Spooky

Changelog

Release notes for every version of Spooky. Versions follow semantic versioning — breaking config or API changes increment the major version.

May 28, 2026

upstream_tls.verify_certificates: false — new config option to disable upstream TLS certificate verification for backends with self-signed certs in development or trusted internal environments. Matches the opt-out behavior of NGINX (proxy_ssl_verify off) and Envoy (ACCEPT_UNTRUSTED). A warning is logged at startup when disabled.

Upstream send errors now log the full error cause chain instead of the opaque client error (Connect), making TLS failures — missing SAN, untrusted root, cert/SNI mismatch — immediately diagnosable from logs without a packet trace.
Validator no longer hard-rejects upstream_tls.verify_certificates=false; it now emits a warning and allows startup to continue.
Debian package and systemd unit: TLS certificate files must be owned root:spooky with mode 640 so the spooky service user can read them. Documentation and installation examples corrected accordingly.

Packaging layout: Debian assets moved under packaging/deb/ — make-deb.sh, systemd unit, and default config.
Installation and Docker docs updated to match current packaging paths and runtime behavior.
Debian package version bumped to 0.1.1-beta.

May 12, 2026

Initial release of Spooky — HTTP/3-first reverse proxy and load balancer.

HTTP/3 termination using quiche (RFC 9114) and QUIC transport (RFC 9000).
HTTP/2 backend connectivity (RFC 9113).
TLS 1.3 with certificate chain loading (RFC 8446).
TLS bootstrap ingress for HTTP/1.1 and HTTP/2 compatibility with Alt-Svc upgrade flow.

Upstream pool architecture with per-upstream configuration.
Route matching on path prefix and host headers with longest-match selection.
Method-aware route matching via route.method.
Six load balancing algorithms: random, round-robin, consistent hashing (64 replicas), least-connections, latency-aware, and sticky-cid.
Configurable load-balancing key sourcing (load_balancing.key) and per-backend weight configuration.

Sharded ingress dispatch — per-worker UDP sockets for parallel packet processing.
Global route-queue cap with 503 + Retry-After shedding under overload.
LB fallback, health probe, and streaming timeout semantics.
Panic handling hardened for worker and control-plane tasks.
Per-backend concurrency limiting (64 max in-flight requests). 10,000+ concurrent connections tested.

Dual ingress: QUIC/HTTP3 and TCP/TLS bootstrap for browser compatibility.
Bootstrap path enforces LB strategy and health-aware backend resolution — parity with the QUIC path.
Bootstrap path enforces downstream mTLS policy and QUIC request policy pipeline.
Header sanitization and RFC 7239-compliant IPv6 normalization in Forwarded.
Connection limiter, per-connection timeout guard, and deterministic WebSocket upgrade handling.

YAML-based configuration with comprehensive semantic validation at startup.
Per-upstream load balancing strategy and embedded routing rules.
Upstream TLS verification enforced by default; cleartext backends require explicit opt-in.
Downstream mTLS support via listen.tls.client_auth.*.
performance.control_plane_threads applied to startup runtime configuration.

Bearer token authentication with constant-time comparison.
Metrics endpoint (/metrics), health probe (/health), and readiness probe (/readiness).
TLS-enabled control-plane listener path support and startup hardening.

Debian package with systemd unit, system user/group, and config at /etc/spooky/config.yaml.
Docker packaging with compose bootstrap and operator smoke-test scripts.
CLI with --config flag.
Streaming request/response handling with bounded queues and hard body caps.
Deterministic cap-breach behavior via 413 and 503 under pressure.

No dynamic backend discovery — static config-driven only.
No configuration hot reload — restart-based config apply model.
Pre-GA: requires extended soak and failure-mode hardening before broad production rollout.