Modular reverse proxy, cache, load balancer, and static host written in Rust. Secure by default with TLS, ACME, compression, edge policy, dynamic upstream discovery, and safe traffic mirroring built in.

include_conf_d = false

[server]
listen = ["0.0.0.0:80"]
tls_listen = ["0.0.0.0:443"]
default_vhost = "fluxheim.eu"

[tls]
enabled = true
backend = "rustls"
profile = "intermediate"
min_protocol = "tls1.2"
alpn = "http1-and-http2"
curve_preferences = ["X25519", "CurveP256", "CurveP384"]

[[vhosts]]
name = "fluxheim.eu"
hosts = ["fluxheim.eu"]

[vhosts.tls]
enabled = true

[vhosts.tls.certificate]
cert_path = "/etc/fluxheim/tls/fluxheim.eu/fullchain.pem"
key_path = "/etc/fluxheim/tls/fluxheim.eu/privkey.pem"

[vhosts.web]
root = "/srv/sites/fluxheim.eu"
index_files = ["index.html"]

Fluxheim ships as focused, modular builds — use only what your deployment needs.
Written in Rust with a pinned stable toolchain. No buffer overflows, no use-after-free, no data races by construction.
A Rust-native edge runtime with connection pooling, upstream retries, active health checks, HTTP/2, WebSocket upgrades, and gRPC pass-through.
Focused 1.5 load-balancer binary and image with advanced selection, local persistence, health/ejection policy, bounded queueing, and runtime member controls.
Compile only what you need. Focused profiles for static site, cache edge, reverse proxy, load balancing, TCP stream proxying, PHP-FPM, GeoIP, traffic mirroring, and compression-enabled production bundles.
rustls-first with supported OpenSSL and FIPS/ISO proof build paths, client certificate auth, upstream mTLS, automatic ACME issuance, and multi-cert SNI.
Memory, disk, tiered, and encrypted cache backends with cache-safe gzip, Zstandard, and Brotli compression plus range caching for large objects.
Rootless Podman images for Wolfi, Alpine, SUSE Micro, and Debian. Systemd/RPM for native deployments. Zero external assets on startup.
Opt-in Prometheus metrics listener, OTLP metrics export, trace context propagation, and OTLP trace export for full observability.
Optional local MMDB lookups for country and ASN policy using MaxMind GeoIP2/GeoLite2 or CIRCL Geo Open datasets. No remote lookup or downloader in the request path.
Raw L4 TCP services with dedicated stream routes, true idle/lifetime/byte caps, upstream TLS/mTLS controls, weighted/drain/backup policy, and route-local PROXY protocol.
Opt-in PHP-FPM FastCGI bridge for WordPress-style front-controller applications. Strict script resolution and bounded request handling.
Trusted-proxy-aware ACLs, rate limits, auth subrequests, traffic mirroring, regex rewrites, bounded queues, strict config validation, and hardened request handling.
Download a pre-built binary, drop in a config file, and start serving. Native systemd units and container images included.

# Download and extract the full build
curl -L https://github.com/valkyoth/fluxheim/releases/download/v1.6.30/fluxheim-1.6.30-full-x86_64-linux.tar.gz \
  | tar xz
# Move binary to system path
sudo mv fluxheim /usr/local/bin/
# Validate your config before starting
fluxheim --check-config --config /etc/fluxheim/fluxheim.toml
# Run with systemd (included unit file)
sudo systemctl enable --now fluxheim

# Pull from GHCR or Quay
podman pull ghcr.io/valkyoth/fluxheim:v1.6.30
podman pull quay.io/valkyoth/fluxheim:v1.6.30
# Run rootless with your config mounted
podman run -d \
  --name fluxheim \
  -p 8080:8080 -p 8443:8443 \
  -v /srv/sites:/srv/sites:ro \
  -v ./fluxheim.toml:/etc/fluxheim/fluxheim.toml:ro \
  ghcr.io/valkyoth/fluxheim:v1.6.30
# Available image variants: full, load-balancer, cache, proxy, php

# Clone and build the default profile
git clone https://github.com/valkyoth/fluxheim
cd fluxheim
# Default build (proxy + web + cache + tls-rustls + security)
cargo build --release
# Or build a focused profile
cargo build --release --no-default-features \
  --features profile-proxy-edge,acme-client
# Validate config and run
cargo run --release -- \
  --check-config --config examples/fluxheim.toml

Built for operators who want a modern, auditable stack without hidden legacy behaviour.
Config validation is strict. Ambiguous or insecure options are rejected, not silently accepted.
Reproducible builds. Every dependency is pinned. cargo audit and cargo deny run in CI.
Run without root. Internal ports 8080/8443 by default. Explicit runtime images for different operational policies.
Copyleft license compatible with many OSS licenses. EU-originated, legally clear for government and enterprise use.
A glance at what Fluxheim looks like in a production deployment.