UWAS

Unified Web Application Server

One binary to serve them all.

Apache + Nginx + Varnish + Caddy + cPanel → UWAS

Note: UWAS is production-ready with 50+ installed instances.

What is UWAS?

UWAS replaces your entire web server stack and hosting control panel with a single Go binary. Auto HTTPS, built-in caching, PHP support, .htaccess compatibility, reverse proxy, WebSocket forwarding, WAF, multi-user access control, and a 40-page React dashboard with 205+ API endpoints.

One binary. Zero hassle.

Current Snapshot (v0.6.7)

• Dashboard pages: 40 (web/dashboard/src/pages)
• Admin API routes: 221 (route registrations under /api/v1 in internal/admin/api.go)
• Go packages: 54 (from go list ./...)
• CLI commands: 19
• Test status: go test -p 1 ./... passing
• 69 security/stability fixes + 14 hot-path perf wins since v0.4.0 (see CHANGELOG)

v0.6.x highlights (standalone apps + hard legacy cutover):

• Apps are first-class objects under /etc/uwas/apps.d/<name>.yaml
• Domains expose apps with reverse proxy upstreams such as apps://my-api
• File Manager, built-in SFTP, dashboard SFTP users, and SSH keys open app domains at the app work_dir
• Creating an empty Node.js, Python, Ruby, or Go app seeds a tiny runnable demo
• Native app restart stops the full process tree so npm/node children do not keep old ports bound
• The Applications dashboard uses an inline app builder instead of a creation overlay
• Legacy domain-keyed type=app config and migration endpoints are removed
• Docker apps support image or BuildKit build context workflows

v0.5.0 highlights (refactor + perf + observability sweep, 43 commits):

• TLS handshake allowlist is now lock-free (atomic pointer instead of mutex + linear scan)
• IPACL / GeoIP / CORS / WAF middleware run as predicates on the hot path (no per-request wrapper allocation)
• API-key authentication is O(1) (secondary hash index alongside the username map)
• Cache LRU promotion debounced; per-host mutex on access-log writes; ACME renewal split from cert-map iteration
• New internal/respond package centralizes JSON responses with operator-visible 5xx logging
• Per-handler latency histogram (uwas_handler_duration_seconds{handler,quantile})
• Behavioural change: plaintext api_key fallback is now opt-in (global.users.allow_legacy_plaintext_api_key, default false). Operators upgrading from v0.4.x with a plaintext key must set the flag or migrate to hashed credentials.

Features

Web Server

• Auto HTTPS — Let's Encrypt certificates with zero configuration
• HTTP/3 (QUIC) — Via quic-go with Alt-Svc header advertisement
• Built-in Cache — Varnish-level caching with grace mode, tag-based purge, ESI (Edge Side Includes)
• PHP Ready — FastCGI with connection pooling and .htaccess support
• Per-domain PHP — Multiple PHP versions per domain with auto-port assignment, crash auto-restart
• Load Balancer — 5 algorithms, health checks, circuit breaker, canary routing
• WebSocket Proxy — Transparent TCP tunnel with hijack + bidirectional pipe
• URL Rewrite — Apache mod_rewrite compatible engine
• Brotli + Gzip — Dual compression with Accept-Encoding negotiation
• Image Optimization — On-the-fly WebP/AVIF conversion

Hosting Control Panel

• 40-page Dashboard — React 19 admin panel with dark/light theme
• Applications — Deploy and supervise Node.js, Python, Ruby, Go, custom, and Docker apps
• Web Terminal — Browser-based shell via WebSocket-to-PTY bridge
• Multi-user Auth — Admin, reseller, user roles with TOTP 2FA
• WordPress Management — One-click install, plugin updates, debug mode, error log viewer
• DNS Zone Editor — Full CRUD for Cloudflare, Hetzner, DigitalOcean, Route53
• File Manager — Browse, edit, upload, delete files via dashboard
• SFTP Server — Built-in pure Go SFTP with chroot per domain + SSH key management
• Database Management — MySQL/MariaDB + Docker containers (MariaDB/MySQL/PostgreSQL)
• Site Migration — SSH wizard: rsync files + dump/import database
• Clone/Staging — One-click domain clone with DB duplication
• Backup/Restore — Local, S3, SFTP providers with scheduling + webhook notifications
• Cron Jobs — Per-domain cron management with execution monitoring and failure alerts

Security & Monitoring

• WAF — SQL injection, XSS, shell, RCE detection
• Per-domain Rate Limiting — Sharded token bucket per domain
• Bandwidth Limits — Monthly/daily caps with throttle or block action
• Webhook Events — 11 event types with HMAC-SHA256 signatures and retry
• Uptime Monitoring — Per-domain health checks with alerting
• Analytics — Per-domain traffic, referrer tracking, user agent breakdown
• Prometheus Metrics — p50/p95/p99 latency percentiles
• Audit Logging — Track all admin actions with timestamps and IPs
• IP Access Control — Per-domain whitelist/blacklist
• Resource Limits — Per-domain CPU/memory/PID limits via Linux cgroups v2

DevOps

• Git Deploy — Git clone/pull + build + health check + restart with concurrent protection, env persistence, and cancellation support
• AI-Native — MCP server for LLM-driven management
• Nginx/Apache Migration — CLI config converter
• Hot-Reload — All per-domain chains rebuild on SIGHUP (zero downtime)
• Self-Update — Binary auto-update from GitHub releases
• CI/CD — GitHub Actions for build, test, release automation
• Single Binary — ~15MB, no dependencies, just download and run

Install

# One-line install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/uwaserver/uwas/main/install.sh | sh

Update

# One-line update (detects current version, downloads latest, restarts service)
curl -fsSL https://raw.githubusercontent.com/uwaserver/uwas/main/update.sh | sh

Or download from GitHub Releases.

Build from Source

git clone https://github.com/uwaserver/uwas.git && cd uwas
make build        # Production binary → bin/uwas
make linux        # Cross-compile for Linux amd64

Quick Start

# Start server (auto-creates config on first run)
uwas

# Or with a specific config
uwas serve -c uwas.yaml

# Install as systemd service (auto-start on boot)
sudo uwas install
sudo systemctl start uwas

# Dashboard
# http://your-ip:9443/_uwas/dashboard/

# CLI commands (API key auto-loaded from ~/.uwas/.env)
uwas status
uwas php list
uwas domain list
uwas doctor

Configuration

UWAS uses a single YAML file. See uwas.example.yaml for a full reference.

Static Site

global:
  http_listen: ":80"
  https_listen: ":443"
  acme:
    email: you@example.com

domains:
  - host: example.com
    root: /var/www/html
    type: static
    ssl:
      mode: auto

WordPress / PHP

domains:
  - host: blog.example.com
    root: /var/www/wordpress
    type: php
    ssl:
      mode: auto
    php:
      fpm_address: "unix:/var/run/php/php8.3-fpm.sock"
    htaccess:
      mode: import
    cache:
      enabled: true
      ttl: 1800

Standalone App + Domain Route

Apps live outside the main domain YAML. Create them from the dashboard Applications page or as files under /etc/uwas/apps.d/; then route a domain to the app by using apps://<name> as a proxy upstream.

# /etc/uwas/apps.d/my-api.yaml
name: my-api
runtime: node
work_dir: /var/lib/uwas/apps/my-api
port: 0
env:
  NODE_ENV: production

# uwas.yaml or domains.d/api.example.com.yaml
domains:
  - host: api.example.com
    type: proxy
    ssl:
      mode: auto
    proxy:
      upstreams:
        - address: "apps://my-api"

Native runtimes with an empty workdir get a small demo file on create (index.js, app.py, app.rb, or main.go) so the app has something runnable immediately. Existing files are never overwritten.

Reverse Proxy with WebSocket

domains:
  - host: api.example.com
    type: proxy
    ssl:
      mode: auto
    proxy:
      upstreams:
        - address: "http://127.0.0.1:3000"
          weight: 3
        - address: "http://127.0.0.1:3001"
          weight: 1
      algorithm: least_conn
      websocket: true
      health_check:
        path: /health
        interval: 10s

Bandwidth Limits + Rate Limiting

domains:
  - host: example.com
    root: /var/www/html
    type: static
    bandwidth:
      enabled: true
      monthly_limit: 100GB
      daily_limit: 5GB
      action: throttle  # or "block"
    security:
      rate_limit:
        requests: 100
        window: 1m

Requirements

No PHP needed for static sites, reverse proxy, or redirect domains.

CLI

uwas                         Start server (auto-setup if no config)
uwas serve    -c uwas.yaml   Start with specific config
uwas serve    -d             Start as background daemon
uwas version                 Print version info
uwas config   validate       Validate config file
uwas domain   list           List domains
uwas cache    stats          Cache statistics
uwas cache    purge          Purge cache
uwas status                  Server status via admin API
uwas reload                  Hot-reload configuration
uwas stop                    Stop running server
uwas restart                 Restart running server
uwas migrate  nginx <file>   Convert Nginx config to UWAS
uwas migrate  apache <file>  Convert Apache config to UWAS
uwas backup                  Create config backup
uwas restore                 Restore from backup
uwas php      list           List detected PHP versions
uwas php      start <ver>    Start PHP-FPM for version
uwas install                 Install as systemd service
uwas uninstall               Remove systemd service
uwas user     list           List admin users
uwas doctor                  System diagnostics + auto-fix
uwas help                    Show help

Architecture

Request Flow:

  TCP → TLS (SNI routing)
    → HTTP Parse
      → Middleware Chain:
          Recovery → Request ID → Security Headers → Rate Limit → Access Log
        → Virtual Host Lookup
          → Per-domain: IP ACL → Rate Limit → BasicAuth → CORS → Header Transform
            → Security Guard (blocked paths, WAF)
              → Bandwidth Check (throttle/block)
              → Rewrite Engine (mod_rewrite compatible)
              → Cache Lookup (L1 memory + L2 disk)
                → Handler:
                    ├── Static File    (ETag, Range, pre-compressed, SPA)
                    ├── FastCGI/PHP    (connection pool, CGI env)
                    ├── Reverse Proxy  (5 LB algorithms, circuit breaker)
                    ├── WebSocket      (TCP tunnel, bidirectional pipe)
                    └── Redirect       (301/302/307/308)
              → Cache Store
              → Bandwidth Record
    → Response

Project Layout

cmd/uwas/                → CLI entry point (19 commands)
internal/
  admin/                 → REST API (205+ routes) + dashboard embed + TOTP auth
  alerting/              → Alert thresholds + webhook/Slack/Telegram/email notifications
  analytics/             → Per-domain traffic analytics
  apps/                  → Standalone Node/Python/Ruby/Go/custom/Docker app supervision
  auth/                  → Multi-user RBAC (admin/reseller/user) + session + TOTP 2FA
  backup/                → Local/S3/SFTP backup + restore + scheduling
  bandwidth/             → Per-domain bandwidth limits (throttle/block)
  build/                 → Build metadata (version, commit, date) via ldflags
  cache/                 → L1 memory (256-shard LRU) + L2 disk cache + ESI
  cli/                   → CLI framework and commands
  config/                → YAML parser, validation, defaults, ByteSize/Duration types
  cronjob/               → Cron job management + execution monitoring
  database/              → MySQL/MariaDB management + Docker container support
  deploy/                → Git clone/pull + Docker-based application deployment
  dnsmanager/            → Cloudflare, Route53, Hetzner, DigitalOcean DNS CRUD
  dnschecker/            → DNS record verification (A/MX/NS/TXT)
  doctor/                → System diagnostics + auto-fix
  filemanager/           → Web file manager (browse/edit/upload/delete)
  firewall/              → UFW management via API
  handler/
    fastcgi/             → PHP handler, CGI environment builder
    proxy/               → Reverse proxy, load balancing, WebSocket, circuit breaker
    static/              → Static files, MIME, ETag, pre-compressed, SPA
  install/               → System package installer task queue
  logger/                → Structured logger (slog wrapper)
  mcp/                   → MCP server for AI management
  metrics/               → Prometheus-compatible metrics
  middleware/            → Chain, recovery, rate limit, gzip, CORS, WAF, bot guard
  migrate/               → Nginx/Apache converter + SSH site migration + clone
  monitor/               → Uptime monitoring per domain
  notify/                → Webhook, Slack, Telegram, Email (SMTP) channels
  pathsafe/              → Path traversal guard (symlink-resolving containment check)
  phpmanager/            → PHP detect, install, start/stop, per-domain assign
  respond/               → Centralized JSON response helpers (status + hardening headers + 5xx logging)
  rewrite/               → URL rewrite engine (Apache mod_rewrite compatible)
  rlimit/                → Per-domain resource limits via Linux cgroups v2
  router/                → Virtual host routing, request context
  selfupdate/            → Binary self-update from GitHub releases
  server/                → HTTP/HTTPS/HTTP3 server + request dispatch + log rotation
  serverip/              → Server IP detection (interfaces + public IP)
  services/              → systemd service management (start/stop/restart)
  sftpserver/            → Built-in SFTP server (pure Go, chroot per domain)
  siteuser/              → SFTP user management (chroot jail + SSH keys)
  terminal/              → WebSocket-to-PTY bridge for browser-based shell
  tls/                   → TLS manager, ACME client, auto-renewal, cert expiry alerts
    acme/                → RFC 8555 ACME protocol, JWS signing
  webhook/               → Event-driven webhook delivery (11 events, HMAC, retry)
  wordpress/             → WordPress install, manage, debug, permissions
pkg/
  fastcgi/               → FastCGI binary protocol, connection pool
  htaccess/              → .htaccess parser and converter
web/dashboard/           → React 19 SPA (40 pages, Vite + TypeScript + Tailwind)

Dashboard

UWAS includes a 40-page React 19 dashboard at /_uwas/dashboard/ with dark/light theme:

Sites: Dashboard, Domains, Domain Detail, Topology, Certificates, DNS Zone Editor, Cloudflare, WordPress, Clone/Staging, Migration, File Manager

Server: PHP, PHP Config, Applications, Database, DB Explorer, SFTP Users, Cron Jobs, Services, Packages, IP Management, Email Guide

Performance: Cache, Metrics, Analytics, Logs

Security: Security, Firewall, Unknown Domains, Audit Log, Admin Users, Users

System: Config Editor, Webhooks, Backups, Terminal, Updates, Doctor, Settings

Auth: Login (with 2FA/TOTP support)

Comparison

Performance

Tested with hey on AMD Ryzen 9 9950X3D:

Deployment

Systemd

sudo cp init/uwas.service /etc/systemd/system/
sudo systemctl enable uwas
sudo systemctl start uwas

# Live config reload (zero downtime)
sudo systemctl reload uwas

Docker

docker build -t uwas .
docker run -p 80:80 -p 443:443 -v ./uwas.yaml:/etc/uwas/uwas.yaml uwas

Migration from Nginx/Apache

# Convert existing Nginx config
uwas migrate nginx /etc/nginx/sites-enabled/example.conf > uwas.yaml

# Convert Apache config
uwas migrate apache /etc/apache2/sites-enabled/example.conf > uwas.yaml

# Or use the dashboard Migration wizard for full site transfer (files + database)

Development

make dev        # Build development binary
make test       # Run all tests
make lint       # Run go vet + staticcheck
make clean      # Clean build artifacts

# Dashboard
cd web/dashboard && npm run build

License

UWAS is dual-licensed:

• AGPL-3.0 for open-source and community use — full text
• Commercial license for enterprise and proprietary use — uwaserver.com/enterprise

Contributing

1. Open an issue first to discuss
2. One feature/fix per PR
3. Tests required
4. go vet must pass