Releases: valkyoth/fluxheim
Release list
Fluxheim 1.3.0
Fluxheim 1.3.0 Release Notes
Summary
Fluxheim 1.3.0 is the shared ingress/TLS feature-graph split release. It makes
the focused cache and proxy profiles TLS/ACME-capable without forcing unrelated
application modules into those builds.
- Release type: focused packaging and feature-boundary release
- Compatibility: default and full builds remain broad production builds;
focused cache/proxy images are stricter by design - Primary area: Cargo feature graph, containers, packaging, and release docs
Scope
Fluxheim 1.3.0 starts the shared ingress/TLS feature-graph split. The goal is
to make TLS and ACME usable by focused builds such as cache, proxy, and future
load-balancer images without forcing every deployment to compile unrelated
webserver or cache modules.
Highlights
- TLS backends now depend on the shared
ingressfeature instead of forcing
the fullproxyfeature. - Added focused profile aliases:
profile-fullprofile-web-serverprofile-cache-edgeprofile-proxy-edgeprofile-load-balancer-edge
- Added CI validation for the new focused profile aliases.
- Added focused container configs for cache-edge and proxy-edge image builds.
- Added runtime config guardrails so binaries compiled without
webor
cachereject configs that require those modules. - Expanded local and GitHub clippy coverage for TLS-only, full, web-server,
cache-edge, proxy-edge, and load-balancer-edge builds. - Updated the roadmap:
1.3.1+: PHP/FastCGI and PHP runtime follow-ups.1.4: advanced proxy parity.1.5: enterprise load-balancer parity.1.6: shared Wasm extensibility.
Compatibility Notes
The focused profiles are a compatibility step toward stricter images. Static
web serving still uses the shared proxy runtime in this first split, so
profile-web-server intentionally includes proxy.
The load-balancer image profile is prepared in CI but remains gated until the
1.5 load-balancer line unless explicitly requested in a manual image
workflow run.
Checksums And Signatures
- Commit:
91c4cfe74b34c65f3d5d8b1f27ab39f725c91c5c - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
0171b48920678b99ae77d36c7888d5b523bcb45b5827ee0ef4a3a68131863b56 fluxheim-1.3.0.tar.gzc6acdf36b9310a3c6d9731f6dcbdeed5a5e79f75835b8ce24fa1ba2009d70237 fluxheim-1.3.0.zip
- Binary checksums:
26d2220a8a8e6eefd5b0fc65de100c9a55896ef359aea92b62840d09d44f29be fluxheim-1.3.0-full-x86_64-linux.tar.gz64f73b293ba87f9209744501e30b20c62ccd1e853f98435e7603431edb95bee3 fluxheim-1.3.0-cache-x86_64-linux.tar.gz8a7cca9dd3f434895dae4bc4c3cad45005683fd2d813301b3da08a18c815e71c fluxheim-1.3.0-proxy-x86_64-linux.tar.gz
- SBOM checksums:
0b98ffa64f8597c68aa9e7dfa0bab75c4ceb4027113705e2564575382500c7a1 fluxheim.spdx.json20af0d1856635524c9894705688171244e81baec0a3247e4f7d0290f7acc74f7 fluxheim.cyclonedx.json
- Reproducible build:
39065869d07a21352971b7c884ae3f3a93f1cf1db40929e362022598b631d45b
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:83f6649a2da859f9d1e45d300dbabb41ef72e0ddfd8ae881fc645733e34c6318 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:3da7a8c8f37b1acd13a5a0d28cd9350a9a9ef1adf7cea1aaf555fd3fc1e9fe74 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:b1f95109f9b67278ade4b197b02af51a4cc2be612270b32df5339f50ee7b3f92 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:41bbc9f5c585af3c66a61a221a1a96b9403cc38b370b3156d03963e243d7015f
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:bb4152e92bd89e4c1dd09ce4e583cf6340c0737b04f12a5dd478cf90e6026a6d - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:4bfae69db74e1aea20ff3abd6e5b41550d8e7b19bbba86faec9e000905ad1bdd - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:69937a3ee2ac45faa1e737f16a2938ba05b8669b4d64a83fa0d5629d002b46c6 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:7f2b6010eff66f0edb4f7c82107468c99d08d9bd7e7b1d764cdb1912b7afef2e
- Wolfi:
- Proxy Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:2f7dd19fd273236b34fd6fa09b07fd782c349004fd3650f0647ca0a771ed4b94 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:2e1e2bd355e5bb47a160f76ccb35510e557b018aae4387827291752948aec32c - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:96927c467c99234fbbe9d6f6f2f66f722652b31a2b95935a758d0b783940d8eb - Debian:
ghcr.io/valkyoth/fluxheim@sha256:3bd12333af9ea438eb50ecd545cc19df5c4b7319e2e88fa2476e1d2f7033d936
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.2.6
Fluxheim 1.2.6 Release Notes
Summary
Fluxheim 1.2.6 is a focused cache follow-up for full slice-based range cache
composition. It extends the 1.2.5 exact bounded range cache with an opt-in
fixed-slice engine for large proxy-cache objects.
- Release type: focused slice-cache follow-up
- Compatibility: opt-in; existing cache range behavior remains unchanged unless
range.slice.enabled = true - Primary area: proxy cache
Added
- Added
[cache.range.slice],[vhosts.cache.range.slice], and route-scoped
slice policy. - Added normalized slice cache keys for fixed-size byte slices.
- Added direct slice-cache response composition before upstream proxying.
- Added bounded missing-slice fill from origin using normalized single-slice
Rangerequests. - Added per-slice request collapsing so concurrent clients requesting the same
missing slice do not all fetch it from origin. - Added support for:
- bounded ranges, such as
Range: bytes=1000-1999; - open-ended ranges, such as
Range: bytes=1000-; - suffix ranges, such as
Range: bytes=-65536; - multipart multi-range responses when all requested ranges can be composed
from fresh compatible slices.
- bounded ranges, such as
- Added
If-Rangehandling for slice responses. Fluxheim serves from slices
only when the cachedETagorLast-Modifiedmatches; otherwise the request
falls back to the normal proxy path. - Exact admin purges remove all indexed slice entries for the same request path
when slice caching is enabled.
Config Example
[cache.range]
enabled = true
max_bytes = "128MiB"
[cache.range.slice]
enabled = true
size_bytes = "1MiB"
max_slices = 128
fill_missing = trueSafety Model
- Slice caching remains disabled by default.
- Each slice is stored under its own key and cannot collide with full-object
cache entries or 1.2.5 exact range entries. - Missing-slice fill only stores upstream
206 Partial Contentresponses whose
Content-Range,Content-Length, content type, total object length, and
validators are compatible. Content-Encodingresponses are not admitted to the slice cache unless they
are explicitly identity encoded.range.slice.size_bytesmust not exceedcache.max_object_bytes.range.max_bytesmust not exceed
range.slice.size_bytes * range.slice.max_slices.
Validation
Release validation should include:
cargo fmt --all --check
cargo test --lib
cargo clippy --all-targets -- -D warnings
sh scripts/smoke_proxy_cache.shThe proxy cache smoke now verifies slice fill, slice hit, open-ended ranges,
suffix ranges, multipart multi-range composition, and cached slice If-Range
matches.
Checksums And Signatures
- Commit:
17aa33f376ce25fb36b470044f6c1f6382a0c60e - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
0195168efd8ac886d9e2fc3707b54cea340c8e8fa3d837c4a8e301a3065d20b4 fluxheim-1.2.6.tar.gz7b457fe5d3bfaace1dd6cccb397fb75ae16da27c9e8a4faecddca8e5c0898eaa fluxheim-1.2.6.zip
- Binary checksums:
d4137182dd8589021becc936a5b8c42572fee92e8e610da3743ae9f5350349c0 fluxheim-1.2.6-full-x86_64-linux.tar.gz86a2f0a99dd1d070131d3212c8cb512b26c2ea07c975555b3f991759c6c2a104 fluxheim-1.2.6-cache-x86_64-linux.tar.gz
- SBOM checksums:
9568ddf2e0e5e91aeab13a277bba0fb732ff33c63169698415dbd0c9893f74ef fluxheim.spdx.json3d5ceea012cbe9360c48919c3528148843eec44406f10175def0a1bfaf748780 fluxheim.cyclonedx.json
- Reproducible build:
fcb59dd0693bd38e2ebdc0b36b37a72d7b36d10be1857f44ab101ac936350258
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:0eb134f33b7d6e0707fdb1c7a911fb5df022acfe5796522920411e7919dc7c28 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:3cf8dd421f523699637a3d8ac3ac5527bd6dd63eed01e542166d8f10037f5626 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:b2cc0cc0de9a955ea303f1f64327fad0b510a76679233221cf2091e8b8c03668 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:880c87cc102ad7ea4939b7c9eb2cf63c1f07fec019be9993944ad2d4bbfa75eb
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:83980d2556d9858ab1c222b4a5f0d58bec594071e4f46c4450a4c735062f9c94 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:18d0b8e76318ac5d2429ce843486a145ffa9d3acd99594437a846285e58cf9e9 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:1f3fba32cb18b03ac409ab53ada0c20cbcaa39870d97af073ee14c7fd479dcb9 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:1df4dd3679def2c21e5b670a7c5777f3f579332202a555b36b0ac0f1c6e66413
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.2.5
Fluxheim 1.2.5 Release Notes
Release Metadata
- Version:
1.2.5 - Release date: to be filled
- Git tag:
v1.2.5 - Release type: focused bounded range-cache follow-up
Summary
Fluxheim 1.2.5 closes the remaining practical large-file cache gap before the
1.3 load-balancer/proxy line. It adds opt-in bounded caching for safe single
Range: bytes=start-end proxy requests and keeps partial responses isolated
from complete-object cache entries.
Highlights
- Added
[cache.range],[vhosts.cache.range], and route-scoped range policy. - Added
range.enabledandrange.max_bytescontrols.range.max_bytesmust
be greater than zero and no larger thancache.max_object_bytes. - Added range-specific proxy cache keys, so repeated requests for the same byte
window can return cache hits without colliding with full-object keys. - Admitted range-cache objects only when upstream returns
206 Partial Content
with matchingContent-RangeandContent-Lengthmetadata. - Rejected unkeyed upstream
206 Partial Contentresponses from the normal
full-object cache path to avoid partial-response cache poisoning. - Added parser, selection, keying, and admission tests for the new range-cache
behavior.
Example
[vhosts.cache]
enabled = true
status_header = "x-cache-status"
content_types = ["application/octet-stream", "video/*", "image/*"]
max_object_bytes = "32MiB"
[vhosts.cache.range]
enabled = true
max_bytes = "8MiB"
[vhosts.cache.memory]
enabled = true
max_size_bytes = "512MiB"
[vhosts.cache.disk]
enabled = true
backend = "storage-bin"
path = "/var/cache/fluxheim/example"
max_size_bytes = "100GiB"Known Limits
- This release implements exact bounded range caching, not multi-slice assembly.
If production needs Varnish-style slice composition for arbitrary large
object ranges, that can move into a later media-edge/cache extension line. - Suffix ranges (
bytes=-N), open-ended ranges (bytes=N-), and multi-range
requests are intentionally not admitted to the range cache. If-Rangerequests stay on the normal path so validator-match and
validator-mismatch behavior remains controlled by the existing full-object
range handling.
Checksums And Signatures
- Commit:
e56a1da27511ff94740b8e397eb23b9178cb2112 - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
e12f9685dda289a34249bb64db85a9fe5adee6b8ea65f5bc830b64e932c06baa fluxheim-1.2.5.tar.gzd76f745d74bde764a55d7edad5c97fa9ff842232a7a17ad09486e6a465caffe0 fluxheim-1.2.5.zip
- Binary checksums:
9f650fa2dde4d8f839633b8ad135c1719a65df04d0aa57ac216e10fa78bb7d28 fluxheim-1.2.5-full-x86_64-linux.tar.gz01507b7df25554db5cc8ee1656ebad008adc475c5241e310db1b8a10480d5b90 fluxheim-1.2.5-cache-x86_64-linux.tar.gz
- SBOM checksums:
67a0c8ecf445e82479b3d081c47567f27a3f036c6e605c3d7840456f91bd5308 fluxheim.spdx.json22f545f16eec2e6e63d80e56a9804b4372f1ccb12dbb7ae5b2289717a0af39c4 fluxheim.cyclonedx.json
- Reproducible build:
e9c9b6ee1da80c358d6fa0d85f295a572c630018c09d92df9a1953df057a7618
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:227b57747b26bfc6039931cbc71dd54b6cb027c8d92a0c05f91eff482897a2b2 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:8e81204541a1f5cc73ac40974e1a8529eb21e82489c97739f3a5ac83fced0b1b - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:4d26a609dafc9fbc0c14b2f870a3dedf4cc2f4233150a42246cb4051a482f379 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:3f1bf581732771a17c1f4645c36d386af65ac52fea0bae7fde4c183881a8bbd7
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:86bc69cb89781700ae24c0108bc19341d3d1f69e2d0b154704f916f3663094ab - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:20ac6ff9402bdd2c4632bef0c468018ee4569c772dc2fff5b11e08f17ed6a19f - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:397191460732f94dc5d54977116edbd580d91b90b252de7df93d664820e0a0a6 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:1e344fa0ec36c6cf5b3ddfc4096e36f2ced2fac34675e0c2e36dbe043bee1f20
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.2.4
Fluxheim 1.2.4 Release Notes
Release Metadata
- Version:
1.2.4 - Release date: to be filled
- Git tag:
v1.2.4 - Release type: focused distributed-cache follow-up
Summary
Fluxheim 1.2.4 focuses on distributed cache metadata and peer-fill. It adds a
bounded peer-fill policy, safe cache-only serving on peer nodes, outbound
peer-fill on local proxy-cache misses, local storage of valid peer hits,
activity metrics, and a two-node smoke test for the peer-fill path.
Highlights
- Added
[cache.peer_fill],[vhosts.cache.peer_fill], and
route-scopedpeer_fillpolicy configuration. - Added bounded peer-list, timeout, object-size, concurrency, and fail-open
settings for peer-fill runtime behavior. - Added strict peer-origin validation. Peers must use explicit HTTP(S)
host:portorigins, cannot include userinfo/query/fragment, and non-loopback
HTTP requiresallow_insecure_http = true. - Added aggregate Prometheus gauges for peer-fill enabled policies, configured
peers, and maximum configured peer-fill concurrency. - Added
cache-keyandcache-lookupoutput plus expectation flags for
selected peer-fill policy shape. - Added peer-fill policy coverage to protected admin cache-status JSON.
- Added the first runtime primitive for safe peer fill: proxy-cache requests
withCache-Control: only-if-cachedreturn a fresh local cache hit or a
504miss response without contacting the origin backend. - Added outbound peer-fill on proxy-cache misses. Fluxheim asks configured peers
foronly-if-cachedhits, strips sensitive client headers from peer
requests, stores valid peer hits locally, and falls back to origin only when
fail_openallows it. - Added low-cardinality peer-fill activity events for hit, miss, peer error,
origin fallback, and fail-closed outcomes. - Added a local two-node peer-fill smoke test that warms node B, serves a node
A miss from node B asPEER-HIT, verifies the origin is not contacted again,
proves node A stores the peer response locally, checks peer-fill metrics, and
verifies fail-closed peer misses return504without contacting origin while
fail-open peer misses fall back to origin. - Enforced
peer_fill.max_concurrent_requestsat runtime per vhost/route cache
policy. If the peer-fill budget is saturated, Fluxheim followsfail_open:
fallback to origin when allowed, or a bounded504miss response otherwise. - Preserved peer response
Ageduring peer-fill admission. Peer-filled objects
are stored with their remaining freshness and downstreamPEER-HITresponses
report the peer age rather than resetting freshness to zero. - Stored peer-fill hits under the correct
Varyvariance key and extended the
peer-fill smoke to prove variant-specific peer hits and local post-fill hits. - Added
examples/cache-peer-fill.tomlas the focused validated fixture for
the distributed-cache config shape.
Known Limits
- This release line now has the cache-only serving primitive, outbound peer
fetch, bounded peer-fill activity metrics, and local two-node smoke coverage. - Peer base URLs intentionally require an explicit port for now to avoid
ambiguity in private cache clusters.
Checksums And Signatures
- Commit:
e1a532dbd8409d8645449be35342bb78eac14c9a - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
4e04912b7e1351c54ff341cebfa59a706ea87e4eee20b34baf585dd885226250 fluxheim-1.2.4.tar.gz541b25aafa0d1ec49b78565fd2aa9d7c4a28cd6ec10593b2caff5304038b3586 fluxheim-1.2.4.zip
- Binary checksums:
c1df2f63d25eae31e33be4cf1dfca76ec48c0f6d964f9720c785bc787fb59c74 fluxheim-1.2.4-full-x86_64-linux.tar.gzdf63ca4fc5b76de98d754cbea13c6f209f51ae75fa5ec2884303a92096df040d fluxheim-1.2.4-cache-x86_64-linux.tar.gz
- SBOM checksums:
c5c1cfe5e5d2cada71b3c07723812c62919dbe34444b840712076ab565fb43ad fluxheim.spdx.jsonc7a1fa8cefaf09f7cd8382cd3eb31977d73b0e7d0da977d48858141a808e86f3 fluxheim.cyclonedx.json
- Reproducible build:
66db78ab4dc475d1eadf83415bc50c24bf7e79331d697c457842f4e89f57d8e4
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:08fdbb4830fbbbf56e3a7f33edac81f555853fbed071aae937a0778835bf037e - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:194ff4d791bb9c2e4655761c9d31d9a5eadedd5f3aca222b5c4b706ec65de6d2 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:5be56960991dc6042578547c9840089d55de8eaab3a5d753f79cf19159e9d392 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:111dd3298f64e9a4f590a0b1514ff06320e47b6c70f5cdc47a0cdc640d4d43d7
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:046f4963c7937d7adcdb8c55b60c4eae2ac6fc6c25fa92119c0c34304b3c8613 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:1318584ec0911d6074f2dd8a2b91deb42f4b35525da7783aa3be3a1fb295ca9f - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:0f105898597d77d04e2397d50ef5396b2fcde1472365e8c54446e7c072708ece - Debian:
ghcr.io/valkyoth/fluxheim@sha256:7d03d1f10b0cd1cb83977df2021cf679cc54dcbeacbdaed5a42a9f7b514006d7
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.2.3
Fluxheim 1.2.3 Release Notes
Release Metadata
- Version:
1.2.3 - Release date: to be filled
- Git tag:
v1.2.3 - Release type: focused cache-encryption follow-up
Summary
Fluxheim 1.2.3 adds optional disk cache encryption at rest. Encryption is
disabled by default. Operators can use a local AES-256-GCM key file or
credential for simple deployments, or OpenBao Transit for external key custody
where Fluxheim should store only Transit ciphertext in the cache backend.
Highlights
- Added
[cache.disk.encryption]policy configuration for disk cache object
encryption. - Added local-key AES-256-GCM encryption using a safe key file or
systemd/container credential. - Added OpenBao Transit encryption over HTTPS or loopback HTTP with token
loading from a safe file or credential. - Bound encrypted cache objects to the configured key id and combined cache key
as authenticated data. - Kept encryption opt-in so normal filesystem and storage-bin cache deployments
do not require OpenBao. - Added
examples/podman-compose-openbao.ymlfor a local OpenBao dev server. - Added focused local-key and OpenBao Transit encrypted cache example configs.
- Added release-gate smoke coverage for local-key encrypted storage-bin cache
traffic. - Added
fluxheim cache-keygenfor generating local AES-256-GCM cache
encryption keys. - Added
scripts/smoke_openbao_cache_encryption.shto verify real
Transit-backed proxy-cacheMISSthenHITbehavior and confirm that stored
cache objects containvault:v...ciphertext rather than plaintext response
bodies. - Added
docs/cache-encryption.mdwith local-key setup, OpenBao policy,
rotation guidance, and smoke-test commands.
Known Limits
- OpenBao Transit adds an external encrypt/decrypt call for each disk cache
object write/read. Use it where external key custody matters more than the
extra latency, and keep OpenBao close to Fluxheim. - Local-key encryption protects cache objects at rest, but it does not encrypt
memory cache contents. - Distributed cache metadata and peer-fill are planned for
1.2.4. - Wasm-based extension points, including cache-rule hooks comparable to VCL/Lua
style customization, are planned for1.4.
Checksums And Signatures
- Commit:
59f0ed668b5767666df68543e8d64d3383e677dd - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
6bbf89257d4e9a1f8a4ce7a5d8e9f4e880a16ebfc06ffcdb2b844a0800982f43 fluxheim-1.2.3.tar.gz8f9008f55f0cb256ab03f5aae727f4af671a4aa94ea5cb089e6378341d4b5253 fluxheim-1.2.3.zip
- Binary checksums:
5b6e9a99442aac456dc80cb34b45c487918ae2e48cd6eee5a9c321cb2e06b974 fluxheim-1.2.3-full-x86_64-linux.tar.gz0847bba2a3681db10cb844b5d03223f7a64e0a20a260504ec41618254eb82613 fluxheim-1.2.3-cache-x86_64-linux.tar.gz
- SBOM checksums:
585f28c5044ccecc1f36ff395ac6b695e9159e994231a222e0ff50547421e7b9 fluxheim.spdx.json5326d1b69426d4d81662f16e8f1cc516dd53dc70c1597aa68dfcf60212bfda79 fluxheim.cyclonedx.json
- Reproducible build:
c7bda9c78bc399b92d0783e314b8d96aaf2d0e4fe56eeda00e18ba09dc39b4a6
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:3f9a01462c7b321d3abc5e5c6026aecbf441899917914b4567af66aade3df98e - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:019801877525ebc7af463e52b3d98dcb8b3b048c5498a3e3c65016981fc33c57 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:177b2e5e33881fa83860601d02322a63ed4af3a18ca814b686d081de13788f13 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:2b260a802051d813455ab078268576e327d438ed1866948a4d77a84b94a9d9b3
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:16a029c4ae6aa0013bc9d1ed877de6a6095726bc9bbf19ce9c6dd8509d8ba053 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:a82b2e7ba7418d00d33435f5ce320ddda4612ef5d2691514209b93066150895b - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:26d95266b435cb361ea4518335711f6867d7638aa8e25dd443fd8b2b292b973d - Debian:
ghcr.io/valkyoth/fluxheim@sha256:0ebe3edb800ca8a7a33f3ce2df637996b8d10e64b27a2397797fa3dceedc334a
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.2.2
Fluxheim 1.2.2 Release Notes
Release Metadata
- Version:
1.2.2 - Release date: 2026-05-13
- Git tag:
v1.2.2 - Release type: focused storage-bin cache follow-up
Summary
Fluxheim 1.2.2 adds the focused slab/bin-style disk cache backend planned
after 1.2.1. The existing filesystem disk cache remains the portable default,
while operators can opt into cache.disk.backend = "storage-bin" for large,
high-churn cache workloads that should avoid one-file-per-object storage.
Highlights
- Added
cache.disk.backend = "storage-bin"runtime selection while keeping
the existing filesystem backend as the default. - Added the storage-bin disk cache backend with manifest files, deterministic
bin files, durable object index recovery, reusable free ranges, and LRU
eviction parity. - Added management parity for storage-bin cache stats, activity reset, exact
purge, indexed hard/soft purge, stale purge, cache lookup, and cache warm
workflows. - Debounced durable storage-bin index writes after insert, eviction, and purge
bursts to reduce write amplification under high-cardinality cache fills. - Added clean shutdown flushing for pending storage-bin index updates.
- Added same-key rewrite handling so revalidation or object replacement can
release and reuse the previous range. - Added conservative tail-bin reclamation so eviction and purge can remove
fully-free highest-numbered bin files without moving live objects. - Exposed storage-bin pressure stats through admin JSON and Prometheus gauges,
including allocated bin bytes, reusable free bytes, free range count, largest
free range, and bin file count. - Added
examples/cache-storage-bin.tomlplus CI and smoke coverage for the
storage-bin backend.
Validated Scope
- Local gate passed before release prep:
cargo test -q storage_bin --lib- focused storage-bin rewrite, drop-flush, and tail-reclaim tests
cargo check --features profile-observability,acme-clientcargo check --no-default-features --features proxy,web,cache,tls-rustls,securitycargo clippy --features profile-observability,acme-client --all-targets -- -D warningssh scripts/smoke_storage_bin_cache.shcargo run --quiet -- --check-config --config examples/cache-storage-bin.tomlperl scripts/check-doc-links.plscripts/validate-release-metadata.shgit diff --check
Known Limits
- The storage-bin backend is opt-in in
1.2.2; the filesystem backend remains
the default until production testing proves the bin format across more
deployment shapes. - Storage-bin compaction is conservative and only reclaims fully-free tail
bins. Moving live objects between bins is reserved for a later compaction
pass if production data shows it is needed. - Partial streaming admission and range-slice fill remain future cache work.
- Optional cache encryption at rest, including local-key and OpenBao
Transit/KMS key providers, is planned for1.2.3. - Distributed cache metadata and peer-fill are planned for
1.2.4. - Wasm-based extension points, including cache-rule hooks comparable to VCL/Lua
style customization, are planned for1.4.
Checksums And Signatures
- Commit:
a01c112bfd90508cf881696ff0783b0d67e839b1 - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
df0ee34334845ad12ff226580c5242ea9b4b2a1abf3177a8ad9159b2807da3a3 fluxheim-1.2.2.tar.gz8c1b41950731697b0028199db3bc1e1032465b90c0d62ad0d48006652f0539f7 fluxheim-1.2.2.zip
- Binary checksums:
d4726be13f3fc235907a5b6ac1aa93f8e1d4cf1327e5bc10ff3dbedc4fb98fc9 fluxheim-1.2.2-full-x86_64-linux.tar.gz37f134bc9ae39fc07ef013bd32df5f9cc32d7654fb8f4743927c2c62d4180ded fluxheim-1.2.2-cache-x86_64-linux.tar.gz
- SBOM checksums:
68ee3a3943a40cdd93f712221a5965f4e214f7fbaf3a39caf916851a551a7083 fluxheim.spdx.jsone45447c0f91407d71a13dd0701a7a3623b499c3b8ae4ceba2b62f7bb63f4429b fluxheim.cyclonedx.json
- Reproducible build:
5e51a65becec7cdf2b435e7373325d971d48177ab6bcb89e53037de52be86558
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:4a6b77d3296364f3658a0059867621aff3320354569a9e9d6b9c17c44bac2d3f - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:a77beac4d175482aed408d6198669447227fa4607a7d36f05b221538b5150513 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:925fe7b03ae081fa27c23792488b7db1a3607068d76fb5a0386485b3ce333a91 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:4f6f5420a600b26ceb2d10eb4b0265255558f70b1bea8d3a927267087c67512c
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:bcbdd8c859899998501521bd633a6858112bd63569f9de15d508e38b96f6738b - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:0027070fcd458a341b4ae88dcb3286b36f57d7a56b9604aa3f2708d0130df757 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:139966e54d767c3a5c11db710d17ab51b8f2b20ecd149412412905e9f0ce0f9d - Debian:
ghcr.io/valkyoth/fluxheim@sha256:2e67cee58c887169bd1a61f0767a9ebfbc6e4cd1c85cdbe278df570d6e9b5ed5
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.2.1
Fluxheim 1.2.1 Release Notes
Release Metadata
- Version:
1.2.1 - Release date: 2026-05-12
- Git tag:
v1.2.1 - Release type: focused cache follow-up
Summary
Fluxheim 1.2.1 adds the focused local/static cache follow-up planned after
1.2.0. Operators can now opt local [vhosts.web] files and route-scoped web
actions into Fluxheim's cache policy model with local_static = true.
Highlights
- Added explicit
local_static = truecache-policy opt-in for local static
vhost and route web responses. - Local static cache keys include request identity plus file identity metadata,
so updated files create new cache entries instead of reusing stale bodies. - Local static cache responses can emit configured cache status and reason
headers, includingMISS,HIT,BYPASS, andREVALIDATED. - Local static cache hits emit
Age. - Cache-key, cache-lookup, and exact-purge helpers now resolve local static
files and use the same file-identity cache key whenlocal_staticis enabled. - Memory storage is preferred when both memory and disk tiers are configured,
avoiding a second disk copy of files already served from the local site root. - The local static smoke test now verifies
MISS,HIT, andAgebehavior.
Validated Scope
- Local gate passed before release prep:
cargo check --features profile-observability,acme-clientcargo check --no-default-features --features proxy,web,cache,tls-rustls,securitycargo check --no-default-features --features proxy,cache,tls-rustls,securitycargo test --lib --features profile-observability,acme-clientcargo clippy --features profile-observability,acme-client --all-targets -- -D warningssh scripts/smoke_static_local.sh- example config validation for
examples/vhosts.tomlandexamples/conf.d git diff --checkrpmspec -q packaging/rpm/fluxheim.spec
Known Limits
- Local static cache storage currently admits full buffered static responses.
Partial streaming admission remains reserved for a later cache storage pass. - Slab/bin disk storage is planned for
1.2.2. - Distributed cache metadata and peer-fill are planned for
1.2.3. - Wasm-based extension points, including cache-rule hooks comparable to VCL/Lua
style customization, are planned for1.4.
Checksums And Signatures
- Commit:
481dd56ec3ee2456c31f9cd582cd02f796d0f045 - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
1e1d7cede7b147d9f2a30d9c992eaec07ef202302eac2f52917e9892c5f7f8f7 fluxheim-1.2.1.tar.gzef31837452bb1c67bdaf440ccc57bad08893393de00712b259442181cd0bf60a fluxheim-1.2.1.zip
- Binary checksums:
8480da7d93b60844a6708d2fab78eb5f993097ef6c0be4da2d49b8e1b2d71db7 fluxheim-1.2.1-full-x86_64-linux.tar.gz935b66cdbe2567c06e5291d659ec558a636949d28088f8d1497d0e9fc4cbed82 fluxheim-1.2.1-cache-x86_64-linux.tar.gz
- SBOM checksums:
aa736449767054cb293857f247b67e2b02c8b7e90684288e4b9044c1fb9cf9e5 fluxheim.spdx.jsona30e1d37c46a39c8fb66b004b67615acbc5ed757f008b94650efbef259dc8092 fluxheim.cyclonedx.json
- Reproducible build:
91841e60171cf99555bc401344badbcf55591c26684b21dac6c4062dd45c441b
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:9effff5004976e161e89ba841ce4f58456f613173bdfe0d870dfb4ad2c5db3fd - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:b20e1fe483adec9c07c23e71aafc49c4c846f11f32c94833db4f2856f1da52bc - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:279a6dc9201cb68ccf166f8fe36bcdeea06bf9d88e4d54c3ed7c78a341689859 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:a68cd8d1201d63947005d32ba3ab879d1423cdd112c8a0a32dbd285f7217bf7c
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:54e2f3884d4e2e582927c8788677214e75dbfe21998ae037b2bb5f6e89514742 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:76e789e1afbde55a332ddc79533b07c6442568982c404d06a9099d6c623e0582 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:f03d1437287bb4fcff7b333397ed9bc60be8afe12a25524fe2098c69a7b32247 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:3391f03939400d79ce7c4dad88a38a71cd3974a5ce2238f3f6e3abeab6c0418e
- Wolfi:
Fluxheim 1.2.0
Fluxheim 1.2.0 Release Notes
Release Metadata
- Version:
1.2.0 - Release date: 2026-05-12
- Git tag:
v1.2.0 - Release type: stable operations and cache completion pack
Summary
Fluxheim 1.2.0 completes the production cache and observability work started
after 1.1.0. It adds fuller reverse-proxy cache controls, stronger purge and
disk-index behavior, Prometheus and OpenTelemetry coverage, and hardened admin
control-plane defaults.
Highlights
- Vhost and route cache policies with memory, disk, or tiered storage.
- Cache status and reason headers for cache-participating proxy responses.
- Cache key controls for namespaces, selected key parts, query participation,
request-header variance, and originVaryhandling. - Cache admission controls for content types, extensions, response status TTLs,
request headers, cookies, query parameters, origin response headers, and
Set-Cookiehiding or refusal. - Stale-on-error and stale-while-revalidate policy support.
- Request-collapsing locks and cacheability predictor integration.
- Disk cache v5 metadata with full startup reconciliation, purge-index rebuilds,
stale cleanup, safer path handling, and debounced checkpoint persistence. - Protected admin cache status, activity, reset, exact purge, bulk purge,
indexed purge, prefix purge, tag purge, wildcard purge, stale purge, and soft
purge support. fluxheim cache-key,fluxheim cache-lookup, andfluxheim cache-warm
helpers for cache inspection and prefill workflows.- Prometheus cache, storage-pressure, and activity metrics.
- OTLP metrics export and OTLP trace export coverage, including local
Prometheus and Jaeger smoke paths. - Hardened admin/control-plane behavior, including stricter remote-admin
guardrails, authenticated admin health by default, admin auth throttling,
strict host-routing mode, host anomaly counters, and stricter sensitive-path
trust checks. - RPM and native packaging now build with
profile-observability,acme-client
for ACME and observability coverage in packaged deployments.
Validated Scope
- GitHub CI green before tag.
- CodeQL/code scanning has no open release-blocking alerts before tag.
- RPM package builds and runs.
- Packaged default and container configs validate.
- Proxy cache smoke verifies HIT behavior, cached-hit
Age, conditional304,
and byte-range206behavior through the proxy path. - Observability smoke verifies Prometheus metrics and OTLP export paths when
local Prometheus and Jaeger endpoints are available.
Known Limits
- Local/static vhost response caching remains planned for
1.2.1;1.2.0
cache storage applies to proxy cache paths. - Slab/bin disk storage is planned for
1.2.2. - Distributed cache coordination is planned for
1.2.3. - Optional remaining cache refinements such as partial streaming admission,
cache import/export, richer ban predicates, and HEAD-to-GET parity are
reserved for1.2.4if still needed after production testing. - Wasm-based extension points, including cache-rule hooks comparable to VCL/Lua
style customization, are planned for1.4. - HTTP/3/QUIC, ECH, and post-quantum TLS policy remain future milestones.
Checksums And Signatures
- Commit:
f53667fd5d937e0830bb96440ea3bedbdb57abe7 - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
8040cc734afdada591db2264eb181f91559d68f3a039fae12fd9ee138c2eb0ad fluxheim-1.2.0.tar.gz1e174177d41ddddbc09b9e307190f2bb5a3847848c66353f2e4cd53143d860fc fluxheim-1.2.0.zip
- Binary checksums:
5485eed8b74e5f8c484acedd0024d6af7722e35e370d465b169d11db773eac8e fluxheim-1.2.0-linux-x86_64.tar.gz
- SBOM checksums:
3e912226a8f75c13a24171a1cabdf612b072ffec4bc00690ef46c7b91a3c7518 fluxheim.spdx.json31e53f39429fbf24a0fca44fd83bab86f9c5977c13172ed966edca923c6ad409 fluxheim.cyclonedx.json
- Reproducible build:
5e921a8b083e74fa023d6f28a4c79c13396843350eb8dfb941ad3d70a29f62be
- Full Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:7f86c505f93e4d733b63c2cf394a2f41331c22121c712f48fdf53d9e0cc0d29c - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:2a2393ef74291bcda4e46af9d89c67d1db2b1ba2b67734fa7200e5fdd6b14b92 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:3d32ab0a4d3e9b065e30b2abe29a17cb08300716ef3b72661ad6ca3f721200d7 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:2b98c39b65e12ae28e54d17fcc811c4f8a1afb78ed2d01df45334b74b83c123d
- Wolfi:
- Cache Build Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:80425d79169a1706344935576d58bea202233b19a5d6ad2f1d19e3ba726bcbf2 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:859aaa39b9c364e25e3bc05047559b8bcbf011bb70ad21f991f2414dde3d9d42 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:85cf80759df2f6baae4c5c29c23177e22fee9377fdcd171a871157fa03628541 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:6bab121afc6470cede76c9a62b19129a5aeb59a697e544963781688ddf3fd193
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.1.0
Fluxheim 1.1.0 Release Notes
Release Metadata
- Version:
1.1.0 - Release date: to be filled
- Git tag:
v1.1.0 - Release type: stable TLS policy and certificate operations
Summary
Fluxheim 1.1.0 focuses on making public TLS and certificate lifecycle
operations production-practical. It keeps the 1.0.0 gateway foundation and
adds explicit TLS profiles, backend-validated TLS policy controls, structured
HSTS, and native ACME issuance/renewal paths.
Highlights
- TLS profiles:
modern: TLS 1.3 only.intermediate: default TLS 1.2+ production compatibility baseline.compat: explicit TLS 1.2+ compatibility alias, currently equivalent to
intermediate.
- TLS policy controls for minimum protocol version, ALPN, curve preferences,
and cipher-suite allow-lists. - Backend validation for unsupported TLS policy combinations.
- Structured HSTS response policy with
max_age_secs,include_subdomains,
andpreload. - ACME-managed certificate paths derived safely from vhost names.
- HTTP-01 local challenge serving for ACME-managed vhosts.
- TLS-ALPN-01 challenge certificate generation and rustls ALPN serving for
ACME-managed vhosts. - Actalis External Account Binding secret loading from environment variables or
file-backed secrets. - Built-in Google Trust Services production and staging ACME issuers with
separate EAB secret defaults. acme-clientfeature for live account/order/finalize support and background
renewal checks.- Official RPM and container builds now compile
profile-core,acme-clientso
packaged deployments include theacme-renewCLI and renewal worker. acme-initcommand for guided issuer bootstrap, including Actalis EAB secret
files and systemd credential drop-in creation.- RPM packaging creates
/etc/fluxheim/secretsand ships an optional Actalis
systemd credential drop-in example. - Reloadable downstream SNI certificate objects after successful ACME renewal
when the selected TLS backend exposes a reloadable resolver or callback.
Validated Scope
- Static and proxied vhosts from the
1.0.0gateway release. - Rustls default TLS backend with SNI certificate selection.
- OpenSSL and BoringSSL TLS policy wiring where the selected backend exposes
listener controls. - s2n config validation for unsupported custom listener policy.
- File-backed ACME EAB secrets for systemd credentials and container secrets.
- Due-only ACME renewal command flow and background renewal service.
Known Limits
- HTTP/3/QUIC remains post-
1.1.0. - Encrypted Client Hello is planned, but not implemented.
- Post-quantum hybrid key exchange is not yet enforceable by the default
rustls/ring backend.X25519MLKEM768is accepted by the schema for future
planning, but the rustls backend rejects it until a stable crypto provider is
available. - TLS certificate compression is future work and depends on TLS stack and
browser support. - Advanced provider-specific certificate automation and cluster-wide
certificate coordination remain later milestones.
Checksums And Signatures
- Commit:
01e3c00ecb03fbc1fa7a1825869b34e7c8e39e6f - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
5864f6994d10e431fa6bd3c4722dabef63a11e9c88726151e644f63523939b27 fluxheim-1.1.0.tar.gz973dfe6421738e175b9e2a068f8ebf5f452e77d99272448f49a2488df7d5e262 fluxheim-1.1.0.zip
- Binary checksums:
26155a914d51c75ec96696e520d9e11d4fda2965cb18430a46833e26170fb44d fluxheim-1.1.0-linux-x86_64.tar.gz
- SBOM checksums:
2eac10f00dbe6ffbfe4f7cbb22b944bcee0d3c42313c9c58e78e9a11c8e25fbf fluxheim.spdx.json095180cde35ddf845a55e5825f0c7bc4e657c7cc53284b5d7e19db69ce3e1906 fluxheim.cyclonedx.json
- Reproducible build:
7c17bb0b44c06f9fec5282070eaeea72c663152226df29770bedfe67f9dcd523
- Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:39b4da0e3873189d360ba742640479d67b3378b64a3c51a470291aa858e10727 - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:409495e2d9bdb20168884ef75cc1c0db67394c57c7c80958bd2a1dd4348ff634 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:3e3849f6166ec21d51561ef193a3fcded2c7efdbeb4651a1912b13ed84c2d3b6 - Debian:
ghcr.io/valkyoth/fluxheim@sha256:99361b2b4bad6eec06e76f35cce2789c47c201beeec0810f5f641494bd677ca6
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4
Fluxheim 1.0.0
Fluxheim 1.0.0 Release Notes
Release Metadata
- Version:
1.0.0 - Release date: 2026-05-08
- Git tag:
v1.0.0 - Release type: stable gateway foundation
Summary
Fluxheim 1.0.0 is the first stable gateway foundation release. It is intended
for production testing of static sites, vhosts, redirects, TLS/SNI, HTTP/2,
secure defaults, systemd/RPM deployment, and external ACME challenge forwarding.
Highlights
- Static site serving with secure path validation, index files, ETags, range
requests, and optional directory listing. - Vhost routing with default-vhost fallback, wildcard host matching, route
exact/prefix/fallback matching, redirects, static route actions, and proxy
route actions. - HTTP to HTTPS redirects and canonical host redirects that preserve safe request
URIs. - TLS with rustls by default, static vhost certificates, SNI selection, and
default-vhost fallback certificate support. - External ACME HTTP-01 challenge forwarding helper for
/.well-known/acme-challenge/. - Dynamic request header templates for common proxy migrations.
- Native systemd/RPM packaging, packaged default config/site, and server
preparation helper. - CodeQL, cargo audit/deny, SBOM generation, reproducible-build checks, panic
policy hardening, zeroized admin token handling, and constant-time admin token
verification.
Validated Scope
- Native RPM/systemd deployment.
- Static web roots and config preflight.
- HTTP/80 and TLS/443 listeners.
- HTTP/2 via ALPN.
- Multi-certificate SNI with rustls.
- External certbot/Actalis challenge forwarding.
- Basic proxy migration headers and route/vhost proxying.
Known Limits
- Native ACME certificate issuance/storage is still future work; use an external
ACME client plus deploy hook for this release. - HTTP/3/QUIC is post-1.0 work.
- Advanced gateway modules such as compression policy, identity-aware auth,
trusted proxy providers, secure links, WAF, and WASM are roadmap items. - Vhost TLS certificate changes require the normal process restart/reload
workflow; automatic renewal reload is not first-class yet.
Checksums And Signatures
- Commit:
bb6d6606d529d589fd62eeaf2d8c1e1abff33732 - Local gate: GitHub CI green before tag; local release metadata checks passed
- CodeQL/code scanning: no open release-blocking alerts before tag
- Source archive checksums:
a6a4ffc9bf29e872ed2f31015dc6a3872bd2745d447fbd93359bb135dd15fe0e fluxheim-1.0.0.tar.gz85cdd6b31e002b214ab3457dd99ea9ff12ef4ac515e894853b401d8ea50df30b fluxheim-1.0.0.zip
- Binary checksums:
b5c2e4478f6f80690fbb8b2fee63e616865ac84d1fee4c1cbcf840cebc691690 fluxheim-1.0.0-linux-x86_64.tar.gz
- SBOM checksums:
f5c0add6030b7c0411a59847a8e0e634ff1945a84526c4fdff372b27b6bf7f1c fluxheim.spdx.jsond62619bbe42c8adc09abcdba8f957f84753ea82df30dd6286ac16fdb9fe9e3c8 fluxheim.cyclonedx.json
- Reproducible build:
c3b173663b2740b4054eb931cceca82932081eb68a5e717ac5bf6fcf77f97b62
- Container digests:
- Wolfi:
ghcr.io/valkyoth/fluxheim@sha256:71f51f4e7d4091c0a13401adb0b8654adf2cca8f2070857ef6b9adb5924ff6ce - Alpine:
ghcr.io/valkyoth/fluxheim@sha256:0c1042d4ea8f2c3c6f9a2be9f92f22d9cabbbb18a801d30821ac7e18bd6de080 - SUSE Micro:
ghcr.io/valkyoth/fluxheim@sha256:10f8b8d425a6db2c6d315c97ad916ba1877d06910539ff379e5929e6df8ebf5d - Debian:
ghcr.io/valkyoth/fluxheim@sha256:4662635e64d267e404fcc5caa8700c73684e2a4ccac9ceff3fb4b704505794b7
- Wolfi:
- Tag signature:
Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4