OpenPanel

Docker-powered web hosting control panel that gives every user a fully isolated environment with dedicated web server, database, and networking — VPS-grade security on shared hardware.

688stars
98forks
TypeScript

OpenPanel is a web hosting control panel built around Docker containers, designed to solve the fundamental security problem of shared hosting: the fact that all users share the same web server, PHP runtime, and database instance. Instead, OpenPanel provisions a dedicated Docker context per user — each user gets their own web server container (Nginx, Apache, OpenLitespeed, or OpenResty), their own database instance (MySQL, MariaDB, or Percona), their own PHP-FPM containers spanning PHP 5.6 through 8.4, and a private network and storage volume. The result is VPS-grade isolation on shared hardware without the VPS price tag.

The panel ships in two tiers: a free Community Edition and a paid Enterprise Edition. The Community Edition covers everything a small-to-medium hosting operation needs — multi-user management, Docker-based isolation, CLI automation via OpenCLI, cPanel import, white-label branding, and billing integrations with FOSSBilling, WHMCS, and Blesta. The Enterprise Edition adds priority support and additional managed features. Installation is a single bash command, and it supports Ubuntu, Debian, AlmaLinux, RockyLinux, and CentOS across both AMD64 and ARM64 architectures.

The OpenCLI layer provides over 100 Bash-based terminal commands covering user lifecycle management, backup scheduling, DNS configuration, PHP version management, WAF (CorazaWAF) control, email server management, resource quota enforcement, and Docker image operations. A sentinel monitoring daemon continuously checks service health, resource usage, and DNS integrity, sending email or webhook alerts when thresholds are breached. The architecture deliberately separates the admin interface (OpenAdmin, port 2087) from the end-user interface (OpenPanel, port 2083), giving hosting providers the ability to expose only what is appropriate to each audience.

What You Get

  • Per-user Docker isolation - Each hosting account runs in its own Docker context with dedicated web server, database, PHP-FPM containers, private network bridge, and scoped storage volume, preventing any cross-tenant resource or data bleed.
  • Choice of web server per user - Deploy Nginx, Apache, OpenLitespeed, or OpenResty independently per user, with optional Varnish caching layer, all managed through OpenAdmin or the CLI without affecting other users.
  • Dedicated database engine per user - Each user gets their own MySQL 8.0, MariaDB, or Percona instance with phpMyAdmin access, eliminating shared database risks and allowing per-user engine selection.
  • Full PHP version matrix - Run PHP 5.6 through 8.4 simultaneously, with per-domain version assignment so a single user can serve a legacy site on PHP 7.0 and a new project on PHP 8.4 from the same account.
  • OpenCLI automation layer - Over 100 Bash terminal commands cover user management, backup scheduling, DNS control, WAF toggling, PHP migration, Docker image operations, and resource quota enforcement without any GUI interaction.
  • CorazaWAF integration - OWASP CRS-based web application firewall powered by Coraza running inside Caddy, manageable per-domain via CLI with rule set updates, statistics by country/IP/path, and enable/disable toggles.
  • Billing platform integrations - Native modules for FOSSBilling, WHMCS, and Blesta to automate account provisioning, plan changes, and suspensions from your billing system.
  • cPanel and CyberPanel import - Built-in account migration tools to import cPanel backup archives and CyberPanel accounts, preserving websites, databases, email, and DNS records.
  • White-label branding - Customize the panel name, colors, logo, domain, nameservers, and visible feature set to present a fully branded hosting product without modifying source code.
  • Sentinel monitoring daemon - Continuous background monitoring of service health, traffic patterns, resource utilization, OOM events, and DNS integrity with configurable alerting thresholds and notification delivery.

Common Use Cases

  • Running a shared hosting business with VPS-grade isolation - A hosting provider serves 300 clients from a single dedicated server, each in their own Docker context, eliminating the ‘noisy neighbor’ problem and reducing support tickets caused by one user affecting another.
  • Migrating an existing cPanel infrastructure without downtime - A web host uses the built-in cPanel importer to move accounts from a legacy cPanel server, preserving all websites, MySQL databases, email accounts, and DNS zones while eliminating per-seat cPanel licensing costs.
  • Offering managed WordPress hosting with per-client PHP control - A hosting company provisions Nginx + Varnish + PHP 8.3 for each WordPress client, letting clients switch to PHP 8.4 themselves through the OpenPanel interface without opening a support ticket.
  • Automating a reseller hosting operation via billing integration - A reseller integrates OpenPanel with WHMCS so that account creation, plan upgrades, suspension, and deletion are triggered automatically from the billing system, requiring zero manual admin intervention.
  • Standing up a secure development environment for an agency - A digital agency deploys OpenPanel on a single VPS to host client staging sites in fully isolated containers, ensuring that one client’s misconfigured application cannot access another client’s files or database.
  • Running a multi-architecture ARM-based hosting cluster - An operator uses ARM-based cloud instances for cost efficiency, deploying OpenPanel which natively supports AArch64 alongside AMD64 and treating both architecture targets identically.

Under The Hood

Architecture OpenPanel follows a layered control-plane architecture where a central set of Bash-based CLI commands (OpenCLI) orchestrates Docker Engine, Caddy, BIND9, and per-user service containers through shell-level abstraction rather than a compiled service layer. The system separates concerns across three planes: the admin plane (OpenAdmin), the user plane (OpenPanel), and the infrastructure plane (OpenCLI + Docker). Configuration is stored in flat INI-style files under /etc/openpanel/, and system state is tracked in a shared MySQL instance used for user metadata and resource accounting. The architecture is intentionally shell-driven rather than microservice-driven, making each component inspectable and patchable without recompiling anything, at the cost of relying on Bash for coordination logic.

Tech Stack The infrastructure layer is built almost entirely in Bash — OpenCLI’s 100+ commands are individual shell scripts that invoke Docker CLI, iptables, Caddy API calls, BIND9 zone management, and MySQL queries. The user and admin web panels are TypeScript React applications served as static assets behind Caddy, which acts as the primary reverse proxy and SSL terminator using automated Let’s Encrypt certificates. DNS is managed by BIND9, containerized per the Docker Compose deployment. CorazaWAF is embedded in a custom Caddy image to provide per-domain OWASP CRS enforcement. End-to-end testing is implemented with Playwright, running full browser-based acceptance tests against both the OpenPanel and OpenAdmin interfaces. The installer is a self-contained Bash script that bootstraps the entire stack on Ubuntu, Debian, AlmaLinux, RockyLinux, and CentOS across AMD64 and ARM64.

Code Quality The Bash layer is well-structured with consistent file headers, usage functions, color-coded output helpers, and MIT-licensed attribution blocks in most scripts. Each OpenCLI script follows the same pattern: parse flags, validate inputs, execute operations, and emit structured output with consistent exit codes. The TypeScript panel frontend uses Playwright for comprehensive end-to-end test coverage across both admin and user interfaces, with dedicated test files for domains, SSL, backups, MySQL, email, FTP, cron jobs, and 2FA. There are no traditional unit tests for the shell layer, but the acceptance test suite provides substantial coverage of the CLI-driven user journeys. Error handling in the shell scripts is generally explicit with meaningful exit codes and error messages, though some scripts suppress stderr for cleanliness.

What Makes It Unique The defining technical choice is treating Docker Engine as the isolation primitive rather than OS-level users or namespaces, which eliminates shared library conflicts and allows each user to independently choose their database engine and web server without root access. Most competing panels either share a single Apache/Nginx/MySQL stack across all users (traditional shared hosting) or require a full VM per customer (VPS hosting) — OpenPanel occupies the middle ground by making container provisioning a first-class hosting operation primitive. The Sentinel daemon’s continuous health monitoring combined with the OpenCLI API surface creates a fully automatable hosting stack where billing systems, monitoring tools, and custom scripts can control every aspect of the platform without depending on a GUI.

Self-Hosting

OpenPanel ships under a split licensing model. The OpenCLI scripts and configuration files are licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 (CC BY-NC-ND), which means you can use and share them for non-commercial purposes but cannot create derivative works or use them commercially without permission from the copyright holder. The OpenAdmin and OpenPanel UI components are distributed under a commercial EULA rather than an open-source license. In practical terms: you can self-host and operate OpenPanel for commercial hosting businesses under the paid Enterprise tier, but you cannot fork and redistribute modified versions or embed the code in your own competing product without explicit authorization.

Running OpenPanel in production requires a Linux VPS or dedicated server with at least 4 GB of RAM and a modern multicore CPU — the Docker-per-user model multiplies the baseline resource footprint compared to traditional shared-stack panels. You are responsible for OS patching, Docker security updates, Caddy version management, BIND9 configuration, and backups of both the MySQL metadata database and user data volumes. The OpenCLI update command automates panel version upgrades, but you own the underlying server infrastructure. The Sentinel daemon helps with runtime monitoring, but there is no built-in HA or automatic failover — single-server deployments have a single point of failure unless you architect clustering yourself.

The Community Edition is free and covers most operational needs for small to medium hosting providers. The Enterprise Edition, available via subscription from openpanel.com, adds priority support, a dedicated account manager, and access to closed-source enterprise modules. Compared to a managed hosting control panel SaaS (where the vendor manages updates, security patches, and uptime), self-hosting OpenPanel means you trade operational convenience for full infrastructure control, cost savings on per-seat licensing, and the ability to customize every layer of the stack down to the shell scripts and Docker images.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search