Skip to content

Powered by Grav

Ægir vs BOA: what the stack adds

Ægir vs BOA: what the stack actually adds

Install it, point it at your sites, and forget you were supposed to have a sysadmin. It Just Works™.

Ægir is a proven open-source control panel that turns "install, clone, back up and upgrade a Drupal site" into a few clicks. But Ægir on its own assumes you have already built and will keep guarding everything underneath it — the web server, the database, PHP, the firewall, the backups, the 3 a.m. pager. BOA (Barracuda · Octopus · Ægir) is that everything-underneath, delivered as one hardened stack you install with a single command — and then it looks after itself: it watches its services, repairs what breaks, sheds hostile traffic and keeps itself patched, with no babysitting and no sysadmin background required. That is the whole point of BOA. And it is zero-config where a hand-built stack makes you work: Valkey — the Redis-class cache — just works, nothing to do; New Relic monitoring is one licence key in a control file; Composer and Drush are ready to use; and all 12 PHP versions, from legacy 5.6 and 7.0 to the latest 8.5, switch per site or globally. More than once we have been asked to take a look at a server running a BOA installed ten-plus years earlier and never upgraded since — still running, uptime measured in years, zero incidents of any kind.

Omega8.cc — going on ~16 years of Ægir hosting, with roots back to the first web control panel in 1995 — is now the lead maintainer of Ægir 3, developing it on BOA and backporting improvements to the community. The comparison below is the plain-language version of what that self-caring stack actually buys you.

The comparison at a glance

Both columns are the same Ægir 3. The difference is everything wrapped around it — and how much of that you keep building and guarding yourself.

What you care about Bare Ægir — you build and guard it Ægir on BOA — built in, kept current
Getting from an empty server to your first live site You hand-build the whole stack first — Apache (its default), PHP-FPM, a secured database, a mail agent, DNS/FQDN, sudo rules, PHP memory limits — then install Ægir; the manual path is dozens of copy-paste steps. One command installs and configures the entire stack and your first Ægir, then finishes the last hardening step itself in the background.
The operating system it runs on Any Unix you set up and maintain yourself; the distro, and keeping it current, are your job. Installs onto a deliberately chosen, systemd-free Devuan base and upgrades the OS release for you as part of setup.
Keeping PHP, the database and the OS patched Your job entirely — Ægir's own upgrade only refreshes Ægir's frontend/backend code; it never touches the OS, PHP or the database. The stack updates its own key tools, monitors and OS packages on a schedule, and one command moves PHP or the database to a newer version.
Free HTTPS (SSL) certificates Out of the box you get a self-signed certificate that browsers flag as untrusted. Automated Let's Encrypt isn't in core — it's a separately-installed contributed module you add, wire up and maintain yourself. Real Let's Encrypt certificates are built in and automated — issued, listed across all your domain aliases, and auto-renewed before expiry, including for the control panel itself.
Surviving a sudden traffic spike or DoS attack Nothing is included, and there is no load-shedding of any kind; the docs leave firewalling and load protection to you. A load "auto-pause" ladder briefly sheds web load during a spike and resumes within seconds, and an abuse guard drops hostile requests before they reach PHP.
Blocking scanners, brute-forcers and bad bots No built-in intrusion or abuse detection; you install and tune something like fail2ban yourself. A log-scoring engine watches the web traffic every few seconds, scores offenders across several detectors, and feeds genuine attackers into the firewall automatically (with self-expiry).
A firewall on the server Not part of Ægir; the install notes treat firewall rules as outside its scope. A firewall (CSF/lfd) is installed and wired into the web-abuse pipeline automatically during setup.
When a service crashes at 3 a.m. A dead web server, PHP or database stays dead until a human notices — there is no self-healing. Each box watches its own services every few seconds and restarts a crashed web server, PHP or database on its own, typically within ~5 seconds.
Backups you can actually restore Ægir can back up a site on demand, but the archive lands on the Ægir master's own disk — no automated, off-server, encrypted backups, and scheduling them needs a contributed module. On top of Ægir's site backups, every host takes automated rotated daily database dumps, and can push encrypted, rotated backups of the whole system off-site to S3.
Making sites fast under load You get a plain web/PHP/MySQL stack; any caching, HTTP/2, HTTP/3 or forward-secrecy tuning is on you. Ships a per-user page cache, a fast in-memory cache/lock layer, PHP opcode caching, HTTP/2 and HTTP/3, and forward secrecy, tuned by default.
Hosting many client sites kept apart One Ægir instance runs shared platform codebases with a separate database per site — but every site runs under the same single backend user, with no isolation between tenants. Runs many separate Ægir instances on one box, each in its own virtual jail, so tenants are isolated from one another rather than sharing one backend.
Giving clients safe shell / file access There is no client operating-system account at all — "clients" are only front-end billing/access records — and the one backend aegir user is, by its own docs, root-equivalent and for trusted operators only. Each client gets a locked-down limited shell with SFTP/FTPS scoped to only their own sites — never the powerful system user.
Locking down risky access paths Standard Drupal/Ægir security; a client who can edit their own site code could smuggle in a command that runs with backend privileges. Extra guardrails at the tooling and web layers stop tenant-supplied code from escalating, and restrict which files the web server may execute or write.
Staying on Drupal 7 safely Runs Drupal 7, but upstream core is end-of-life — sourcing security fixes and keeping it alive on modern PHP is on you. Ships a maintained extended-support Drupal 7 fork (Drupal 7.105.1 +Extra core), security backports included, kept running on the latest PHP 8.5 — long after upstream D7 reached end of life.
Running the newest Drupal (10 / 11) on current PHP A Drupal 7-based frontend on the older Drush 6/7/8 toolchain; it hosts up to Drupal 9 and never shipped turnkey Drupal 10/11 support. Supports Drupal 11 on the latest PHP 8.5 today, using current Drush for installs and updates, with PHP versions from 5.6 to 8.5 selectable per site.
Who keeps it alive if something breaks The upstream community project, now in quiet long-term maintenance — a Drupal 7-era stack seeing only occasional commits — supported through community forums and third-party providers. Omega8.cc is the lead maintainer of Ægir 3, actively developing it on BOA and offering commercial licensing and hosted plans.

Is there still a reason to run Ægir bare?

Honestly, for anything you actually depend on — no, and that's by design. BOA is Ægir 3, carried forward rather than competed with. Every reason people used to reach for a bare install has since been folded in or quietly overtaken:

  • "I already run my own hardened stack." Then you're maintaining, by hand, the very things BOA maintains for you — and putting the same Ægir UI on top, minus the 3 a.m. pager.
  • "I want to choose Apache, MariaDB, systemd myself." Sensible picks a decade ago. BOA is deliberately opinionated — Nginx, Percona, Valkey, Devuan/no-systemd — because those are the combinations it keeps fast and secure in production every day. The opinions are the value, not a limitation.
  • "I need Ægir spread across many servers." Upstream's remote-server and clustering support is real, but it is hands-on sysadmin work — its own docs put the load balancer and shared file storage "out of scope." BOA's Master/Satellite model delivers the isolation and density most people reached for that feature to get.
  • "I just want to learn or evaluate Ægir." You'll meet the real thing sooner on BOA — the same Ægir 3, installed and running in one command.

What is left of bare Ægir is a Drupal 7-era frontend on the older Drush toolchain — no built-in HTTPS automation, firewall, abuse protection, self-healing or off-site backups, and development that has slowed to a trickle. It is still a fine way to read the code and understand the model; as something to run today, it is the legacy path. BOA is the same engine kept current.

Where to go next

© 2026 BOA Documentation. All rights reserved.