and add
a live late-failure replacement test proving the old generation serves every
request while the replacement aborts. - Explicitly abort outstanding listener and background tasks at the drain
timeout instead of relying on whole-process teardown. - Remove
listenfdfrom socket activation and receive descriptors through a
focused Fluxheim crate with environment clearing disabled, preserving memory
safety for multithreaded and embedded runtimes. - Claim inherited systemd descriptors exactly once per process and own the
complete set before validating any item. Concurrent calls and retries fail
before touching FD 3, while validation failures close the complete set.
Fixed
- Use one validated HTTP/1 authority for routing, authorization, forwarding,
and cache partitioning. Conflicting absolute-form authority andHost,
malformed ports/IPv6/host syntax, non-HTTP absolute targets, and malformed
absolute URIs now fail before request dispatch. - Reject every HTTP/1.0
Transfer-Encodingmessage before evaluating
keep-alive. Chunked decoding now bounds encoded bytes, line length, extension
bytes, and chunk count, validates extension grammar, streams decoded data into
caller-owned output, and preserves identical parser results across every
fragmented-read boundary, including a split terminal CRLF at the line limit. - Return only a semantically validated public HTTP/1 request-head type. Host and
authority agreement, request-target grammar, body framing, and persistence
are resolved before callers can inspect or route a request. - Enforce the RFC 3986 ASCII path/query grammar and reject malformed raw or
percent-encoded target characters before routing. - Reject origin response status codes outside
100..=599, oversized PROXY v1
lines, and PROXY v2 payloads that exceed policy or differ from the declared
frame length. - Prevent construction of unvalidated protocol headers, share one bounded
Connectionoption parser with hop-by-hop filtering, and add dedicated fuzz
targets for HTTP/1 request/response heads, request targets, chunk bodies, and
PROXY v1/v2 frames. - Route HTTP/2 requests exclusively by
:authority; suppliedHostfields are
replaced and requests without authority fail closed. - Remove all fixed and
Connection-nominated hop-by-hop origin response
headers before delivery or cache admission, and reject malformed options. - Read through at most eight HTTP/1 informational origin responses to the final
response, reject generic status 101, and reject transfer-coding chains that
Fluxheim cannot decode completely. - Prevent oversized embedded HTTP/1 connection limits from reaching Tokio's
panicking semaphore constructor. - Accept only ownership-checked critical task handles in the runtime watchdog.
Attempted noncritical registration returns the original live handle instead
of dropping it and cancelling cache, metrics, certificate, or maintenance
services. - Stop accepting caller-controlled executable and temporary-root paths in the
zero-downtime and Podman blue/green smoke helpers. Their executable and
secure workspace locations are now derived from fixed repository paths and
Python-managed mode-0700temporary directories, resolving the associated
CodeQL command/path alerts. - Poll the final SWR disk-cache assertion for a bounded interval so the smoke
observes the supported asynchronous memory-publish/disk-persistence order
without masking a disk-store failure.
Build And Packaging
- Pin the source, container build images, and RPM build prerequisite to the
Rust 1.97 toolchain line. - Include the disabled-by-default
fluxheim.socketsystemd unit in the RPM
payload alongside the documented activation workflow. - Update the interactive RPM build menu to Fedora 44 and openSUSE Leap 16.0,
removing the end-of-life openSUSE Leap 15 target.
Checksums And Signatures
- Commit:
84540314dc9a7e5cf8612794a522e8b14fccddeb - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
b545fb74282dfb88c92975cfe440595e0594f257168cc123b095f02cc47966ea fluxheim-1.7.11.tar.gz4e9c5c3b40cb5206c60db4e751d12aa791883a7374158f4a625b8e1b7524e456 fluxheim-1.7.11.zip
- Binary checksums:
- x86_64:
2c8113a62cde403c7273109498a11bdca33071d4399a1834c4890ac59aa1b7d8 fluxheim-1.7.11-full-x86_64-linux.tar.gz2edb19f1de60d34a15246c220d17e89279c362ae1a93159d6de6e737612731d6 fluxheim-1.7.11-cache-x86_64-linux.tar.gz117ea4b893780341a2901317226872de7a818eb4e6526db713598115eb4bbd06 fluxheim-1.7.11-proxy-x86_64-linux.tar.gz271d3023e53eb9315a8b1d969ab8f699187214541dfb38b0467e1e3687828586 fluxheim-1.7.11-php-x86_64-linux.tar.gz922b084081c3cab14b88a997d205d7bbb874d6971adec091aa900c3f2d137cab fluxheim-1.7.11-load-balancer-x86_64-linux.tar.gz08e1c9feabab948dcfd1d1e78257e2d3f3f01e4b635c9cfae7f8f37542adf95d fluxheim-1.7.11-config-tester-x86_64-linux.tar.gz
- aarch64:
5539770bbb5ebc019d4449f93162b31a91b867f8708ee2c083138aa5da5f8016 fluxheim-1.7.11-full-aarch64-linux.tar.gz8e50c4e449660e90c883e33dcb881f0e6698c34d2efea360f83c6d3cedadd16e fluxheim-1.7.11-cache-aarch64-linux.tar.gz37dbd18c69539f3d40a23531d35a17e7114f094c370b06d3a9bcc750239c42e3 fluxheim-1.7.11-proxy-aarch64-linux.tar.gz63b5dab23d90d8016f447ce10ccf8796c0054b9ebd027574887d7eeaed2341ac fluxheim-1.7.11-php-aarch64-linux.tar.gz59d093cf525342a2760eec862122acba06b0586c6882dbc76178c053cec1f545 fluxheim-1.7.11-load-balancer-aarch64-linux.tar.gz89ec881a295f9d540fdd25793cc72b46a840122bd0e7fd071ee69dfc44e2a1a1 fluxheim-1.7.11-config-tester-aarch64-linux.tar.gz
- macos:
a0eafba22b32b6b52ea11e92b024d47917ccbc521ab4485ca024843fb7da5979 fluxheim-1.7.11-dev-aarch64-macos.tar.gz
- x86_64:
- SBOM checksums:
3cc60d910662e8a0b27e7983018f4142be8885c5d351a0ceefee8f9d3e61f808 fluxheim.spdx.jsond5b2602ac67a5a22aea165a83eaa6d1795816bd470153a803081e7fd8e5f4005 fluxheim.cyclonedx.json
- Reproducible build:
67b7a6d2181d3a70eaf2ec57633be0b68b3d3590c7d111b51c9d131de5db25b5x86_6404b411f414e3b483d098105f55297975e8b64b49be6d4580afe6e18d93b1e7edaarch64c7ad1341dfc352983cda3dc7c8248333feff61cb2a389a7a76f48721b1d88d53macos
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:1341df75e492bb96f7a6fdb55efe5f9666ca12362a53827c83dc61f5150221ec - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:268353ea6d3690c566df0996da011e6f4dad8ca326e10e46142965d666fc58ed - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:9be2dde57c30e1c82921f60ed63a2740870e4124c50e29edff0036f646be7e65 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:17c86052db91cf7ed1d195c30b2bc2ac8593e0a4852b8243cf85ac817d653f90
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:2d2b58d42008ebd651acf9fb5b922d46fb1cdf186f3e5ebd48fd848e8c0b3a43 - Alpine: `ghcr.io/valkyoth/fluxheim@sha256:1...
- Wolfi:
Fluxheim 1.7.10
Fluxheim 1.7.10 Release Notes
Fluxheim 1.7.10 is the stabilization and release-gate hardening release for
the 1.7 WebAssembly policy line. It turns the documented migration examples
into explicit operator-selectable and release-gated acceptance evidence while
keeping the typed policy ABI constrained.
Added
- Expose focused
scripts/test_starter.pyentries for F5 iRules-style,
nginx Lua/OpenResty-style, HAProxy Lua/SPOE-style, and VCL-like Wasm policy
examples. - Keep focused and aggregate Wasm policy checks on one implementation path,
and validate that the deep release gate requires the complete Wasm smoke. - Audit every guest-controlled symbolic ID decoder for total, panic-free
behavior over arbitrary integer inputs. - Make the in-process native host-callback contract explicit: finite symbolic
operations only, with blocking I/O and third-party callback code requiring a
future killable subprocess boundary. - Add opt-in response-hardening profiles and typed modern browser policy fields
without changing the default response behavior. - Add validated request-aware CORS, local preflight handling, correct dynamic
Vary, and live listener evidence that preflights do not reach the origin. - Add bounded
Retry-Afterguidance to generated capacity-limit responses.
Compatibility Boundary
- Fluxheim provides bounded capability mappings, not source-syntax or runtime
compatibility with iRules, Lua/OpenResty, SPOE, or VCL. - New host capabilities that require blocking I/O or third-party native
callback code remain out of process until a killable, bounded IPC runner is
designed and proven.
Fixed
- Strip the historical
Proxy-Connectionhop-by-hop header on native HTTP/1
and HTTP/2 upstream paths through one shared header policy. - Strip Envoy, original-forwarding, Azure, Fly, proxy-user, and forwarded client
certificate identity headers before trusted replacements are generated. - Treat the first
Set-Cookiesegment only as the cookie name/value pair, so
cookies namedDomainorPathare not mistaken for attributes. - Preserve closing quotes and trailing syntax while rewriting quoted exact-
originRefreshURLs. - Enforce CORS method allowlists on actual responses and serialize bounded
Reporting-Endpoints dictionaries with strict keys and HTTPS collectors.
Security
- Strip the distinct spoofable
Client-IPidentity header, including in
privacy-mode request sanitization. - Reject repeated, embedded, and unbalanced quotes plus bracketed IPv4 in
trustedX-Forwarded-Forchains instead of normalizing malformed hops. - Make
Forwardedconstruction fallible, use a typed HTTP/HTTPS protocol, and
reject invalid host values before producing an upstream header. - Add a compile-gated fuzz target for trusted forwarding parsing,
Forwarded
construction, hop-by-hop policy,Refresh, andSet-Cookierewrites.
Checksums And Signatures
- Commit:
e86a4ecc1c6dd7c2bf62f3920a643b5a44bfe06a - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
bd1e69759083bd082591821ee57934299f0878fff94686f2e2d8eff7862d3918 fluxheim-1.7.10.tar.gz7b32171a101fc105a6a1b2bcf05092177d28f66071df35e314ceefa2c5bf05f7 fluxheim-1.7.10.zip
- Binary checksums:
- x86_64:
d0da284b57d77d5699de4e25505e92db2ef9025e665fbd764b48d56fcbcc21cf fluxheim-1.7.10-full-x86_64-linux.tar.gz48186cc930922680fdc58d47aaf08e1a026d947181f50387bc15f4f72198cf86 fluxheim-1.7.10-cache-x86_64-linux.tar.gz337698ab3d79665ff4175daf0f223862a327ceaa95e02178a522ea80ca813e1f fluxheim-1.7.10-proxy-x86_64-linux.tar.gz52e330a6572e42178c642cf17908e68736924e141dd03565fe94c0f5dfe2661b fluxheim-1.7.10-php-x86_64-linux.tar.gzeb35faa2a586f0a859f1e2a963b39ccbc44918df5f674778916b3151933cfa4d fluxheim-1.7.10-load-balancer-x86_64-linux.tar.gz52eed70769d9c488d1f9829bc1d9ffb6b166a0019eecafc5f0bfc23a12e5466e fluxheim-1.7.10-config-tester-x86_64-linux.tar.gz
- aarch64:
06ee8c79689245c5ad07a383c34c4287332d20ae8141ed39641951bc45166b21 fluxheim-1.7.10-full-aarch64-linux.tar.gzc6f94884f34e978a426fb6be2efc5f2955188b636bf3e9e47df7ffefc6d8880b fluxheim-1.7.10-cache-aarch64-linux.tar.gzca6d9121ff08c02812aef7a6bd21548136f92720820592c3527a9c8024789532 fluxheim-1.7.10-proxy-aarch64-linux.tar.gz99862e52782702013cb9fee2932cda053b74e3b6cc913b540d26f87274f2f8de fluxheim-1.7.10-php-aarch64-linux.tar.gza1623f4dea00de896b618c55e2573c209a36595df21848db174521e05dd6d8f8 fluxheim-1.7.10-load-balancer-aarch64-linux.tar.gz87b9490f8c86e1252d8653fac3c14c9f754b27154346f0b49dabd133417c1a54 fluxheim-1.7.10-config-tester-aarch64-linux.tar.gz
- macos:
b4ee10f598e76cf4ac8676aa3e8fcc0069bfb2924b4b42dcd270202c3c0afa34 fluxheim-1.7.10-dev-aarch64-macos.tar.gz
- x86_64:
- SBOM checksums:
0d01222bde0b5964cfab329e8be3e142c15678a1071d04e59a9b52e2795ac256 fluxheim.spdx.jsond8c81f48767bf2c1180bb388f88fdd1676f3931212d138d081dc0428348782e7 fluxheim.cyclonedx.json
- Reproducible build:
373492627f919df004bb21708edcfec192a156fbb056a45375c1d1b640d7889ex86_648520afc5b115ca34c56580b77700110a0b517c35946aeb929996091b5c1587a8aarch64ec027dec96121d999bb838c336abf953e8d21c3cbee5a129cec2b87d9c910826macos
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:38d2ca30f3a9dd2fa3a2a684807303f3890d6f7972e995841b0a59409185a820 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:bf07f44ff76f2ec694a10cc076fa67ece4d1ccd134c9fb2db63871495c6d08ad - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:35a6df827d93638e09110b61f15cdc7aa277bc65db513fbffefce94625b5f993 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:136d8df87a78a080aba7bc801e9b933ef330bebf9a0856dcdcf3dfd9e890d75c
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:20a8c0ebe8cb728b45a8282bf9008849b463d26620d92bb8b25ab167acdcf927 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:1aeb39c1199095c122673331bb1e8386eca541d628cde2396722695fcdbb88b8 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:60ac6b9771453199ccb0812b652b2fa5b35e18beebf8e814dc41dddac3991ea5 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:64f896f74790f6e57a2e9767ac144fa9a4f7d7e4a88489d6ae10fa162c7a44a3
- Wolfi:
- Proxy Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:4122f60b2218ee317187cf7806d2555c297453d0f6ea793d11f8d6049fd03ae5 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:8a99ab8fe7e6e5050ae1564b544f338fadae0d6e48308beb764654781db197b6 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:50b58a2f4ab9a5d6d7191721fe9c5cb1a1941187f9f020ba80219758381723c8 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:34dce0b19c44edf46ef8479dcf7b4271ddf69f6c320b092a1e5581e31e2c0b02
- Wolfi:
- PHP Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:415abd0c52cffa04ec5d54cb782868446659cc2002ca82384edb487c19352e3d - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:20b807219c4c1216046e24aacf45bf8fc919feb39cb3c60fa8e4f987ef7f79ac - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:93a96b5750c8e766146df11079011e51e12733c9994cd77e4ecf37d1801ee255 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:21404682e73d54a2d43e0884816ba638bdef0d40a01495be4ef6a43a64cb41fd
- Wolfi:
- Load Balancer Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:634c2b5d8864f175c953be96eca213ed5e2ed633c7949958f8648428814c3ec6 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:480ee28b1fa4366826f38ef8047a5cea7199a89fdcb262e43e6b157a9a2a4cd9 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:0c11ff2d5299db0eed231cd7306e0090872b42bf2e5d4f02cb00ff89fb3241be - Debian:
ghcr.io/valkyoth/fluxheim@sha256:7b13d51089f533acff532e1e25f16f25e8262fcb8c40c8251634a9e246fc0207
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.7.9
Fluxheim 1.7.9 Release Notes
Fluxheim 1.7.9 is the documentation and runnable-example parity release for
operators translating common F5 iRules, nginx Lua/OpenResty, HAProxy Lua/SPOE,
and VCL-style policy jobs into Fluxheim's typed WebAssembly policy ABI. It
provides capability mappings, not syntax or runtime compatibility with those
products.
Added
- Add a checked-in F5 iRules-style route access policy and complete config
fixture using Fluxheim's typed access-decision ABI. - Add real listener coverage proving public requests reach origin, attached
admin requests are denied before origin dispatch, and plugin traps fail
closed. - Add
scripts/smoke_wasm_policy_examples.shtoscripts/test_starter.pyand
the opt-in Wasm release gate. - Add a checked-in nginx Lua/OpenResty-style header policy and complete config
fixture. Live coverage proves the allow-listed origin request mutation,
client response mutation, upstream-header removal, and fail-closed rejection
of unknown mutation IDs. - Add a checked-in HAProxy Lua/SPOE-style route policy and complete config
fixture. Live coverage proves symbolic canary/mirror selection, unavailable
branch rejection, selected-route policy enforcement, native load balancing,
and managed-cookie persistence without exposing backend addresses. - Promote the existing cache lookup/store WAT pair to the validated VCL-like
parity example. The live smoke now proves pass, MISS/HIT, bounded variants,
image-only TTL/tag/header metadata, expiry, tag purge, non-image isolation,
and fail-closed invalid mutations. - Add a deterministic policy builder that emits deployable
.wasmfiles and
SHA256SUMSundertarget/wasm-policy-examples/. - Add one complete Wasm smoke shared by
scripts/test_starter.pyand the
opt-in stable/deep release gate, fixing the launcher's previous multi-script
command wiring. - Add a standalone binary smoke using generated modules, exact digest pins, a
private plugin root, file-based configuration, two local origins, and real
HTTP traffic through every migration family.
Fixed
- Stop attempting to initialize the native disk-cache backend for memory-only
cache policies, avoiding an incorrect missing-path error at startup.
Security
-
ACME certificate installation now retains the exact trusted storage-boundary
descriptor and reconciles every managed descendant to the selected UID/GID
through descriptor-relative, no-symlink traversal. Restart repairs
intermediate0700 root:rootdirectories left by an interrupted root-run
handoff, while outside-boundary targets fail before mutation. Linux also
enforcesopenat2(RESOLVE_NO_XDEV)and other Unix platforms reject device-ID
changes before ownership mutation, preventing reconciliation through nested
mount points. The bind-mount regression is explicitly ignored in
ordinary Rust runs and executed by CI and the deep release gate through a
dedicated smoke using root-mapped user and private mount namespaces, without
a privileged container. Hosts that disable user namespaces use a
digest-pinned, network-isolated, read-only container with every capability
dropped except the mount operation's requiredSYS_ADMINcapability. The
regression requires the preciseEXDEVresult from LinuxRESOLVE_NO_XDEV
using the namespace's mapped identity, so a later ownership error cannot
produce a false pass. -
Managed ACME account generation now creates P-256 material in zeroizing
RustCrypto secret/document types before importing it into Ring and retaining
the durable copy insanitization::SecretVec, removing the transient
non-zeroizing Ring PKCS#8 document. -
Open private snapshot files with platform no-follow semantics before
validating type and permissions from the opened descriptor. This removes a
check-then-open race while retaining fail-closed symlink handling. -
Use the snapshot store's atomic writer and descriptor-based permission
changes for corruption fixtures, keeping negative security tests realistic
without normalizing raw path mutation patterns. -
Use one no-follow parent-directory descriptor for Unix snapshot publication,
with descriptor-relative temporary creation, create-new linking, replacement,
cleanup, metadata checks, and directory synchronization. This prevents
parent replacement from redirecting an in-progress atomic write.
Compatibility Boundary
- The migration examples use Fluxheim's typed, bounded policy ABI; they do not
execute iRules, Lua, SPOE, or VCL source directly. - Every example remains bounded by configured symbolic IDs and denies arbitrary
filesystem, network, secret, request-body, and cache-object access.
Checksums And Signatures
- Commit:
e519f61f7bf0df139933cc2831f6917be040d8d5 - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
1dfdbb19535b18aecc50e37afe7fd33509a2b4734b1d5468b0368afb08254eef fluxheim-1.7.9.tar.gz16339d6794bf0a5d3832e2e509e2f61558c81fed36d34d20f64150b6af421354 fluxheim-1.7.9.zip
- Binary checksums:
- x86_64:
bfc1553d98cb019a5391f6d3f5234134c9e2040c76698acf73d1e430350a64bc fluxheim-1.7.9-full-x86_64-linux.tar.gz0940e0bb095182d56b1258e9ce55487dc07d2a94aae6c7ba89570c34cd270662 fluxheim-1.7.9-cache-x86_64-linux.tar.gz10ea8f355c3126c4bb0b9a660fd7677b449d14eb096e72114ee82c27b76ac5b5 fluxheim-1.7.9-proxy-x86_64-linux.tar.gz5369cde5b9077e42fcd0c676ff69b25167080e3735bce37e673790898a0c47f0 fluxheim-1.7.9-php-x86_64-linux.tar.gzcccf9f6106044546daa915f10af4f82abca579c9a3671826ae870afd05c1c018 fluxheim-1.7.9-load-balancer-x86_64-linux.tar.gze8cb7e5dcc1a8f07dd58e6b8eeb3b00ca56605aaf978eab892ebb2c4602d8716 fluxheim-1.7.9-config-tester-x86_64-linux.tar.gz
- aarch64:
8bf812c771ba17652830b51e52c45f7bee56471f83e2993a9f055d555bb0c997 fluxheim-1.7.9-full-aarch64-linux.tar.gzef4be1c37e1d3ac302666724fe4121d25ad1d41907571da17a1dfbae75e3f47f fluxheim-1.7.9-cache-aarch64-linux.tar.gz03c51decace5fbb84378505bf2683cb1b373a8bb3d1696ebcc0a33941f184751 fluxheim-1.7.9-proxy-aarch64-linux.tar.gzb0af61c8b40253a0c7b32f3bae5bcee179bda022e6852b95c5a331329bda9b5a fluxheim-1.7.9-php-aarch64-linux.tar.gz52bc13f5974fdd5019cf4fb34c04dbfe74725ec97a40351dfd45c5a5418e42a0 fluxheim-1.7.9-load-balancer-aarch64-linux.tar.gz33a4db9b8ceffc80e37636814886729c2ff3d6d28e6e30ec3013cba7bb211ad0 fluxheim-1.7.9-config-tester-aarch64-linux.tar.gz
- macos:
f04427e1ea8c72a8fcc6c86610e68c547c5d195f14e395ed052d5cc2155cecba fluxheim-1.7.9-dev-aarch64-macos.tar.gz
- x86_64:
- SBOM checksums:
e828a1b78d9e88504c63bdabd424d7d59662addf9c26f26fea38f63de46fdb06 fluxheim.spdx.jsonca9b4f5434af58bd1bbf26ae431ca890cdb0945207c579d77c04d1c963c9f37f fluxheim.cyclonedx.json
- Reproducible build:
5f162d370d7e838111e28e2521daa5d2172eb2ddd0adb73e354420f3a473a2fcx86_644ab04d472433f057f131451fe0e25c67e86795f69ab40b30dfeb1f71e11f7615aarch644fde8e05dd1d6afa822864e94de7d5b79a6deb14ee108c3edb7f752672bb66f1macos
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:04367b7d87273dd5cdbf55ad25b00733cbb1f8f044fe3c25a0159aa13c18a1f6 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:2df48353f7abc17f95595e27f12c585e51d4b46b65cc952a72da740e9025b9fb - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:a27c44c696061d9a663f0188c090b68c93369a375a0648d01788a454b2f1e9c0 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:64f8b7a68ca7a7e9a37f120ab6a4a03fc8aebc9e643340b8b949edc24b98433b
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:1abba7e7de90316daa6841e7e8227eb5938297b132dade100ac62eeb05f31376 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:af9b18de1435fffb0ba44b549d7ed11149d4abe3a097c0f53a56b7196ba3caaa - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:3404c189198cd886bc96f03b124abdc7c23e0a9d3cbd2685d2cd2bf4b6dc6bc5 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:33cf42f29b659ac85b1bf45164353aae5b6545eeed75d519b38349e4cbb7435b
- Wolfi:
- Proxy Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:073a6657ab2cf4565e42e53ac49535ad8d0b70a2866703f0604b7cd7427cd7e0 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:2b11fa9ada18406a3ebba7a92c06559a6186bf9404243bd5f5338faf59c0463e - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:6599273d86a47bbb31b2c44fc7120d1930ab10dc45fc6ee3b2c0312940401e99 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:a02062b5e8e7b8b2b99b61954ea96360e7e8ee7837f3b1e57011077d75c58f45
- Wolfi:
- PHP Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:2f9c2c2987720a3e0b1f664f167db6ac8d159bb1bcf8cfdf738e491116ce8b94 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:49c3db68bf39714740cdd58fc82439c1afefdbe64906390c80a5355d2b528216 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:16b99092b64111631933f7399bf186483cd5fb303e097fc75b46e79dd28ca523 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:303514a229d2fe90019749fff52d01142a046205380168b03a4c1ccf4c86c7c2
- Wolfi:
- Load Balancer Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:5225aea52c588afedb2b941470956b93e42f6795c4e39d8b3aaeb1c1d6d92aaa - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:0f8d2cf891e1701017c675c6ecf1f1d1ee3d6c9733763e44b3a2240e8a04f7ed - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:70495df79b2d183fd3f2c3ab68ccec1f6dafdbe4a3023cd18ffa9fef0dfe2055 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:3b6531548e9ef5c6807ceaa3cda3fda3c81bf96fa9a0e42a4ba209ceaf949cc2
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.7.8
Fluxheim 1.7.8 Release Notes
Fluxheim 1.7.8 starts the optional WASI Preview 1 capability boundary for
non-request-body policy plugins. This is a narrow access-decision preview, not
general-purpose WASI application hosting.
Added
- Propagate the
wasm-wasifeature through the root, config, server, and
fluxheim-wasmcrates. - Add the
wasi-previewABI and host-call namespace pair. - Add
[wasm.plugins.wasi]with independentclocksandrandomnessgrants,
both disabled by default. - Add
wasm.max_total_preview_concurrent_executions, defaulting to and capped
at32, for both WASI and proxy-ABI preview access hooks. - Add real WASI modules proving explicit randomness and clock grants work under
the normal Fluxheim sandbox. - Add live native HTTP/1 coverage proving a granted WASI policy continues into
normal route handling while an ungranted import fails closed before origin
dispatch. - Add a checked-in WASI randomness policy/config example and include it in the
standalone Wasm smoke. - Restore native-request GeoIP context lookup using the trusted-proxy-aware
client address for HTTP/1 and HTTP/2 policy evaluation. - Decode CIRCL Geo Open combined Country and ASN databases, including their
provider-specific string ASN field. - Add an opt-in, checksum-pinned CIRCL real-database smoke proving country and
ASN policy on static, direct-proxy, and load-balanced request paths.
Security
- Normalize IPv4-mapped and IPv4-compatible IPv6 DNS results before stream
rebinding checks, closing access to embedded loopback, private, link-local,
metadata, carrier-grade NAT, benchmark, and other reserved IPv4 addresses. - Keep both stream copy directions in persistent pinned futures and drive one
shared idle deadline from their latest successful transfer. Partial writes
can no longer be cancelled and silently discarded when reverse traffic wins
the dispatcher race. - Clear each successfully forwarded plaintext prefix and clear complete stream
copy buffers on drop throughsanitization. - Reject zero, oversized, or overflowing weighted-stream totals inside
StreamUpstreamSelector, preserving the config limits at the public runtime
construction boundary. - Make configuration snapshots transactional and recoverable with mutation-wide
private locking, explicit parent/generation history, create-new publication,
temporary/orphan cleanup, retryable rollback, persisted self-healing state,
redacted invalid-ID diagnostics, and typed clock errors. - Add optional HMAC-SHA-256 manifests backed by an external bounded key file.
Config and metadata are verified before rollback parsing; legacy stores are
reported as unverified rather than silently authenticated. - Persist an authenticated generation high-water mark and per-manifest
generation witnesses so pruning cannot reuse audit generations and freshness
scans remain bounded without rereading complete snapshot configurations. - Preserve authenticated manifests created before generation witnesses. A
fully verified all-legacy store with no generation counter bootstraps from
its highest generation, persists authenticated state first, migrates its
manifests, and publishes the next snapshot atmax + 1. Missing state still
fails closed for V2 and mixed stores. - Route snapshot SHA-256 and HMAC-SHA-256 through the selected Ring,
OpenSSL-FIPS, or AWS-LC-FIPS provider, returning provider failures to the
administrative caller instead of aborting the data plane. - Require owner-only snapshot state and integrity-key files, keep integrity
keys outside the snapshot store, and authenticate intentional pruning
boundaries. - Add resilient listing plus snapshot
show,diff,verify,doctor, and
protectedpruneoperations. Snapshot TOML remains plaintext and needs
encrypted storage or backups when confidentiality is required. - Enforce OpenSSL cipher allow-lists across protocol families. A policy with
only TLS 1.3 suites disables TLS 1.2, and a policy with only TLS 1.2 suites
disables TLS 1.3, preventing inherited acceptor defaults from negotiating an
unconfigured suite. Move to OpenSSL's Mozilla v5 acceptor baseline so the
legacy v4 template cannot suppress configured TLS 1.3 listeners. - Replace synchronous rustls TLS-ALPN challenge loading on ClientHello with a
bounded, atomically replaced in-memory SNI certificate table. Remote
handshakes perform lookup only and cannot trigger file parsing or loader
logging. - Limit certificate chains to 1 MiB and 16 certificates, private-key files to
64 KiB, and client-auth CA bundles to 8 MiB and 4096 certificates in both
downstream TLS providers. - Keep transient rustls private-key PEM and decoded DER bytes in
sanitization::SecretVecuntil provider parsing completes. Read key files
directly into protected storage so partial I/O and concurrent-growth errors
also wipe initialized key bytes. - Decode Rustls private-key PEM payloads through base64-ng's staged
constant-time-oriented decoder and report only the redacted decode-error
class, never an offending secret-adjacent byte or input index. - Disable default provider features for rustls and tokio-rustls. Normal Ring
builds no longer include AWS-LC; AWS-LC remains explicitly selected by the
rustls FIPS profile. - Keep
base64-ngout of default and OpenSSL-onlyfluxheim-tlsdependency
graphs; it is now activated only by the Rustls key-parsing boundary. - Validate each declared
wasi_snapshot_preview1import before instantiation.
Clock imports requireclocks = true;random_getrequires
randomness = true. - Keep environment, arguments, inherited stdio, filesystem, sockets/network,
polling, and process-exit imports unavailable in this preview, regardless of
capabilities granted for clocks or randomness. - Build a fresh WASI context per execution without inherited process state.
- Cap each granted
random_getcall at 4096 bytes so guest-selected host work
cannot request the full memory budget in one operation. - Restrict
wasi-previewtoaccess-decision, require explicit preview-ABI
allowance, require pinned module digests for that security phase, and retain
fail-closed composition. - Include WASI grants in compiled-module identity equality so differently
authorized modules cannot share an identity. - Isolate preview hooks from native policy hooks with separate process-wide
admission and 32-slot blocking-work pools, preventing preview saturation
from consuming nativefluxheim-policy-v1capacity. - Apply one absolute PHP-FPM request deadline to request transmission and full
FastCGI response collection, discarding timed-out pooled connections. - Open managed PHP-FPM executables without following symlinks, validate the
opened file and every ancestor for trusted ownership and modes, and execute
through the retained descriptor to close path-replacement races. - Run each managed PHP-FPM pool in a dedicated process group and terminate the
complete group on shutdown, failed status checks, and watchdog restarts. - Unlink request-body spool files immediately after secure creation while
retaining a descriptor for retry replay. Give every reader an independent
logical offset backed by bounded positional reads so overlapping readers
cannot corrupt each other's request body stream. - Hold PHP memory bodies and bounded spool-read buffers in
sanitization::SecretVec, clear consumed spool buffers immediately, and
clear full buffer capacity on cancellation, error, or drop. - Read each verified GeoIP database into an exact admitted-length buffer and
probe growth with a separate stack byte, preventing a one-byte in-place
append from triggering largeVeccapacity growth before rejection. - Validate public
GeoContextconstruction, canonicalize accepted two-letter
ASCII countries to uppercase, and reject ASN zero before policy consumers can
observe malformed security state. - Replace inherited managed PHP-FPM
PATHhandling with a fixed allowlisted
search path after clearing the child environment. - Render unavailable directory-listing timestamps as
-after checked epoch
and year-9999 bounds, preventing attacker-influenced file metadata from
reaching panic-prone timestamp formatters in release builds. - Replace unchecked
SafeRelativePathcomponent insertion with a validating
single-normal-component API so the public type preserves its traversal-safety
invariant for current and future static-serving callers. - Enforce crate-level hard ceilings for Wasm module, memory, table, fuel,
execution-timeout, and compile-timeout limits, with matching config rejection
and checkedInstantdeadline arithmetic. - Reject Wasm admission values above Tokio's semaphore capacity before
constructing a semaphore, and create compilation workers through the fallible
named thread builder instead of the panicking convenience API. - Check the absolute execution deadline before and after every synchronous host
callback so late callback results fail as timeouts. Keep blocking callbacks
prohibited until a killable subprocess runner exists. - Require in-process native Wasm callbacks to be panic-free and total for every
guest integer, and property-test all current guest-ID decoders over arbitrary
i32inputs. Keep panic-prone or third-party native callbacks behind the
future subprocess-isolation boundary.
Validation
cargo test --locked -p fluxheim-wasm --features wasi
cargo test --locked -p fluxheim-config --features wasm-wasi wasm_wasi
cargo test --locked -p fluxheim-server --features wasm-wasi native_wasm_wasi
cargo test --locked -p fluxheim-stream
cargo test --locked -p fluxheim-snapshot
cargo test --locked -p fluxheim-tls --no-default-features --features tls-rustls,acme
car...Fluxheim 1.7.7
Fluxheim 1.7.7 Release Notes
Fluxheim 1.7.7 adds the first opt-in wasm-proxy-abi compatibility preview
boundary. This release does not claim that existing arbitrary proxy-wasm
plugins run unchanged. It establishes the safe shape for that work: explicit
ABI and host-call namespace validation, feature-gated config acceptance, and
deterministic unsupported-call rejection.
Added
- Add
wasm-proxy-abifeature propagation through the root, config, server,
andfluxheim-wasmcrates. - Add
host_call_namespace = "proxy-wasm-preview"support for
[[wasm.plugins]]entries when paired withabi = "proxy-wasm-preview". - Add manifest validation that rejects mismatched ABI and host-call namespace
combinations. - Add native HTTP/1 proxy-ABI preview host-call stubs that reject unsupported
calls deterministically instead of silently binding to Fluxheim's native
policy namespace. - Reject module imports that are not explicitly bound for the selected
host-call namespace before Wasm instantiation, with a stable import-specific
error. - Add a live native HTTP/1 compatibility fixture using the canonical
proxy-wasmenv.proxy_log(i32, i32, i32) -> i32import and prove that the
unsupported call fails closed with503before the upstream is reached.
Security
proxy-wasm-previewhost calls remain disabled unless the binary is compiled
withwasm-proxy-abiand config explicitly setsallow_preview_abi = true.- Compiled WebAssembly module identities now include the host-call namespace,
so future compile-cache reuse cannot cross fromfluxheim-policy-v1to
proxy-wasm-preview. - Restrict proxy-ABI preview manifests to
access-decision, and independently
prevent native request-header, route, and cache host functions from being
linked into the preview namespace. - Enforce
[server.host_routing].strict = truefor native HTTP/1 Host and
HTTP/2 authority routing. Missing or invalid identity returns400; an
unknown host returns421instead of reaching the default tenant. - Acquire process, cache-vhost, plugin, and attachment Wasm admission before
spawn_blocking; honor boundedqueue_limitwaiters and replace per-request
watchdog threads with one process-wide shared epoch ticker. - Use Tokio semaphore admission in narrow-to-global order, preventing a
saturated plugin or attachment from reserving broader process capacity, and
cap active/queued Wasm budgets at256. - Select an installed GCC 13/12/11 compiler pair automatically for release-mode
rustls/AWS-LC FIPS validation when a rolling distribution's default compiler
is outside the supported range; explicit compiler selections remain
authoritative. - Bound external-auth work before blocking-pool submission with
max_in_flight = 64by default and a256process-wide ceiling shared by
all routes. Saturation fails closed with503. - Keep source-specific admin lockouts fail closed while allowing correctly
authenticated operators through a global invalid-attempt lockout. - Bound persistent storage-bin index files, entry/key counts, cache metadata,
header counts, and fallible allocations. Decoded local AES cache keys now
remain insanitization::SecretBytes<32>through key construction. - Pin third-party GitHub Actions to reviewed commit SHAs, pin
cargo-denyand
cargo-auditinstalls, and pin every container builder/runtime base image to
a reviewed digest. - Reject duplicate canonical storage-bin roots during native router
construction and verify persisted object identity before serving, preventing
cross-policy allocator corruption from becoming cache disclosure. - Record strict Host/authority routing rejections through the native metrics
bridge. - Inspect storage-bin objects only through the registered live cache and hold a
lifetime-exclusive lock file so separate Fluxheim processes cannot allocate
the same root concurrently. Standalone CLI inspection retains a bounded
filesystem-backend index rebuild because that backend has no shared allocator. - Keep generated managed PHP-FPM Unix socket names compact and reject a final
socket path that exceeds the platform address limit before spawning PHP-FPM. - Return explicit
431,414, or400responses for bounded request-head
parser failures instead of closing the HTTP/1 connection without a response. - Add one shared
256-slot request-driven blocking-work budget across Wasm,
external auth, traffic mirrors, disk-cache operations, and ACME challenge
reads. Explicitly cap Tokio's blocking pool at384, leaving128slots
outside request admission for operational work. - Acquire storage-bin ownership before any manifest or data-layout mutation,
preventing a losing process from modifying first-start metadata. - Document that storage-bin ownership uses advisory filesystem locking: use a
per-replica local/RWO volume by default, and require verified cross-node
flockbehavior plus orchestration-level single-writer enforcement before
using shared RWX storage in high-assurance deployments. - Partition blocking work by class under
224non-critical and256total
ceilings, reserve32critical slots, and return503rather than contacting
origin when disk-cache lookup admission is saturated and no stale memory
object is available. - Harden the GeoIP runtime boundary: cap fallback databases at eight before
allocation, admit aggregate descriptor sizes before reading/parsing, decode
bounded borrowed country strings, require trusted ownership and non-writable
modes for MMDB files and all parents, and reject files changed during loading. - Make reload classification fail closed through an explicit snapshot-safe
allowlist. Client-authentication, compliance, listener trust/limits, stream,
UDP, ACME, cache-purger, tracing, and other startup-owned changes now require
process replacement instead of being accepted as snapshot reloads. - Extend reload ownership into nested vhosts and routes: managed ACME target
identity/domain changes and managed PHP-FPM pool/process changes require
process replacement, while ordinary routing and request-time PHP policy stay
snapshot-safe. Exhaustive vhost, route, and PHP-FPM schema audits prevent new
nested fields from silently bypassing review. - Require config sources, split-config directories, and every existing ancestor
to have trusted ownership and non-writable group/other modes. Verify path and
descriptor identity and reject config files modified during bounded reads. - Restore the all-feature config security suite, including tracing/privacy and
dual-FIPS-backend feature combinations. - Bound Brotli, gzip, and Zstandard logical output before accepting excess
encoded bytes, transfer emitted codec buffers into response bytes without
copying, and permanently discard a codec after an output or allocation
failure. - Fail response compression closed for malformed
Accept-Encodingfields,
honor explicit coding rejection over wildcard acceptance, and suppress
compression for qualifiedCache-Control: private="..."responses. - Perform config ownership, permission, and symlink traversal checks through
no-followstatatmetadata inspection, and remove environment-derived
filesystem writes from storage-lease subprocess coverage.
Changed
- Update
base64-ngto 1.3.7,bytesto 1.12.1,regexto 1.13.0,
sanitizationto 1.2.4, and test-onlywatto 1.253.0. - Update the workspace MSRV, pinned toolchain, and container builders to Rust
1.97.0. - Exercise current MariaDB 12.3 LTS, PostgreSQL 18, and Valkey 9.1 container
lines in the database and health-check smoke defaults. - Restore the standalone cargo-fuzz workspace and remove its obsolete Pingora
dependency patch so the checked-in fuzz targets build against their current
owning crates again. The fuzz validation gate now compiles every target. - Replace storage-bin request-path full-index sorting, rewriting, and syncing
with one fallibly-created process-wide persistence worker. Maintain ordered
eviction state so selecting the oldest object no longer scans the complete
object map. - Add
fluxheim-base-images.txtto generated release evidence beside SPDX and
CycloneDX output so reviewed image digests are recorded for each build input. - Run filesystem-sensitive local release fixtures below private repository-owned
smoke roots, using a compact root for Unix-socket tests, so the suite exercises
the same full-ancestor trust policy enforced in production.
Operator Notes
- Existing
wasmconfigs usingfluxheim-policy-v1continue unchanged. - To test the preview namespace, build with
--features wasm-proxy-abi, set
allow_preview_abi = true, and declare both:
[wasm]
enabled = true
allow_preview_abi = true
[[wasm.plugins]]
name = "proxy_preview"
path = "/etc/fluxheim/plugins/proxy-preview.wasm"
abi = "proxy-wasm-preview"
host_call_namespace = "proxy-wasm-preview"
phases = ["access-decision"]- The preview namespace is intentionally narrow in this release. Unsupported
calls fail closed through the plugin fail mode.
Checksums And Signatures
- Commit:
f1c2497bca3fcfd9112d08ad65b3bc2aafb2e421 - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
5dbc0fd24140f2a81b52b46d63f09f70c3056c09fc1ec82cfcbd3860a0083f81 fluxheim-1.7.7.tar.gz40b33aea8811b6091c0fbe3e8e8368bc09843b59758a3c1bd6de2fc2defccbac fluxheim-1.7.7.zip
- Binary checksums:
- x86_64:
a03d30135990810b66cef61d3b401fe65063e5c8ed7d19304c15c9ec690eb35d fluxheim-1.7.7-full-x86_64-linux.tar.gz- `9775db4a60895845c436abb9104f9ed53d1d7e987eeaf68b0ba67d2ff2543959 fluxheim-1.7.7-cach...
- x86_64:
Fluxheim 1.7.6
Fluxheim 1.7.6 Release Notes
Fluxheim 1.7.6 starts the mature WebAssembly runtime hardening pass after the
initial live hook families landed in 1.7.1 through 1.7.5.
Wasm Runtime Hardening
- Compiled WebAssembly modules now carry an explicit cache identity made from
the plugin SHA-256 digest, manifest ABI version, native hook feature surface,
and Fluxheim crate version. - The native HTTP/1 hook registry compiles plugins through manifest-derived
identities, so future module reuse cannot silently cross ABI, feature, or
release boundaries. - The runtime compile API now has regression coverage proving a supplied
compiled-module identity from one plugin cannot be accepted for another
plugin's bytes. - Cache-lookup and cache-store Wasm hooks now acquire a derived per-vhost
admission budget under the process-wide cache-hook budget, so one vhost
cannot starve cache hook execution for another vhost. - Prometheus Wasm plugin metrics now preserve bounded labels for every current
hook family, including route selection, cache lookup pass/bypass, cache-store
skip/deny, and the cache-specific global and per-vhost admission scopes. - Authenticated admin status now reports both the general Wasm process-wide
admission budget and the separate cache-policy process-wide admission budget.
Test Coverage
- Add runtime tests proving ABI and feature-surface changes produce distinct
compiled-module identities for the same plugin bytes. - Add runtime coverage for digest-mismatch rejection before module compilation
can be accepted under the wrong identity. - Add live native HTTP/1 coverage proving a saturated cache hook on one vhost
does not block cache hook execution on another vhost. - Extend metrics and admin-status tests for the mature hook-family visibility
fields added in this release. - Add a live native HTTP/1 cross-family chain regression test that exercises
access-decision, request-header mutation, route-decision branch selection,
cache-key mutation, cache-store metadata, cached HIT behavior, and
response-header mutation in one request flow. - Add reload classification regressions for Wasm plugin digest changes and
attachment phase changes so module/hash and hook-chain updates remain
process-upgrade events.
Checksums And Signatures
- Commit:
c231d0ba594069e8344cf874c477aecc53c31c8d - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
c94b429c07259e8cde0657603dc408e94090509ff7c7d0ed7536095e69a82c49 fluxheim-1.7.6.tar.gz03d363b71af3454af89149425afe17950196f6843c833e4197e2a0b6f6f9cdbd fluxheim-1.7.6.zip
- Binary checksums:
- x86_64:
ba4034ad0465467c47e5fc1dfb5268ab52790401550aa1ba3b1feb5d229e7fb5 fluxheim-1.7.6-full-x86_64-linux.tar.gzeaff8b4edd4722a35be7f331387caa131bdc1c019ddeeb5eb71260ca7c263dcf fluxheim-1.7.6-cache-x86_64-linux.tar.gzaadb9a9395c6c520bdf5a3cac3d7c7aa40adb8de15fa05592fb20c6468a93209 fluxheim-1.7.6-proxy-x86_64-linux.tar.gza7e37c42511a04ebd4dac10740d8cc259bd9b2f712675abe911c0d78e7e88181 fluxheim-1.7.6-php-x86_64-linux.tar.gz4aa9be2ce7210746bcfe329291d68dd0001b0e7e3d342845949405a7b5a6d4db fluxheim-1.7.6-load-balancer-x86_64-linux.tar.gz6beceee3d220867007ee95ec2f7f40e6bae413283aa0eccefa938de96e712505 fluxheim-1.7.6-config-tester-x86_64-linux.tar.gz
- aarch64:
0465cf84d6cb458c71c4feeffc5817e18906618bfeeb41e890220e4342729bde fluxheim-1.7.6-full-aarch64-linux.tar.gzcda18da6022f865a43a28513b7b85bb4649f71d6bf7cdfc2874e06e03f9f9d3d fluxheim-1.7.6-cache-aarch64-linux.tar.gzb5f7277af6c5d91291d2a83a1246d99182a84988bd3d858b0988f94c46b03ef7 fluxheim-1.7.6-proxy-aarch64-linux.tar.gzc659872adffce902dc509a60bbccf1cbca9283a825a08f5652887cd62b4bac91 fluxheim-1.7.6-php-aarch64-linux.tar.gz825e9e70b9e7e4f9f4ebd8706768f195eed301b4eadca2d6045b8700f5b1765b fluxheim-1.7.6-load-balancer-aarch64-linux.tar.gz790ec7e1e8a9e0c364d2fec5d42ea399f4e06a6dbbc4a4b5df3716a64ddbc3f8 fluxheim-1.7.6-config-tester-aarch64-linux.tar.gz
- macos:
f0ccf2aaab50775c0f190f80972524bc045037523cb443ebda2c67b16535b908 fluxheim-1.7.6-dev-aarch64-macos.tar.gz
- x86_64:
- SBOM checksums:
ac35ec4409927685e4cae635bcca524c9736d9a52b276f72787a9ab71dd6ea80 fluxheim.spdx.jsond456b9b6f5b844ed4eee13245544b4915ec4923a95643629b4dc189be8803cd3 fluxheim.cyclonedx.json
- Reproducible build:
854523f27160e547093f5730eff3c15975fc2777a2f0410d6904cea3d501c2a8x86_64877526f4c8aabe5f302658790de493710e60da34a3175281115db79aaa75937caarch643d1a69e5c99354e04e4f9dde5bd5fad0f3f79a89c026da8fa5a95f645bc82dedmacos
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:462b98287a0eb0e405cd302b818c5bab0507e18845191eb0abe3732bfd953477 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:73fa2fac2aeafb9b6c526947feadbc593f64cad8d7e8cda151e251e7ddb1d264 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:1b9f669cc292bc603f469bcf5f2bb1151e998f7c1e16cb8efbd8a65eaed95e4f - Debian:
ghcr.io/valkyoth/fluxheim@sha256:42c6bb83a9221d5a9197ae7650c6c9746b9f042ebb1d153b8a6b8d4a965e73f8
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:516e1b6a845fad44abd7adcb0e55ea4e4aff84fe5ba1f4f9f414274b8fae5b81 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:15499cba800245ee55f3539cbe8a284c46b111209d7fb977b4878eb3c78765ae - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:7b83328c5b2bcb904a185ef52ecaf33e3a54ab5c0b7a2b9902fa01e756c26252 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:0dac5e12c5f77ef2e90e0cb9ebfe40d6e7d21b88226eb50761ebefee0de7668a
- Wolfi:
- Proxy Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:b4c53ff4fa77edd3ceb205794bceda9555c87c6d317e5ef3f12b48de5e13bcac - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:06b16018d2136d40fb38ae2d2fbdded43b806b8a11672dd1816a398bd8657a4b - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:83f47565b19863884df0842d32f0564f32f917ed8ad2be684414e5d410ebf411 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:96b321626f2356326daefb3d9394c0dbc382be8f66379b175201ea9d0bed21aa
- Wolfi:
- PHP Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:65a3f46bcd7981319c8e38a1cf53e5b4fdd4ea745ca994682532d805e52f2d9d - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:617c59eeb6252d39bd7af50a701d78e5242c8bcf17755469887e954675c33288 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:380c4dd0cf9477265fca8e5cd63f96230b79dd4da9be065d45b8f02f55b3161d - Debian:
ghcr.io/valkyoth/fluxheim@sha256:888798aec2a6dd514c42821e149b4f279108164206c46f3c67d7400e12aed167
- Wolfi:
- Load Balancer Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:5f9140cf1dcff8a6f74d7bbad2fe16cf854bfb88c1fc7b73beabdcb643923a9d - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:132c7659712399a2bd435e8b70560e7cbd43856202ecfca9e5abb293220797aa - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:4a6dafe13049dc769504981026df8a733445349c7fb93e9d0e43784c49f2bd0a - Debian:
ghcr.io/valkyoth/fluxheim@sha256:243d9ae5e71d603d62c22dc6682afb287c6bc9ad7574626a503cb57c5c718184
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.7.5
Fluxheim 1.7.5 Release Notes
Fluxheim 1.7.5 continues the VCL-like WebAssembly cache-policy milestone with
the first bounded cache-key and cache-store metadata hooks. The new host-call
surface is intentionally low-cardinality: plugins can add a symbolic
device-class cache variant, choose fixed TTL/tag metadata, and set one fixed
stored-object response header, but still cannot emit arbitrary key bytes or
mutate arbitrary cached response headers.
Highlights
- Add a bounded
set_cache_key_component(label_id, value_id)host call for
cache-lookupWasm hooks. - Add symbolic
X-Device-Classcontext undercontext(5, 0)for cache-policy
plugins. - Allow only the fixed
wasm-device-class=mobileand
wasm-device-class=desktopcache-key components in this slice. - Add bounded
set_cache_ttl(ttl_id, 0)andadd_cache_tag(tag_id, 0)host
calls forcache-storeWasm hooks. - Allow only fixed TTL classes and fixed cache tags in this slice.
- Add bounded
set_cache_store_header(name_id, value_id)for cache-store
hooks, limited to fixedx-fluxheim-cache-policyvalues. - Add bounded cache-store response content-type inspection through a symbolic
context(6, 0)class, without exposing raw response headers. - Thread Wasm-selected key components through native static-upstream and
load-balanced proxy cache lookup paths. - Thread Wasm-selected key components through fixed-slice range-cache keys so
ranged mobile and desktop variants cannot share slice objects. - Thread Wasm-selected TTL/tag metadata through native cache storage without
exposing arbitrary response-header mutation. - Thread fixed stored response-header metadata into the cached object while
leaving the immediate origin MISS response unchanged. - Add live native HTTP/1 listener coverage proving one URL can cache separate
mobile and desktop variants, then HIT the original variant. - Add live native HTTP/1 listener coverage proving Wasm-selected key
components also isolate fixed-slice range-cache objects. - Add live native HTTP/1 listener coverage proving a plugin TTL override
expires an otherwisemax-age=60object and refills from origin. - Add live native HTTP/1 listener coverage proving a plugin can set the fixed
stored response header on cache HIT and that forbidden header IDs fail
closed. - Add negative coverage proving duplicate stored-header mutations fail closed
and stored-header mutation caps are enforced. - Add negative coverage for aggregate cache-key component caps, cache-tag caps,
and TTL singleton merge behavior. - Add
examples/wasm/cache-lookup-policy.wat,
examples/wasm/cache-store-policy.wat, and a matching config template for
the bounded cache-policy ABI. - Add live native HTTP/1 listener tests that compile the checked-in example
Wasm sources and prove image-only cache-store metadata, cache-key, TTL, and
stored-header behavior.
Security Notes
- Unknown component IDs, unknown values, duplicate component labels, and
component counts above the hard cap fail through the plugin fail mode. - Duplicate cache-key component labels and aggregate component counts are
enforced across the fullcache-lookuphook chain, not only within a single
plugin invocation. - Unknown TTL IDs, duplicate TTL overrides, unknown tag IDs, and tag counts
above the hard cap fail through the plugin fail mode. - Unknown stored-header IDs, duplicate stored-header mutations, and stored
header mutation counts above the hard cap fail through the plugin fail mode. - Cache-store metadata caps are scoped independently to TTL, tag, and stored
header metadata so one exhausted metadata family cannot silently drop a later
family. - Oversized cache-store candidates are rejected before cloning response bodies
for stored-header metadata mutation. - Store hooks receive only symbolic content-type classes for response-header
inspection; raw response header names and values remain unavailable. - The hook does not expose arbitrary request headers, raw cache-key bytes,
request bodies, response bodies, filesystem access, network access, or cached
object contents. - Built-in access, route, rate-limit, concurrency, header, and cache admission
controls keep their normal order.
Operator Notes
- This is a preview ABI for controlled cache-key variation. The only accepted
cache-key label is currentlywasm-device-class; the only accepted values
aremobileanddesktop. - Store TTL, tag, and stored response-header choices are fixed IDs, not
arbitrary strings. Richer store admission mutation and cache response policy
hooks remain staged for later1.7.xslices.
Checksums And Signatures
- Commit:
c849e3311d9862e336ddeb1171a19a1c064b568a - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
d3316196c58aa0f01a99e4f9f8ec9fe6c45f5ea76d7b43fb63f2f2320bb0bcf8 fluxheim-1.7.5.tar.gza928f0c6dd9cfaa227871d487135dae167ab9ce23bbd9d1b0deabb7ef31788a8 fluxheim-1.7.5.zip
- Binary checksums:
- x86_64:
6275ae5d6542285e15fcf207be68372edd7c8123e3a9d608eae0232b67d52135 fluxheim-1.7.5-full-x86_64-linux.tar.gzd703ce77cec7828eb758188fbbab703843dce91d3762593d9ab1d665fa4f46a5 fluxheim-1.7.5-cache-x86_64-linux.tar.gz329ca82c825a092c877f92670e65ba5bf2bca969a2c89e31f416fe6774e26b91 fluxheim-1.7.5-proxy-x86_64-linux.tar.gz87a982cba770134b0334b45beb1ed04ce0fe371c4169bbe380f643c2619c1d05 fluxheim-1.7.5-php-x86_64-linux.tar.gz99e06ae168e71c277616ebb31c9c1295a5e61cc6e6ee0ce47213476da60dc6b1 fluxheim-1.7.5-load-balancer-x86_64-linux.tar.gzdba07e8f18b8537e667a18056f1ed4bb75681028ad1078a855001d1708e8f376 fluxheim-1.7.5-config-tester-x86_64-linux.tar.gz
- aarch64:
014e86f4fb850cd69428fa1db73126f33448352d78af906d4cadfb71738b1d79 fluxheim-1.7.5-full-aarch64-linux.tar.gz1144eb8637e9770e4e8b8ba858ecf07719372e8a4fe9e8ba3f1b82c6f6c53688 fluxheim-1.7.5-cache-aarch64-linux.tar.gzeb177989c3067cdb5e9abc4b0da5cc5f0217b98c4f50ab69787f792db225cb32 fluxheim-1.7.5-proxy-aarch64-linux.tar.gz02d6c7cbc52f53ba87b5134096739ea25fa3268dc8325106cbf3c4bf167c66e8 fluxheim-1.7.5-php-aarch64-linux.tar.gz0bceaab3d5897db69b879107d2bc55f1eba1898526d543839a61b56dcc64c606 fluxheim-1.7.5-load-balancer-aarch64-linux.tar.gz3960a6fde3ffa1f11ce02eb5c7dd081641f2524e61b7aa31be7fbe82a2de36f1 fluxheim-1.7.5-config-tester-aarch64-linux.tar.gz
- macos:
ce34af1384e0936e083c8dc06fc51c962c811b314be94c2edbadadf7767a06ea fluxheim-1.7.5-dev-aarch64-macos.tar.gz
- x86_64:
- SBOM checksums:
0c0fb4585b18442ab1df9f814142d8325aa1a3cbfcce6acfe013b97b077aa0d7 fluxheim.spdx.json788380fb58d94d8738eedb1b82a02da814172fc67a5fa9991ec1e3c4e8d3a258 fluxheim.cyclonedx.json
- Reproducible build:
16056a59918c939fccfe1522b11cb1e8ce4a748ea73222bd4f03f146ca3ea072x86_64add39ef66006d018dfa76ba4d18f7114e1d7fafaf7c61b906ca6e5b2c8495a8eaarch64ec83da96f971f05914d7bda079577be2f2434f31142412aafce21d3a6b1adbfdmacos
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:39db6caa5b498a68f4455e2f08bba1c109d7f6c6c1c70a3e5ce792bdfcc887ac - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:495ef2913bdfd2c8b0db91101f54cd6e025c7f66f262cd91581d62544b414485 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:0ae64c168a1e5ac435f9922f9db626f4479e6ee1dc3794ab42f33bddcb546e08 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:adb9829ad3c63132ed06b560089ba0703064ab413b7f9aa987ed7f9b47f3bda6
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:22894fbae4dcfc3d0712226eb12a30a8d998792c945f52de8de48070946f5522 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:72c71aaeff9407ec1320de6098ec397fae396e1752649b7cab275d4ca1cf5c42 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:16121cd319cd58155acff3dff193019620c4cd9f14a07bd4a3668b237d8a5a5d - Debian:
ghcr.io/valkyoth/fluxheim@sha256:ab618b9b41bddcbfe51548d2fe0a91513c871c3ae357898d058c77e1d318a510
- Wolfi:
- Proxy Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:2f3c2116106612b831ffe85d335b1a3fbfbd7590cbff2361788a5b3dd8627769 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:05d923cac92dd7bf78874a75b6bcceb5e19e5cd34f44ecf74a42b9d89a956e10 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:ce7c41edb4a4dda642573146ac984a5ec5454af31bac94942becac709e34ec91 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:0248a039b063a5095600388abdf6a68af4d769bfef5390a0d492ff7db837f55f
- Wolfi:
- PHP Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:a38e17bad99759a05cff5ad3a6aeade67cf912632c1035b4fb7ff12399f0e328 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:4f2dfcc04e2d53738f489590b1d1d61a98aa9409f92c1e024e1b95dd4e3ab851 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:12f2faeadc9c57d45619073bc4d0bbfa502a40b3e8a3c6704ae1871f50a9f28c - Debian:
ghcr.io/valkyoth/fluxheim@sha256:4487c4d9307b5d7c6cfa9a0965051c853cbb81f24871cc2a7d62a82e74512875
- Wolfi:
- Load Balancer Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:4247e06fe5562382e32589aa6e7da22fc3f73054e191b1cddda5ae2ebffcc57e - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:7c1d596a35346fe4cab29c6ac83468e7fe5db0f4149dd3a9a20488feb5c65bde - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:4b8fc026d8500e3fbec5b65dbf2210681d203e28452aef19a16ea5debd4ef97a - Debian:
ghcr.io/valkyoth/fluxheim@sha256:46f5527a86c369e08597a814da7887f1bedfb91415a0e446e21b486498f4d19a
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.7.4
Fluxheim 1.7.4 Release Notes
Fluxheim 1.7.4 starts the VCL-like cache-policy part of optional WebAssembly
extensibility. The first live cache hook is intentionally constrained: plugins
can decide whether cache lookup proceeds, passes through origin, bypasses
cache, skips storage after an origin response, or denies, but cannot yet mutate
raw keys, TTLs, tags, response headers, or stored metadata.
Highlights
- Add live native HTTP/1
cache-lookupWasm hook execution for vhost and route
attachments. - Add live native HTTP/1
cache-storeWasm hook execution after origin
response and before memory/disk cache writes. - Add a bounded
fluxheim_cache_lookup() -> i32preview ABI under the existing
fluxheim_policy_v1host-call namespace. - Add cache lookup outcomes:
0: continue normal cache lookup and storage;1: pass through origin without lookup or storage;2: bypass cache lookup and storage;3: deny with403.
- Add cache store outcomes:
0: continue normal cache storage;1: serve the origin response but skip storage;2: deny with403.
- Apply cache-lookup hooks before native proxy-cache slice lookup, normal
lookup, peer-fill, request collapsing, origin-fill protection, and store
admission. - Thread selected route/vhost Wasm hooks into route-proxy cache paths so cache
decisions use the same attachment model as access, header, and route hooks. - Add
wasm.max_total_cache_concurrent_executionsas a separate process-wide
admission ceiling forcache-lookupandcache-storehooks. - Add live listener tests proving a plugin can pass
/api/*without storing
while normal cacheable paths still produceMISSthenHIT. - Add live listener tests proving a plugin can skip storage after an origin
response and deny before cache write/client delivery. - Add live listener coverage proving a later cache-store
denywins over an
earlierskip. - Add fail-closed live coverage for cache-lookup deny behavior.
Security Notes
- The cache-policy hooks are constrained to integer outcomes and coarse path or
response-status context. They do not expose raw headers, bodies, filesystem,
network, admin APIs, private keys, cache-key bytes, or cached object bodies. - Built-in access policy, rate limits, concurrency limits, route selection, and
header policy keep their normal order; the cache hook cannot bypass them. - Cache hooks use their own process-wide cache admission ceiling so hot
cache-policy routes cannot starve access-decision, route-decision, or header
hooks on unrelated vhosts. - Cache-store hook chains are most-restrictive-wins: every hook runs unless a
hook returnsdeny, anddenywins over an earlierskip. - Plugin execution failures still follow the configured fail mode:
fail-closed denies with503, while fail-open continues normal cache
behavior. - The
wasmfeature remains optional and is still rejected with
privacy-mode. - The release gate updates
crossbeam-epochto0.9.20to clear
RUSTSEC-2026-0204.
Operator Notes
- Plugins that use
cache-lookupexportfluxheim_cache_lookup() -> i32. - Plugins that use
cache-storeexportfluxheim_cache_store() -> i32. passandbypassoutcomes reportx-cache-status: BYPASSwith
x-cache-reason: wasm-passorwasm-bypasswhen cache status headers are
enabled.passandbypassshare the externalBYPASScache status but record
distinct cache-policy activity aspassandbypass.- Richer cache-policy hooks for bounded cache-key components, TTL override,
tag assignment, store-admission mutation, and safe response-header mutation
remain staged for later1.7.xslices.
Checksums And Signatures
- Commit:
befc640024b3718e490ba5b5744d1726371f6acf - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
73c21bd501c6067477b7478a8d2147133646763dc743a07b81694bd0b8308763 fluxheim-1.7.4.tar.gz7dd086c160f49b1ca7b59149f916ece9d0c29fe4cd7a592e4669c12cbac23900 fluxheim-1.7.4.zip
- Binary checksums:
- x86_64:
c24bfda56df17a3b0fea6c5d7984d5234d2985f98d97836209bccb62876d033a fluxheim-1.7.4-full-x86_64-linux.tar.gzae310dcaae7873b337d12eafeeabb5445fe9ae1a37b5ab9230895e60188d4753 fluxheim-1.7.4-cache-x86_64-linux.tar.gzcb2683a7e29a5ce4a990b5f0bce216a518ff687624c0575e3fc7739f7fbf95a4 fluxheim-1.7.4-proxy-x86_64-linux.tar.gzc608addb563b38e729e31c7e6d8b3be0e68a2976a61e7b17137dbf0d406c06d7 fluxheim-1.7.4-php-x86_64-linux.tar.gz33feefe76ab7082c5b19581d2c3525dce4b6a48c22c87430fd12bb4a5eabcf91 fluxheim-1.7.4-load-balancer-x86_64-linux.tar.gzb28007bbf0778a023141c5de7a2faaa865031890a5ea6d3e710c4493f2199da3 fluxheim-1.7.4-config-tester-x86_64-linux.tar.gz
- aarch64:
a0c62b041b7f261dbcf4d23f507c36e87305439ba661894952c4afc97c9871cb fluxheim-1.7.4-full-aarch64-linux.tar.gz3ea635b2ff883a84dd453521a51445f1651151152b9e14082cad0192ce29d744 fluxheim-1.7.4-cache-aarch64-linux.tar.gz9ede717945867b9edabda103b81b701ff589484b9128ef00372adec5d9f98531 fluxheim-1.7.4-proxy-aarch64-linux.tar.gzd4ccdf264d72b0811d56513eef244015fd9550b6e5e517662d2915a4999f2e80 fluxheim-1.7.4-php-aarch64-linux.tar.gz666ca2a57fb51716b532cd642a84f5964f7c68a47141205135a76193a5593b27 fluxheim-1.7.4-load-balancer-aarch64-linux.tar.gza728616b18ff81e86cf4c3bb4135e357cb9bb2fb0feb922110e1af6c701800a6 fluxheim-1.7.4-config-tester-aarch64-linux.tar.gz
- macos:
5131694028fe19c4d4918745814f9d8e35ec8ff176ab24c6bec9d3c7b58c4ddf fluxheim-1.7.4-dev-aarch64-macos.tar.gz
- x86_64:
- SBOM checksums:
621d1868a28d782a439c252d1a4bb7b1511b3e5c5e88b1527a32594fb0010e41 fluxheim.spdx.json6a0a727a2814c6ddf91d965d38ede300e51c6d168e8dbbcd8d37e770ee84ddc6 fluxheim.cyclonedx.json
- Reproducible build:
cb13c979cb1fcf036cab9a69bdee22949946d9bceb85f966b12844fd174bdbd1x86_64f5f6b2338628c3ef525a3b0ae7c0da8fe9ae4d0948247510a685b1ca2a185d01aarch648ef32281b2227cf23e337d5e00344b14a80be8505d51e6ea0013250fa4e5c465macos
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:398d019d80aa15cfe26506506dba67f67b3e1a3583a17bb894af2288945e76b9 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:634cab1db3054b01750a25c65f9c7baa244ec93240ee0b90081d67f1c37f4981 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:b3221a2d5910ec08a779cd024920defe715fbc9643ca653592d239e46ac71f1d - Debian:
ghcr.io/valkyoth/fluxheim@sha256:c220b2c6b58561f43f391b964a1226a1b9cc31ff859195a01beed4dc4a8d6091
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:5e7475427223812a04e54ea72517ffc97a2b3fce88f91341f34e0e93641b0b34 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:ed9222cc22773ca54a6517d6701ab90b991ca017651a66d56e904c2f29125320 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:6e6fcb4d88f0ee0470c61bd68622f9728db1a33b1271a1c07ff934c034e27426 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:284f65e27589ecf6e3b9f4d41c342749b53ce09405d2f813bce70ad075f300bc
- Wolfi:
- Proxy Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:541a33fa75070779d397a6befe950d869c2cdc842658ebe0ec5039ff0c766231 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:19b648c78277770a13e7366ebdee181334b9dcfcd22e30a8295f81986168cc89 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:1bf0212048daa4fbda4479fffd526b66797a5cb3875d68834aeb03bb678be0f5 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:cd5fc3880948367dec623b3133e150f324faf141d23147d5b1906399618b41f4
- Wolfi:
- PHP Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:bf1c533b2ba75bca8b97d2d94b6b73f72f62d3a3e99c161b287b35b1a18c6d96 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:65a3452a111107c81d6253cbab35e616fee5c4be48ced1a5ca4b71671b22eb44 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:bbeafeb00f8303d593e8f7b1145b54b52b935d8bad6a61bf42f121d76d30f3c5 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:81a159f9bc07df0302aa2a588e057eaf9ee4b9f57c5d8eac7d8c26972ac9d527
- Wolfi:
- Load Balancer Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:1cc26ae633ed681f9c8ae2d56285fdeeecbcea956a3129aa9e78d2f4decc02d4 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:09521f3c366001644bb81fffd85fe41b62e604e83095038936ee918edfd45006 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:457f2783d0c2d0272557646935b0a43f9ef3c8378fab9a5754956342305efe46 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:171e2b339403aca700a857af40f573b9d94cb30045d9c4c9588da3dac4d3eda5
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.7.3
Fluxheim 1.7.3 Release Notes
Fluxheim 1.7.3 starts the HAProxy-Lua/SPOE-style routing-policy part of the
optional WebAssembly extensibility line. The first live route-decision hook is
intentionally constrained: plugins can continue, deny, or select a symbolic
configured route branch, but they cannot invent upstream addresses, bypass
route matching, or override built-in Fluxheim access policy.
Highlights
- Add live native HTTP/1
route-decisionWasm hook execution for vhost and
route attachments. - Add a bounded
fluxheim_route_decision() -> i32preview ABI under the
existingfluxheim_policy_v1host-call namespace. - Add symbolic request context for route decisions, including the existing path
class plus boundedx-canary: 1andx-mirror: 1signals for the first
configured-branch routing examples. - Add configured-route branch selection for the
canaryandmirrorbranches.
Fluxheim accepts the decision only when a configured route with that name also
matches the current request method and path. - Add live listener tests with two local origins proving a Wasm route decision
can move a request from the standard route to the configured canary route. - Add live native load-balancer route coverage proving a Wasm-selected route
still delegates backend choice to the configured Fluxheim load-balancer
policy. - Add live managed-cookie persistence coverage proving a Wasm-selected
load-balanced route still pins the backend through Fluxheim's configured
persistence policy. - Add live traffic-mirror listener coverage proving a Wasm route decision can
select an already configuredmirrorroute without giving plugins dynamic
shadow-target access. - Add fail-closed coverage for a plugin that selects an unavailable branch.
Security Notes
route-decisionhooks cannot create destinations or bypass route matchers.
A selected branch must map to an existing configured route with a matching
method and path.- Built-in vhost ACLs, vhost rate limits, and vhost concurrency limits run
beforeroute-decisionexecution, so denied or shaped clients cannot spend
the process-wide Wasm admission budget first. - Built-in preselected/decoded route ACLs run before
route-decision
execution, while selected-route ACLs and route-specific rate/concurrency
limits run after the final route decision. A plugin-selected route cannot
bypass its own configured route policy. - Selected-route body limits, redirect policy, and request/response header
policy still apply after the Wasm decision selects a route. - If a plugin selects an unavailable branch, Fluxheim returns
503rather than
falling back silently. - Wasm module compilation now waits for a bounded compile slot with a condition
variable inside the configured compile timeout instead of polling in 1 ms
sleeps under startup/reload contention. - The
wasmfeature remains optional and is still rejected with
privacy-mode.
Operator Notes
- Plugins that use
route-decisionexport
fluxheim_route_decision() -> i32. - The initial preview return values are:
0: continue with normal route selection;1: select the configured matching route namedcanary;2: deny with403;3: select the configured matching route namedmirror.
- Direct backend pool/member choice, plugin-provided persistence-key choice,
and dynamic mirror/shadow target decisions remain staged for later1.7.x
slices. - Refresh dependency pins for
aws-lc-rs,bytes,maxminddb,zeroize,
getrandom,arc-swap, andenv_logger;base64-ng,sanitization,
cargo security tools, smoke images, and GitHub Actions pins were checked and
already current.
Checksums And Signatures
- Commit:
d40605659539632f184a01ea536e2f79e7c5fa31 - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
472f7ed39708f020cde7ccde01d109d9cde08090ffb8396190cf148a22806a50 fluxheim-1.7.3.tar.gzbd82e4e10c242ba86663a0ef2b31b03a4bd796f641cc535ac07df831c7ad84ff fluxheim-1.7.3.zip
- Binary checksums:
- x86_64:
ac76cf1e38c9f6d110ab9e1a82651a41ff0600bf6cc8362e3b6e7e676d640ad3 fluxheim-1.7.3-full-x86_64-linux.tar.gz87e7e509f35e654b24d80f03829287d7f623ec58f41e1215b0bf3a3398ecfe5e fluxheim-1.7.3-cache-x86_64-linux.tar.gz06112b0e91bb985d470659b8315cc807f9fddae2fdfe140d3c586c050aab080b fluxheim-1.7.3-proxy-x86_64-linux.tar.gzd2dd5bb649ca32a3e6437519a4d3bfa94a317323250909a5dc78f1e2546df592 fluxheim-1.7.3-php-x86_64-linux.tar.gze067b34f4aabc7b941e81b58e962043681f9f177d8c7cd6c284e96b163037ee7 fluxheim-1.7.3-load-balancer-x86_64-linux.tar.gzcbe01af881f9cf0dafdcd4541ebe385132ccc940d6d18d5ee23a883b905a2bdd fluxheim-1.7.3-config-tester-x86_64-linux.tar.gz
- aarch64:
83d7bdf4cd3a48267faf1cc4aeaec085325a3db632ac419a9c6338847f306054 fluxheim-1.7.3-full-aarch64-linux.tar.gz07bc1317b5d9dc18e52cf6e242e120952c2b91ad82f231c63e120cf10660cc1d fluxheim-1.7.3-cache-aarch64-linux.tar.gzb3ef93bd0452f1a6d1d4edc976e05dd3fb20b31a942280e1d632954afa718e2d fluxheim-1.7.3-proxy-aarch64-linux.tar.gz2aad1a1d455c4b270605a3be7b40b5ddc9b012a8c63910ebe0ed6183085de654 fluxheim-1.7.3-php-aarch64-linux.tar.gz5507d0bd781b458946371a23e9f2c15c8c44dea1cf76eb665d71bd0e9445b32a fluxheim-1.7.3-load-balancer-aarch64-linux.tar.gzed066af4cbfdce353021e53e5be355ca3968626ed13d232315dc22c48837fdad fluxheim-1.7.3-config-tester-aarch64-linux.tar.gz
- macos:
535cb3e9ceb46e45336c6d890bfddf61baa9b94a42e71928e1c5c83eec0ae7aa fluxheim-1.7.3-dev-aarch64-macos.tar.gz
- x86_64:
- SBOM checksums:
e2bf218c025acd5f691e76062f2223ad7f6167d60e10acddcc927b7823ba233e fluxheim.spdx.json6a469063e11fca5af15b909de7193750ed0d97af7a816e703ad173c6bf863f4f fluxheim.cyclonedx.json
- Reproducible build:
54b2c6baa21061bf55685a8d2b3f4983ec93188d7db4f1f5fd9dc691ce32440bx86_6461ab7b28bb374ba31ddbc1fec3fa949bd5fcd7b6a1e33421634488ca5fb9f254aarch64cf09cd6db45a5b4ac8c173b80762ae5f126c24103b5474039082589051bfbc60macos
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:30049a8decddc2cbba0b28af61c22c6567095acbe4f42209235b7f790442bf22 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:707a38b54b46b1a7333b62a1943cdf04c8e03c4fbafc964e3a22684c9fa11d3e - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:8d9475cc2efc77845978dff3b2911d0a71ca1a58085b4cc75a0bde4eb60174a4 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:0909da492f90b6c110f8bee83f2f0ffc10ec94513b8f100a5e93200cc94badaa
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:f1329ca0db6f2421048667cdf3b8812afc09e6773b84bd7fe24bb8d3fb972b3b - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:2478849264307489ae484c9441323bbec136703434b6e18e2104b20e3cc0f7ec - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:1b88e1036f09447008f2fc0d1ebe0a02e80e1a87bdfa76fce04f17e7bfb77bbf - Debian:
ghcr.io/valkyoth/fluxheim@sha256:0208ea8b86d409390b698706c6a3834024f6b76958a362b5941b74c453711dae
- Wolfi:
- Proxy Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:2e39f5126f6840ebfb9f9c8c59d661df57385edb270daa85e01cb7d242617f3c - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:25380d5a9a5c156cb2af21cfeae968bdc9d03d267046053101a15d9d4bfb309b - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:5b0cbe914807346e90a68e7df720426b485c9e826b527dbb15670827d4289a0d - Debian:
ghcr.io/valkyoth/fluxheim@sha256:118ce74ecf4b3a08760baa2918471061c4b5f29c1abd2405274f86a555e0dc5b
- Wolfi:
- PHP Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:09b23f9d2acdfb0efd48cdc70fd9da131b73690276db9c91bbe8fb9a1b080e94 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:6474f973a8b0c228e510f8133fd1729aeb5692e544e83a10d9cd623dab89b1f4 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:09eb9fd2d399250529283d85c84d07956f45ce9e4b936e4a745dfadf6d817ebf - Debian:
ghcr.io/valkyoth/fluxheim@sha256:486d6a5c6e1321e77b8be3ba79750d58f246acf1b6f985f9e6a31d3d69d7614a
- Wolfi:
- Load Balancer Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:1afa3c43f841365fcb8922252699f9f7140d2ac0c36d94688936391c98296df1 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:2f67c0c911846347423d2652a30e386fc0235e768ea90f5bf0f076474e2f33d4 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:276591dd49fa339d613edc348fe97cb2f86477c37897a4c4034aa4f3161c84aa - Debian:
ghcr.io/valkyoth/fluxheim@sha256:4db34538477dde07a5fe8d4234f71cee6d10d59abeff116db93655b299674cb6
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4