nginx-panel

Sign in to manage your hosted sites

Overview

Your hosting at a glance
0
Total sites
0
SSL secured
0
Static sites
0
Dynamic (PHP)
0
Reverse proxies
Domains
Add website
New static or proxy site
Manage websites
All hosted domains
🔒
SSL/TLS
Issue certificates
Deploy app
Git deploy via pm2
🗄
Databases
MariaDB per site
Files
File Manager
Upload, browse, edit
Metrics
📈
Logs & traffic
Gauges, charts, requests
Security
Hardening status
What's protected
🔑
Change password
Update admin login

DomainTypeSSLStatus

Select a site above to browse and upload its files. Static and dynamic (PHP) sites have a manageable webroot — reverse-proxy sites don't (their code lives in a deployed app instead, managed from "Deploy app" on the Websites tab).

Select a site above to see its traffic gauges, hourly chart, and recent request log.

Admin password

Hardening applied by this panel

  • UFW firewall: only ports 22/80/443 open, everything else denied at OS level
  • SSH: password authentication disabled, root login disabled — key-only access
  • Fail2ban: SSH (3 tries, 24h ban), nginx rate-limit, bot, and bad-bot jails active
  • Automatic OS security updates enabled (no reboot without manual approval)
  • nginx DDoS/rate limiting: 30 req/s per IP on all sites, 1 req/s on login endpoints, 50 concurrent connections per IP — excess returns 429, Fail2ban bans on repeated violations
  • Kernel: SYN cookies, ICMP hardening, spoofed-IP (rp_filter) filtering, martian packet logging, BBR congestion control
  • Panel runs as an unprivileged system user with narrowly-scoped sudo rights (nginx reload + certbot only — never full root)
  • Login is rate-limited (8 attempts / 15 min) to resist brute-force attacks
  • CSRF protection via per-session double-submit tokens on every state-changing request
  • Session cookies are HttpOnly, SameSite=Strict, and Secure once served over HTTPS
  • Security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) on panel and every generated nginx site config
  • PHP: expose_php off, display_errors off, allow_url_include off, session hardening, dangerous functions disabled
  • MariaDB: anonymous users removed, test database dropped, remote root disabled, bound to localhost only
  • File uploads block executable/script extensions (.sh, .py, .exe, etc.) — .php only permitted on dynamic-mode sites
  • File manager paths validated against directory traversal on every request
  • Dotfiles blocked and directory listing disabled on all generated sites
  • Raw nginx config edits validated with nginx -t and auto-rolled-back if invalid
  • Deployed backend apps run under the panel's own unprivileged user, isolated from nginx and system processes
  • Each site's databases get a dedicated MySQL user scoped to only that site's own databases
  • Database credentials shown once and never stored by the panel
  • SSL: TLS 1.2/1.3 only, OCSP stapling, session resumption, HTTP/2 auto-enabled, Certbot auto-renewal verified