Fluxheim 1.6.31

[eldryoth]

Fluxheim 1.6.31 Release Notes

Fluxheim 1.6.31 starts the cache/PHP native-integration slice of the Pingora
exit work.

Highlights

• Native HTTP/1 proxy planning now reports cache policy and PHP-FPM gaps with
  explicit blocker reasons instead of folding them into the generic HTTP policy
  bucket.
• Direct native route-proxy construction now fails closed for vhost/route cache
  and PHP-FPM policies until those adapters are implemented, so callers cannot
  bypass the planner and silently drop policy.
• Image/static cache request eligibility and cache-key construction now live in
  the Pingora-independent fluxheim-cache crate. The root compatibility module
  only wraps those shared keys into Pingora cache keys while that runtime path
  remains.
• NativeHttp1Request now implements the fluxheim-cache request-view trait,
  allowing the native proxy to reuse cache bypass, revalidation, range, and
  slice policy helpers without a Pingora request header.
• PHP-FPM response parsing now lives in the Pingora-independent
  fluxheim-php-fpm crate and returns plain status/header/body parts. The root
  proxy path only converts those parts into the current runtime response type.
• PHP FastCGI parameter value validation and request-header-to-param-name
  mapping now live in fluxheim-php-fpm, giving the native and compatibility
  paths one shared policy for bounded, control-free PHP params.
• PHP SERVER_NAME fallback selection now also lives in fluxheim-php-fpm,
  keeping host/fallback sanitization shared by native and compatibility paths.
• PHP FastCGI request-header param translation, resolved HTTP_HOST insertion,
  CONTENT_TYPE value selection, and runtime custom-param filtering now live
  in fluxheim-php-fpm; the current proxy path only applies those generated
  pairs to fastcgi_client::Params.
• PHP split-container path mapping for SCRIPT_FILENAME and safe
  PATH_TRANSLATED generation now lives in fluxheim-php-fpm, keeping dot
  segment, hidden path, backslash, and control-byte rejection shared.
• PHP request-path to SCRIPT_NAME/PATH_INFO parsing, allowed-extension
  matching, and deny-prefix checks now live in fluxheim-php-fpm; the proxy
  still owns static-file lookup and final execution decisions.
• PHP static-file to script-name mapping and slashless directory-index redirect
  decisions now live in fluxheim-php-fpm, sharing root confinement, hidden
  path rejection, and extension checks across native and compatibility paths.
• PHP static-offload target validation now lives in fluxheim-php-fpm,
  including X-Accel-Redirect control-byte rejection, X-Sendfile fpm_root
  mapping, and PHP-script offload blocking.
• PHP X-Accel-Expires TTL parsing and restrictive origin cache-policy detection
  now live in fluxheim-php-fpm, giving native PHP response handling the same
  cache safety rules as the compatibility path.
• PHP response-header stripping policy now lives in fluxheim-php-fpm,
  including hop-by-hop headers, Connection tokens, configured hidden headers,
  and static-offload internal headers.
• PHP custom error-page/status interception decisions now live in
  fluxheim-php-fpm, keeping native and compatibility response handling on one
  status policy.
• Shared PHP response/request policy now pre-reserves bounded CONTENT_TYPE
  joins, rejects extensionless static-offload files, ignores invalid
  Connection header tokens before response stripping, and asserts ASCII-only
  parser invariants.
• PHP CONTENT_TYPE joining now caps and validates during accumulation instead
  of building an oversized intermediate string before rejecting it.
• Pure local-static cache keys now use the explicit fluxheim-static-v1;
  prefix, matching the static-cache namespace used by the compatibility cache
  wrapper and making raw key inspection unambiguous.
• Native route-level static web now supports the memory-only
  cache.local_static adapter, reusing shared cache admission, bypass,
  revalidation, TTL, status-header, and file-identity key policy.
• Native vhost-level static web now supports the same memory-only
  cache.local_static adapter and still falls through to the vhost proxy
  fallback when a static file is not found.
• Native static-web memory cache accounting now includes conservative per-entry
  overhead, cache-key bytes, reason bytes, and response-header bytes before
  admission, preventing small cached objects from undercounting memory use.
• Native static-web memory cache insertion now samples Instant::now() once
  for stored/expiry time and avoids running the prune pass inside the initial
  insert lock; pruning also avoids full-table vector allocation and sorting.
• Unsupported native cache shapes still fail closed with explicit cache-policy
  blockers: vhost cache, proxy/image cache, disk cache, and non-static route
  cache remain compatibility-runtime work until their adapters are implemented.
• Native HTTP/1 cutover planning now recognizes the supported static-web
  memory local-static cache adapter, so those routes no longer make an
  otherwise native-ready vhost fallback proxy look unsupported.
• PHP request-body replay/spooling and bounded FastCGI stdout/stderr response
  collection now live in fluxheim-php-fpm; the root crate keeps only a thin
  compatibility adapter for the current PHP runtime.
• PHP-FPM keep-alive pool ownership now lives in fluxheim-php-fpm behind a
  small metrics callback boundary, so connection reuse, stale idle pruning,
  pool labels, and bounded response collection are owned by the PHP crate.
• Native HTTP/1 upstreams now support configured PROXY protocol v1/v2 send
  through proxy.upstream_proxy_protocol, using Fluxheim-owned frame builders
  and writing the header before upstream TLS or HTTP bytes.
• Native upstream PROXY protocol remains connection-scoped: HTTP/1 origin
  pooling is disabled for those upstreams, and native HTTP/2 upstream
  combinations fail closed until multiplexed per-request identity can be
  represented safely.
• Native requests now carry both the direct listener peer/local address and the
  trusted-forwarded effective client address, so upstream PROXY protocol uses
  the same client identity as native ACL/rate-limit/header policy.
• When that native effective client identity comes from forwarded headers,
  upstream PROXY protocol sends source port 0, the documented unknown-port
  value, because forwarded headers do not include the original client port.
• Native HTTP/1 now has a host router that builds one native route proxy per
  configured vhost and dispatches exact and wildcard Host matches with the same
  default-vhost fallback behavior as the compatibility runtime.
• A native runtime manifest now refuses blocked plans and exports the
  Fluxheim-owned service/listener/background-task graph for blocker-free plans,
  giving the final runner replacement a tested orchestration contract without
  changing production execution yet.
• Native runtime launch-plan validation now rejects duplicate TCP or duplicate
  UDP listener bind intents before reporting the native adapter as the target,
  while still allowing TCP and UDP listeners to share the same address.
• Native runtime launch-plan errors now appear in the cutover evidence report,
  so concrete runner-contract failures are visible even when the high-level
  blocker summary is otherwise ready.
• The native runtime cutover evidence report now includes downstream HTTP/1
  and HTTP/2 launch-policy rows, giving final-runner hardening values a stable
  diffable contract.
• NativeHttp1Request now implements the load-balancer request-view trait
  behind the fluxheim-server/load-balancer feature, preparing native
  persistence and hash selection to consume native request metadata without a
  Pingora request adapter.
• SelectedUpstream now exposes stable address and authority accessors, giving
  native callers a public bridge from Fluxheim-owned load-balancer selection to
  upstream connection setup without reaching into backend internals.
• Selected-upstream metadata now also has public accessors for aliases,
  persistence outcomes, managed affinity cookies, reporters, and permit
  presence, completing the native routing metadata bridge.
• The metrics service now has a concrete native HTTP handler around the
  existing Prometheus response generator, giving the future native runner a
  direct handler for metrics HTTP.
• Root native HTTP/1 proxy construction now applies root response-header policy
  and root compression config before cutover planning marks a root proxy as
  native-ready.
• The native host router can now serve root-only proxy configs without
  [[vhosts]], so the future native runner can instantiate the same root
  proxy shape that the planner reports as native-ready.
• Root static web can now be instantiated by the native host router without
  [[vhosts]], including the supported local-static memory cache mode. Root
  disk/rich cache modes remain explicit native cache blockers.
• The native cutover planner now reports vhost fallback-only static-web, cache,
  and PHP-FPM blockers even when the vhost has no configured upstream proxy,
  matching the native host-router construction path.
• The native cutover planner now also reports route fallback-only static-web,
  cache, and PHP-FPM candidates when a route has no upstream proxy, making
  route-level native blockers visible instead of folding them into the parent
  vhost or fallback proxy summary.
• Native rate-limit delay mode now acquires vhost/route concurrency permits
  before sleeping, so delayed requests still count against configured
  concurrency budgets instead of occupying listener tasks outside those limits.
• Native rate-limit table pruning is now bounded and incremental per shard,
  replacing whole-shard HashMap::retain sweeps in the request hot path with a
  small prune queue scan when a shard is full.
• Native rate-limit sharding now hashes the full IPv4/IPv6 client address
  instead of using only the final address byte, reducing attacker-controlled
  hot-shard concentration when many trusted forwarded identities are present.
• Native rate-limit shard selection now uses a per-process random FNV seed and
  routes indeterminate-client buckets through that seeded hash path instead of
  pinning them to shard zero.
• Native rate-limit token refill and expiry pruning now use saturating
  Instant arithmetic, avoiding panic surfaces if a bucket timestamp is ever
  observed ahead of the current sample.
• Native static-web filesystem path resolution now rejects residual
  percent-encoding after the initial decode pass, avoiding ambiguous
  double-encoded traversal forms on fallback static serving.
• The native metrics handler can now require a bearer token and compares that
  token with sanitization constant-time equality. The current compatibility
  metrics listener still relies on listener binding and network ACLs until the
  final native runner cutover wires token configuration into service creation.
• Documentation now states that native rate-limit delay mode intentionally
  holds vhost/route concurrency permits while sleeping, keeping delayed tasks
  inside the configured concurrency budget instead of allowing unbounded
  sleepers outside the cap.
• Updated sanitization to 1.2.2 and base64-ng to 1.2.3 across the root,
  server, TLS, and load-balancer crates.
• The remaining normal-profile Pingora dependency exception target is now
  aligned with the roadmap: 1.6.31 is the cache/PHP adapter release, and 1.6.32
  remains the final Pingora-free proof release.

Test Notes

• Added server-plan tests for root cache, vhost cache, route cache, vhost
  PHP-FPM, and route PHP-FPM native cutover blockers.
• Added route-proxy builder tests proving vhost/route cache and PHP-FPM
  policies are rejected directly until native adapters own those paths.
• Added a live native HTTP/1 proxy test proving safe-method failover skips
  duplicate weighted upstream slots before trying the next unique backend.
• Added live native static-web route and fallback tests for double-encoded
  traversal rejection.
• Added native metrics handler tests for bearer-token rejection and acceptance.
• Added standalone fluxheim-cache tests for cache-key construction,
  namespace/query/host normalization, and local-static file identity.
• Added native HTTP/1 tests proving cache request policy helpers work through
  NativeHttp1Request for origin-form and absolute-form targets, duplicate
  headers, and range-policy rejection.
• Added standalone fluxheim-php-fpm tests for plain PHP response parsing,
  unsafe header rejection, and response/header size limits, then re-ran the
  existing root parser compatibility tests with php-fpm enabled.
• Added standalone fluxheim-php-fpm tests for FastCGI param value bounds,
  control-byte rejection, and deterministic HTTP header param-name mapping.
• Added standalone and compatibility tests for PHP SERVER_NAME fallback
  behavior when the request host is unsafe.
• Added standalone fluxheim-php-fpm tests for duplicate request-header
  joining, Proxy header blocking, joined-value caps, safe HTTP_HOST
  insertion, content-type selection, and runtime custom-param filtering.
• Added standalone fluxheim-php-fpm tests for split-container script
  filename mapping and unsafe PATH_INFO rejection, plus the existing root
  compatibility test for PHP fpm_root mapping.
• Added standalone fluxheim-php-fpm tests for direct script detection,
  front-controller fallback, PATH_INFO split mode, unsafe segment rejection,
  allowed-extension matching, and deny-prefix matching.
• Added standalone fluxheim-php-fpm tests for static file script-name mapping
  and directory-index redirect decisions, plus existing root compatibility
  coverage for slashless PHP directory indexes.
• Added standalone fluxheim-php-fpm tests for PHP static-offload path policy,
  plus root compatibility coverage for X-Accel-Redirect and X-Sendfile
  handling.
• Added standalone fluxheim-php-fpm tests for X-Accel-Expires TTL parsing and
  restrictive origin cache-policy detection, plus existing root compatibility
  coverage for absolute-epoch parsing.
• Added standalone fluxheim-php-fpm tests for PHP response-header strip lists
  and internal static-offload header names, plus existing root compatibility
  coverage for hidden response headers.
• Added standalone fluxheim-php-fpm tests for PHP error-page/status
  interception decisions, plus existing root compatibility coverage for PHP
  custom error pages.
• Extended PHP-FPM tests for extensionless static-offload rejection and invalid
  Connection token filtering.
• Added PHP-FPM tests proving CONTENT_TYPE rejects control bytes and
  over-limit joined values without retaining the oversized joined result.
• Updated standalone fluxheim-cache tests to assert the local-static key
  prefix is fluxheim-static-v1;.
• Added live native route static-web tests proving the supported memory
  local-static cache returns MISS on the first request and HIT on a second
  request through the native listener.
• Added live native vhost static-web tests proving memory local-static cache
  returns MISS/HIT through the native listener, plus cutover-plan coverage
  for the supported vhost static-cache shape.
• Added native static-web memory-cache tests for conservative cache-entry
  weight accounting and expired/oldest-entry pruning behavior.
• Added route-config tests proving static-web routes accept the supported
  memory local-static cache adapter.
• Added native planning coverage proving static-web memory local-static cache
  routes do not block native HTTP/1 proxy cutover candidates.
• Added standalone fluxheim-php-fpm tests for in-memory request-body replay,
  secure spool-file replay/cleanup, and combined FastCGI stdout/stderr response
  size accounting, while keeping root PHP compatibility tests green.
• Added standalone and root compatibility tests proving PHP-FPM keep-alive pool
  labels remain stable after the pool move.
• Added native upstream-client tests proving PROXY protocol v1 and v2 bytes are
  written before HTTP request bytes, plus a live native proxy listener test
  proving listener destination metadata reaches the upstream PROXY line.
• Added native proxy config tests proving HTTP/1 upstream PROXY protocol is
  accepted, origin pooling is disabled for it, and HTTP/2 upstream
  combinations fail closed.
• Added live native host-router tests proving exact Host dispatch, wildcard
  longest-suffix matching, unknown/missing Host fallback, and default-vhost
  config validation.
• Added native runtime manifest tests proving blocked plans return explicit
  blockers and blocker-free multi-service plans expose proxy, admin, metrics,
  stream, UDP, ops-socket, and listener bindings.
• Added native metrics-handler tests proving the Prometheus text response is
  served through the NativeHttp1Handler boundary and a live native HTTP/1
  listener.
• Added native metrics-handler tests proving only GET/HEAD /metrics is
  served, with HEAD returning the Prometheus content length without a body.
• Added native root-proxy tests proving root response headers are stripped,
  set, and appended through the root config constructor, plus planner coverage
  for non-default root response headers.
• Added native host-router tests proving root-only proxy configs are served
  without vhosts and truly empty configs still fail closed.
• Added root static-web native host-router coverage plus planner tests proving
  supported root local-static memory cache is native-ready and unsupported root
  disk cache still fails closed as a cache blocker. The root static-web
  host-router test also proves the native memory cache returns MISS then
  HIT through a live listener.
• Added native cutover planner tests for vhost fallback-only static web,
  unsupported static-web disk cache, and PHP-FPM so policy blockers remain
  visible without an upstream proxy candidate.
• Added a live native admin listener test proving the authenticated health
  endpoint is served correctly through the native HTTP/1 listener.
• Startup now logs a native runtime manifest preview for blocker-free plans,
  showing the Fluxheim-owned service/listener/background-task graph while the
  compatibility runtime remains active.
• The native runtime cutover evidence report now includes manifest service and
  background-task rows, so CI archives the exact native service graph that the
  final runner will consume.
• Added launch-plan validation tests proving duplicate TCP listener binds keep
  the native target adapter disabled, while TCP and UDP listeners on the same
  address remain valid because they use distinct kernel transports.
• Added cutover-report coverage for native launch-plan error rows, including
  duplicate listener binds.
• Added native launch-policy TSV coverage for representative HTTP/1 and HTTP/2
  hardening values.
• Added feature-gated native request-view tests proving URI keys, repeated
  header values, and Cookie headers are exposed to fluxheim-load-balancer.
• Added a feature-gated native server test proving NativeHttp1Request drives
  real load-balancer header-hash selection through the shared request-view
  boundary.
• Updated load-balancer selection tests to exercise the new public
  selected-upstream metadata accessors.
• Re-ran targeted tests for native HTTP/1 client encoding, load-balancer
  persistence constant-time comparisons, and TLS secret handling after the
  dependency refresh.
• Re-ran the native runtime cutover evidence gate and the Pingora dependency
  policy gate against the 1.6.31 planning state.

Checksums And Signatures

• Commit: 1f6674226276f9b0fb3b93014e4dc3ca70bc5fe2
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • [MANUAL_SHA256] fluxheim-1.6.31.tar.gz
  • [MANUAL_SHA256] fluxheim-1.6.31.zip
• Binary checksums:
  • x86_64:
    • cac073bbc123c306916c0a1d8c203a3411a0a7a0a96e6a36062d99462eed35c4 fluxheim-1.6.31-full-x86_64-linux.tar.gz
    • fc86dd1744316aa0a5cc1fd4fc9ea0a3d9caa65d07c3b2c5bb02f2d6f44b1a87 fluxheim-1.6.31-cache-x86_64-linux.tar.gz
    • 35d13d3e3bfc3d0058a7cc29f86e0f5bdeddb99c86e9390d916ef89d5d2eed3e fluxheim-1.6.31-proxy-x86_64-linux.tar.gz
    • d6ddd70411b9b3b434553681a0c14f812fa0b995810f4c34df55df8127abe1e7 fluxheim-1.6.31-php-x86_64-linux.tar.gz
    • b366b343b8b561fbc51fe80ab133b50433b1f7065bd139d6ccc563b1cb9be13c fluxheim-1.6.31-load-balancer-x86_64-linux.tar.gz
    • 0b20544305015f5aee973019ad4876618208206e056ee3d0f77ed024fa42e8fc fluxheim-1.6.31-config-tester-x86_64-linux.tar.gz
  • aarch64:
    • 377ee0359b9cd777639432a582d9c5cf460a6414e214ea6358212c3e5cde037e fluxheim-1.6.31-full-aarch64-linux.tar.gz
    • 5d7d390f648bfc53a68c952b0413998b3f5748849befd8b95d6e43f21ed5f0c4 fluxheim-1.6.31-cache-aarch64-linux.tar.gz
    • 7c020f3df1c04bdae27cbd72468adc105d1658804c61dbcea480f703366f2073 fluxheim-1.6.31-proxy-aarch64-linux.tar.gz
    • 55a99fde8ee46616d0fdd1a3eb6420c877284767e64446264f3be053b4876930 fluxheim-1.6.31-php-aarch64-linux.tar.gz
    • d21a359397ea54b60bbf86e54115b848c6e4cb17f7a8800d367b998ced983ec3 fluxheim-1.6.31-load-balancer-aarch64-linux.tar.gz
    • ab44f7024207397f1f7abb1619e0489290759cf16d88665e40e1c2da5d41c03a fluxheim-1.6.31-config-tester-aarch64-linux.tar.gz
  • macos:
    • 2bb29762909fb89d268077807458babfad9de9e1f3a496d594c9cde7b34ff10a fluxheim-1.6.31-dev-aarch64-macos.tar.gz
• SBOM checksums:
  • f5de6896deb2b2e3d2f3c93056043d772de9eda777c11a1f31618870cbcf1266 fluxheim.spdx.json
  • e4ed4493265b5e856fd03b862297fe4f906d8c6264ffb233752a44ddcdd1ab79 fluxheim.cyclonedx.json
• Reproducible build:
  • 86fc14f50f855c463031ecf929eb4fbc8d4f4246dd5f47b72e475a890d18fcae x86_64
  • 2a8bea99a3feb90b55d014bb54da0eadd3594bb484820f1d38a94b121483298b aarch64
  • a9f4f26267421bd2e57465304d40afcad1264ac897d4bc399b094c13df78a978 macos
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:1ec3aadab1b78e41c8a230e1cb3530258115bc0579fb36a5849f082287a9f586
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:b8651a28c479556fab821a6075820b1477909e5351113244c154e5ee399b6aa4
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:6bd1e1e6e859e2247767851c5ffed7d641fa454fb1810f9bf8f56136c192f201
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:0d1d7772559cb2a0eaf010298caa3d1b5afae22ff545e21c499f15bb1fa78a0e
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:aa453a5e71e3a96a83651fce55b415f7e6a687cdc60dfdc4a1b692d5c828636b
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:a7fc2343e453e9bac4c8d661c5f7148966b3e63cccab89e407fb2ed1ce105556
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:1a0b7c8917c2846e5d0ba8a8189733e32227583062de19c471b94e9a58cb17fd
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:834278d586b132513098bc7d554e0fe2ab7777917b58d0c1b3750e64ade03e3f
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:bedb716c4ecd24e3b5005e8b9d91e524e6568ae315c614b1705040a8bb724528
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:c85bb998fbe482b15d185ad8a98d0c15bf6b6ccbc9a3726dbb1485e1415402d6
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:33eead14bbdbf974e84b32e971f7b4b521c6fdc3ebf12412037726b95e063460
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:41805cd513ba86d0280951aa83a60c8fa47ee8deddc0b3734e0bac0f7593ebd5
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:3c15aaf653aba6500ecd0f9391ea200f42c607f82d265fee86b6e2ec6f4b3904
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:266937674f3db5cc496edd44691d52b317cacd5ab1da880fdee1b336bcd1c5ff
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:0bd6ecad9b3573198d3eed0160b1a30414e71e1ed0c482b5c6edaa019cb26fff
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:0e8e6c49a76bcba621b506821beb98b77bd53ca00c9de0f48399676457ae4b3b
• Load Balancer Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:364d0c47c25c0414114e0c318a4ed5ceca7f76d3b239b383a7ef9847feb9b8d7
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:868c8334674088c6025748111384f51f785660181b04b67c55670b200b60009d
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:55dc9cea996393654206d4e654556fcd4168460d1613bf9ed97954d39e27edf0
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:b10b2e97e48578b3609302078df9224fd32835e45fbfcfde191734541a5dc1bd
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4

---

This discussion was created from the release Fluxheim 1.6.31.