Skip to content

Releases: overdigo/fwp

v0.5.0 - Auto XDP & Resource Limits

Choose a tag to compare

@overdigo overdigo released this 23 Apr 20:02

What's new in v0.5.0

  • Auto XDP (Experimental): Optional high-performance eBPF firewall for DDoS protection and automatic port whitelisting. Installed via install.sh --autoxdp or through the interactive setup prompt.
  • Systemd Resource Limits: Added fwp stack limits command to enforce memory prioritization (MemorySwapMax=0) and CPU accounting using cgroups for FrankenPHP, MariaDB, and Redis.
  • Improved Installation Workflow: Critical fixes for worker.php timing and race conditions during site creation, ensuring 100% reliable domain onboarding.

v0.4.0 - Environment Standardization & Security Hardening

Choose a tag to compare

@overdigo overdigo released this 20 Apr 20:40

🚀 What's New in v0.4.0

🛠️ Developer & Admin Experience

  • Advanced CLI Environment: Integrated bash-completion and nanorc (150+ languages syntax highlighting) for root.
  • Productivity Aliases: New global shortcuts in /etc/profile.d/fwp_aliases.sh:
    • fprl / fpre: FrankenPHP reload/restart.
    • ltr / lk: Order by time or size.
    • ip4 / ip6: Public IP lookup.

🛡️ Security & Stability

  • Hardened Shell: Bash completion is now strictly restricted to the root user's ~/.bashrc.
  • Permission Fixes: Per-site Caddyfiles now use 644 permissions, allowing the www-data user to load them correctly.
  • Webroot Ownership: Enforced www-data:www-data ownership for /var/www/ to prevent service crashes.
  • Orphan Cleanup: Automated removal of orphaned site configurations that lack a physical directory.

⚡ Performance & Cache

  • Cache Selection: Added --cache=wpsc|wpce|none flags to fwp site create.
  • System Tuning: Improved MariaDB and Redis optimization for container environments.

v0.3.0 - Security Hardening & HSTS Preload

Choose a tag to compare

@overdigo overdigo released this 18 Apr 15:25

Security & Infrastructure Improvements

  • HSTS Preload Compliance: Granular 3-step redirect chain (HTTP -> HTTPS Host -> HTTPS Canonical).
  • Hardened HSTS: Increased max-age to 2 years (63072000s) with includeSubDomains and preload.
  • Anonymity: Stripped Server header from all responses including redirects.
  • Security Audit Tool: New standalone script tests/security_audit.sh to verify TLS, SNI, and HSTS.
  • TLS Optimization: Forced modern cipher suites and mandatory SNI support.

Performance

  • Worker Mode scaling: Default 32 threads for ZTS processing.
  • Enhanced Caddyfile: Optimized static asset handling and image negotiation (WebP/AVIF).

Project

  • Random DB prefixing for better security.
  • Comprehensive technical documentation (hsts.md, tls.md).