Welcome to KatWebX!

KatWebX is an extremely fast web-server and reverse proxy for the modern web. Its features are listed below.

You can download KatWebX's releases or source code from github.com/kittyhacker101/KatWebX.

Already have KatWebX? Continue reading the content on this page to learn how to configure KatWebX properly.


Folder structure

KatWebX keeps all of its data contained with its folder. The folder structure is listed below.


Global configuration

KatWebX's global configuration is stored in the /conf.json file. Changes made to this file only take effect after KatWebX has been restarted.


Configuration types

Normal types are automatically used, regex types can be used by prefixing the configuration string with #r. When the string is set to its regex type, the string set in the configuration is parsed as regex.


Loading certificate and key pairs

To use a certificate and key, you must name the certificate [domain].crt, and the key [domain].pem. The certificate used is automatically detected using SNI. If no matching certificate is present, the files default.crt and default.pem will be used instead.

The keyfile must be in pkcs8 format. You can convert it into pkcs8 using the command below (requires openssl): openssl pkcs8 -topk8 -nocrypt -in oldkey.pem -out newkey.pem


Getting a TLS certificate

You can get free TLS certificates from Let's Encrypt through the use of an ACME client, like sslforfree.com.

Note: It is heavily recommended that you generate your own ECDSA key and CSR instead of letting the ACME client do it. Most ACME clients default to using RSA instead of ECDSA, which will result in reduced server peformance.


Forcing encrypted connections using HSTS

It's highly recommended that you make all internet-facing sites HTTPS only. To do so, you can enable the conf.hsts configuration option. This will automatically redirect all requests to HTTPS, and set an HSTS header, to allow for HSTS preloading. You can then request for your site to be added to the HSTS preload list here.

Note: Once you are on the preload list, it is very difficult to get off it. Make sure your site works properly over HTTPS before doing this!


OCSP stapling

KatWebX supports stapling an OCSP response, but it doesn't have a builtin OCSP client. If you split the certificate chain into two files, you can get an OCSP reponse manually using the commands below (requires openssl and bash): URI=$(openssl x509 -noout -ocsp_uri -in server.crt)
openssl ocsp -issuer ca.crt -cert server.crt -url $URI -respout output.ocsp

You can then apply it to a host by renaming the file to [domain].ocsp. Note that this file must be renewed often (usually every 7 days) to prevent it from expiring.


Socket listening

KatWebX can also listen using sockets passed to it, instead of directly binding to an address. The first socket passed to KatWebX will serve HTTP, and the second optional socket passed to KatWebX will serve HTTPS. When using sockets, KatWebX will behave the same as it would if you were binding to a TCP/IP address. You can test out the socket listening using the command below (requires systemfd and katwebx): systemfd -s http::8080 -s https::8181 -- ./katwebx


Peformance optimization

Although KatWebX is designed to be high-peformance, it may need a bit of extra tweaking when under extreme load. Here's some tips on how to improve KatWebX's peformance.