Changelog

Release history for Fluxheim. Full release notes are on GitHub Releases.

v1.6.30 (Latest Stable)

Released June 23, 2026

  • + Moves plaintext upstream HTTP/2 forwarding into the native HTTP/1 proxy path for h2c/prior-knowledge origins
  • + Adds pooled native upstream H2 connections with bounded stream capacity and safe-method retry after pre-response pooled-handle failure
  • + Supports TLS ALPN-negotiated upstream HTTP/2 with existing upstream TLS/SNI/CA policy
  • + Adds explicit, disabled-by-default h2c Upgrade fallback for plaintext http1-and-http2 origins
  • + Bounds native upstream H2 handshakes, stream-slot waits, keepalive pings, and setup timeouts

Released June 23, 2026

  • + Moves inherited global/vhost compression policy into the native HTTP/1 proxy and route proxy
  • + Merges root/vhost/route header-policy inheritance into native route proxy construction
  • + Moves safe forwarded-client-IP ownership, trusted-chain append, regex rewrites, ACLs, concurrency, and rate limits onto the native path
  • + Adds native ACME HTTP-01 challenge serving, traffic mirroring, auth-request, and route-scoped gRPC validation

Released June 21, 2026

  • + Moves route-level native response compression onto the HTTP/1 route proxy through fluxheim-compression
  • + Moves proxy.error_pages onto native HTTP/1 proxy fallback pages backed by fluxheim-web

Released June 21, 2026

  • + Adds native HTTP/1 route static-web serving backed by fluxheim-web
  • + Adds route request-header mutation, response rewrites, static upstream round-robin, and static upstream weights to the native route proxy

Released June 21, 2026

  • + Adds native route redirect actions with safe {uri}, {path}, and {query} expansion
  • + Moves route body limits and response-header overlays onto native HTTP/1 route proxy responses

Released June 21, 2026

  • + Adds native HTTP/1 route-proxy execution for exact, prefix, and fallback routes with method filters and safe rewrite handling
  • + Adds native-http1-proxy-candidate rows to runtime cutover evidence so remaining compatibility blockers are explicit

Released June 20, 2026

  • + Promotes the native HTTP/2 downstream safety preview to cutover-ready after focused parity tests
  • + Makes the representative native runtime cutover report blocker-free for simple HTTP/1, HTTP/2, admin, metrics, stream, and UDP configurations

Released June 20, 2026

  • + Cuts stream and UDP proxy service startup over to Fluxheim-owned native task boundaries
  • + Adds cancellation-safe native shutdown waiting and abort-on-cancel background task joins

Released June 20, 2026

  • + Starts native admin and metrics serving behind Fluxheim-owned server primitives
  • + Hardens native background handles so dropped critical handles abort instead of silently detaching tasks

Released June 20, 2026

  • + Adds NativeBackgroundSupervisor for Fluxheim-owned background task orchestration
  • + Adds critical task watchdog support and hardens shutdown delivery edge cases

Released June 20, 2026

  • + Adds native runtime cutover evidence gates and fluxheim-config-tester --runtime-cutover
  • + Moves remaining Pingora exception targets to a documented multi-release exit plan while keeping policy gates active

Released June 19, 2026

  • + Adds explicit pingora-compat feature gating for the remaining compatibility runtime boundary
  • + Moves rustls/OpenSSL downstream TLS SNI, certificate storage, reload, PEM parsing, and native HTTP/1 TLS listener previews into Fluxheim-owned code

Released June 19, 2026

  • + Continues the Pingora-exit slice by shrinking the remaining root compatibility surface for proxy, cache, and runtime paths
  • + Splits native health checks into HTTP/gRPC, database, exec, and TCP/TLS transport helper modules with stricter probe bounds

Released June 19, 2026

  • + Removes the direct Pingora dependency from fluxheim-load-balancer
  • + Adds Fluxheim-owned bounded HTTP/1.1 and h2 gRPC active health checks with policy coverage to prevent Pingora reintroduction

Released June 19, 2026

  • + Adds native HTTP/1.1 proxy cutover readiness planning on ServerPlan
  • + Fails closed for compatibility-only proxy features such as auth subrequests, mirroring, redirects, strip/rewrite transforms, and advanced load-balancer policy

Released June 18, 2026

  • + Adds a Fluxheim-owned native HTTP/2 upstream client primitive with bounded headers, bodies, trailers, and deadlines
  • + Adds h2 client/server tests for trailer preservation, oversized responses, stream resets, and flow-control timeout behavior

Released June 18, 2026

  • + Adds native rustls/OpenSSL upstream TLS and mTLS support to the staged HTTP/1.1 proxy path
  • + Adds ordered static upstream failover for safe methods plus bounded no-follow TLS material reads and hostname-policy coverage

Released June 18, 2026

  • + Adds bounded native HTTP/1.1 upstream connection pooling for safe content-length and no-body origin responses
  • + Adds keepalive pool sizing, upstream idle timeout handling, conservative no-reuse guards, and real socket reuse/expiry tests

Released June 18, 2026

  • + Adds reusable native HTTP/2 connection primitives with bounded request-body collection and response trailer support
  • + Hardens HTTP/2 response lifetime, handler timeout, DATA capacity handling, prohibited headers/trailers, and request-body zeroization

Released June 17, 2026

  • + Adds the native HTTP/2 runtime preview gate and h2 stack probe with bounded headers, URI, body, streams, frames, buffers, and rapid reset policy
  • + Adds HTTP/2 preview smoke coverage and extends native HTTP/1 behavior coverage for HTTP/1.0 keep-alive/close semantics

Released June 17, 2026

  • + Adds the bounded native HTTP/1 upstream client and staged native proxy handler for plain static upstreams
  • + Adds native proxy candidate inventory, Fluxheim-owned proxy headers, privacy-mode behavior, and fail-closed eligibility for unsupported policy layers

Released June 17, 2026

  • + Adds the native HTTP/1 connection/listener runtime over Tokio IO and staged native static-file adapter
  • + Maps server limits into native HTTP/1 policy and adds socket tests for keep-alive, body framing, shutdown, static files, slow clients, and connection caps

Released June 17, 2026

  • + Adds Fluxheim-owned HTTP/1.0/HTTP/1.1 request-head parsing, request-body framing classification, Host validation, persistence handling, and chunked decoding
  • + Adds downstream HTTP/1 policy defaults and hardened native parser boundaries for future runtime cutover work

Released June 16, 2026

  • + Moves server bootstrap planning, listener inventory, service intent, background-task intent, HTTP/2 policy, PROXY protocol policy, and private Unix socket planning into fluxheim-server
  • + Keeps the current runtime as an explicit compatibility adapter while native server/listener work continues

Released June 16, 2026

  • + Adds fluxheim-tls as the downstream TLS listener planning and provider-policy boundary
  • + Moves TLS listener plans, SNI selection, wildcard matching, ALPN/cipher/curve policy, and rustls/OpenSSL provider checks into the TLS crate
  • + Hardens TLS feature gates, SNI fallback behavior, PROXY v2 signature validation, and trusted PROXY CIDR validation

Released June 16, 2026

  • + Adds the first dedicated fluxheim-headers boundary for header policy helpers
  • + Moves rewrite algorithms, forwarded-header handling, hop-by-hop request policy, and repeated-header joining into Fluxheim-owned header code
  • + Moves stream PROXY protocol byte parsers into fluxheim-protocol and tightens privacy/proxy CIDR validation

Released June 15, 2026

  • + Moves shared background task lifecycle primitives into fluxheim-runtime
  • + Moves OTLP metrics export, ACME certificate reload control, admin snapshot validation state, and rollback decisions into Fluxheim-owned runtime/snapshot code
  • + Hardens the local certificate reload control socket and private backend filtering

Released June 15, 2026

  • + Adds fluxheim-stream as the internal TCP stream proxy runtime boundary
  • + Moves stream upstream selection, PROXY protocol parsing/writing, source policy, DNS-rebinding guards, byte accounting, and timeout handling behind Fluxheim-owned stream code

Released June 14, 2026

  • + Moves cache key identity, object envelopes, disk index management, storage-bin helpers, tag handling, and cache storage interfaces into fluxheim-cache
  • + Adds tests and release gates that enforce Pingora dependency removal targets during normal cargo test runs

Released June 14, 2026

  • + Starts the first concrete 1.6.x implementation release after the foundation tag
  • + Removes pingora-load-balancing/pingora-ketama from full and load-balancer image profiles, restores 1.6 load-balancer image builds, and moves TCP health checks plus request-key extraction behind Fluxheim-owned boundaries

Released June 14, 2026

  • + Started the 1.6.x Pingora-exit foundation line while keeping runtime behavior unchanged
  • + Added modularity policy validation, legacy oversized-file exceptions, runtime baseline capture, and performance evidence capture
  • + Added release-gated Pingora dependency exceptions, runtime parity fixtures, and the extraction dependency graph
  • + Added initial fluxheim-runtime and fluxheim-server boundary crates plus typed policy proof primitives

v1.5.0 - v1.5.23

June 2026

  • + Introduced the enterprise HTTP/TCP load-balancer line with focused binaries, images, runtime member and weight controls, persistence, health checks, queueing, and migration docs
  • + Expanded Fluxheim-owned runtime boundaries across HTTP, stream proxying, load balancing, background tasks, cache interfaces, observability, config, and shared crates
  • + Added managed affinity cookies, service discovery, active and protocol-aware health checks, restart-persistent state, and runtime backend mutation controls
  • + Added UDP beta guardrails, cache origin-protection budgets, ARM/Linux and macOS developer assets, config tester archives, and broad proxy/cache/PHP-FPM security hardening

Released May 25, 2026

  • + Production proxy parity release with trusted-proxy-aware ACLs, local rate limits, concurrency limits, bounded queues, and edge policy metrics
  • + gzip, Zstandard, and Brotli response compression with vhost/route overrides and cache-safe Vary handling
  • + Load-balancer resilience, TLS/protocol parity, PROXY protocol v1/v2, upstream mTLS, HTTP/2 controls, and gRPC pass-through

Released May 23, 2026

  • + Managed php-fpm process supervision under the existing php-fpm feature, while external php-fpm remains the default
  • + Respawn watchdog, bounded backoff, SIGTERM-before-SIGKILL teardown, sanitized environment, and private generated pool state
  • + Auditable [vhosts.php.fpm] mode = "managed" config surface for private sockets, worker counts, process manager modes, slowlog, temp paths, and pool files
  • + Expanded WordPress PHP-FPM smoke coverage across external, managed-static, managed-dynamic, managed-ondemand, and managed-respawn modes
  • + Recommended Wolfi PHP image now installs php-8.5-fpm and uses managed php-fpm container config by default

Released May 23, 2026

  • + FIPS/ISO-required configs fail closed for unsupported internal cryptography, managed ACME, and local cache encryption
  • + Provider-backed admin auth, numeric-local-loopback OTLP exception, and OpenBao Transit cache encryption evidence boundary
  • + New compliance evidence template and release evidence package sections for regulated reviews

Released May 22, 2026

  • + rustls/AWS-LC FIPS-capable candidate backend through tls-rustls-fips
  • + FIPS and ISO/IEC 19790 rustls profile aliases, config examples, diagnostics, and validation script

Released May 21, 2026

  • + OpenSSL FIPS/ISO-capable TLS validation through tls-openssl-fips and provider diagnostics
  • + FIPS deployment guide, config fixtures, validation script, release evidence, and OWASP Top 10 2025 baseline

Released May 20, 2026

  • + PHP-FPM keepalive pooling, upstream retry/failover, and request body disk spooling for safer operation under load
  • + WordPress routing/cache preset plus PHP application recipes for common framework and forum deployments
  • + PHP metrics and OpenTelemetry attributes, X-Accel-Redirect, X-Sendfile, and X-Accel-Expires support

Released May 18, 2026

  • + fluxheim-acme standalone companion binary for certificate renewal, status, and ACME reload socket signalling
  • + fluxheim-config-tester standalone binary for validating configs in CI and container entrypoints without starting the gateway
  • + ACME reload Unix socket — live certificate pickup without gateway restart
  • + New profile-php build profile — proxy + web + php-fpm + tls-rustls + security
  • + Security hardening improvements across the request pipeline

Released May 16, 2026

  • + Opt-in PHP-FPM FastCGI bridge for WordPress-style front-controller applications
  • + Strict script resolution and bounded FastCGI request/response handling
  • + Browser-validated WordPress proxy/PHP cookie compatibility fixes
  • + PHP-FPM can serve static assets from same root while routing PHP to FPM
  • + New php-fpm Cargo feature (implies proxy and web)

Released May 14, 2026

  • + Shared ingress/TLS feature-graph split — focused cache and proxy profiles are now TLS/ACME-capable
  • + New profile-cache-edge — cache without static web module
  • + New profile-proxy-edge — focused reverse proxy edge
  • + Official focused container images for cache and proxy profiles

v1.2.x Series

May 2026

v1.2.6

  • + Fixed-slice range-cache composition: open-ended, suffix, and multipart byte-range
  • + Opt-in range_slice_cache = true extends bounded range caching

v1.2.5

  • + Bounded range caching for large proxy-cache objects

v1.2.4

  • + Distributed cache peer fill with safe only-if-cached peer fetches
  • + Bounded fail-open/fail-closed peer fill behavior

v1.2.3

  • + Optional disk cache encryption with local keys or OpenBao Transit

v1.2.2

  • + Storage-bin disk cache backend for larger high-churn caches

v1.2.1

  • + Opt-in local static-file caching via local_static = true

v1.2.0 — Cache & Observability Baseline

  • + Vhost/route cache policy, memory/disk/tiered cache backends
  • + Cache locks, stale serving, purge and status endpoints
  • + Cache warm, key assertion, and lookup tooling
  • + Prometheus metrics listener
  • + OpenTelemetry export profiles (metrics + tracing)

v1.1 — Certificate Operations

2026

  • + TLS policy profiles
  • + Multi-certificate rustls SNI
  • + Managed ACME certificate issuance and renewal
  • + EAB-capable issuers (Actalis and others)
  • + File-backed TLS secrets
  • + acme-init guided issuer bootstrap tool
  • + Packaged certificate renewal systemd units

v1.0 — Gateway Foundation (Initial Stable)

2026

  • + Virtual host routing by Host header with default-vhost fallback
  • + Route-level static, proxy, and redirect actions
  • + Static file serving with MIME detection, ETag, conditional 304, byte ranges
  • + Whole-vhost and route-level reverse proxying
  • + rustls TLS with SNI, static/bought certificate support
  • + Safe ACME HTTP-01 challenge forwarding
  • + Admin control-plane with bearer-token auth and brute-force throttling
  • + Secure request/response header policy
  • + Optional HTTP → HTTPS redirect with safe Host validation
  • + Systemd unit, RPM packaging
  • + Rootless Podman container images

What's Next

1.6.30 continues the native proxy cutover by adding pooled upstream HTTP/2, TLS ALPN H2 origins, and explicit h2c fallback controls. Remaining parity work stays documented through the source notes and release gates.
