Isolation

Per-tenant cages built from systemd transient units, mount namespaces, XFS project quotas, and cgroup v2 limits. PHP-FPM pools live inside the cage, with open_basedir pinned to the user's home. Apache enforces SymLinksIfOwnerMatch on every vhost. Path-traversing operations in the agent use openat2 with RESOLVE_BENEATH.
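To illustrate the last point, here is an added example (not the panel's own code) of how openat2 with RESOLVE_BENEATH refuses both a `..` climb and an absolute symlink out of a tenant directory. The names `open_beneath` and `demo`, the temporary directory, and the file names are assumptions, constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_openat2
#define SYS_openat2 437   /* openat2 has the same number on every Linux arch */
#endif
/* Local mirror of the kernel's struct open_how and RESOLVE_BENEATH (0x08),
   so the example builds even where <linux/openat2.h> is missing. */
struct how { uint64_t flags, mode, resolve; };
#define BENEATH 0x08

/* Open rel read-only, refusing any resolution that leaves rootfd.
   Returns an fd on success or -errno on failure. */
int open_beneath(int rootfd, const char *rel)
{
    struct how h = { .flags = O_RDONLY | O_CLOEXEC, .resolve = BENEATH };
    long fd = syscall(SYS_openat2, rootfd, rel, &h, sizeof h);
    return fd < 0 ? -errno : (int)fd;
}

/* Constructed tenant home: one real file plus an absolute symlink out of it.
   Returns 0 if confinement held, 1 if not, 2 if openat2 is unavailable here. */
int demo(void)
{
    char home[] = "/tmp/tenantXXXXXX";
    if (!mkdtemp(home)) return 1;
    int root = open(home, O_PATH | O_DIRECTORY | O_CLOEXEC);
    int f = openat(root, "index.php", O_CREAT | O_WRONLY, 0600);
    if (root < 0 || f < 0 || symlinkat("/etc", root, "escape") != 0) return 1;
    close(f);
    int inside = open_beneath(root, "index.php");      /* allowed: fd >= 0 */
    int dotdot = open_beneath(root, "../etc/passwd");  /* must be refused (EXDEV) */
    int viasym = open_beneath(root, "escape/passwd");  /* must be refused (EXDEV) */
    printf("inside=%d dotdot=%d symlink=%d\n", inside, dotdot, viasym);
    if (inside >= 0) close(inside);
    unlinkat(root, "index.php", 0);
    unlinkat(root, "escape", 0);
    close(root);
    rmdir(home);
    if (inside == -ENOSYS || inside == -EPERM) return 2;  /* old kernel or seccomp filter */
    return (inside >= 0 && dotdot < 0 && viasym < 0) ? 0 : 1;
}

int main(void) { return demo(); }
```

The kernel performs the check during resolution itself, so there is no window between validating a path and opening it, which is the gap that string-based prefix checks leave open.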

Web

nginx terminates TLS in front of Apache; Apache routes to a per-user PHP-FPM socket. ACME HTTP-01 issuance via Let's Encrypt, fully automatic. Multi-version PHP from ppa:ondrej/php (8.1, 8.2, 8.3, 8.4); per-domain version selector; php.ini editor with a curated allow-list of safe directives.

Mail

Postfix on 25/465/587, Dovecot on 993/995, both backed by SQLite lookup tables that the panel writes. OpenDKIM signs outgoing mail; rspamd scores incoming. SPF + DKIM + DMARC records auto-published when you create a mail domain. Roundcube provided at /webmail with one-click SSO from the customer panel.

Outgrow a single box? Pair a remote mail node over a pinned-cert HTTPS API with Ed25519 request signing and a single-customer customer_id equality check.

DNS

PowerDNS with the LMDB backend (no external database). Zone + record CRUD via the panel UI; dig answers within seconds of a write.

Databases

MariaDB with per-user databases + accounts and configurable MAX_USER_CONNECTIONS / MAX_QUERIES_PER_HOUR. A watcher process kills runaway queries that exceed your threshold. Optional MongoDB for tenants who need it. phpMyAdmin pre-configured at /phpmyadmin.

Backups

Restic-backed, dedup-friendly, schedulable. Destinations: S3, SFTP, local. Per-account on-demand archives in a portable .mpa format. Granular restore — single file, single table, single mailbox. Import an existing archive as a brand-new account, with database renaming + WordPress / Laravel config rewrite handled automatically.

Customer-side tools

Hierarchy + reselling

Three-tier model: admin → reseller → user. Resellers get their own pool of disk / memory / CPU and can carve it up into packages for their own customers. Impersonation is fully audited.

Licensing + tamper detection

Self-validating: panel phones home every 6 hours, refuses to run if the license is revoked, attestation hash binds the binary to a known release. Debug-mode tokens (issued by you) let support staff inspect a panel without tripping tamper flags.

Try it on your hardware.

A 15-day free trial. Install on Ubuntu 24.04 with one shell command, then run real workloads.