DaNode Update
By Danny Arends in Website. Posted at: 14 Mar 2026, 18:28, last edited: 14 Mar 2026, 18:28
DaNode is a small, self-contained HTTP/HTTPS web server written in D, serving multiple domains with SSL/SNI from a single process. It supports CGI-style scripting in any language (APIs are available for PHP, Python, R, Perl, and D) and has been in production on my personal domains for over twelve years.
Here's what changed recently.
Automatic Let's Encrypt renewal.
The headline addition: we now implement the ACME protocol to bootstrap and renew Let's Encrypt certificates automatically. No more manual certificate management or downtime due to expired SSL certificates. Alongside this, the entire SSL layer was modernized: OpenSSL 3.0.15 is now used, enabling modern cipher preferences and their enforcement (TLS 1.2 minimum, AES256-GCM-SHA384, server-side preference).
Security hardening.
Four vulnerability classes were fixed: shell injection in the CGI API (spawnShell() was replaced with spawnProcess()), path traversal (patched via the safePath() function), XSS in directory listing output, and unbounded request sizes, which are now capped separately for the header, body, and large file uploads.
Reliability improvements.
Rate limiting and a hard cap of 1,000 simultaneous connections were added, along with new support for HTTP 206 Partial Content, which fixes streaming for video, audio, and download managers. CGI processes are now properly cleaned up on shutdown, and several updates to multipart form parsing have fixed some nasty URL decoding edge cases. File streaming uses 2KB chunks through a proper buffer instead of loading files into memory.
Built in D, GPL v3, contributions welcome.
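
The shell injection fix listed under Security hardening, shown as an added example that is not DaNode's own code: the same constructed request value is passed once through spawnShell() and once through spawnProcess(). The helper names and the use of `echo` as the child program are assumptions for illustration; the program is POSIX only.

```d
// Added example, not DaNode source. Assumes a POSIX system with `echo` on PATH.
import std.process : Pid, pipe, spawnProcess, spawnShell, wait;
import std.stdio : File, stderr, stdin, writefln;

/// Read every stdout line of a child from the pipe's read end, then reap it.
string[] drain(File readEnd, Pid pid)
{
    string[] lines;
    foreach (line; readEnd.byLine)
        lines ~= line.idup;
    wait(pid);
    return lines;
}

/// "Before": the request value is pasted into one command string, which the
/// shell then parses, so metacharacters in the value become shell syntax.
string[] runViaShell(string value)
{
    auto p = pipe();
    return drain(p.readEnd, spawnShell("echo " ~ value, stdin, p.writeEnd, stderr));
}

/// "After": the value is one argv element and reaches the program verbatim;
/// no shell is involved, so nothing interprets the metacharacters.
string[] runViaArgv(string value)
{
    auto p = pipe();
    return drain(p.readEnd, spawnProcess(["echo", value], stdin, p.writeEnd, stderr));
}

void main()
{
    // Constructed request value containing a shell command separator.
    string value = "report.txt; echo SECOND-COMMAND";

    auto viaShell = runViaShell(value);
    auto viaArgv = runViaArgv(value);
    writefln("spawnShell:   %d line(s) %s", viaShell.length, viaShell);
    writefln("spawnProcess: %d line(s) %s", viaArgv.length, viaArgv);

    // The shell ran two commands; the argv form kept the value as one argument.
    assert(viaShell.length == 2);
    assert(viaArgv == [value]);
}
```

spawnProcess() removes shell parsing only: a value that begins with `-` can still be read as an option by the target program, so request-derived arguments need validation as well.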
Last modified: 14 Mar 2026, 18:28