diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..ce8df6e --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,191 @@ +# Changelog + +## 0.1.0 (2026-05-23) + + +### Features + +* Add ACME certificate automation module ([fb074af](https://github.com/PQCrypta/pqcrypta-proxy/commit/fb074aff9e9e8bd43ec6204421a8b1e9a2c98040)) +* Add alt-svc header to 103 Early Hints + update docs ([3fca87e](https://github.com/PQCrypta/pqcrypta-proxy/commit/3fca87e07bd7c7b9df5d04b782daf664c2af926b)) +* add canary / percentage traffic splitting ([da8cd88](https://github.com/PQCrypta/pqcrypta-proxy/commit/da8cd88fc8be1de134f9789818a5b626038cafb2)) +* add canary routing and traffic shadowing to HTTP/3/QUIC listener ([17d30e4](https://github.com/PQCrypta/pqcrypta-proxy/commit/17d30e4f71217c391d58b6628f95b876087f2c2a)) +* Add client/server error type filtering to /metrics/errors endpoint ([12718d9](https://github.com/PQCrypta/pqcrypta-proxy/commit/12718d94049d58661effd7b73cbf8362c2cd2f64)) +* Add comprehensive ClientHello/SNI parser unit tests ([7bcc046](https://github.com/PQCrypta/pqcrypta-proxy/commit/7bcc046fe3c97437c2d59ba2321afbaf8c018ef3)) +* Add comprehensive Prometheus metrics registry ([640c9dc](https://github.com/PQCrypta/pqcrypta-proxy/commit/640c9dc636308e6d7449a8996928bfb2d3ff6b4d)) +* Add configurable 0-RTT setting with secure default ([b98fc39](https://github.com/PQCrypta/pqcrypta-proxy/commit/b98fc395ab5dadab84373613903109f0dace906e)) +* Add enterprise load balancer with 6 algorithms and session affinity ([c490589](https://github.com/PQCrypta/pqcrypta-proxy/commit/c4905895ac46885cfe94189c1d5c9b1473745ffb)) +* Add HTTP/3 Performance & Monitoring headers ([f8c9a86](https://github.com/PQCrypta/pqcrypta-proxy/commit/f8c9a86734f3dba45c003b3cb211862c20958e41)) +* Add HTTP/3 performance headers to QUIC listener ([43d67bf](https://github.com/PQCrypta/pqcrypta-proxy/commit/43d67bf158eb71fa41ac9ce33c2b69dd79cbb688)) +* add native QUIC speed test handler via WebTransport /speedtest path 
([468c263](https://github.com/PQCrypta/pqcrypta-proxy/commit/468c2631091429408cea0bd5e65861962e5eb225)) +* add native WebTransport telemetry wall handler at /telemetry ([18f98c7](https://github.com/PQCrypta/pqcrypta-proxy/commit/18f98c7038889c40027f330e927a83d7195e1dc5)) +* Add nginx-compatible access logging for HTTP/3 and HTTP/1.1 ([9d74280](https://github.com/PQCrypta/pqcrypta-proxy/commit/9d742809a97e06176704fd7d5bf47bab8335be05)) +* Add OCSP stapling automation service ([b352e2c](https://github.com/PQCrypta/pqcrypta-proxy/commit/b352e2c4962e175c31cccdd11430d8b1da60d1ff)) +* add OpenTelemetry distributed tracing ([7d6b38c](https://github.com/PQCrypta/pqcrypta-proxy/commit/7d6b38caca5bafe97992a75e3b668be18c78b6fc)) +* Add per-error detail tracking to proxy metrics ([63d8658](https://github.com/PQCrypta/pqcrypta-proxy/commit/63d865850afa855a2a65a7e8319409477e055415)) +* Add PQC-TLS, compression, security, and HTTP/3 features ([f011cbf](https://github.com/PQCrypta/pqcrypta-proxy/commit/f011cbfb43cfaad20a5586e2baaf04a725ee23c3)) +* Add proper WebTransport support using wtransport crate ([c817ce5](https://github.com/PQCrypta/pqcrypta-proxy/commit/c817ce5fa2afdcbd91f87a7a3997c02dc01d4d57)) +* Add server header branding to all HTTP/3 responses ([6a07a4d](https://github.com/PQCrypta/pqcrypta-proxy/commit/6a07a4dc9a7d2695bd76fe714834b67c113ac7e8)) +* add setup_fingerprint_db.sh to download Salesforce JA3 database ([a606bd6](https://github.com/PQCrypta/pqcrypta-proxy/commit/a606bd67d837cecd063c61059e006cdfe408badd)) +* Add standalone HTTP listener for Alt-Svc advertisement ([65c0c7f](https://github.com/PQCrypta/pqcrypta-proxy/commit/65c0c7fbc013b8ca83392d56462fef8b811f64fd)) +* add tcp_only_hosts config — send Alt-Svc: clear to prevent QUIC upgrades ([d2624d1](https://github.com/PQCrypta/pqcrypta-proxy/commit/d2624d12c693943ba7c23591d6ad002ec6c34b68)) +* add webtransport_cert_path/key_path config for explicit cert override 
([fdc5c44](https://github.com/PQCrypta/pqcrypta-proxy/commit/fdc5c447a44bb2d2a8a6b4d4b11eaef350d9b19b)) +* add weekly JA3 fingerprint database refresh cron ([040515f](https://github.com/PQCrypta/pqcrypta-proxy/commit/040515fec70733e65462da16ab5c05b12f808b54)) +* Complete security integration - JA3/JA4 fingerprinting, circuit breaker, TLS capture ([f330a97](https://github.com/PQCrypta/pqcrypta-proxy/commit/f330a976d902849e15fd172747665a30cbc7ecd7)) +* Config-driven TLS version + remove nginx replacement claims ([29a6628](https://github.com/PQCrypta/pqcrypta-proxy/commit/29a6628a2340b0bba2158a0ceab45c5b52c72dd7)) +* **cors:** multi-origin reflection for pqpdf.com ([b323ad0](https://github.com/PQCrypta/pqcrypta-proxy/commit/b323ad01ee7ddce71429d9ca7c26140c529fe653)) +* distributed rate limiting with Redis backend on all paths ([f3a0691](https://github.com/PQCrypta/pqcrypta-proxy/commit/f3a0691b18fbd09a3fd7f69fbddfc8630a73cc6a)) +* Enable ACME certificate automation with SAN support ([b22d5a1](https://github.com/PQCrypta/pqcrypta-proxy/commit/b22d5a11bb514a4fb8e8e740bfbade87a8c1be1f)) +* Enable dedicated WebTransport server with proper protocol support ([342fbc5](https://github.com/PQCrypta/pqcrypta-proxy/commit/342fbc57a1ae0fbe1d437eb8227fe8c99c402bdd)) +* Enable OCSP stapling and ACME certificate automation services ([32f4b30](https://github.com/PQCrypta/pqcrypta-proxy/commit/32f4b30941f87e21aded347f2eabe9ab770b8260)) +* Enable X25519MLKEM768 hybrid PQC key exchange via rustls-post-quantum ([4540813](https://github.com/PQCrypta/pqcrypta-proxy/commit/45408130d53e4ddcfd2c8f18c6be2a1ad57bc155)) +* Full nginx replacement with TLS terminate, re-encrypt, and passthrough modes ([4b99eb0](https://github.com/PQCrypta/pqcrypta-proxy/commit/4b99eb09ef272bb66af7fd3480091f95b41b649e)) +* handle SIGHUP to reopen log files for log rotation ([622f464](https://github.com/PQCrypta/pqcrypta-proxy/commit/622f46476b5288749c19c554294cc7bf478224bb)) +* HMAC nonce replay prevention, 
path+query signing, zero-trust admin constraint ([e2e0aab](https://github.com/PQCrypta/pqcrypta-proxy/commit/e2e0aab728c3c9980eecbbce71ff4d10284fd564)) +* HTTP/1.1-only ALPN per SNI — prevent browser HTTP/2 connection coalescing ([1596b0a](https://github.com/PQCrypta/pqcrypta-proxy/commit/1596b0a6149d18bc04e3227af33746b3e07af529)) +* implement 30 security and operational features ([87c4f26](https://github.com/PQCrypta/pqcrypta-proxy/commit/87c4f2606e834c4a919e1d34ecf630490383cf8f)) +* implement allow_http11 enforcement for per-route HTTP/1.1 control ([fd0ebd0](https://github.com/PQCrypta/pqcrypta-proxy/commit/fd0ebd0ba30d488b6b273a0a53b550e93066148c)) +* Implement full RFC 8555 ACME protocol for certificate automation ([547a90a](https://github.com/PQCrypta/pqcrypta-proxy/commit/547a90a8b10528f3d1c43077856774854ba678da)) +* Implement HTTP/3 103 Early Hints support ([28aa5e5](https://github.com/PQCrypta/pqcrypta-proxy/commit/28aa5e5dafddb231e8570c605ea393c4d15830d6)) +* Implement OpenSSL TLS accept loop with fingerprinting ([d0a4b39](https://github.com/PQCrypta/pqcrypta-proxy/commit/d0a4b3951bd1fe929c908a623b2d952a82d4a738)) +* Implement proper HTTP/3 support via QuicListener ([7fa9fb3](https://github.com/PQCrypta/pqcrypta-proxy/commit/7fa9fb3c40bedcdd21e947c3631d77e682c880d8)) +* Implement PROXY protocol v2 and extend PQC configuration ([42a12e8](https://github.com/PQCrypta/pqcrypta-proxy/commit/42a12e8cf84045cc56a181d70b95f3c9c1c95f76)) +* implement RFC 9111 response caching across HTTP/1.1, HTTP/2, HTTP/3, QUIC and WebTransport ([e6fe977](https://github.com/PQCrypta/pqcrypta-proxy/commit/e6fe977597860b52b84b683807025e68cbcea3e5)) +* implement traffic shadowing / mirroring ([4dff0e9](https://github.com/PQCrypta/pqcrypta-proxy/commit/4dff0e9cd3f0162f96fe1150feaa40b99f2a95e2)) +* Initial release of PQCrypta Proxy ([b7472f9](https://github.com/PQCrypta/pqcrypta-proxy/commit/b7472f9a33abe1d2fa4c65f5f9ab3e6cc8bdb2fb)) +* Integrate TLS fingerprinting and fix silent error 
handling ([8aa1c5f](https://github.com/PQCrypta/pqcrypta-proxy/commit/8aa1c5fd08ef7b490f3815ae2ec4ff6642386b50)) +* Integrate TLS fingerprinting, composite rate limiting, and HTTP/3 features ([d5eb7b3](https://github.com/PQCrypta/pqcrypta-proxy/commit/d5eb7b3b9c8b53093c6c657423797bbc9f1471e8)) +* Make all hardcoded values configurable ([b8d3124](https://github.com/PQCrypta/pqcrypta-proxy/commit/b8d3124fb0e48fdfb86d80a7be53666d61407904)) +* Make security error thresholds configurable ([7aa5350](https://github.com/PQCrypta/pqcrypta-proxy/commit/7aa535090990dde39e573029c12cd6d71f8875fd)) +* multi-location speedtest — remotellm deployment + dynamic IP updater ([b2a7eb0](https://github.com/PQCrypta/pqcrypta-proxy/commit/b2a7eb0eecc63347313ecec225af0d2aa59ab727)) +* normalize_paths config flag — disable path lowercasing per site ([ab8d47d](https://github.com/PQCrypta/pqcrypta-proxy/commit/ab8d47db642c60f4a1c95cff84f3341720dc73d1)) +* per-domain ACME certs with SNI routing and hot-reload ([0b514df](https://github.com/PQCrypta/pqcrypta-proxy/commit/0b514df242473130e37cf31ded97dad4ccbd8fbe)) +* **pqc:** Integrate OpenSSL 3.5+ as primary PQC TLS backend ([61a00c0](https://github.com/PQCrypta/pqcrypta-proxy/commit/61a00c0df21bb336e74ecdce4207413bbe3bcf89)) +* **pqc:** Successfully enable X25519MLKEM768 hybrid PQC TLS ([a88cc25](https://github.com/PQCrypta/pqcrypta-proxy/commit/a88cc25f2fb4565b81e3fcfbcfb8d845c25ea3e3)) +* **rate-limiter:** Implement cutting-edge multi-dimensional rate limiting ([6324a70](https://github.com/PQCrypta/pqcrypta-proxy/commit/6324a70d4024454d49fbaf959c6a9b49f09038cd)) +* split tcp2/api2 endpoints — tcp2 HTTP/1.1 only, api2 QUIC/WebTransport ([d2ebb7c](https://github.com/PQCrypta/pqcrypta-proxy/commit/d2ebb7c433b2593b79d64c47d0b51020c8a1bb0b)) +* streaming multi-probe traceroute with concurrent ICMP/UDP/TCP/QUIC methods ([c97490c](https://github.com/PQCrypta/pqcrypta-proxy/commit/c97490c1d30fcba8a357cd351cb2587ec567f139)) +* TCP speedtest handler 
supports any tcp_only_hosts, not just tcp.pqcrypta.com ([08881d5](https://github.com/PQCrypta/pqcrypta-proxy/commit/08881d563d19381531c2973a40224d5a13952094)) +* TLS/QUIC improvements, config updates, HTTP listener and ACME enhancements ([de6b95f](https://github.com/PQCrypta/pqcrypta-proxy/commit/de6b95f9ba171f5f6bc1b85ad32588e3021e500d)) +* v0.2.2 — CIDR blocklists, proactive health checks, QUIC shared state, session TTL, configurable ports ([be6ffb4](https://github.com/PQCrypta/pqcrypta-proxy/commit/be6ffb44dc48251a9a10eb66e46e67e4b47422f8)) +* **waf:** add scanner/reconnaissance probe path blocking ([dab6ee7](https://github.com/PQCrypta/pqcrypta-proxy/commit/dab6ee7676c21eb95f640cbd69e61b7a54e8f720)) +* WebSocket upgrade passthrough ([802c35f](https://github.com/PQCrypta/pqcrypta-proxy/commit/802c35fe2657d5ba9c560d715f12bb13dd1bc722)) +* Wire up fully implemented features ([fd5c9b5](https://github.com/PQCrypta/pqcrypta-proxy/commit/fd5c9b52799564a1960ab9eba38dd3db961f7af9)) +* zero-trust primitives — HMAC proof-of-possession, internal mTLS, zero_trust_mode ([41ce906](https://github.com/PQCrypta/pqcrypta-proxy/commit/41ce9063187c816d1c725d38ab10c2a7e4c6e308)) + + +### Bug Fixes + +* add 50ms timeout to Early Hints send_response to prevent QUIC flow control deadlock ([a422b6b](https://github.com/PQCrypta/pqcrypta-proxy/commit/a422b6b98693ee00db85453b4168f66f06cb4930)) +* add ALPN select callback to per-domain SslContext — fixes HTTP 426 ([fe37e05](https://github.com/PQCrypta/pqcrypta-proxy/commit/fe37e051ff5781dcf59ca667735f3ada0f4e5e98)) +* Add Alt-Svc header to all error responses for HTTP/3 discovery ([ee297c6](https://github.com/PQCrypta/pqcrypta-proxy/commit/ee297c6697a31dc22958f1c9b3cb507e62b02526)) +* Add Alt-Svc header to HTTP/3 responses from config ([ccb5482](https://github.com/PQCrypta/pqcrypta-proxy/commit/ccb5482acebfd8e7943bc541d50c2c7734f970a3)) +* add Alt-Svc: clear to QUIC 404 responses and TCP upload logging 
([7792340](https://github.com/PQCrypta/pqcrypta-proxy/commit/779234040facc576b14857d1d099c0f1a3f1f65b)) +* add CDLA-Permissive-2.0 to license allow list for webpki-root-certs ([3e116b4](https://github.com/PQCrypta/pqcrypta-proxy/commit/3e116b4963d48128f167cc8bdfa824bc00034567)) +* add CORS headers to 429 rate-limit responses on all paths ([4dbb827](https://github.com/PQCrypta/pqcrypta-proxy/commit/4dbb8278cf85394564c0a11eb893e3ee36c952e7)) +* add excluded_hosts to response cache; fix HTTP/2 host extraction from URI authority ([54b5a8d](https://github.com/PQCrypta/pqcrypta-proxy/commit/54b5a8d6155ab6e10045574a47a73b7c302e1408)) +* add idle timeout and max duration to speedtest and telemetry sessions ([ce551b3](https://github.com/PQCrypta/pqcrypta-proxy/commit/ce551b3ec95d9b2afd96399e2e15f0e61090f9b8)) +* Add permissions for Security Audit check run creation ([3b39f38](https://github.com/PQCrypta/pqcrypta-proxy/commit/3b39f389ad3ff7fe8c00816e33129a8e2f5883da)) +* Add platform-specific cfg for Unix socket code ([2c74b1d](https://github.com/PQCrypta/pqcrypta-proxy/commit/2c74b1dd417c9049471dd285654ab873a381cc96)) +* Add server header to 103 Early Hints response ([e4c589d](https://github.com/PQCrypta/pqcrypta-proxy/commit/e4c589d0110e75b4b4a2d67105a27dd19209d7f1)) +* add tcp-upload-stream route to run_http_listener (basic Rustls path) ([3af7ca6](https://github.com/PQCrypta/pqcrypta-proxy/commit/3af7ca6049216858de3ed4624933cc633b7eff0c)) +* Add timeouts and size limits to WebTransport handlers ([4a27099](https://github.com/PQCrypta/pqcrypta-proxy/commit/4a270992bd4f53abfeac41dc90526b42bca8f1ac)) +* address all 6 security findings from static analysis report ([aa25ae5](https://github.com/PQCrypta/pqcrypta-proxy/commit/aa25ae5f0815dd965cb90a1b611f8a7584f39d5b)) +* address all 8 findings from February 2026 security review ([705a981](https://github.com/PQCrypta/pqcrypta-proxy/commit/705a981d32fbc842ad1905f7f201ed275ee9af45)) +* address all 9 findings from security review 
(SEC-A01 through SEC-A09) ([28ed13f](https://github.com/PQCrypta/pqcrypta-proxy/commit/28ed13f466c1059ec5535223fda7b92f3161987c)) +* Address security vulnerabilities and Docker build issues ([fdb8db9](https://github.com/PQCrypta/pqcrypta-proxy/commit/fdb8db9c78fe0765b2269b589c41960e6b7dac29)) +* allow pqcrypta.com origin for WebTransport sessions (SR-02) ([66a6cec](https://github.com/PQCrypta/pqcrypta-proxy/commit/66a6cec1a3b2d7379cbe4afe009342f55d0c32e5)) +* apply rustfmt formatting to SR-04 and SR-06 changes ([1c12938](https://github.com/PQCrypta/pqcrypta-proxy/commit/1c129384b5caede2c8431056dda86bc9184251ee)) +* cargo-deny CI — remove invalid version input, allow OpenSSL license, skip redox_syscall duplicate ([b3863ec](https://github.com/PQCrypta/pqcrypta-proxy/commit/b3863ecc905f409d4c12874e46062bca8e5bd890)) +* CI compliance - clippy lints, formatting, and test fixes ([e948f54](https://github.com/PQCrypta/pqcrypta-proxy/commit/e948f541c1b7492389efa51259fc96191029e71b)) +* **ci:** Skip pqc-signatures feature on macOS tests ([2540853](https://github.com/PQCrypta/pqcrypta-proxy/commit/2540853a4f328db2ffb956f2d7ad2d3b77a42003)) +* Clean up warnings and add handle_session method ([c17226e](https://github.com/PQCrypta/pqcrypta-proxy/commit/c17226ece125dde3aec998b3bf3d21d1a71631a8)) +* clippy cast_possible_wrap, or_fun_call, explicit_clone; rustfmt; doc blank line ([7473b5e](https://github.com/PQCrypta/pqcrypta-proxy/commit/7473b5e84fc98dc8e5cdb81ec31a2ab63a62c037)) +* Copy vendor directory in Docker build for path dependencies ([10f9e35](https://github.com/PQCrypta/pqcrypta-proxy/commit/10f9e35f3559060af8f65cd860b3ffb086bcd7bc)) +* Correct ALPN protocol parsing with length-prefixed format ([1d385da](https://github.com/PQCrypta/pqcrypta-proxy/commit/1d385dafe665a2293879e20698418b36b0012b04)) +* **deps:** upgrade quinn-proto 0.11.13 -> 0.11.14 (RUSTSEC-2026-0037) ([8ef5dec](https://github.com/PQCrypta/pqcrypta-proxy/commit/8ef5dec5ba0bab600b02f1dd5351952331b16bc1)) +* 
ExcessiveLoad on QUIC + host port-stripping in proxy_handler ([4f06046](https://github.com/PQCrypta/pqcrypta-proxy/commit/4f0604657f78eab124ba70f2316e99d26c38b80d)) +* Fine-grained histogram buckets with linear interpolation for accurate proxy latency percentiles ([3a922d8](https://github.com/PQCrypta/pqcrypta-proxy/commit/3a922d884fb23ed5bcca250da289be5213bba406)) +* Forward original request headers in HTTP/3 to HTTP/1.1 proxy ([1f7f903](https://github.com/PQCrypta/pqcrypta-proxy/commit/1f7f90315a36e7662a0303feb6c5e3957a5e8e10)) +* Forward query strings in HTTP/3 QUIC proxy requests ([ec99854](https://github.com/PQCrypta/pqcrypta-proxy/commit/ec9985414175bb2334a81a4956b1508051fe9776)) +* Forward Set-Cookie headers in QUIC listener for auth ([ab0b1b6](https://github.com/PQCrypta/pqcrypta-proxy/commit/ab0b1b66d9eb5d6e0c7389ccd70d22d27d6a1a30)) +* Handle CORS preflight requests in QuicListener ([74f30de](https://github.com/PQCrypta/pqcrypta-proxy/commit/74f30dec97d8b63b3107497222bcbdb4815eaa36)) +* Health check traffic invisible to all proxy metrics ([a8b6aa5](https://github.com/PQCrypta/pqcrypta-proxy/commit/a8b6aa5d7e68b51998d3d179944f72a7d1944cb5)) +* ignore RUSTSEC-2025-0134 (rustls-pemfile deprecated, not a vulnerability) ([aea48cb](https://github.com/PQCrypta/pqcrypta-proxy/commit/aea48cb389e0c9535be880c7169c6f8965f14e69)) +* improve brute force PASS message for 401-rejecting login endpoints ([ef49aab](https://github.com/PQCrypta/pqcrypta-proxy/commit/ef49aab45e3838a7880abbb4456da81f3faf14d9)) +* Increase QUIC buffer sizes to prevent ExcessiveLoad errors ([307fdff](https://github.com/PQCrypta/pqcrypta-proxy/commit/307fdff2edc5d2dcf13b2a170669193fc8bc38d8)) +* migrate deny.toml to cargo-deny 0.16+ format (remove deprecated keys) ([980e584](https://github.com/PQCrypta/pqcrypta-proxy/commit/980e58419603ce36ac7533f8e8b1eaad71e076f4)) +* Move hyperlocal to Unix-only dependencies for Windows build 
([d2035aa](https://github.com/PQCrypta/pqcrypta-proxy/commit/d2035aaf364a742a8bad5d91e2825f24f095cc6d)) +* Move signal-hook dependencies to Unix-only for Windows build ([0a683a2](https://github.com/PQCrypta/pqcrypta-proxy/commit/0a683a2c480520ff17276e76c3a056e91b35e0a7)) +* Move tempfile to cross-platform dependencies ([7e89939](https://github.com/PQCrypta/pqcrypta-proxy/commit/7e89939610d47d5f6cacea87b1646ccee06492ea)) +* OCSP stapling gracefully handles missing responder URL ([2145708](https://github.com/PQCrypta/pqcrypta-proxy/commit/2145708241fa2d8270f68d68b33e0f111b510ff7)) +* preserve backend CSP header — only inject proxy default when backend did not set one ([9985109](https://github.com/PQCrypta/pqcrypta-proxy/commit/998510923a4561ce23f61e379c6d604d2029dfe4)) +* QUIC early hints restricted to GET/HEAD, Grafana cookie Domain rewriting, route header overrides ([a37d718](https://github.com/PQCrypta/pqcrypta-proxy/commit/a37d718ebb789ab69ce80b08160db6d36cdc27a0)) +* reject WebTransport CONNECT when no WT route matches the host/path ([dd1383e](https://github.com/PQCrypta/pqcrypta-proxy/commit/dd1383edf04936a4176ef4eeba943c84138bd04b)) +* remove duplicate worker_threads key in remotellm-proxy.toml ([474371a](https://github.com/PQCrypta/pqcrypta-proxy/commit/474371a4047e1b935155b800ac5703a9af30e9d7)) +* Remove PQ Crypta-specific integration references ([62f9487](https://github.com/PQCrypta/pqcrypta-proxy/commit/62f9487bd613546eec61f67bacf2be338c5795ae)) +* Replace cumulative latency histogram with 5-minute sliding window ([73dee93](https://github.com/PQCrypta/pqcrypta-proxy/commit/73dee93079f65797a8f81342205dc535ecc529a9)) +* Replace implicit clone with explicit clone for clippy ([0b1d42b](https://github.com/PQCrypta/pqcrypta-proxy/commit/0b1d42ba8faf90c6a6a30589bd24e5459c9b4287)) +* replace unsafe casts with checked conversions to resolve Clippy warnings ([b3bce5f](https://github.com/PQCrypta/pqcrypta-proxy/commit/b3bce5f1d7db5b4ae33df659b2d983eea1c41f07)) +* 
resolve all 2 errors and 12 warnings in pentest suite ([9bfee0e](https://github.com/PQCrypta/pqcrypta-proxy/commit/9bfee0ea09f83325d01a1739e0854c3d92d14609)) +* Resolve all CI Clippy and Rustfmt failures ([e03b5df](https://github.com/PQCrypta/pqcrypta-proxy/commit/e03b5df43babe406092f88d55d6bfea0fa2fc78f)) +* resolve all clippy -D warnings (unwrap_or, casts, clamp, doc length) ([df94076](https://github.com/PQCrypta/pqcrypta-proxy/commit/df940763ff4447a89fc094a8f04c114d8ce793ee)) +* resolve all clippy -D warnings errors ([82840b4](https://github.com/PQCrypta/pqcrypta-proxy/commit/82840b454e89ce6ce929abf3fd970d0189df170c)) +* resolve all clippy warnings in quic_listener.rs and cache.rs ([6ec7558](https://github.com/PQCrypta/pqcrypta-proxy/commit/6ec7558ae3bce797c5576cb4cca339b11fc018bf)) +* resolve all vulnerabilities from 2026-02-22 security audit ([4ecff0e](https://github.com/PQCrypta/pqcrypta-proxy/commit/4ecff0e3ddedc5702cf8873f8295adeafe4ee426)) +* resolve cargo-deny CI failures ([1b48e7b](https://github.com/PQCrypta/pqcrypta-proxy/commit/1b48e7b5e957687f3d6b01d66050d83686a2ac7c)) +* Resolve CI clippy and dead code warnings ([9f1650c](https://github.com/PQCrypta/pqcrypta-proxy/commit/9f1650c1e5ecf9facb548249e7360be09a4e19f3)) +* Resolve CI failures - clippy warnings and dead code ([84f6282](https://github.com/PQCrypta/pqcrypta-proxy/commit/84f6282d2b246af743c38c17f4e15328f3ef51e7)) +* Resolve CI failures - clippy, rustfmt, and test issues ([e5bc0db](https://github.com/PQCrypta/pqcrypta-proxy/commit/e5bc0db29403c9fe8fbd98f8a04a5ef2ca29a48e)) +* Resolve CI failures — clippy warnings, test assertion for composite error keys ([aa9f399](https://github.com/PQCrypta/pqcrypta-proxy/commit/aa9f399e52541cfc070f25c86ad7394252b46123)) +* Resolve CI failures across all platforms ([e154e0d](https://github.com/PQCrypta/pqcrypta-proxy/commit/e154e0d9a2317b14adf4dad9a25e55b2383f69d2)) +* resolve clippy and rustfmt CI failures 
([f490bc1](https://github.com/PQCrypta/pqcrypta-proxy/commit/f490bc1e33fcdf8c681b8500e4eea763cb09c839)) +* Resolve clippy and rustfmt CI failures ([d98fda7](https://github.com/PQCrypta/pqcrypta-proxy/commit/d98fda7cea391b64cb106b023a87b939cbe923a4)) +* Resolve Clippy errors (too_many_arguments, return_self_not_must_use) ([7e66c24](https://github.com/PQCrypta/pqcrypta-proxy/commit/7e66c24694c4a5b5c3cfe37f26a51aae94635787)) +* resolve clippy errors in rate_limiter (raw strings, u128 cast) ([d40264a](https://github.com/PQCrypta/pqcrypta-proxy/commit/d40264aa01fe16e0b1aa1aa6744b75441587b34e)) +* resolve clippy too-many-arguments and while-let-loop warnings ([75009ea](https://github.com/PQCrypta/pqcrypta-proxy/commit/75009ea0888438d8be42d9cd8fbcee7d3feece73)) +* Resolve clippy warnings and fix tests for ACME implementation ([7062399](https://github.com/PQCrypta/pqcrypta-proxy/commit/7062399af29a50c6cfd77be26c59a1045c5f63b3)) +* resolve Rust 1.95 clippy lints; pin cargo-deny to 0.19.7 ([2455de4](https://github.com/PQCrypta/pqcrypta-proxy/commit/2455de4ffd0bdf917cae09f17a9a262dfa38d09b)) +* Resolve rustfmt formatting violations ([8e83ac8](https://github.com/PQCrypta/pqcrypta-proxy/commit/8e83ac8e4c1166068f951ca478c6139e29eb47ef)) +* rustfmt + clippy too_many_arguments on handle_h3_request ([19942f0](https://github.com/PQCrypta/pqcrypta-proxy/commit/19942f0a21a775d6ddff114669eb58aef2337a44)) +* rustfmt and clippy compliance ([2146784](https://github.com/PQCrypta/pqcrypta-proxy/commit/2146784d92249b8f316e456a542df5df276ea7ff)) +* rustfmt compliance in proxy.rs ([8655435](https://github.com/PQCrypta/pqcrypta-proxy/commit/8655435aee4c5f4a1cab49a13e06b8d090083ac1)) +* rustfmt violations and time crate security advisory (CVE-2026-25727) ([ef8c888](https://github.com/PQCrypta/pqcrypta-proxy/commit/ef8c888f7ea0ef5edf975bb01c22a0790d740a9f)) +* SEC-007 evict stale admin auth entries; add Semgrep suppression for NoVerifier 
([9555a07](https://github.com/PQCrypta/pqcrypta-proxy/commit/9555a072e418a236568fb95e5a32110d961875d6)) +* SEC-008 QUIC/H3 security middleware bypass + SEC-009 nosemgrep placement ([d87d39e](https://github.com/PQCrypta/pqcrypta-proxy/commit/d87d39e188db6e1b5f27332156ec9efbb7ec340f)) +* Security hardening release v0.2.0 ([6b2452c](https://github.com/PQCrypta/pqcrypta-proxy/commit/6b2452cd0f3603edf04613e22f0e2b3f2b874c46)) +* server download timeout now matches client test duration via max_secs ([dea4d36](https://github.com/PQCrypta/pqcrypta-proxy/commit/dea4d36683ec70403e7d9819d240d2ba99b7d8ce)) +* set HTTP/2 flow control windows to 16 MB/64 MB to match QUIC throughput ([9d6ed8d](https://github.com/PQCrypta/pqcrypta-proxy/commit/9d6ed8d4ceb71b9abdfda031c91d668402723a5a)) +* share SNI cert resolver with HTTP listener for ACME hot-reload ([f5c6774](https://github.com/PQCrypta/pqcrypta-proxy/commit/f5c6774cd7309ca352cd129a7bf08b8a069323a3)) +* skip SSRF patterns on X-Forwarded-For header to prevent false positives ([52663c1](https://github.com/PQCrypta/pqcrypta-proxy/commit/52663c1c83a56282196f23a0f8878e53a58b23fa)) +* Store last_status and last_seen per endpoint error entry ([cdff143](https://github.com/PQCrypta/pqcrypta-proxy/commit/cdff143622923f9bd1debbc2863945e72ba0a7d9)) +* stream SSE responses through proxy without buffering ([bb28fc0](https://github.com/PQCrypta/pqcrypta-proxy/commit/bb28fc0ea357b9cff5859ef9a5f89a0809f5dadf)) +* strip hop-by-hop headers from backend responses to prevent ERR_QUIC_PROTOCOL_ERROR ([1668773](https://github.com/PQCrypta/pqcrypta-proxy/commit/16687730175f826e21ab0b3adbec8c6eb99868a9)) +* strip hop-by-hop headers; buffer body before releasing backend connection ([ab5e604](https://github.com/PQCrypta/pqcrypta-proxy/commit/ab5e604d9e74e7baca4e317cdca094f308ff394c)) +* strip port from Host header in proxy_handler before all host comparisons 
([f3e8281](https://github.com/PQCrypta/pqcrypta-proxy/commit/f3e828193c8c5ec089275ab26b9cc7555ad2bf14)) +* Support multiple Set-Cookie headers in QUIC proxy ([6dab0d8](https://github.com/PQCrypta/pqcrypta-proxy/commit/6dab0d817021feb80f45f70964141a278e199812)) +* suppress Alt-Svc on TCP speedtest endpoints to allow real TCP testing ([76ec83d](https://github.com/PQCrypta/pqcrypta-proxy/commit/76ec83d7c8d4c54a1196ac646bdd01d8469a2c8c)) +* TCP upload streaming — exempt /speedtest/tcp-upload-stream from body size limit ([cdae633](https://github.com/PQCrypta/pqcrypta-proxy/commit/cdae6337b843489d0781454a60c0504b6a7c1ab7)) +* unchecked_time_subtraction clippy lint + upgrade aws-lc-sys/aws-lc-fips-sys for RUSTSEC-2026-0042..0049 ([cac0ff8](https://github.com/PQCrypta/pqcrypta-proxy/commit/cac0ff8d7531050613b944f6fa64a0a369d211b5)) +* Update blocklists, QUIC listener, sync status ([4acd64c](https://github.com/PQCrypta/pqcrypta-proxy/commit/4acd64c4804ba7b3efe17521e8035b44667b549d)) +* Update blocklists, security rules, and sync status ([626213d](https://github.com/PQCrypta/pqcrypta-proxy/commit/626213dbab5b4c441d00a3aa17cb1a3bb561097d)) +* update bytes 1.11.0 → 1.11.1 to patch CVE-2026-25541 (integer overflow) ([dc18a52](https://github.com/PQCrypta/pqcrypta-proxy/commit/dc18a52d7cf196b7ece1ee9f12c54af19d0805e1)) +* update deny.toml unmaintained field for cargo-deny v2 compatibility ([1f683d5](https://github.com/PQCrypta/pqcrypta-proxy/commit/1f683d53d76f7652201aa7f9227106729211621d)) +* Update dependencies for h3 0.0.8 compatibility ([e9ae125](https://github.com/PQCrypta/pqcrypta-proxy/commit/e9ae125bef408e565fe45ed642b4f1fdc1d24b15)) +* Update Priority header to match RFC 9218 standard format ([ebd24e2](https://github.com/PQCrypta/pqcrypta-proxy/commit/ebd24e2995e8888df56866aeafe24ec397bbe5ab)) +* Update proxy config, blocklists, and connection handling ([a25d131](https://github.com/PQCrypta/pqcrypta-proxy/commit/a25d13115db782539c3b42944ac17c073cc4c973)) +* Update server 
header to match Cargo.toml version v0.2.0 ([1e47101](https://github.com/PQCrypta/pqcrypta-proxy/commit/1e471013b5288b3d438d1b6e99275bd3490a0b6c)) +* upgrade rustls-webpki for RUSTSEC-2026-0049; add itertools skip in deny.toml ([ae96b08](https://github.com/PQCrypta/pqcrypta-proxy/commit/ae96b08be09814dd3fb5d6c381db91f6ba459dbd)) +* Use set_certificate_chain_file for proper intermediate cert ([285e776](https://github.com/PQCrypta/pqcrypta-proxy/commit/285e7765001883d4eee3a82baf3c6a73021759d0)) +* use toml code block in doc comment to avoid doc_link_with_quotes clippy warning ([7472b9f](https://github.com/PQCrypta/pqcrypta-proxy/commit/7472b9f3aa26b6df26e3c4fe21e83f703106a5e6)) +* WebTransport CONNECT rejection must verify route.webtransport=true ([e2fdb2b](https://github.com/PQCrypta/pqcrypta-proxy/commit/e2fdb2bb4f80a02e109ca31db711f047f5128777)) +* WebTransport server cert mismatch — use api-domain cert for port 4433 ([3d386a7](https://github.com/PQCrypta/pqcrypta-proxy/commit/3d386a75be5d4392fa23a7869d7c19ae8b4a33da)) + + +### Performance Improvements + +* reduce pentest timing oracle samples 50→20, tune resilience timeouts ([80792ed](https://github.com/PQCrypta/pqcrypta-proxy/commit/80792ed7f6d326edc27716f668c72c6e4caf0ac4)) + + +### Reverts + +* restore pentest timing oracle to 50 samples, resilience to original timeouts ([e6f1870](https://github.com/PQCrypta/pqcrypta-proxy/commit/e6f18705fa51ab56f2facc6efd5ae3620e7f18b3)) diff --git a/Cargo.lock b/Cargo.lock index 7e97776..2c6cce9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2332,7 +2332,7 @@ dependencies = [ [[package]] name = "pqcrypta-proxy" -version = "0.2.2" +version = "0.1.0" dependencies = [ "anyhow", "arc-swap", diff --git a/Cargo.toml b/Cargo.toml index 4c93dd1..007aabd 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -1,6 +1,6 @@
 [package]
 name = "pqcrypta-proxy"
-version = "0.2.2"
+version = "0.1.0"
 edition = "2021"
 authors = ["PQCrypta Team "]
 description = "Production-ready QUIC/HTTP/3/WebTransport proxy with hybrid PQC TLS support"
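Review bot: The `version` line in this hunk moves the crate from 0.2.2 back to 0.1.0, which is a downgrade rather than a bump, and the Cargo.lock hunk mirrors it. The CHANGELOG added in the same commit files "Security hardening release v0.2.0", "v0.2.2 — CIDR blocklists…" and several RUSTSEC/CVE dependency upgrades under the 0.1.0 heading, so the release tooling appears to have started from the wrong baseline (inferred, as its configuration is not visible here). A build that carries later security fixes under a lower version number makes version-range advisory matching and upgrade decisions unreliable, and SemVer ordering will treat it as older than any 0.2.x build. I would keep `version = "0.2.2"` (or the next higher release) and seed the release tool with the last published version so that the changelog heading and the manifest agree.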