🌐 onifast-web
Production-grade HTTP/HTTPS web server with automated ACME SSL, PHP-FPM process isolation, and dynamic .htaccess parsing.
onifast-web is the production-grade HTTP/HTTPS web server for the Onifast hosting stack.
It reads virtual-host configurations from an SQLite database shared with the panel, serving multiple domains on a single IP with per-domain PHP-FPM socket proxying, automatic SSL via ACME, IP blocking via the fail2ban database, and native .htaccess directive parsing.
Core Capabilities
- Dynamic Virtual Hosts: virtual hosts are looked up from the SQLite database dynamically on every HTTP request.
- Let's Encrypt / ZeroSSL: certificates are provisioned automatically using the standard ACME HTTP-01 challenge.
- .htaccess Directive Engine: a native Go parser reads Apache-compatible rewrite conditions, header directives, and reverse-proxy rules.
Port Allocations

| Port | Protocol | Description |
|------|----------|-------------|
| 80 | HTTP | Plain HTTP traffic for all hosted domains (redirectable) |
| 443 | HTTPS | TLS-terminated HTTPS traffic for all hosted domains |
| 4030 | Internal HTTP | Internal API challenge listener (SSL generation); never expose it publicly! |
Virtual Hosting Architecture
Every domain registered inside the panel populates the primary virtual host database. When an HTTP request arrives, onifast-web reads the Host header to resolve:
- Per-domain document roots, scoped to /home/<user>/public_html/<domain>.
- Per-domain PHP-FPM sockets, isolated via UNIX sockets at /run/php/php8.2-fpm-<user>.sock.
- Local .htaccess configurations, parsed hierarchically for every incoming request.
- TLS certificates, bound automatically from the certificates obtained by the ACME framework.
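As an added illustration, not code from the onifast-web project: a Go sketch of the Host-header resolution and document-root scoping described above. The VHost fields and the in-memory map standing in for the SQLite query are assumptions; only the path layouts come from this README.

```go
package main

import (
	"errors"
	"net"
	"path/filepath"
	"strings"
)

// VHost holds the per-domain fields resolved from the panel's SQLite database.
// Field names are assumed; the real schema is not shown in the README.
type VHost struct {
	User   string
	Domain string
}

// DocRoot follows the /home/<user>/public_html/<domain> layout.
func (v VHost) DocRoot() string {
	return filepath.Join("/home", v.User, "public_html", v.Domain)
}

// FPMSocket follows the /run/php/php8.2-fpm-<user>.sock layout.
func (v VHost) FPMSocket() string {
	return "/run/php/php8.2-fpm-" + v.User + ".sock"
}

var ErrUnknownHost = errors.New("unknown virtual host")

// ResolveHost normalises the Host header (drops the port, lowercases, strips a
// trailing dot) before the lookup; the map stands in for the SQLite query.
func ResolveHost(vhosts map[string]VHost, host string) (VHost, error) {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	v, ok := vhosts[host]
	if !ok {
		return VHost{}, ErrUnknownHost
	}
	return v, nil
}

// SafePath maps a request path onto the document root. Cleaning the path as an
// absolute path first collapses any "../" segments, so "/../../etc/passwd" lands
// at <docroot>/etc/passwd instead of escaping the root. Symlinks are not checked.
func SafePath(docRoot, urlPath string) string {
	return filepath.Join(docRoot, filepath.Clean("/"+urlPath))
}
```

An unknown Host should be answered with a default page or 404 rather than falling through to the first configured domain.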
ACME SSL Certificates
Certificates are auto-provisioned using HTTP-01 challenges. Port 4030 serves the challenge files internally, and certificates are written per-domain into this storage directory:

```
/home/root/onifast/certs/example.com/fullchain.pem
/home/root/onifast/certs/example.com/privkey.pem
```

The panel's mod_acme_internal.go module requests certificates by contacting the internal API listener on port 4030, which places the challenge tokens dynamically.
PHP-FPM Process Isolation
onifast-web forwards matching .php requests to the target pool over FastCGI. Each hosting account binds to a separate PHP-FPM process pool, giving CPU, memory, and permission separation between active accounts.
PHP Sockets
The socket directory is configured globally by setting the php_socket_dir key inside the serverconfig.json config file.
Native .htaccess Rewrite Parser
The server parses local .htaccess files inside document roots using a native Go interpreter (handler_htaccess.go). Directives are parsed on each request, so configuration changes take effect immediately.
Supported Directives

| Directive | Example Directive | Description |
|-----------|-------------------|-------------|
| DirectoryIndex | `DirectoryIndex index.php home.html` | Define the default index files searched for directory requests |
| RewriteBase | `RewriteBase /app/` | Map relative URL base paths |
| ProxyPass | `ProxyPass /api http://localhost:8080/` | Reverse proxy with full WebSocket upgrade support |
| RewriteCond | `RewriteCond %{HTTP_HOST} ^www\.` | Condition variables (supports logical AND/OR) |
| RewriteRule | `RewriteRule ^old/(.*)$ /new/$1 [L,R=301]` | Regex URL rewriting and client redirects |
| Redirect | `Redirect 301 /old /new` | Simple status-based redirect routing |
| Header | `Header set X-Frame-Options "DENY"` | Add or remove HTTP headers on outgoing responses |
| `<If>` | `<If "%{REQUEST_URI} =~ m#^/terms#">` | Apply directives conditionally based on the requested URI (supports regex and exact match) |
| Options | `Options -Indexes` | Enable or disable directory listings |
| Require | `Require all denied` | IP/path access control rules |
| SetEnvIf | `SetEnvIf User-Agent "curl" bad_bot` | Set environment flags from request attributes (e.g. to block bot user agents) |
Common Rewrite Examples
WordPress Permalinks

```apache
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
```

Redirect HTTP to HTTPS

```apache
RewriteCond %{HTTP_HOST} ^yourdomain\.com$
RewriteRule ^(.*)$ https://yourdomain.com/$1 [L,R=301]
```

Reverse Proxy to Node.js

```apache
ProxyPass /app http://localhost:3000/
```

Allowing Iframe Embeds for Specific Paths
To allow specific paths to be embedded in iframes from other domains (e.g. legal agreements or EULA modals), wrap the header overrides inside an <If> block matching the requested URI:

```apache
<If "%{REQUEST_URI} =~ m#^/terms#">
    Header always unset X-Frame-Options
    Header always set Content-Security-Policy "frame-ancestors *"
</If>
```

Block .env Files

```apache
<FilesMatch "^\.env$">
    Require all denied
</FilesMatch>
```
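To show what the per-request .htaccess evaluation has to do for the "Block .env Files" example above, here is an added Go sketch (not the project's handler_htaccess.go) that parses the <FilesMatch> / Require all denied subset and checks a request path against it; the type and function names are assumptions.

```go
package main

import (
	"bufio"
	"path"
	"regexp"
	"strings"
)

// Config keeps the <FilesMatch> patterns that a "Require all denied" inside them forbids.
type Config struct {
	Denied []*regexp.Regexp // requests whose basename matches any entry are refused
}

// Parse walks the file line by line, tracking one level of <FilesMatch> nesting;
// Header, Rewrite*, Redirect and ProxyPass directives are ignored here.
func Parse(src string) (*Config, error) {
	cfg := &Config{}
	var block *regexp.Regexp // non-nil while inside <FilesMatch> ... </FilesMatch>
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#': // blank line or comment
		case strings.HasPrefix(line, "<FilesMatch"):
			re, err := regexp.Compile(strings.Trim(strings.TrimSuffix(line[11:], ">"), ` "`))
			if err != nil {
				return nil, err
			}
			block = re
		case line == "</FilesMatch>":
			block = nil
		case block != nil && line == "Require all denied":
			cfg.Denied = append(cfg.Denied, block)
		}
	}
	return cfg, sc.Err()
}

// Allowed is false when the requested file name matches a denied pattern, so
// /.env and /app/.env are both refused while /index.php passes.
func (c *Config) Allowed(reqPath string) bool {
	base := path.Base(reqPath)
	for _, re := range c.Denied {
		if re.MatchString(base) {
			return false
		}
	}
	return true
}
```

Because the pattern is anchored, /.env.example is still served; widen the regex if backup copies should be hidden as well.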
Security Hardening Controls

| Severity | Threat Vector | Go Mitigation Strategy |
|----------|---------------|------------------------|
| CRITICAL | Hardcoded session secret | Load session encryption secrets from env files |
| CRITICAL | Session cookie not Secure | Set store.Options.Secure = true |
| CRITICAL | X-Forwarded-For spoofing | Trust XFF headers ONLY from localhost (127.0.0.1) |
| CRITICAL | Path traversal risk | Sanitize paths and assert document root base scopes |
| CRITICAL | No TLS minimum version | Enforce tls.Config.MinVersion = tls.VersionTLS12 |
| HIGH | Missing security headers | Inject X-Content-Type-Options, X-Frame-Options, and HSTS |
| HIGH | No panic recovery | Add a defer recover() middleware |
| MEDIUM | No request body limit | Restrict upload sizes using http.MaxBytesReader |
Performance Enhancements

| Severity | System Bottleneck | Optimization Strategy |
|----------|-------------------|-----------------------|
| CRITICAL | New buffer allocations per request | Use sync.Pool to recycle 32KB buffers |
| CRITICAL | Blocking file reads | Serve static assets with range support using http.ServeContent |
| CRITICAL | No HTTP keep-alive timeouts | Set IdleTimeout: 120s inside the Server declaration |
| HIGH | No gzip compression | Wrap outputs with GZIP compression handlers |
| HIGH | No HTTP/2 routing | Initialize protocols via http2.ConfigureServer |
| MEDIUM | Synchronous request logging | Hand web actions to decoupled asynchronous logging channels |
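The following added Go example (not taken from onifast-web) wires together several rows of the two tables above: X-Forwarded-For trusted only from localhost, the three security headers, panic recovery, http.MaxBytesReader, the TLS 1.2 floor and the 120s IdleTimeout. The 10 MiB body cap and the function names are assumptions.

```go
package main

import (
	"crypto/tls"
	"net"
	"net/http"
	"strings"
	"time"
)

// ClientIP honours X-Forwarded-For only when the TCP peer is localhost (a local
// proxy); from any other peer the header is attacker-controlled and ignored.
func ClientIP(r *http.Request) string {
	peer, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http always sets host:port
	if peer == "127.0.0.1" || peer == "::1" {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			return strings.TrimSpace(strings.Split(xff, ",")[0])
		}
	}
	return peer
}

// Harden adds the security headers, panic recovery and the request-body cap.
func Harden(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("X-Frame-Options", "DENY")
		if r.TLS != nil { // HSTS is only meaningful on an HTTPS response
			w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		}
		r.Body = http.MaxBytesReader(w, r.Body, 10<<20) // 10 MiB cap, assumed value
		next.ServeHTTP(w, r)
	})
}

// NewServer sets the TLS floor and keep-alive idle timeout from the tables.
func NewServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:        addr,
		Handler:     Harden(h),
		TLSConfig:   &tls.Config{MinVersion: tls.VersionTLS12},
		IdleTimeout: 120 * time.Second,
	}
}
```

A per-path .htaccess Header directive (such as the iframe example above) would run after Harden and may override X-Frame-Options for that path only.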
Systemd Service Configuration

```ini
[Unit]
Description=Onifast Web Server
After=network.target

[Service]
ExecStart=/home/root/go/onifast-web
WorkingDirectory=/home/root/go
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```
Kernel Capabilities
The AmbientCapabilities=CAP_NET_BIND_SERVICE directive is required. It allows the Go binary to bind to the standard public ports 80 and 443 without running as root.