GubinNET is a high-performance, secure, and modular HTTP server written in Go. Itβs designed for production-grade hosting with built-in support for:
β
Static file serving (SPA-ready)
β
Reverse proxy with SNI
β
Dynamic modules (C/C++, Go, Python, WASM)
β
Built-in DDoS protection
β
Prometheus + pprof monitoring
β
Structured logging & hot reload
Unlike traditional proxies, GubinNET allows secure execution of native modules β but with strict signing and isolation to prevent RCE and privilege escalation.
π Security-first: No dynamic
g++compilation. All modules must be pre-compiled and signed.
| Feature | Description |
|---|---|
| Static Hosting | Serve SPAs (React, Vue) with try_files fallback |
| Reverse Proxy | Forward traffic to backend services |
| SNI / HTTPS | TLS with per-host certificates |
| Dynamic Modules | Load .so or WASM modules (C/C++, Go, Rust) |
| Module Signing | Ed25519 signature verification for .so binaries |
| DDoS Protection | Rate limiting + IP banning |
| Observability | Prometheus /metrics, pprof, and /healthz |
| Structured Logging | JSON logs with request ID, duration, status |
| Hot Reload | SIGHUP to reload config without downtime |
GubinNET prioritizes security over convenience:
- β No dynamic C++ compilation β
g++execution removed to prevent RCE. - β
Modules must be pre-compiled β developers compile
module.cppβmodule.sooffline. - β All modules must be signed with Ed25519 key.
- β
Path traversal protection via
safeJoin()and strict validation. - β
Security headers:
X-Frame-Options,X-XSS-Protection,HSTS. - β Isolation: Modules run in main process but are monitored and logged.
GubinNET supports dynamic modules via CGO or WASM β but only if they are trusted and signed.
server_name=modules.example.com
listen_port=80
app_mode=cgo
module_path=/etc/gubinnet/modules/my_module/module.so
module_sig=/etc/gubinnet/modules/my_module/module.so.sig
use_ssl=true
cert_path=/etc/ssl/certs/modules.crt
key_path=/etc/ssl/private/modules.key- Module must be compiled manually:
g++ -shared -fPIC module.cpp -o module.so
- Signed with private key:
openssl dgst -sha256 -sign private.pem -out module.so.sig module.so
- Server verifies signature using
/etc/gubinnet/gubinnet.pub.
β οΈ No.cppβ.socompilation at runtime.
Coming soon: WASM support via
wazerofor full sandboxing.
server_name=api.example.com
listen_port=80
app_mode=proxy
proxy_url=http://internal-service:8080
use_ssl=true
cert_path=/etc/ssl/certs/api.crt
key_path=/etc/ssl/private/api.key
redirect_to_https=true- All traffic forwarded to backend.
- Supports SNI and HTTPS termination.
server_name=spa.example.com
listen_port=80
app_mode=static
root_path=/var/www/spa
try_files=index.html
use_ssl=true
cert_path=/etc/ssl/certs/spa.crt
key_path=/etc/ssl/private/spa.key- Ideal for React, Vue, Angular apps.
- Fallback to
index.htmlfor client-side routing.
git clone https://github.com/yourusername/gubinnet.git
cd gubinnet
go build -o gubinnet main.gosudo mkdir -p /etc/gubinnet/{config,logs,modules}
sudo mkdir -p /var/www# Generate Ed25519 key pair
openssl genpkey -algorithm ED25519 -out /etc/gubinnet/private.pem
openssl pkey -in /etc/gubinnet/private.pem -pubout -out /etc/gubinnet/gubinnet.pubServer requires
/etc/gubinnet/gubinnet.pubto verify module signatures.
/etc/gubinnet/config/example.ini:
server_name=modules.example.com
listen_port=80
app_mode=cgo
module_path=/etc/gubinnet/modules/demo/module.so
module_sig=/etc/gubinnet/modules/demo/module.so.sig
use_ssl=true
cert_path=/etc/ssl/certs/example.com.crt
key_path=/etc/ssl/private/example.com.key
redirect_to_https=truesudo ./gubinnetServer starts on:
:80β HTTP:443β HTTPS:9090β/metricsand/healthz:6060βpprof(profiling)
Reload config without restart:
kill -HUP $(pgrep gubinnet)GET http://localhost:9090/healthz
β 200 OKGET http://localhost:9090/metricsMetrics include:
http_requests_totalhttp_request_duration_secondshttp_active_connectionsmodule_executions_totalmodule_errors_total
# CPU profile
curl http://localhost:6060/debug/pprof/profile > profile.out
# Heap profile
curl http://localhost:6060/debug/pprof/heap > heap.out
# View with:
go tool pprof profile.outFROM alpine:latest AS builder
RUN apk add --no-cache gcc g++ libc-dev
WORKDIR /app
COPY . .
RUN go build -o gubinnet main.go
FROM alpine:latest
RUN apk add --no-cache ca-certificates
WORKDIR /app
COPY --from=builder /app/gubinnet .
COPY --from=builder /app/config /etc/gubinnet/config
COPY --from=builder /app/modules /etc/gubinnet/modules
COPY --from=builder /app/logs /etc/gubinnet/logs
COPY --from=builder /app/gubinnet.pub /etc/gubinnet/gubinnet.pub
EXPOSE 80 443 9090 6060
CMD ["./gubinnet"]version: '3'
services:
gubinnet:
build: .
ports:
- "80:80"
- "443:443"
- "9090:9090"
- "6060:6060"
volumes:
- ./ssl:/etc/ssl
- ./data/config:/etc/gubinnet/config
- ./data/modules:/etc/gubinnet/modules
- ./data/logs:/etc/gubinnet/logs
restart: unless-stopped/etc/gubinnet/
βββ config/ # .ini configuration files
β βββ site1.ini
βββ modules/ # Pre-compiled, signed modules
β βββ demo/
β βββ module.so
β βββ module.so.sig
βββ logs/
β βββ access.log # JSON-formatted access logs
β βββ antiddos.log # Blocked IPs
βββ gubinnet.pub # Public key for module verificationLogs are written in structured JSON:
{
"timestamp": "2025-04-05T10:00:00Z",
"level": "INFO",
"message": "Request processed",
"method": "GET",
"path": "/modules/demo",
"status": 200,
"duration": 0.012,
"remote": "192.168.1.100",
"user_agent": "curl/7.68.0",
"request_id": "a1b2c3d4-e5f6-7890-g1h2-i3j4k5l6m7n8"
}Log rotation: daily.
- Rate limit: 100 requests/sec per IP.
- Ban duration: 60 seconds.
- Logs blocked IPs in
/etc/gubinnet/logs/antiddos.log.
Configurable via code (in future: config file).
MIT License β see LICENSE
We welcome:
- WASM module support
- External module runner (sandboxed processes)
- JWT auth middleware
- OpenTelemetry tracing
Open an issue or submit a PR!
β Keep it fast.
β Keep it secure.
β One proxy to rule them all.