FEATURES

Everything the stack did, one binary does

Execution model, HTTP delivery, shared state, observability and security — built in, on by default or one environment variable away. No nginx configs, no sidecars, no plugins to compile.

Run PHP

Execution model

Persistent workers, cooperative fibers and true background threads — the request lifecycle is yours to shape.

Worker mode

01

Persistent PHP processes bootstrap once and handle thousands of requests. Superglobals, buffers and headers soft-reset between requests; autoloaders, containers and DB connections persist.

Fiber multiplexing

02

Each worker handles hundreds of concurrent requests via PHP 8.4 Fibers — sleeps and awaits yield the fiber instead of blocking the thread.

Async promises

03

Dispatch closures to a dedicated thread pool and await results — with all, race and any combinators for parallel fan-out.

Early response

04

Send the response to the client immediately, then keep processing in the background — queue jobs, write logs, warm caches.

Decorators

05

Intercept function and method calls with PHP 8 attributes — retry, cache, trace or guard without touching call sites.

SSE streaming

06

Real-time Server-Sent Events straight from PHP with explicit flush control — no proxy buffering surprises.

Serve

HTTP & delivery

The web-server layer nginx used to own — routing, static files, TLS, compression and protection — configured with environment variables.

Three routing modes

07

Traditional file mapping, framework front-controller, or SPA fallback — one variable switches; worker mode stacks on top of any of them.

Static files

08

In-memory content cache, automatic MIME detection, ETag and Last-Modified headers, streaming for large files.

Brotli compression

09

Text responses compressed out of the box — quality tunable 0–11, bytes-saved exposed as a metric.

Built-in TLS

10

TLS termination with two variables — PEM certificate and key, minimum protocol version enforced at startup.

Rate limiting

11

Per-IP limits with configurable windows. Over-limit requests get 429; a full PHP queue answers 529 backpressure.

Timeouts

12

Header-read timeout against Slowloris, request timeouts, and a graceful drain window on shutdown.

Custom error pages

13

Your own HTML per status code — drop 404.html or 503.html in a directory and point one variable at it.

Graceful shutdown

14

SIGTERM drains in-flight connections before exit — rolling deploys without dropped requests.

Coordinate

Shared state

Process-wide concurrent primitives so workers coordinate without Redis or APCu — in-process operations cost microseconds, not network round-trips.

Counter

15

Atomic int64 accumulator — get, set, add, compareAndSet.

Atomic

16

Int64 with explicit memory-ordering control.

Flag

17

Atomic boolean for one-shot transitions.

Once

18

Run-once container with reentrancy-safe factory.

Mutex

19

Poisoning mutex over a stored value, with deadlock detection.

Channel

20

Bounded, fiber-aware MPMC queue between workers.

Map

21

Concurrent string-keyed store with batched access.

Pool

22

Bounded object pool with per-thread affinity.

Observe

Observability

Metrics, logs, traces and profiles are built into the server — no exporters, no sidecars, no code changes.

Prometheus metrics

23

A dedicated internal port exposes request, worker, queue, cache and async metrics — ready for Grafana.

Structured logging

24

JSON access logs with method, path, status, duration and request ID in every line — Loki and Elasticsearch parse them as-is.

Request IDs

25

X-Request-ID generated or passed through automatically, available in PHP and stamped on every log line.

Tracing & APM

26

W3C Trace Context, OpenTelemetry export, auto-instrumentation of PDO, cURL and Redis, plus a PHP tracing SDK.

Built-in profiler

27

Per-request profiles in xhprof, speedscope, pprof and FlameGraph formats — triggered by header, cookie or sampling.

Health checks

28

Liveness and readiness endpoints plus a live configuration snapshot — Kubernetes probes work out of the box.

Protect

Security

Sensible protections on by default, and deny-lists for the sharp edges of legacy PHP apps.

Dot-path blocking

29

Hidden files and directories — .env, .git/, .htaccess — are never served. On by default, no configuration.

Trusted proxies

30

Real client IP from Forwarded (RFC 7239) and X-Forwarded-* headers, with CIDR-based trust and rightmost-non-trusted resolution.

PHP execution deny-list

31

Block .php execution at writable paths like /uploads/** — uploaded-shell attacks on legacy apps die before disk I/O.

Symlink allow-paths

32

Symlink escapes from the document root are blocked unless explicitly allow-listed — Laravel storage:link still works.

Two lines in a Dockerfile

Copy your app into the image and run it.