KatWebX is an extremely fast web-server and reverse proxy for the modern web. Its features are listed below.
You can download KatWebX's releases or source code from github.com/kittyhacker101/KatWebX.
Already have KatWebX? Continue reading the content on this page to learn how to configure KatWebX properly.
KatWebX keeps all of its data contained with its root folder. The folder structure is listed below.
KatWebX's global configuration is stored in the /conf.toml file. It tries it's best to be both backwards and forwards compatible, and usually follows semantic versioning (note that sometimes functionality can be added in a patch version).
Changes made to the configuration only take effect after KatWebX has been restarted. You can also pass configuration files to KatWebX as command-line arguments, like the example shown below. ./katwebx myconfig.toml
A copy of the default configuration file can be found here.
To use a certificate and key, you must name the certificate [domain].crt, and the key [domain].pem. The certificate used is automatically detected using SNI. If no matching certificate is present, the files default.crt and default.pem will be used instead.
The keyfile must be in pkcs8 format. You can convert it into pkcs8 using the command below (requires openssl): openssl pkcs8 -topk8 -nocrypt -in oldkey.pem -out newkey.pem
You can get free TLS certificates from Let's Encrypt through the use of an ACME client, like sslforfree.com.
Note: It is heavily recommended that you generate your own ECDSA key and CSR instead of letting the ACME client do it. Most ACME clients default to using RSA instead of ECDSA, which will result in reduced server peformance.
It's highly recommended that you make all internet-facing sites HTTPS only. To do so, you can enable the content.hsts configuration option. This will automatically redirect all requests to HTTPS, and set an HSTS header, to allow for HSTS preloading. You can then request for your site to be added to the HSTS preload list here.
Note: Once you are on the preload list, it is very difficult to get off it. Make sure your site works properly over HTTPS before doing this!
KatWebX supports stapling an OCSP response, but it doesn't have a builtin OCSP client. If you split the certificate chain into two files, you can get an OCSP reponse manually using the commands below (requires openssl and bash): URI=$(openssl x509 -noout -ocsp_uri -in server.crt)openssl ocsp -issuer ca.crt -cert server.crt -url $URI -respout output.ocsp
You can then apply it to a host by renaming the file to [domain].ocsp. Note that this file must be renewed often (usually every 7 days) to prevent it from expiring.
KatWebX can also listen using unix sockets passed to it, instead of directly binding to an address. The first socket passed to KatWebX will serve HTTP, and the second optional socket passed to KatWebX will serve HTTPS. When using sockets, KatWebX will behave the same as it would if you were binding to a TCP/IP address. You can test out the socket listening using the command below (requires systemfd and katwebx): systemfd -s http::8080 -s https::8181 -- ./katwebx
On unix systems, KatWebX's configuration can be reloaded at runtime by sending it a SIGHUP signal. This can be done using this command: killall katwebx --signal SIGHUP
Note that the configuration values server.http_addr, server.tls_addr, server.stream_timeout, server.prefer_chacha_poly, and server.cert_folder can't be changed without a restart of the server. Encryption certificates, keys, and OCSP responses can't be changed without restarting the server.
Although KatWebX is designed to be high-peformance, it may need a bit of extra tweaking when under extreme load. Here's some tips on how to improve KatWebX's peformance.
This page shows the documentation for KatWebX v1.0.0-eval1. The latest documentation for KatWebX can be viewed at katwebx.kittyhacker101.tk.